Hello,

PL>Of course, the best authentication system for banking I've seen is
PL>from UBS. They send you a scratchlist of around 100 numbers. Every
PL>time you login you use one of the numbers and cross it off. Very
PL>slick.

GB>Does that really work in practice? That sounds really annoying. Is this
GB>for business banking or for retail? How do they get the next 100 numbers
GB>to the user? Do they mail it out when they've used 90?

The ACE SecurID system (I think they're owned by RSA now) refines this
process well. You have a hardy little credit-card sized (or key fob sized,
and I'm sure they have other form factors) object. It has a little LCD
screen and every 30 seconds the 4- to 6-digit number on it changes. When
you log into the server, you give it your ID, a password, AND the number
currently on your SecurID card or key fob.

The key fob is nice. It's hardy and lasts a long time. I have one from
Motorola from my stint there many years ago. You could probably toss it on
the sidewalk from my third-story balcony and it'd be okay, plus it's
small and easy to read.

This is inferior to a true zero-knowledge challenge-response system which
would require a little calculator, but it's far more secure than a
password and far easier to use than paper and pencil.

Here's the RSA SecurID URL:
http://www.rsasecurity.com/products/securid/

Here's a picture of some of the hardware tokens:
http://www.rsasecurity.com/products/securid/hardware_token.html

I guess they DO have a challenge-response calculator. Neat.

Humbly,
Andrew
----------------------------------------------------------------------
Andrew Ho http://www.tellme.com/ [EMAIL PROTECTED]
Engineer [EMAIL PROTECTED] Voice 650-930-9062
Tellme Networks, Inc. 1-800-555-TELL Fax 650-930-9101
----------------------------------------------------------------------
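Added example, not from this thread and not RSA's SecurID algorithm (which is proprietary): the same time-stepped token idea written as RFC 6238 TOTP in Python, with the server-side check that accepts one 30-second step of clock drift and refuses a code from a time step it has already accepted. The shared secret below is the test key published in RFC 6238, used here only as a demo value; the `TokenVerifier` class and its names are this example's own.

```python
# Added example: RFC 6238 TOTP (HMAC-SHA1) as an open-standard stand-in for
# the time-synchronised SecurID token described above. Not SecurID's code.
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # the token face changes every 30 seconds
DIGITS = 6          # 6-digit code, like the token display

# Demo shared secret: the ASCII test key from RFC 6238 (not a real key).
DEMO_SECRET = b"12345678901234567890"


def totp_code(secret: bytes, unix_time: int) -> str:
    """Return the code the token shows at unix_time."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class TokenVerifier:
    """Server side: checks a submitted code and remembers the last time step
    it accepted, so a code that was already used cannot be replayed."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps   # tolerated clock drift, in steps
        self.last_step = -1            # most recent time step accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = current + delta
            if step <= self.last_step:
                continue               # already consumed: reject replay
            expected = totp_code(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # Time 59 is one of the RFC 6238 reference points; it yields 287082.
    print(totp_code(DEMO_SECRET, 59))
```

The verifier still expects the user's ID and password alongside the code, as the message describes; this block covers only the time-stepped third factor.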