Date: Wed, 09 Dec 2009 12:00:53 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Mark Fullmer <maf@eng.oar.net>
Cc: freebsd-security@freebsd.org, Tomasz bla Fortuna <bla@thera.be>
Subject: Re: One-time password implementation.
Message-ID: <20091209120053.17563x5e4o354bcw@webmail.leidinger.net>
In-Reply-To: <CD8B9224-165D-45C8-863A-3DCDE74D9C2A@eng.oar.net>
References: <20091207201924.5d6ef1bf@thera.be>
 <73FE9669-75FD-4E2B-A238-68EAC6AA941B@eng.oar.net>
 <20091208095410.68368l6s44h5u9f4@webmail.leidinger.net>
 <CD8B9224-165D-45C8-863A-3DCDE74D9C2A@eng.oar.net>
Quoting Mark Fullmer <maf@eng.oar.net> (from Tue, 8 Dec 2009 17:01:11 -0500):

> HOTP is defined in rfc4226, it's not my own. There is a variant
> called TOTP which ties the count to a clock.
>
> The Spyrus reader has an RTCC which could be used to drive the
> count. What scenario do you see a time based token having advantage
> over a loosely synchronized count?

Situations where the generated passwd is sniffed somehow (e.g. looking
over the shoulder) and then the person is tricked into not logging in
for a while. Currently he would notice the compromise, but it would
still be possible to compromise until the owner of the account wants
to log in himself. With a time based limit, the attack has to be fast.

Bye,
Alexander.

-- 
"I never got in on my looks, you know."
"You were always better looking than you photographed."
		-- Johnny Fontane and Virginia, "Chapter 12", page 160

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091209120053.17563x5e4o354bcw>