Ask HN (Ask Tptacek): Are RSA SecurIDs Fundamentally Flawed? - jashkenas

Since the attack on RSA earlier this year, I've been wondering if companies that use SecurIDs as a component of their corporate passwords aren't doing more harm to themselves than good.

In brief, it seems like they make a large portion of your password computationally predictable, and make the unique component of the password shorter than it otherwise would be. Fine if only RSA knows how to predict it -- but as soon as an exploit arises, it's literally impossible to patch the hardware.

If you were starting from scratch, would you choose hardware-based two-factor auth, a two-factor system that's in software and patchable, or forgo the notion entirely?
======
mceachen
Two-factor auth certainly lifts general security -- but I'd also be running
<http://www.openwall.com/john/> to prevent poor primary passwords in the first
place.

Why isn't <http://code.google.com/p/google-authenticator/> the go-to solution?
Open source codebase, ports for iOS, Android, and Blackberry, and it's easy to
integrate with...?
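
To make concrete what both the OP's concern and the google-authenticator suggestion rest on, here is an added example (mine, not code from this thread and not google-authenticator's own code) that implements HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library. It uses the RFC's published test secret "12345678901234567890" (ASCII) so the codes can be checked against the RFC vectors. The point it demonstrates: the one-time code is a pure function of the shared seed and a counter or clock, so anyone holding a copy of the seed produces the same codes the token does, and the only remedy is to rotate the seed, which a software token can do and a sealed hardware token cannot. The window handling in `verify_totp` and the `rotate_seed` helper are my own illustrative choices, not a prescribed API.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): code = Truncate(HMAC(seed, counter)) mod 10^digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(seed, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits, digestmod)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current time step or +/- `window` steps
    (tolerates clock skew). Constant-time comparison avoids leaking how many
    leading digits matched."""
    for skew in range(-window, window + 1):
        expected = totp(seed, unix_time + skew * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def rotate_seed(length: int = 20) -> bytes:
    """Issue a fresh random seed. This is the 'patch' a software token allows:
    a stolen copy of the old seed becomes worthless. A hardware token whose
    seed is burned in at manufacture has no equivalent step."""
    return secrets.token_bytes(length)


def attacker_with_stolen_seed_matches(seed: bytes, unix_time: int) -> bool:
    """Shows the OP's point: an attacker holding the seed (e.g. from a breach
    of the vendor's seed records) computes exactly the code the token shows."""
    token_code = totp(seed, unix_time)
    attacker_code = totp(seed, unix_time)            # same inputs, same output
    return verify_totp(seed, attacker_code, unix_time) and token_code == attacker_code


def stolen_seed_useless_after_rotation(old_seed: bytes, unix_time: int) -> bool:
    """After rotation the attacker's codes (from the old seed) no longer verify
    against the server's new seed, except with probability ~10^-6 * window."""
    new_seed = rotate_seed()
    attacker_code = totp(old_seed, unix_time)
    return not verify_totp(new_seed, attacker_code, unix_time)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    rfc_seed = b"12345678901234567890"
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(rfc_seed, t, digits=8))
    print("stolen seed matches:", attacker_with_stolen_seed_matches(rfc_seed, 59))
    print("useless after rotation:", stolen_seed_useless_after_rotation(rfc_seed, 59))
```

The RFC 6238 vectors (8 digits, SHA-1, 30-second step) for the test seed are 94287082 at T=59, 07081804 at T=1111111109 and 65353130 at T=20000000000; if your run prints anything else, the truncation or counter packing is wrong. Note that `verify_totp` with `window=1` accepts three codes at any moment, which is the usual skew trade-off and is also why a stolen-seed attacker has the same three to choose from.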

------
jolan
Have you heard of Duo Security?

<http://www.duosecurity.com/>