It really is a cool system. We're currently using it for VPN access and front-ending OWA, and we're playing with it and some Cisco Aironet wireless devices - requiring SecurID authentication before you get onto the wireless network.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Ken Cornetet [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 2:21 PM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
>
> I've not examined the system for several years (I'm just a happy user
> now, not an admin), but at least at one time SecurID would accept the
> current code (of course), one code behind or one ahead for a total window
> of 3 minutes as Roger notes.
>
> If the gadget's clock had drifted to more than one minute off, and you
> were TWO codes ahead or behind, the system would additionally prompt for
> the NEXT code displayed to make sure you were you, and it would update
> the stored time offset for your gadget. Pretty slick system.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 10:01 AM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
>
> Actually, you've got the system down correctly.
>
> However, the slack time is +/- 1 minute, so you really get 3 minutes per
> code.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 19, 2003 10:29 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> > Forgive me for arguing, but I believe the time allotted for guessing that
> > third factor is even less than indicated below. Of course, by token, I am
> > referring to what RSA calls a "keyfob." Is that what you are referring to
> > as well?
> >
> > Here is what I understand to be the process, from reading the manuals we
> > have:
> > 1. Upon issuance to the user, you synch the token/keyfob with the RSA
> > server DB.
> > 2. A 6-digit code displays for 1 minute on the token.
> > 3. If used for authentication within that 1 minute period, it is
> > "time-stamped" as to when you entered the Passcode (PIN + code) and has an
> > additional 1 minute latency period. Meaning that if you dial up and enter
> > your passcode 30 seconds into the code, you have 1:30 to connect to the
> > dial-up server and be authenticated.
> > 4. If you enter the same code after the display has rolled over, however,
> > that code is no longer valid, as the timestamp when you entered it will no
> > longer match with the timestamp on the server for when that code was valid.
> >
> > So the short version is that if you enter the code while it's displaying on
> > the token, it's good for 1 minute with a 1 minute latency period. If you
> > don't enter the number while it's viewable, then you've missed your window
> > of opportunity, because it was only good for one minute. Oh, and BTW... if
> > you are trying to guess the code and miss it three times, regardless of
> > length of time between guesses, it will lock your token until an admin can
> > reset it.
> >
> > That's how I understand the process.
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Friday, September 19, 2003 5:44 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> > It doesn't stop key logging per se, but it renders it ineffective.
> >
> > The SecurID tokens use a three factor[1] authentication system, in which the
> > third piece is a 6 digit, one time use code. That code is good for exactly 3
> > minutes, and once used cannot be used again.
> >
> > Therefore, logging the authentication process is useless, as you'll only get
> > 2 of the 3 factors, and for the third factor, you have a 1 in 1,000,000
> > chance, reset every three minutes, to guess that last part.
> >
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > [1] They call it 2 factor, but you need a username, a PIN, and the SecurID
> > token number to log in - that's either 3 or 11, depending on how much of a
> > geek you are.
> >
> > :::: snip ::::
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
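A simplified model of the verifier behaviour the thread describes (a 60-second code accepted at +/-1 step for a 3-minute window, a next-code challenge that resyncs the stored drift offset when the token is two codes off, one-time use, and lockout after three misses), added here as an illustration; it is not RSA's code, and the HMAC-based tokencode, the seed and the record fields are assumptions, not SecurID's actual algorithm. It shows why a logged passcode is of little use to a keylogger: replaying it inside the window is rejected, and guessing burns the three-strike budget.

```python
import hashlib
import hmac
from dataclasses import dataclass

STEP = 60          # one tokencode per minute, as the thread describes
MAX_FAILURES = 3   # three misses lock the token until an admin resets it

def tokencode(seed: bytes, step: int) -> str:
    """6-digit code per 60 s step. Hypothetical HMAC model, not RSA's real SecurID algorithm."""
    mac = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

@dataclass
class TokenRecord:
    seed: bytes
    offset: int = 0        # server's stored clock-drift estimate for this token, in steps
    last_step: int = -1    # step of the last accepted code (one-time use)
    failures: int = 0
    locked: bool = False
    pending: int = -1      # step matched at +/-2 whose successor is awaited, or -1

def verify(rec: TokenRecord, code: str, now: int) -> str:
    """'ok', 'next_code' (drift detected, show the next code), 'fail' or 'locked'."""
    if rec.locked:
        return "locked"
    server_step = now // STEP + rec.offset
    if rec.pending >= 0:
        want, rec.pending = rec.pending + 1, -1
        if code == tokencode(rec.seed, want):
            rec.offset = want - now // STEP    # resync the stored drift offset
            return _accept(rec, want)
        return _fail(rec)
    for delta in (0, -1, 1, -2, 2):
        cand = server_step + delta
        if code != tokencode(rec.seed, cand) or cand <= rec.last_step:
            continue                           # wrong code, or one already used
        if abs(delta) <= 1:
            return _accept(rec, cand)          # inside the +/-1 minute window
        rec.pending = cand                     # two minutes off: ask for the next code
        return "next_code"
    return _fail(rec)

def _accept(rec: TokenRecord, step: int) -> str:
    rec.last_step, rec.failures = step, 0
    return "ok"

def _fail(rec: TokenRecord) -> str:
    rec.failures += 1
    rec.locked = rec.failures >= MAX_FAILURES
    return "locked" if rec.locked else "fail"
```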