Replies

I know it's an issue of semantics... but to say that they broke in to the network using copied SecureID tokens and the "other" required information is like me stealing your house key and then breaking in to your house. :-)

SecureID is one of those things I've always had misgivings with for high security needs simply because it's "obvious". It's like the wonks I used to work with who would keep STU-III keys on their keyring and they would be viewable "sometimes" when they pulled things out of their pockets at various places. IF somebody knows what the item is for, and they can get the rest of the required information, then the security is defeated.

If you compare this to IPSEC and a shared key, it's a lot more trouble even determining that IPSEC is using a shared key (at least for Phase-I). But SecureID is "visible". Somebody SEES it, and this tells them that the holder has access to information that somebody thinks is worth protecting. SecureID markets their product on the premise of high security, but no SCIF I ever worked in would have ever even permitted the token through the door simply based on what it does. :-)