Monday, January 8

Yikes! Bad Security

Dave Birch (Hyperion) posted about an administrator at a large financial firm who encourages his user population to tether their RSA SecurID tokens to their laptops. All I could really say is Yikes! ...and I don't think I've ever used that word before. Imagine the look on his or her face when the CIO (or other IT manager) who approved the two-factor authentication project in order to achieve greater security got that email.

Apparently, some of the employees of this organization complained about having to carry a token with them. I can understand that, but there are certainly other options -- think BlackBerry or mobile-phone token, software token, browser toolbar token, just to name a few. And even the latest token design is less bulky on your key chain if you elect to stay with physical tokens.

So, if this message gets back to the SecurID administrator who posted that message, please reach out to us. We can make life easier AND more secure. It's not an either-or scenario. These users can install a soft token on their mobile device and then leave their hardware token at home where they use it most.

The proposed tethered-token solution largely negates the organization's security investment: a token kept attached to the laptop it is meant to protect is no longer an independent second factor. And I can only guess that this practice would have a negative effect on a security or compliance audit.

[Addendum: Dave was pointing to another article.]

