Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK
#2664
But, juiceme, you could say the same about the RSA tokens. They are also a software solution, however disguised as a piece of hardware. Just like any other key, they are the "security through obscurity" type, relying on the key being difficult to copy. Done right, any other software solution could be no worse than that.

FWIW, our company also replaced RSA tokens with a mobile "app" for the second-level authentication. I believe the "app" is one of those that are a mere front-end to a server solution, but I do not really know or care. Luckily they have a backup for the few Luddites like me who do not have (in my case by choice) an Android or iOS phone: the system sends me an SMS with the unlock OTP. The disadvantage is that I had to tell the company my mobile phone number. You just can't win; they always find a way to get you in the end.

The system is far from perfect and is actually quite annoying. I understand that they want to guard the entry to sensitive areas like git and Jira, but come on, you really do not have to bother me with authentication when I have already authenticated once to enter the network - either by logging in to the company network (where only authenticated devices are allowed entry) or to VPN (with another two-stage authentication). So I end up with SMS OTP several times for each operation. The word paranoia does not start to cover it.
__________________
Russian warship, go fuck yourself!