eichin@ATHENA.MIT.EDU (Mark W. Eichin) (10/31/90)
(Was this a random flame, or was it in response to a previous discussion? Last I knew, Enigma Logic makes authentication smart-cards, but I could be wrong...)

Another alternative to network-visible passwords is the Kerberos(tm) Authentication System, developed at MIT's Project Athena. It has been discussed in several USENIX papers, is actively in use at a number of sites (aside from the over 10K users at MIT) and successfully provides multi-realm authentication (a "realm" is an administrative domain).

The password still gets entered at the local workstation, but there is no reason to send it further (in fact, there are systems at MIT that *only* accept authenticated connections, and will not accept passwords typed at them).

There remains the fact that a user can share the password with another user; Athena makes it policy that you are responsible for your password, and are not to share your account, thus "defining" you as accountable.

Another important feature of Kerberos is that versions of it are becoming available at non-US sites, which is not, as far as I know, true of hardware-based encryption/authentication boxes...

_Mark_ <eichin@athena.mit.edu>