the limits of crypto and authentication

Florian Weimer fw at deneb.enyo.de
Sat Jul 9 18:46:44 EDT 2005


* Nick Owen:

> I think that the cost of two-factor authentication will plummet in the
> face of the volumes offered by e-banking.

I doubt this is true.  In Germany, we already use some form of
two-factor authentication for Internet banking transactions (account
number/password and a one-time password for each transaction).  Yet
banks are desperately looking for alternatives because distributing
those one-time password lists is too expensive (!).  To me, this was
quite surprising because it's just one sheet of paper every 200
transactions or so.

Even worse, this scheme has failed, and there are successful attacks
in the wild (involving compromised client PCs).  Right now,
time-dependent tokens do help, but only because you outrun the other
guy.  The real-time requirements imposed by them are not a fundamental
obstacle to the attackers, and even now, the way they route the money
makes it very hard to detect things in real-time (at least on the
money side).

Well, you can imagine my surprise when Howard Schmidt praised
two-factor authentication as a solution to our current problems at the
FIRST 2005 conference. 8-/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


