
Re: [SAGE] Security tokens



>>  My thoughts on this have led me to a deep suspicion of OTP in
>>  general.

My goals are a little simpler than all these attacks imply.  This would 
only be used down encrypted channels from trusted client hosts, so the MITM 
stuff isn't my biggest concern.  The objective is simply to preclude the 
use of re-usable passwords, when reaching in across my physical network 
boundary, so people can't trivially give them away to each other (and to 
customers, friends, etc.).

Disabling, say, a former employee's reusable-password access to company 
systems utterly fails to ensure that they don't know the reusable password 
of another, current employee.  There is far too much laxity here about 
keeping passwords secret, even if they're strong.  This then transfers the 
problem to the PIN that unlocks the stored secret, but this is why I want a 
token rather than simply using the PIN _as_ the secret -- as S/Key and Opie 
do -- because they'd give away their PINs if they could.  Forcing them in 
this case to surrender the one device that gives them their own access, 
i.e. making it non-duplicable, is the only way I can see to stop this.