* Nick Owen:

> I think that the cost of two-factor authentication will plummet in the
> face of the volumes offered by e-banking.

I doubt this is true. In Germany, we already use some form of two-factor authentication for Internet banking transactions (account number/password and a one-time password for each transaction). Yet banks are desperately looking for alternatives because distributing those one-time password lists is too expensive (!). To me, this was quite surprising because it's just one sheet of paper every 200 transactions or so.

Even worse, this scheme has failed, and there are successful attacks in the wild (involving compromised client PCs). Right now, time-dependent tokens do help, but only because you outrun the other guy. The real-time requirements imposed by them are not a fundamental obstacle to the attackers, and even now, the way they route the money makes it very hard to detect things in real-time (at least on the money side).

Well, you can imagine my surprise when Howard Schmidt praised two-factor authentication as a solution to our current problems at the FIRST 2005 conference. 8-/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]