So, how can this protect an internal network? Traditionally, routers and switches are accessed through a direct connection to the device, by telnet or via a Web interface. All of these methods send the user ID and password in clear text, which can be picked off the network by malicious users with packet sniffers. If a user ID and password were stolen, the intruder would still need the OTP value to gain access. Tokens can be defeated through man-in-the-middle attacks, where the credentials are stolen by a malicious user controlling a server between the client and the host; the attacker then immediately logs on to the real host with the stolen credentials and forwards its own bogus information. Since routers and switches are often directly accessed, tokens used for their management aren't susceptible to these types of attacks.
Tokens aren't foolproof. Here are some best practices for using them:
- Make sure every user has their own unique token. That means no sharing of tokens among users or allowing a single token for an entire user group.
- Educate users to keep a close eye on their tokens and keep them in a safe and secure place when not in use.
- Tightly control token distribution. Only issue tokens to active users. When a user no longer needs a token, not only revoke it, but also deactivate it entirely. Users should be required to report any lost or stolen tokens immediately.
- Keep an accurate inventory of all tokens received and distributed. Whenever a shipment of tokens arrives, keep a record of each individual token and its serial number. Note any irregularity or defective token in the record and send defective tokens back to the manufacturer.
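To make the two points above concrete (a sniffed user ID, password and OTP value is useless once the one-time code has been consumed, and a token that is revoked or deactivated must stop working even if the password is still correct), here is an added example of a small verifier with a token inventory. It is illustration code written for this page, not code from the original answer or from any token vendor. It assumes the tokens use the event-counter HOTP algorithm from RFC 4226 (the answer does not say which OTP scheme the tokens use), the class and function names are hypothetical, and the secret is the RFC 4226 test vector, constructed for the demo rather than a real deployment key.

```python
import hmac
import hashlib
import secrets
import struct
from dataclasses import dataclass

# Hypothetical verifier added for illustration; not the original answer's code.
# HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation.
HOTP_DIGITS = 6
LOOK_AHEAD = 5  # counters past the last accepted one we will try (token drift)


def hotp(secret: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Token:
    serial: str          # the serial number recorded when the shipment arrived
    secret: bytes
    user: str
    counter: int = -1    # last accepted counter; -1 means no code used yet
    active: bool = True  # False once revoked/deactivated (lost, stolen, returned)


class TokenServer:
    def __init__(self) -> None:
        self.tokens: dict[str, Token] = {}     # inventory keyed by serial
        self.by_user: dict[str, str] = {}      # user -> serial: one token per user
        self.passwords: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll_user(self, user: str, password: str, serial: str, secret: bytes) -> None:
        if user in self.by_user:
            raise ValueError("user already holds a token; no second token")
        if serial in self.tokens:
            raise ValueError("serial already in inventory; tokens are not shared")
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, self._hash_pw(password, salt))
        self.tokens[serial] = Token(serial=serial, secret=secret, user=user)
        self.by_user[user] = serial

    def revoke(self, serial: str) -> None:
        # The record stays in the inventory; only the active flag changes.
        self.tokens[serial].active = False

    def verify(self, user: str, password: str, otp: str) -> bool:
        serial = self.by_user.get(user)
        if serial is None:
            return False
        token = self.tokens[serial]
        if not token.active:
            return False
        salt, stored = self.passwords[user]
        if not hmac.compare_digest(stored, self._hash_pw(password, salt)):
            return False
        # Only counters strictly after the last accepted one are valid, so a code
        # an eavesdropper captured earlier is already consumed and will not match.
        for c in range(token.counter + 1, token.counter + 1 + LOOK_AHEAD):
            if hmac.compare_digest(hotp(token.secret, c), otp):
                token.counter = c
                return True
        return False


def demo() -> tuple:
    # Constructed sample: RFC 4226 test secret; codes for counters 0,1,2 are
    # 755224, 287082, 359152.
    server = TokenServer()
    server.enroll_user("admin", "router-pw", "SN-0001", b"12345678901234567890")
    first = server.verify("admin", "router-pw", "755224")        # legitimate login
    replay = server.verify("admin", "router-pw", "755224")       # sniffed pair replayed
    second = server.verify("admin", "router-pw", "287082")       # next fresh code
    server.revoke("SN-0001")                                      # token reported lost
    after_revoke = server.verify("admin", "router-pw", "359152")  # valid code, dead token
    return first, replay, second, after_revoke


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The replay check is the piece that backs the answer's claim: the sniffed password is still correct on the second attempt, but the captured code sits at or below the last accepted counter and is never retried. The revoke path shows why "deactivate it entirely" matters more than just collecting the device; the inventory keeps the serial on record while the verifier refuses it.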
Related Q&A from Joel Dubin