Does using a token and a PIN for logging into a corporate internal system remove the need for regular user names and passwords?



  • I am evaluating an internal 2-factor authentication implementation in an organization. The system designer wants to remove regular user names and passwords from all user workstations, such that each user will have his badge as a login token and will have to enter a 6-digit key to log in to his workstation. Is this a normal practice? And does it make the scenario more secure or less secure? As a security reviewer, I find this as reducing the security of the workstation, because 6-digit PINs are easy to capture by over-the-shoulder attacks and stealing a badge is not that difficult. Regular user names and strong passwords are harder to capture by a similar attack. Remember that we are talking about an internal network with many other technical controls. My argument is that using just a card and a PIN is more vulnerable to internal physical attacks.



  • In practice, 2-factor auth means 2 of the following:

    • Something you are
    • Something you know
    • Something you have

    In this case he is replacing username and password which are both in the "Something you know" category for a token code and a badge which both fall under the "Something you have". So there is negligible augmentation in the way authentication is happening on that computer.

    Hope this helps.
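To make the factor discussion concrete, here is an added example (not code from the question or the answer) of how a workstation would combine a badge and a PIN: the badge holds a per-card secret and answers a random challenge, the PIN is checked against a salted hash, and a lockout counter caps PIN guessing. The challenge-response scheme, the in-memory card registry and the 3-failure lockout are assumptions for illustration. It shows the two scenarios from the question: a shoulder-surfed PIN without the badge, and a stolen badge without the PIN.

```python
import hashlib
import hmac
import os
import secrets

# Assumed lockout policy for the example; the original post states none.
MAX_PIN_FAILURES = 3


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 makes offline guessing of a leaked PIN hash slow; the 6-digit
    # space is small, so the online lockout below is the real control.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class Badge:
    """Something you have: a card holding a per-card secret key."""

    def __init__(self, card_id: str, secret: bytes):
        self.card_id = card_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Challenge-response: the secret never leaves the card, only an HMAC
        # over a fresh challenge does, so a captured response cannot be replayed.
        return hmac.new(self._secret, challenge, "sha256").digest()


class Workstation:
    """Constructed stand-in for the login service and its card registry."""

    def __init__(self):
        self.cards = {}  # card_id -> {secret, pin_salt, pin_hash, failures}

    def enroll(self, card_id: str, pin: str) -> Badge:
        secret = secrets.token_bytes(32)
        salt = os.urandom(16)
        self.cards[card_id] = {
            "secret": secret,
            "pin_salt": salt,
            "pin_hash": hash_pin(pin, salt),
            "failures": 0,
        }
        return Badge(card_id, secret)

    def login(self, badge: Badge, pin: str) -> str:
        rec = self.cards.get(badge.card_id)
        if rec is None:
            return "unknown card"
        if rec["failures"] >= MAX_PIN_FAILURES:
            return "locked"
        # Factor 1: prove possession of the card's secret.
        challenge = os.urandom(32)
        expected = hmac.new(rec["secret"], challenge, "sha256").digest()
        if not hmac.compare_digest(badge.respond(challenge), expected):
            return "bad card"
        # Factor 2: prove knowledge of the PIN; count failures per card.
        if not hmac.compare_digest(hash_pin(pin, rec["pin_salt"]), rec["pin_hash"]):
            rec["failures"] += 1
            return "locked" if rec["failures"] >= MAX_PIN_FAILURES else "bad pin"
        rec["failures"] = 0
        return "ok"


def demo() -> dict:
    ws = Workstation()
    badge = ws.enroll("card-0001", "482913")  # constructed card and PIN
    results = {"legit": ws.login(badge, "482913")}
    # Shoulder-surfed PIN, no badge: a forged card with a guessed secret fails
    # the challenge before the PIN is even looked at.
    forged = Badge("card-0001", b"guessed-secret")
    results["pin_only"] = ws.login(forged, "482913")
    # Stolen badge, unknown PIN: the card locks after MAX_PIN_FAILURES guesses,
    # so the 10^6 PIN space cannot be walked online; even the right PIN is then refused.
    results["stolen_badge"] = [
        ws.login(badge, p) for p in ("000000", "000001", "000002", "482913")
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

Without the lockout counter, the stolen-badge case reduces to at most one million guesses, which is the weakness the question raises; with it, an attacker needs both the card and the PIN within three attempts.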



