On Wed, Jun 17, 2009 at 3:51 PM, Curtis Bayne <span dir="ltr"><<a href="mailto:curtis@bayne.com.au">curtis@bayne.com.au</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Considering that tokens are (at least in our case) usually on the same<br>
retractable keychain as our datacentre swipe cards and photo identity<br>
cards I don't really see how it adds any extra security.</blockquote><div><br>It's called "2-factor authentication" for a reason.<br><br>The token is only one of the factors (the "something you have") - even if you do loose it and everything else on your keychain the person who finds it still can't (in theory, at least) authenticate without knowing the other factor such as the PIN number or password that goes with the token (the "something you know").<br>
<br>The reverse is also obviously true - if I can manage to shoulder-surf your password, I can't use it without the token.<br><br>Of course there's still a small risk that you could do both - shoulder-surf the password/pin and physically steal the token, but at least in that situation you're far more likely to notice that it's occurred than if you were using a password alone as you've be physically missing something - the token.<br>
<br> Scott<br><br></div></div>