[Sightly off-topic - solution specific] Some European countries have long figured out logistics of smartcard distribution and management in their healthcare systems - some being at the second generation, already. In fact this is a subject "dear" to my heart, as I've researched and attempted a proposal for such systems for a few disparate businesses (with possible extension into eHR), based on a model similar to the one of SSL certificates authority (i.e third party management of authentication, with some very neat federated solution), but nobody seems to care.... Moral? It's been done and it works. Good luck with selling such. Stefan On 11/21/09, Adam Stasiniewicz <stasinia@msoe.edu> wrote:
Sadly, passwords are the least common denominator. The biggest problems with 2 factor devices (smart cards, OTPs, etc) is having to buy, configure, and distribute them; plus get them to work with all the myriad of applications.
Certificates that are issued to computers/web browsers suffer from a lack of portability (i.e. by design, the user shouldn't be able to export and share the certificate with anyone they want). Plus with any solution using certificates (client or smart card) a substantial reconfiguration is required to support websites/applications being able to process certificate logons.
IMHO, even though OTPs are the less secure of the two types of two-factor products, I see them growing faster than any other method. From an end-user perspective, they are small/portable, don't require a reader, and don't require any special OS, web browser, or software. For an infrastructure perspective, it is easier to convert a website to support OTPs (simply change the function that runs the password validation; instead of having to install and configure a special module/component that would handle the mutual auth required by certificates). Also, many of the OTP vendors are working on making their products function more easily cross platform (while with smart cards, you are basically stuck with either the Microsoft's corporate/non-service provider friendly solution, or have to code your own).
My $0.02, Adam Stasiniewicz
-----Original Message----- From: Sean Donelan [mailto:sean@donelan.com] Sent: Friday, November 20, 2009 5:43 PM To: nanog@nanog.org Subject: Smartcard and non-password methods (was Re: Password repository)
Are any network providers supporting smartcards or other non-password based authentication methods? Passwords always end up blaming the user for choosing/not remembering good passwords instead of blaming the technology for choosing/not doing things so the user isn't forced to work around its flaws.
I know about the DOD Common Access Card. One-time code-generator tokens seem more widely used by single enterprises. But inter-operable credentials still seem to be one of those great unsolved problems for compter security. Are passwords still the only lowest-common-denominator?
-- Sent from my mobile device ***Stefan Mititelu http://twitter.com/netfortius http://www.linkedin.com/in/netfortius