One-time password implementation.
Alexander Leidinger
Alexander at Leidinger.net
Wed Dec 9 11:01:04 UTC 2009
Quoting Mark Fullmer <maf at eng.oar.net> (from Tue, 8 Dec 2009 17:01:11 -0500):
> HOTP is defined in RFC 4226, it's not my own. There is a variant
> called TOTP which ties the count to a clock.
>
> The Spyrus reader has an RTCC which could be used to drive the
> count. What scenario do you see a time-based token having an advantage
> over a loosely synchronized count?
Situations where the generated passwd is sniffed somehow (e.g. looking
over the shoulder) and then the person is tricked into not logging in
for a while. Currently he would notice the compromise, but it would
still be possible to compromise until the owner of the account wants to
log in himself. With a time-based limit, the attack has to be fast.
Bye,
Alexander.
--
"I never got in on my looks, you know."
"You were always better looking than you photographed."
-- Johnny Fontane and Virginia, "Chapter 12", page 160
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
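The scenario in the reply above, as an added illustration that is not part of the original thread and not code from either author: an HOTP verifier (RFC 4226) and a TOTP verifier (RFC 6238) side by side, with a shoulder-surfed code replayed one hour later against each. The verifier classes, the look-ahead window of 10 counters, the 30-second step and the one-step clock skew are assumptions of this example; the secret is the RFC test-vector key, so the codes can be checked against the RFCs.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector key
# (ASCII "12345678901234567890"). Never use it outside of tests.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP whose counter is the clock divided by the step."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of HOTP (assumed design): remembers the next expected
    counter and accepts any of the next `look_ahead` codes, to resynchronise
    with a token whose button was pressed without logging in."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # every counter up to c is now burnt
                return True
        return False


class TotpVerifier:
    """Server side of TOTP (assumed design): accepts the current time step
    plus/minus `skew` steps and never accepts the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_step_used = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for s in range(max(0, current - self.skew), current + self.skew + 1):
            if s > self.last_step_used and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step_used = s
                return True
        return False


def sniffed_code_outcomes() -> dict:
    """Replay the 'looked over the shoulder' case against both verifiers:
    the victim generates one code, is kept from using it, and the observer
    tries that code one hour later."""
    hotp_server = HotpVerifier(TEST_SECRET)
    totp_server = TotpVerifier(TEST_SECRET)

    # HOTP: nothing about the code is tied to time, so an hour changes nothing.
    sniffed_hotp = hotp(TEST_SECRET, 0)
    hotp_replay_after_an_hour = hotp_server.verify(sniffed_hotp)
    # Only once the owner logs in with a later counter is the old code dead.
    owner_login = hotp_server.verify(hotp(TEST_SECRET, 1))
    hotp_replay_after_owner_login = hotp_server.verify(sniffed_hotp)

    # TOTP: the code generated at t=0 is good within the step (and the skew),
    # but a fresh verifier an hour later is checking steps 119..121.
    sniffed_totp = totp(TEST_SECRET, 0)
    totp_replay_within_step = totp_server.verify(sniffed_totp, 20)
    totp_replay_after_an_hour = TotpVerifier(TEST_SECRET).verify(sniffed_totp, 3600)

    return {
        "hotp_replay_after_an_hour": hotp_replay_after_an_hour,
        "owner_login": owner_login,
        "hotp_replay_after_owner_login": hotp_replay_after_owner_login,
        "totp_replay_within_step": totp_replay_within_step,
        "totp_replay_after_an_hour": totp_replay_after_an_hour,
    }


if __name__ == "__main__":
    for name, accepted in sniffed_code_outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The HOTP look-ahead window is what makes the replay survive: the server cannot tell a code the token emitted an hour ago from one it emitted just now, only that it is ahead of the last one consumed, so the sniffed code stays live until the owner's next login burns it. The TOTP verifier's skew bounds the same exposure to a couple of steps, and the `last_step_used` check stops a second use of the step that was already accepted.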