Katsuko wrote:
Update: It seems that the token key you enter and use to log in also stays usable for 27 minutes.
(i.e. You generate a key, use it to log in, you then dc 10 minutes later. You can use the same key again to log in as the 27 minutes has not yet expired.)
This really doesn't fix the threat of keyloggers, and almost makes this entire thing pointless...
Okay, it looks like the initial tester jumped the gun on this one.
Some more info came in, and it turns out that the code you use, plus all additional codes generated by the token prior to the one you just used, get burned once you log in.
It looks like the token hashes a new password every 40 seconds, each of these passwords stays active for about 25 minutes, and when you hit the red button on the token, it just supplies you with the most recently created password. This means that at any given time, there are about 40 different token passwords that can be used, all of which are unique to your token.
The token passwords are 6 digits long, with 10 possible characters per digit, which means it would take them almost 140 hours to have attempted each possible combination. As for random guesses and blind luck, they would have a 1/25,000 chance of guessing the token password correctly on a whim.
However! Now keep in mind that they would also need your POL ID, your POL PW, your SE ID, and SE PW.
So breathe a sigh of relief: once this token is in place on your account, the chances of you getting hacked are nearly astronomical.
Still, I would feel even a bit more comfortable if they were to reduce the natural password expiry to 5 minutes.
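A small model of the token behaviour described in the reply above (added example, not the poster's code or the vendor's implementation): a new 6-digit code every 40 seconds, each code accepted for 25 minutes, and a login burning the code used together with every older one, which is what makes the replay 10 minutes later from the earlier update fail. The HMAC-SHA1 construction and the secret are assumptions for the sake of the model; with these numbers 38 codes are valid at once, which the post rounds to about 40.

```python
import hmac
import hashlib

INTERVAL = 40        # seconds between new token passwords (from the post)
VALIDITY = 25 * 60   # seconds each password stays accepted (from the post)
DIGITS = 6

# Constructed secret for the model; a real token holds a per-device secret.
SECRET = b"example-token-secret"


def token_code(secret: bytes, counter: int) -> str:
    """Password for one 40-second slot (HMAC-SHA1 is an assumed construction)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 10**DIGITS:0{DIGITS}d}"


def current_code(secret: bytes, now: int) -> str:
    """What the red button returns: the most recently generated password."""
    return token_code(secret, now // INTERVAL)


def active_slots(now: int) -> range:
    """Counters whose passwords were generated within the last VALIDITY seconds."""
    newest = now // INTERVAL
    return range(newest - VALIDITY // INTERVAL, newest + 1)


class Verifier:
    """Server side: accepts any still-valid code, then burns it and all older ones."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1  # highest counter already consumed by a login

    def login(self, code: str, now: int) -> bool:
        for counter in active_slots(now):
            if counter > self.last_used and hmac.compare_digest(
                token_code(self.secret, counter), code
            ):
                self.last_used = counter  # burn this and every older password
                return True
        return False


def guess_probability(now: int) -> float:
    """Chance that one random 6-digit guess matches some currently valid code."""
    return len(active_slots(now)) / 10**DIGITS
```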