Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: Token authentication with web applications
From: Michael Silk (michaelsphg.com.au)
Date: Fri Jul 02 2004 - 01:24:37 CDT
As far as I have found is that the secure systems will perform
some computation on the card itself, the computation is such that
it is secure (i.e. no private data leaves the card, and other
So, in your situation obviously the computer where the key is plugged
into isn't considered secure; so computation can't be done there.
Perhaps you could look into utilising the users' palm pilots? If they
have them ...
If not, well, the only solution is to use a system that can be
copied (i.e. cd's, printouts, and so on) and accepting the risk.
Potentially (and this is just a very rough suggestion) you could
have a secure server and the users' computers can request a token
from that. (i.e. try and emulate the computational card-based system
utilising a server instead of the card).
From: Ivan Krstic [mailto:krsticfas.harvard.edu]
Sent: Friday, 2 July 2004 8:48 AM
Subject: Token authentication with web applications
I'm looking for people's experiences with cheap, uncomplicated token
devices or other physical means of authentication that play nicely with
more traditional authentication methods in web applications.
The cheapest solutions that came to mind are printing credit-card sized
s/key cards, or burning mini-CDs with a key and an auth agent for users.
Obviously, both methods are flawed (s/key cards can be copied down if
left exposed, and that's assuming they're not taped to the monitor,
while a stolen CD can be copied and replaced without evidence of
tampering), but would still raise the security bar at essentially no
cost. More extensive authentication solutions are usually rather expensive.
 The s/key printed cards at least address this insofar as the user,
presuming he can be bothered with remembering which of the 100 s/keys he
used last, can notice that an intruder gained access to the system.
This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments.
This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.