Written by Technorati Tags: authentication, banking, internet
If these devices become widespread (ie, one per household) then one might expect other organisations to want to use them, either just to handle authentication or as part of a more generalised federated identity scheme. It could be cost effective for, say, the Inland Revenue to pay Barclays a penny and let me log in using the same combination of my Barclays debit card and hardware token rather than mess about with the government gateway or their own single sign-on. One of the national ID card schemes that we’re advising at the moment are studying doing just that, in fact.
It’s important to bear in mind though, as noted here before, that token authentication does not solve the "online identity" problem because it does not provide bi-directional end-to-end encryption and authentication, but it is a step in the right direction. UK banks ought to be looking at the next step (putting a PKI application on the EMV card — which is a pretty marginal cost once they have migrated to DDA cards which have cryptographic co-processors on board, as the French banks are.) and finding ways to connect to the customers PCs in a simple way: perhaps using cards with USB interfaces as an interim and waiting for PCs to start sprouting contactless interfaces (as they have in Japan).
