the limits of crypto and authentication
Ben Laurie
ben at algroup.co.uk
Mon Jul 11 14:43:31 EDT 2005
Peter Gutmann wrote:
> dan at geer.org writes:
>
>
>>Take a look at Boojum Mobile -- it is precisely the idea of using the cell
>>phone as an out-of-band chanel for an in-band transaction.
>>
>>http://www.boojummobile.com
>
>
> Banks here have been using it to authenticate higher-value electronic
> transactions as well. The way it works is that for transactions with a
> combined value over the default floor limit of NZ$2.5K you have to use an
> additional PIN sent via SMS to a pre-configured number to authenticate the
> session. The PIN authenticates that particular session (not just one
> transaction), with a fee of NZ$0.25. It's not perfect, obviously, but that
> was seen as the best tradeoff between cost, user convenience, and security.
>
> <grumble>A few years ago I wanted to do this out-of-band authentication as a
> research project, and at the time couldn't find anyone interested in it; now
> they've paid an arm and a leg for it themselves, sigh</grumble>.
Back when we used to run O2's (then Cellnet) web stuff, we used to
authenticate user accounts by sending random words to their phone. This
was so long ago I can't remember when it was, but certainly > 5 years.
Cheers,
Ben.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list