On Thu, May 17, 2007 at 02:14:55PM -0500, Eric Johnson wrote:
> Obviously, a fake skey challenge would need to be saved so that if the
> attacker tried again, he would see the same challenge.

Instead of saving the challenge, just regenerate it each time. E.g., hash a 128-bit secret with the username, and then format this as an skey challenge.
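
The regeneration approach suggested in the reply above, as an added example that is not part of the original message or of any project's code. It assumes HMAC-SHA256 as the keyed hash and the RFC 2289 challenge layout `otp-md5 <sequence> <seed>`; the function names and the two-letters-plus-five-digits seed shape are hypothetical choices made here.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: a 128-bit secret generated once per host. In a real deployment
# it must be persisted so decoy challenges stay the same across restarts.
SERVER_SECRET = secrets.token_bytes(16)

# Assumed layout (RFC 2289): "otp-md5 <sequence> <seed>", sequence 1..99.
CHALLENGE_RE = re.compile(r"otp-md5 ([1-9][0-9]?) ([a-z]{2}[0-9]{5})")


def fake_skey_challenge(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Return a stable decoy challenge for a user with no S/Key entry.

    Nothing is stored per username: the same (secret, username) pair always
    yields the same challenge, and without the secret the output cannot be
    recomputed by the client.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    # Separate slices of the digest feed each field of the challenge.
    seq = 1 + int.from_bytes(digest[0:4], "big") % 99
    letters = "".join(chr(ord("a") + b % 26) for b in digest[4:6])
    number = int.from_bytes(digest[6:10], "big") % 100000
    return f"otp-md5 {seq} {letters}{number:05d}"


def is_wellformed(challenge: str) -> bool:
    """Check that a challenge matches the assumed layout above."""
    return CHALLENGE_RE.fullmatch(challenge) is not None


if __name__ == "__main__":
    # Constructed usernames; the repeated name shows the challenge is stable.
    for user in ("alice", "nosuchuser", "nosuchuser"):
        print(user, "->", fake_skey_challenge(user))
```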