Three authentication factors and ways to strengthen authentication

This article looks at the three main authentication factors: something you know (such as a password), something you have (such as a card or token), and something you are (biometrics). It analyzes the security and practicality of various combinations, including password plus one-time PIN, challenge-response tokens, and smart cards combined with biometrics.


From a forum abroad; well written.
There are 3 types of authentication possibilities for a system like that:

Something you know (password, passphrase)

Something you have (card, token, phone... etc)

Somebody you are (biometrics in general)

Strong authentication needs for sure to implement two of those.

So let's analyze some of your options:

1) Something you know + something you have:

- user/pass + token and one time PIN => already used, pretty secure

- user/pass + private key on the computer (not necessarily PKI system) => I would not really advise, as by stealing your laptop the chance to also take your password is pretty high, so I wouldn't go for it.

- user/pass + challenge response token => I find this the best way. You need a system where you login with a user/pass + a PIN on the token.

Afterwards, there could be a challenge by the system which you introduce into the token and a response. This of course is based on an algorithm. It works quite well for online banking at the moment.

- certificate/private key (not necessarily PKI) /passphrase + PIN + token + challenge/response => probably the best combination for this type (know+have). However the usability is quite low as you will always need to have at all times your key with you and also the laptop and so on... it gets too complicated in my opinion.

What if you could have this certificate on an external device (card / bluetooth container / wireless container)?

Then you have quite a nice system to authenticate.

another nice option might be:

- user/pass + mobile phone as a pin (SMS or an SSL connection allowed only from your SIM). I find this quite nice as you do not have to carry another device with you (token) but you can use the mobile phone.

Of course the mobile phone needs to be properly secured by all means necessary (additional risk).

The risks need to be carefully analyzed and managed.

a bit more complicated option

2) something you know + something you have + somebody you are

- user/pass + smartcard and PIN + biometrics

one example is http://www.cardwerk.com/smart-card-readers/fingerprintscanner.aspx, and it's not the only one.

another is http://www.smartcardbiometric.com/ ... you can find a lot of them in the industry.

this is quite nice as it can be easily implemented.

on the smartcard you can have a private key (not necessarily in a PKI system) + biometrics information. The reader is quite nice and you've got three factors on a simple card.
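As an added illustration (not code from the forum post or any product it names), the following Python models the user/pass + challenge-response token option discussed above: after the user/pass step the server shows a one-time challenge, the user unlocks the token with the PIN and keys the challenge in, and the token's answer is checked against a secret shared with the server. The HMAC-SHA256 response, the three-try PIN lockout and the 60-second single-use challenge are assumptions of this model, not specifics from the post.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


class ChallengeResponseToken:
    """Model of the hand-held token: the PIN unlocks it, then it answers challenges."""

    def __init__(self, key: bytes, pin: str):
        self._key = key                                   # secret shared with the verifier
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._failures = 0

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if self._failures >= 3:
            return None                                   # locked after repeated wrong PINs
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._failures += 1
            return None
        self._failures = 0
        # Truncated HMAC over the challenge: short enough for the user to type back.
        return hmac.new(self._key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class Verifier:
    """Server side: issues single-use, time-limited challenges and checks responses."""

    def __init__(self, key: bytes, ttl_seconds: int = 60):
        self._key = key
        self._ttl = ttl_seconds
        self._pending: Dict[str, float] = {}              # challenge -> time issued

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(4).upper()          # 8 hex digits the user keys in
        self._pending[challenge] = time.time()
        return challenge

    def verify(self, challenge: str, response: Optional[str]) -> bool:
        issued = self._pending.pop(challenge, None)       # consumed here, so a replay fails
        if issued is None or response is None or time.time() - issued > self._ttl:
            return False
        expected = hmac.new(self._key, challenge.encode(), hashlib.sha256).hexdigest()[:8]
        return hmac.compare_digest(expected, response)


def second_factor_login(verifier: Verifier, token: ChallengeResponseToken, pin: str) -> bool:
    """The exchange after the user/pass step: challenge shown, keyed into the token, answered."""
    challenge = verifier.issue_challenge()
    return verifier.verify(challenge, token.respond(pin, challenge))
```

The verifier discards each challenge once it is checked, so an answer captured from one login is useless for the next; the lockout counter shows why a stolen token alone (the "something you have") is not enough without the PIN (the "something you know").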