Archive for March, 2011

Interesting discussion paper about mobile phone wallets

Tuesday, March 29th, 2011

If you’re interested in authentication, or in how economic incentives impact security architectures, this is definitely worth reading:

RSA Exploit

Monday, March 21st, 2011

It will be interesting to see if the recent, successful attack against RSA revealed the seeds used to initialize RSA tokens. If so, those tokens are basically useless now – providing just one factor of authentication.

The big lesson here is not about RSA or even tokens per se. It’s about concentration of risk. If the security of every one of the millions of RSA tokens issued to thousands of organizations around the world depends on the security of a single set of seed numbers, then it follows that there is too much trust vested in a single organization’s ability to protect a single (and small) data set.

Far better for each RSA customer to initialize its own tokens, using its own seed numbers. This way, a compromise would only impact that organization’s tokens – not anybody else’s. Limited harm.

I wonder if RSA would or even could change the SecurID token architecture to allow organizations to implement their own number sequences?
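As an added illustration (not from the post, and not SecurID's proprietary algorithm), the public HOTP construction from RFC 4226 shows why a leaked seed is the whole game: the code a token displays is a deterministic function of its seed and a counter, so whoever holds the seed database can produce every code. The `OrgTokenStore` class is a hypothetical sketch of the per-organization seed provisioning the post argues for: seeds are generated and held locally, so a compromise of one store is bounded to that organization's tokens.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1(seed, counter) -> dynamic truncation -> mod 10^digits.

    The output depends only on (seed, counter): the seed IS the second factor.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OrgTokenStore:
    """Hypothetical seed store owned by the deploying organization, not a vendor.

    Each organization runs its own instance; a seed never leaves the organization,
    so a breach of one store cannot expose another organization's tokens.
    """

    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}  # token serial -> seed (in-memory for the example)

    def provision(self, serial: str) -> bytes:
        """Generate a fresh 160-bit seed locally and register it under the token serial.

        The returned seed is what would be loaded into the token at initialization.
        """
        seed = secrets.token_bytes(20)
        self._seeds[serial] = seed
        return seed

    def verify(self, serial: str, counter: int, code: str) -> bool:
        """Accept a code only if this organization holds the seed for that serial."""
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        return hmac.compare_digest(hotp(seed, counter), code)


# RFC 4226 Appendix D test vector: ASCII seed "12345678901234567890", counter 0 -> "755224"
RFC4226_SEED = b"12345678901234567890"
```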