[Dave Birch] I noticed an article about a large US bank planning to issue digital certificates to retail customers. I wanted to pass on some of our experience in this area to explain why I don't think this is the best way forward for banks outside the US.


Some years ago, we were retained by the provider of a managed PKI service to interview some of their customers (large commercial organisations) to find out how the service was going. They hated it, and it later folded. But the service wasn't proving economic to provide anyway. The service provider had decided to issue soft certificates (a private key and certificate held in a software keystore on the user's PC) rather than hardware tokens because of cost, but the fact is that the soft certificates ended up costing far more.

There were two key reasons for this.

One was support costs. The soft certificates had to be reloaded every time a PC crashed or was swapped out; they were frequently corrupted by system crashes; and because they were personal (ie, the certificate and its private key were issued to the PC user, not to the PC) they had to be moved from machine to machine, which was something users couldn't do themselves.

The other was complexity. Explaining what certificates were and what they did to junior staff who had no real interest in the topic (like most people!) was near impossible. By contrast, the simple proposition "when you want to log in to the ordering system or use company e-mail, you must put in your smart card and enter your PIN" is something anyone can follow, and a system built on it would have been significantly less expensive over its lifetime. The moral of this story is that a $1 soft certificate does not make for a cheaper implementation than a $5 smart card and USB reader bundle.

What's more, customers in the UK, for example, already have smart cards and PINs given to them by their banks. So adding a cheap USB reader doesn't seem like a big deal. Since all UK chip and PIN cards will have to be re-issued as DDA (dynamic data authentication) cards at some point (in some countries, such as France, the rollover has already started), they will have cryptographic co-processors capable of public-key operations, which a digital signature application can use to provide genuine end-to-end security between the customer and their bank.
