[Dave Birch] We’ve long felt that the mobile phone will become the central identity device, the pivot of the emerging digital identity infrastructure. Plenty of other people seem to think the same, so it’s puzzling that organisations that need significant improvements in both the security and the convenience of large-scale identity management are taking so long to exploit the mobile environment. An obvious case in point is banks. Since, in the U.K., everyone who might conceivably bank online already has a mobile phone, one might reasonably have expected mobile phones to become a standard 2FA token for online banking and shopping. It’s not exactly hard to imagine how that might work. But instead, banks have opted for the simple, non-end-to-end 2FA that uses chip and PIN cards to generate one-time passwords (OTPs) for logging in to home banking. Now, as it happens, my bank just sent me one of these and I used it for the first time on Saturday. It worked fine, and I didn’t have to remember either my numerical passcode or my secret word. But does it give me security?

It’s certainly not obvious that, as a consumer, I would prefer one of these OTP 2FA tokens over either a) nothing, b) something simple with mobile phones or c) proper end-to-end security with digital signatures and the like. Bruce Schneier is typically succinct:

What I would want to know from the bank is: Who is liable for fraud when it occurs?
If it’s me, I don’t want the account or the token. If it’s them, I don’t care what sort of authentication they use.

This isn’t the whole story, of course, because I do care what authentication they use if it’s something that’s going to cause me major hassle every time I want to log in. The 2FA token certainly will, because I sometimes need to log in to my home banking from work. When I wanted to do this last week I couldn’t, because I’d forgotten my 12-digit user identification and I have it written on a sticky note at home. Now, even if I remember to bring the sticky note with me, I’ll have forgotten the token.

By contrast, I always have my mobile phone with me. I have no intention of using it to log in to my bank’s mobile banking service (I tried it once: never again), but I would use it as a 2FA device to log in to my bank on the web. And if that were implemented properly, then I would ideally use the same service (perhaps now an income stream for the bank) to log in to other things as well.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
