Peter Gutmann wrote:

Take a look at Boojum Mobile -- it is precisely the idea of using the cell
phone as an out-of-band channel for an in-band transaction.

Banks here have been using it to authenticate higher-value electronic
transactions as well.  The way it works is that for transactions with a
combined value over the default floor limit of NZ$2.5K you have to use an
additional PIN sent via SMS to a pre-configured number to authenticate the
session.  The PIN authenticates that particular session (not just one
transaction), with a fee of NZ$0.25.  It's not perfect, obviously, but that
was seen as the best tradeoff between cost, user convenience, and security.

<grumble>A few years ago I wanted to do this out-of-band authentication as a
research project, and at the time couldn't find anyone interested in it; now
they've paid an arm and a leg for it themselves, sigh</grumble>.

Back when we used to run O2's (then Cellnet) web stuff, we used to authenticate user accounts by sending random words to their phone. This was so long ago I can't remember when it was, but certainly > 5 years.



>>>ApacheCon Europe<<<

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
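To make the step-up rule Gutmann describes concrete, here is an added toy model of the server-side logic (not code from the post, Boojum Mobile, or any bank): a session-bound PIN is only demanded once the session's combined value crosses the NZ$2.5K floor limit, it is sent to the pre-registered number rather than one supplied in-session, and it is checked in constant time. The PIN length, lifetime and attempt cap are assumptions, and the SMS gateway is replaced by an in-memory outbox.

```python
# Added example, not from the original post. Floor limit, session scope and SMS
# delivery to a pre-configured number follow the post; PIN length (6 digits),
# lifetime (5 min) and attempt cap (3) are assumptions for the demo.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

FLOOR_LIMIT_NZD = 2500.00   # combined session value above this needs the SMS PIN
PIN_TTL_SECONDS = 300       # assumption: PIN usable for five minutes
MAX_PIN_ATTEMPTS = 3        # assumption: bounds online guessing of a 6-digit PIN

@dataclass
class Session:
    registered_phone: str            # pre-configured number, never taken from the session
    committed_total: float = 0.0     # value of transactions accepted so far this session
    stepped_up: bool = False         # set once a PIN has been verified for this session
    pin: Optional[str] = None
    pin_expires: float = 0.0
    pin_attempts: int = 0
    sms_outbox: list = field(default_factory=list)   # stand-in for the SMS gateway

def send_sms_pin(s: Session) -> None:
    s.pin = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not the random module
    s.pin_expires = time.time() + PIN_TTL_SECONDS
    s.pin_attempts = 0
    s.sms_outbox.append((s.registered_phone, s.pin))

def verify_pin(s: Session, candidate: str) -> bool:
    # Expired or locked-out PINs stay unusable until a fresh one is issued.
    if s.pin is None or time.time() > s.pin_expires or s.pin_attempts >= MAX_PIN_ATTEMPTS:
        return False
    s.pin_attempts += 1
    if hmac.compare_digest(s.pin, candidate):      # constant-time comparison
        s.stepped_up = True                        # whole session is now authenticated
        s.pin = None                               # single use
        return True
    return False

def submit_transaction(s: Session, amount: float) -> str:
    """Return 'accepted', or 'pin_required' after sending a PIN out of band."""
    if s.committed_total + amount > FLOOR_LIMIT_NZD and not s.stepped_up:
        if s.pin is None or time.time() > s.pin_expires:   # don't re-send a live PIN
            send_sms_pin(s)
        return "pin_required"
    s.committed_total += amount
    return "accepted"
```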

The Cryptography Mailing List
