Actually, you've got the system down correctly. However, the slack time is +/- 1 minute, so you really get 3 minutes per code.
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 10:29 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
>
>
> Forgive me for arguing, but I believe the time allotted for guessing that
> third factor is even less than indicated below. Of course, by token, I am
> referring to what RSA calls a "keyfob." Is that what you are referring to
> as well?
>
> Here is what I understand to be the process, from reading the manuals we
> have:
> 1. Upon issuance to the user, you synch the token/keyfob with the RSA
> server DB.
> 2. A 6-digit code displays for 1 minute on the token.
> 3. If used for authentication within that 1 minute period, it is
> "time-stamped" as to when you entered the Passcode (PIN + code) and has an
> additional 1 minute latency period. Meaning that if you dial-up and enter
> your passcode, 30-seconds into the code, you have 1:30 to connect to the
> dial-up server and be authenticated.
> 4. If you enter the same code after the display has rolled over however,
> that code is no longer valid, as the timestamp when you entered it will no
> longer match with the timestamp on the server for when that code was valid.
>
> So the short version is that if you enter the code while it's displaying on
> the token, it's good for 1 minute with a 1 minute latency period. If you
> don't enter the number while it's viewable, then you've missed your window
> of opportunity, because it was only good for one minute. Oh and BTW...if
> you are trying to guess the code and miss it three times, regardless of
> length of time between guesses, it will lock your token until an admin can
> reset it.
>
> That's how I understand the process.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 5:44 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
>
>
> It doesn't stop key logging per se, but it renders it ineffective.
>
> The SecurID tokens use a three factor[1] authentication system, in which the
> third piece is a 6 digit, one time use code. That code is good for exactly 3
> minutes, and once used cannot be used again.
>
> Therefore, logging the authentication process is useless, as you'll only get
> 2 of the 3 factors, and for the third factor, you have a 1 in 1,000,000
> chance, reset every three minutes, to guess that last part.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> [1] They call it 2 factor, but you need a username, a PIN, and the securID
> token number to log in - that's either 3 or 11, depending on how much of a
> geek you are.
>
> :::: snip ::::
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface:
> http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
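The server-side behaviour the two posters are describing (a one-minute code accepted within a slack of one adjacent window, one-time use so a logged passcode cannot be replayed, and a lockout after three misses) can be seen end to end in the following added Python illustration. It is not part of the original posts and not RSA's algorithm: the code generator is a constructed HMAC-SHA1 toy, and `WINDOW_SECONDS`, `SLACK_WINDOWS`, `MAX_FAILURES`, the PIN and the token secret are assumed demo values.

```python
import hmac
import hashlib

WINDOW_SECONDS = 60   # the token rolls to a new code every minute (assumed, per the thread)
SLACK_WINDOWS = 1     # server also accepts the previous and next window: 3 minutes total
MAX_FAILURES = 3      # three bad guesses lock the token until an admin resets it


def token_code(secret: bytes, window: int) -> str:
    """Constructed toy generator (NOT RSA's algorithm): six decimal digits
    derived from HMAC-SHA1 of the time-window counter."""
    digest = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class TokenRecord:
    """What the authentication server keeps per issued token."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked = False
        self.last_used_window = None  # highest window already consumed by a login


def verify(record: TokenRecord, pin: str, code: str, now: int, expected_pin: str) -> str:
    """Check PIN + code at epoch time `now`.

    Returns one of: "accepted", "replayed", "rejected", "locked".
    """
    if record.locked:
        return "locked"

    current = now // WINDOW_SECONDS
    accepted_window = None
    if hmac.compare_digest(pin.encode(), expected_pin.encode()):
        # Accept the code of the current window or of one window either side,
        # which is the "1 minute plus 1 minute slack" behaviour in the thread.
        for w in range(current - SLACK_WINDOWS, current + SLACK_WINDOWS + 1):
            if hmac.compare_digest(token_code(record.secret, w), code):
                accepted_window = w
                break

    if accepted_window is None:
        # Wrong PIN or wrong/expired code: count it; three misses lock the token,
        # regardless of how much time passed between the guesses.
        record.failures += 1
        if record.failures >= MAX_FAILURES:
            record.locked = True
            return "locked"
        return "rejected"

    if record.last_used_window is not None and accepted_window <= record.last_used_window:
        # A captured passcode replayed inside the slack window is refused:
        # each window's code is one-time use.
        return "replayed"

    record.last_used_window = accepted_window
    record.failures = 0
    return "accepted"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # assumed demo token seed
    rec = TokenRecord(secret)
    now = 1_000_000
    cur = now // WINDOW_SECONDS
    good = token_code(secret, cur)
    print("first login   :", verify(rec, "1234", good, now, "1234"))   # accepted
    print("keylogged copy:", verify(rec, "1234", good, now, "1234"))   # replayed
    print("stale code    :", verify(rec, "1234", token_code(secret, cur + 3), now, "1234"))  # rejected
```

The replay check keys on the window counter rather than the digits themselves, so an attacker who logged a passcode gains nothing even inside the three-minute acceptance window, and the failure counter is reset only by a successful login, which is what makes the "three misses, however far apart" lockout hold.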