Smartcard and non-password methods (was Re: Password repository)

Joel Jaeggli joelja at
Sun Nov 22 04:24:04 UTC 2009

Cards and tokens are a proxy for the use of certificate authentication.

You can in fact do certificate auth without the use of cards or tokens,
or mix and match physical tokens and other private key storage depending
on need, with the same authentication backend (typically LDAP).

Since this plays nicely with EAP-TLS, 802.1X, IKE, SSL/TLS, and S/MIME
it seems like a shoo-in; once you have a uniform authentication system
one is inclined to use it for everything. Obviously being involved in
several of these with multiple CAs is something of a pain in the
ass if it involves juggling 2 or more tokens instead of passwords
(which are already a problem if you have to track quite a few
non-overlapping ones).

Typically tokens continue to require passwords or some other method to
unlock them for use, effectively making them two-factor (secret+physical).

Sean Donelan wrote:
> Are any network providers supporting smartcards or other non-password
> based authentication methods?  Passwords always end up blaming the user
> for choosing/not remembering good passwords instead of blaming the
> technology for choosing/not doing things so the user isn't forced to
> work around its flaws.
> I know about the DOD Common Access Card.  One-time code-generator tokens
> seem more widely used by single enterprises.  But inter-operable
> credentials still seem to be one of those great unsolved problems for
> computer security.  Are passwords still the only lowest-common-denominator?
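The flow Joel describes, one verifier accepting certificates regardless of where the private key lives, as an added example in Go. This is not code from the post or from any system it mentions. The CA names, the directory entries, the fixed nonce and the simple sign-a-nonce exchange are constructed stand-ins: TLS, EAP-TLS, IKE and S/MIME each carry the certificate and the proof of possession in their own message framing, and a real backend would query LDAP rather than a map. The example also goes one step past the post by trusting two issuers in the same backend and rejecting a certificate from a third.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// directory stands in for the LDAP backend; constructed sample data (CN -> account DN).
var directory = map[string]string{
	"alice": "uid=alice,ou=people,dc=example,dc=com",
	"bob":   "uid=bob,ou=people,dc=example,dc=com",
}

// trustStore lists the issuers one backend accepts; several CAs at once is what lets file-based and card-based certificates share it.
type trustStore []*x509.Certificate

// issue generates a P-256 key and a certificate for cn: a self-signed CA when parent is nil, otherwise a client-auth
// certificate signed by parent. For a smartcard user the key is generated on the card and only the public half reaches the issuer.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; a real CA must guarantee uniqueness
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: sign the template with its own key
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// proveKey is the client's part: sign the verifier's nonce. Behind a token this
// runs on the card once the PIN unlocks it; with a file key it runs in software.
func proveKey(key crypto.Signer, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return key.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// authenticate is the verifier's part: chain the certificate to a trusted CA, check the nonce
// signature (proof the peer holds the key), then map the subject to a directory entry.
func authenticate(trusted trustStore, certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("chain validation: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("proof of possession: %w", err)
	}
	dn, ok := directory[cert.Subject.CommonName]
	if !ok {
		return "", fmt.Errorf("no directory entry for %q", cert.Subject.CommonName)
	}
	return dn, nil
}

func main() {
	softCA, softKey, _ := issue("Example Soft-Cert CA", nil, nil)
	cardCA, cardKey, _ := issue("Example Smartcard CA", nil, nil)
	otherCA, otherKey, _ := issue("Unrelated CA", nil, nil)
	trusted := trustStore{softCA, cardCA}       // otherCA is deliberately not trusted
	nonce := []byte("constructed server nonce") // random per exchange in practice
	check := func(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) {
		user, key, _ := issue(cn, ca, caKey)
		sig, _ := proveKey(key, nonce)
		dn, err := authenticate(trusted, user.Raw, nonce, sig)
		fmt.Printf("%s via %q: dn=%q err=%v\n", cn, ca.Subject.CommonName, dn, err)
	}
	check("alice", softCA, softKey)   // file-based key, trusted issuer: accepted
	check("bob", cardCA, cardKey)     // card-held key (simulated), trusted issuer: accepted
	check("alice", otherCA, otherKey) // same CN, untrusted issuer: rejected
}
```

Run as is, it accepts alice and bob (each chaining to a different trusted CA) and rejects the third "alice" at chain validation even though the CN collides. The PIN that unlocks a token never appears here on purpose: it guards the call that produces `sig`, and the verifier only ever sees the signature, which is why the backend cannot tell a card from a file.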

