In an earlier project I was involved with another token where we developed a custom GINA (Windows login screen basically). My experience is that it created a nightmare in terms of support- and compatibility problems, including inability to login in at all.
An alternative that always works is to use our "static OTP" configuration, i.e. having a Yubikey that sends a very long static password of gibberish. Although not as secure as a dynamic code, it is certainly a lift from traditional weak/short passwords.
Consider replacing a pretty-hard-to-guess password like
HaaRD!PaszwoRrD
with
fkjjrrceftukvgtvtekdvllnblrundclbdgteinlgrfvlnblrundkcelujvvuubgcirbhhjeegfenebteheg
Just imagine telling that one to someone over the phone. Write it down on paper and type it in, letter by letter...
In order to get more of a two-factor model, the password can be prefixed with the user's ordinary password. Then the Yubikey is pressed and the 32-64 character gibberish string is outputed after it together with an ENTER stroke.
An user with the password "Yubico" would then have the real password Yubicofkjjrrceftukvgtvtekdvllnblrundclbdgteinlgrfvlnblrundkcelujvvuubgcirbhhjeegfenebteheg
Again - not perfect but works for all settings, including local login. Allowing the user to changing the password is not that difficult either...
Regards,
JakobE
Hardware- and firmware guy @ Yubico
Telling the password over theStatistics: Posted by Jakob — Fri Jun 13, 2008 8:17 pm
]]>