On Thu, 17 Jan 2002, Gunther Birznieks wrote:

> >Of course, the best authentication system for banking I've seen is
> >from UBS.  They send you a scratchlist of around 100 numbers.  Every
> >time you login you use one of the numbers and cross it off.  Very
> >slick.
> 
> Does that really work in practice? That sounds really annoying. Is this for 
> business banking or for retail? How do they get the next 100 numbers to the 
> user? Do they mail it out when they've used 90?
> 
> It sounds like it would be less annoying to use certificates and some 
> plug-in token there is going to be that much extra work to deal with a 
> password sheet.

Alternately, for a high-tech approach, RSA makes a nice product called a
SecurID token (Well, one of mine says Security Dynamics on the back, but
the new ones definitely say RSA).  Actually, they make two, one nice,
one not nice.  The nice one has a keypad where you enter in a pin, press
a button, and it generates a temporary id based on its serial number,
your pin, and the current time interval; the time interval changes every
minute or two.  The not nice one has no keypad; it works like the other
would if you didn't enter a pin.

I know of several companies that use these; they tend to work fairly
well.  (I had one break on me, but I gave it a lot of abuse first; it
lasted almost half of its battery span in spite of not being taken care
of.)

Ed
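
Added example (not part of the original message, and not RSA's algorithm, which is proprietary): a sketch of the scheme described above, where a code is derived from a per-token value, the PIN and the current time interval, with the server-side checks a verifier needs (clock-drift window, single use). It substitutes HMAC with RFC 4226 truncation; `seed` (standing in for the serial number), `STEP`, `DIGITS`, `WINDOW` and the sample values are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per interval (the post says "every minute or two")
DIGITS = 6     # assumed display length
WINDOW = 1     # intervals of clock drift tolerated on each side


def token_code(seed: bytes, pin: str, now: float) -> str:
    """Code the token would display for the interval containing `now`."""
    interval = int(now // STEP)
    # Mix the PIN into the key so a stolen token alone is not enough.
    key = hmac.new(seed, pin.encode(), hashlib.sha256).digest()
    mac = hmac.new(key, struct.pack(">Q", interval), hashlib.sha1).digest()
    # RFC 4226 dynamic truncation to a short decimal code.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Verifier:
    """Server side: accepts a code once, within the drift window."""

    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin = seed, pin
        self.last_interval = -1   # highest interval already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for interval in range(current - WINDOW, current + WINDOW + 1):
            if interval <= self.last_interval:
                continue          # replay, or older than an accepted code
            expected = token_code(self.seed, self.pin, interval * STEP)
            if hmac.compare_digest(expected, code):
                self.last_interval = interval
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-per-token-seed"    # constructed sample value
    v = Verifier(seed, "4711")
    t = 1_011_225_600                       # constructed timestamp
    code = token_code(seed, "4711", t)
    print(code, v.verify(code, t + 20), v.verify(code, t + 25))
```

The second `verify` call fails even though the code is still inside its interval: tracking the last accepted interval is what makes each code single-use, like crossing a number off the scratchlist.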
