Smartcard and non-password methods (was Re: Password repository)

Adam Stasiniewicz stasinia at msoe.edu
Sat Nov 21 18:40:26 UTC 2009


Sadly, passwords are the least common denominator.  The biggest problems
with 2 factor devices (smart cards, OTPs, etc) is having to buy, configure,
and distribute them; plus get them to work with the myriad of
applications.

Certificates that are issued to computers/web browsers suffer from a lack of
portability (i.e. by design, the user shouldn't be able to export and share
the certificate with anyone they want).  Plus with any solution using
certificates (client or smart card) a substantial reconfiguration is
required to support websites/applications being able to process certificate
logons.

IMHO, even though OTPs are the less secure of the two types of two-factor
products, I see them growing faster than any other method.  From an end-user
perspective, they are small/portable, don't require a reader, and don't
require any special OS, web browser, or software.  From an infrastructure
perspective, it is easier to convert a website to support OTPs (simply
change the function that runs the password validation; instead of having to
install and configure a special module/component that would handle the
mutual auth required by certificates).  Also, many of the OTP vendors are
working on making their products function more easily cross-platform (while
with smart cards, you are basically stuck with either Microsoft's
corporate/non-service provider friendly solution, or have to code your own).


My $0.02,
Adam Stasiniewicz
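As an added illustration of the "simply change the function that runs the password validation" point (example code, not part of Adam's post or any vendor product), here is a server-side HOTP check in the style of RFC 4226 that could stand in for a password comparison. The secret, counter values and look-ahead window are assumptions for the demo; the secret is the RFC 4226 test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test-vector key, not a real credential).
# In production it is provisioned per token and stored server-side as a secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def validate_otp(secret: bytes, next_counter: int, submitted: str,
                 window: int = 5) -> tuple[bool, int]:
    """Drop-in replacement for a password-validation function.

    next_counter is the first counter value the server has not yet accepted.
    Returns (ok, new_next_counter). Looks ahead `window` values so a token
    whose button was pressed without logging in resynchronises, and never
    accepts a counter below next_counter, which rejects replayed codes.
    """
    for c in range(next_counter, next_counter + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True, c + 1          # advance past the counter just used
    return False, next_counter          # state unchanged on failure


if __name__ == "__main__":
    state = 0
    ok, state = validate_otp(DEMO_SECRET, state, hotp(DEMO_SECRET, 0))
    print("first code accepted:", ok, "next counter:", state)
    ok, state = validate_otp(DEMO_SECRET, state, hotp(DEMO_SECRET, 0))
    print("same code replayed, accepted:", ok)
    ok, state = validate_otp(DEMO_SECRET, state, hotp(DEMO_SECRET, 3))
    print("code after two skipped presses accepted:", ok, "next:", state)
```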


-----Original Message-----
From: Sean Donelan [mailto:sean at donelan.com] 
Sent: Friday, November 20, 2009 5:43 PM
To: nanog at nanog.org
Subject: Smartcard and non-password methods (was Re: Password repository)


Are any network providers supporting smartcards or other non-password
based authentication methods?  Passwords always end up blaming the
user for choosing/not remembering good passwords instead of blaming the
technology for choosing/not doing things so the user isn't forced to
work around its flaws.

I know about the DOD Common Access Card.  One-time code-generator tokens
seem more widely used by single enterprises.  But inter-operable
credentials still seem to be one of those great unsolved problems for
computer security.  Are passwords still the only lowest-common-denominator?
