Revision [536]

Last edited on 2006-08-15 02:33:54 by KogAdmin [update - need to go back and edit]
Additions:
<< UPDATE: It looks like we won't be using register Agents. Instead, on startup it will look for a serial in the properties, and if it doesn't find one it will ask the server for one. During normal operation there will be a manager-only (or admin-only) section that allows manual adjustment. We're already using SSL, poorly at that, due to the framework. << ::c::


Revision [505]

Edited on 2006-06-16 13:23:10 by KogAdmin [physical tokens]
Additions:
==== Physical Tokens ====
It might be nice to allow user-based interaction with either RNG keygens (like RSA proposes), or with physical manifestations of keypairs - such as having a keypair on a card you can scan or use as a smartcard. Any time a user needs to identify themselves, or override, they can swipe a device, which improves throughput. Obviously this has a vulnerability cross-section of lost cards, loaned cards or borrowed cards, but no more than a UID/pass based solution. It does, however, introduce a security barrier, because someone needs to forge one of your cards to gain access to a terminal, and it also provides a revocation list/repository for keys. You can also combine these keys into other sections of your business.
The downside is that scanners can be expensive, cards can be expensive and RNG keyfobs can be yet more expensive. I think that it may be of benefit to just use a barcode with a UID or possibly a password encoded on it - the cost is a piece of paper, printing a barcode and using whatever scanner you already possess.


Revision [501]

The oldest known version of this page was created on 2006-06-16 04:07:52 by KogAdmin [physical tokens]