RE: Comments on "Hybrid Auth. mode for IKE"
Suresh, Steve
> > >Within an exchange-type authentication, you could authenticate a
> > >client in more than one way. For example: Challenge/response
> > >authentication, followed by smart token card authentication.
> > >In general, the exchange type authentication could combine multiple
> > >authentications and hence is a stronger mechanism for auth than a
> > >single-payload-type authentication.
> >
> > I don't agree. Several mediocre or poor methods are not necessarily as
> > good much less better than one very good method.
> >
>
> Well, exchange-type authentication is a strong requirement for legacy
> verification schemes. To that extent, it is valuable. I was merely
> extrapolating the process to suggest that we could use the scheme to
> perform multiple authentications in succession (example - 2 very good
> methods, one after the other). Apparently, I have not been able to
> articulate this well. So, I will drop that line of discussion for the
> time being.
For mobile users I think a good case can be made for having more than
one round of authentication for the same reason that in order to take
money out of an ATM machine I need a card and a PIN. If I lose my wallet
containing all my token cards and smart cards, then it helps that they
are useless to anyone else unless they also know the associated PIN /
passwords etc. No matter how strong the authentication used to verify
that the remote party is in possession of a valid card, it doesn't mean
that it hasn't fallen into the wrong hands.
Bryan