It’s certainly not obvious that, as a consumer, I would prefer one of these OTP 2FA tokens over either a) nothing, b) something simple with mobile phones or c) proper end-to-end security with digital signatures and the like. Bruce Schneier is typically succinct:
What I would want to know from the bank is: Who is liable for fraud when it occurs?
If it’s me, I don’t want the account or the token. If it’s them, I don’t care what sort of authentication they use.
This isn’t the whole story, of course, because I do care what authentication they use if it’s something that’s going to cause me major hassle every time I want to log in. The 2FA token certainly will, because I sometimes need to log in to my home banking from work. When I wanted to do this last week I couldn’t, because I’d forgotten my 12-digit user identification and I have it written on a sticky note at home. Now, even if I remember to bring the sticky note with me, I’ll have forgotten the token.
By contrast, I always have my mobile phone with me. I have no intention of using it to log into my bank’s mobile banking service (I tried it once: never again) but I would use it as a 2FA device to log in to my bank on the web. And if that was implemented properly, then I would ideally use the same service (perhaps now an income stream for the bank) to log in to other things as well.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.