Key fob security.

[Xyzzy]

We have a rough idea how this thing works, but since we know some of you really know how they work, we thought it would be fun to talk about how they function, their advantages and disadvantages and stuff like that.

We can see ourselves in a few years with a rope full of these things for every site we visit. Kind of like back in the dark ages when you had to stack parallel port dongles for every software package you had.

(This particular key works for Paypal and eBay.)

[jasong]

My dad used one of those when he had a tech job, I've never used one myself. I think what would be cool is if these could be made out of RFID dots, you could place them on e-paper that fits in your wallet. When you needed to enter a site you'd just scroll through the list and activate the appropriate dot.

It could be run off a watch battery.

[Xyzzy]

I'm curious how the numbers are generated and how the "server" keeps track of it all. I have a vague idea but I can't express it without getting this thread tossed into "Miscellaneous Math".

[potonono]

Rather than being random, I'd bet there are varying formulas in use.

I believe most servers probably keep track by keeping a database of device serial numbers tied to account ID's. At any given moment, the server knows what the device is displaying.

[moo]

ive heard of ones that go off of time were you set the time and it generates the number for that minute
withen that time you need to have your number entered into the website because thats what the server generated for that time.

[Mystwalker]

*cough* http://en.wikipedia.org/wiki/Securid *cough*

Btw.:
There are already considerations how a single (hardware) token can be used to authenticate against different companies.

[biwema]

Quote:

Originally Posted by Xyzzy

I'm curious how the numbers are generated and how the "server" keeps track of it all.

Short answer:
The token generates a sequence of a secret formula f(time). From this Sequence a hashvalue is generated.

The Server can generate the same sequence (knowing the time)

[Xyzzy]

What happens if the server time and the fob time get radically out of sync?

Or does the server adjust its time to match the fob?

[moo]

Quote:

Originally Posted by Xyzzy

What happens if the server time and the fob time get radically out of sync?

Or does the server adjust its time to match the fob?

then it dont work and you call your fob provider and have them ship you another fob united pack and smash style.


actually
difficulty can occur if the authentication server's clock becomes out of sync with the clock built in to the authentication tokens. However, typically the RSA Authentication Manager automatically corrects for this without affecting the user. It is also possible to manually resync a token in the RSA Authentication Manager. Also, providing authentication tokens to everyone who might need to access a network resource can potentially be expensive, particularly as the tokens are programmed to "expire" at a fixed time, usually three years, requiring purchase of a new token.

[Xyzzy]

Quote:

actually difficulty can occur if the authentication server's clock becomes out of sync with the clock built in to the authentication tokens. However, typically the RSA Authentication Manager automatically corrects for this without affecting the user. It is also possible to manually resync a token in the RSA Authentication Manager. Also, providing authentication tokens to everyone who might need to access a network resource can potentially be expensive, particularly as the tokens are programmed to "expire" at a fixed time, usually three years, requiring purchase of a new token.

Just a pet peeve:

If you are going to quote a source, especially verbatim, perhaps use quote tags and indicate the source.

[jasong]

I hope I don't offend anyone, but I've got a quick off-topic question:

Are moo and MooMoooo(or whatever) the same person?