Hello,

PL>Of course, the best authentication system for banking I've seen is
PL>from UBS. They send you a scratchlist of around 100 numbers. Every
PL>time you login you use one of the numbers and cross it off. Very
PL>slick.

GB>Does that really work in practice? That sounds really annoying. Is this
GB>for business banking or for retail? How do they get the next 100 numbers
GB>to the user? Do they mail it out when they've used 90?

The ACE SecurID system (I think they're owned by RSA now) refines this
process well. You have a hardy little credit-card sized (or key fob
sized, and I'm sure they have other form factors) object. It has a
little LCD screen and every 30 seconds the 4- to 6-digit number on it
changes. When you log into the server, you give it your ID, a password,
AND the number currently on your SecurID card or key fob.

The key fob is nice. It's hardy and lasts a long time. I have one from
Motorola from my stint there many years ago. You could probably toss it
on the sidewalk from my third-story balcony and it'd be okay, plus it's
small and easy to read.

This is inferior to a true zero-knowledge challenge-response system
which would require a little calculator, but it's far more secure than
a password and far easier to use than paper and pencil.

Here's the RSA SecurID URL:

    http://www.rsasecurity.com/products/securid/

Here's a picture of some of the hardware tokens:

    http://www.rsasecurity.com/products/securid/hardware_token.html

I guess they DO have a challenge-response calculator. Neat.

Humbly,

Andrew

----------------------------------------------------------------------
Andrew Ho               http://www.tellme.com/       [EMAIL PROTECTED]
Engineer                [EMAIL PROTECTED]          Voice 650-930-9062
Tellme Networks, Inc.   1-800-555-TELL               Fax 650-930-9101
----------------------------------------------------------------------