the limits of crypto and authentication

Nick Owen nowen at wikidsystems.com
Sun Jul 10 09:50:58 EDT 2005


I think the difference now is the number of vendors entering the market,
the variety of solutions (and their relative security), and demand
outside of Europe.  When we started in mid-2001, we were looking at the
existing hardware guys and that is it.  Now there are a handful of
venture-backed software players with different solutions all targeting
the banking market, which didn't exist then.

We have not seen any interest in our two-factor solution from Germany or
any country where they have some form of two-factor authentication.
Perhaps this is similar to the US corporate market where companies that
have tokens aren't very interested in switching to save money - the CSO
only takes risk in switching and sees no personal benefit in reducing
costs (my theory at least) so there's no true vetting, only beating up
the current vendor for a slightly better deal. Thus your banks will
still complain that the price of mailing paper is too high, which of
course it is when compared to software tokens.

We are, however, seeing interest from US and South American banks and
the numbers are huge and we will be very aggressive in pricing.  We also
see that we are competing against companies that use IP address
verification, secure cookies and other things that are readily
compromised, but apparently easy to roll out and maintain and
inexpensive.  So, we have to compete against those substitutes that
don't even use cryptography or two-factor authentication but would be
better termed as fraud detection and prevention.



Florian Weimer wrote:
> * Nick Owen:
> 
> 
>>I think that the cost of two-factor authentication will plummet in the
>>face of the volumes offered by e-banking.
> 
> 
> I doubt this is true.  In Germany, we already use some form of
> two-factor authentication for Internet banking transactions (account
> number/password and a one-time password for each transaction).  Yet
> banks are desperately looking for alternatives because distributing
> those one-time password lists is too expensive (!).  To me, this was
> quite surprising because it's just one sheet of paper every 200
> transactions or so.
> 
> Even worse, this scheme has failed, and there are successful attacks
> in the wild (involving compromised client PCs).  Right now,
> time-dependent tokens do help, but only because you outrun the other
> guy.  The real-time requirements imposed by them are not a fundamental
> obstacle to the attackers, and even now, the way they route the money
> makes it very hard to detect things in real-time (at least on the
> money side).
> 
> Well, you can imagine my surprise when Howard Schmidt praised
> two-factor authentication as a solution to our current problems at the
> FIRST 2005 conference. 8-/
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
> 

-- 

Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
