[17747] in cryptography@c2.net mail archive
Re: the limits of crypto and authentication
daemon@ATHENA.MIT.EDU (Nick Owen)
Sat Jul 9 17:45:46 2005
X-Original-To: cryptography@metzdowd.com
Date: Sat, 09 Jul 2005 17:50:02 -0400
From: Nick Owen <nowen@wikidsystems.com>
To: Ian Grigg <iang@systemics.com>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
cryptography@metzdowd.com
In-Reply-To: <200507091956.40341.iang@systemics.com>

I think that the cost of two-factor authentication will plummet in the
face of the volumes offered by e-banking. Also, the more uses for the
token, the more shared the costs will be. The question to me is will
the FIs go with anything beyond secure cookies, IP address validation
and unique images. Will they be forced to by the powers that be or by
disclosure requirements after the basic systems are thwarted?

I also think that the lower-end cell phone is now capable of handling
the task. While a PC client may not be very secure, it does offer some
potential benefits such as auto-validating SSL certs. Whether the
carriers will bother with a potential revenue stream in two-factor
authentication when they can make more money in ringtones is another
question - back to the business model ;).

Ian Grigg wrote:
> FTR, e-gold were aware of the general makeup of this
> threat since 1998 and asked someone to look at it. The
> long and the short was that it was more difficult to solve
> than at first claimed, so the project was scrapped. This
> was a good risk-based decision. The first trojans that I
> know of for e-gold weren't spotted until 12-18 months
> ago, so it was also a profitable decision. What they are
> doing now I don't know.
>
> In the payments world we've known how to solve all
> this for some time, since the early 90s to my knowledge.
> The only question really is, have you got a business
> model that will pay for it, because any form of token is
> very expensive, and the form of token that is needed -
> a trusted device to put the application, display, keypad
> and net connection on - is even more expensive than
> the stop-gap two-factor authentication units commonly
> sold.
>
> iang

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com