the limits of crypto and authentication

Nick Owen nowen at wikidsystems.com
Sat Jul 9 17:50:02 EDT 2005


I think that the cost of two-factor authentication will plummet in the
face of the volumes offered by e-banking.  Also, the more uses for the
token, the more shared the costs will be.  The question to me is will
the FIs go with anything beyond secure cookies, IP address validation
and unique images.  Will they be forced to by the powers that be or by
disclosure requirements after the basic systems are thwarted?

I also think that the lower end cell phone is now capable of handling
the task.  While a PC client may not be very secure, it does offer some
potential benefits such as auto-validating SSL certs.  Whether the
carriers will bother with a potential revenue stream in two-factor
authentication when they can make more money in ringtones is another
question - back to the business model ;).

Ian Grigg wrote:
> FTR, e-gold were aware of the general makeup of this
> threat since 1998 and asked someone to look at it.  The
> long and the short was that it was more difficult to solve
> than at first claimed, so the project was scrapped.  This
> was a good risk-based decision.  The first trojans that I
> know of for e-gold weren't spotted until 12-18 months
> ago, so it was also a profitable decision.  What they are
> doing now I don't know.
> 
> In the payments world we've known how to solve all
> this for some time, since the early 90s to my knowledge.
> The only question really is, have you got a business
> model that will pay for it, because any form of token is
> very expensive, and the form of token that is needed -
> a trusted device to put the application, display, keypad
> and net connection on - is even more expensive than
> the stop-gap two-factor authentication units commonly
> sold.
> 
> iang

-- 

Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


