Re: Circle Bank plays with two-factor authentication

2006-10-03 Thread leichter_jerrold
| Have you seen the technique used at http://www.griddatasecurity.com ? Sounds
| a lot like your original idea.

Nah - more clever than what I had (which was meant for an age when you couldn't carry any computation with you, and things you interacted with on a day by day basis didn't have

Re: Circle Bank plays with two-factor authentication

2006-10-02 Thread Peter van Liesdonk
Here in the Netherlands, we have a bank (Rabobank) which sends the required code by SMS to your (registered) cellular phone as soon as you want to log in. So the codes are always fresh and random and only available to whoever knows the password ánd has the phone. At my own bank, the bank-card is

Re: Circle Bank plays with two-factor authentication

2006-10-02 Thread Jason Axley
snip The question is what the threat model is. We all know that email can be intercepted over the wire. We also know that that's not very common or very easy, except for wireless hotspots. I assert that *most* email does not flow over such links, and that the probability of a successful

Re: Circle Bank plays with two-factor authentication

2006-10-01 Thread Richard Stiennon
Have you seen the technique used at http://www.griddatasecurity.com ? Sounds a lot like your original idea. Screen shot here: http://blogs.zdnet.com/threatchaos/?p=374

-Richard Stiennon

At 02:40 PM 9/28/2006, Leichter, Jerry wrote:
| Circle Bank is using a coordinate matrix to let
|

Re: Circle Bank plays with two-factor authentication

2006-10-01 Thread Florian Weimer
* Steven M. Bellovin: Again -- the scheme isn't foolproof, but it's probably *good enough*. I agree that if you consider this scheme in isolation, it's better than plain user names and passwords. But I wonder if it significantly increases customer confusion because banks told their customer

Re: Circle Bank plays with two-factor authentication

2006-09-29 Thread Steven M. Bellovin
On Thu, 28 Sep 2006 12:34:24 -0700, Ed Gerck [EMAIL PROTECTED] wrote: Circle Bank is using a coordinate matrix to let users pick three letters according to a grid, to be entered together with their username and password. The matrix is sent by email, with the user's account sign on ID in

Re: Circle Bank plays with two-factor authentication

2006-09-29 Thread Ed Gerck
Steven M. Bellovin wrote: I'd like to hear why you think the scheme isn't that usable. I disagree with you about its security. The first condition for security is usability. I consider this to be self-evident. Users have difficulty already with something as simple as username/pwd. Here, the

Circle Bank plays with two-factor authentication

2006-09-28 Thread Ed Gerck
Circle Bank is using a coordinate matrix to let users pick three letters according to a grid, to be entered together with their username and password. The matrix is sent by email, with the user's account sign on ID in plaintext. Worse, the matrix is pretty useless for the majority of users,

Re: Circle Bank plays with two-factor authentication

2006-09-28 Thread Leichter, Jerry
| Circle Bank is using a coordinate matrix to let
| users pick three letters according to a grid, to be
| entered together with their username and password.
|
| The matrix is sent by email, with the user's account
| sign on ID in plaintext.
|
| Worse, the matrix is pretty useless for the

Re: Circle Bank plays with two-factor authentication

2006-09-28 Thread pat hache
Here (Mexico), BBVA / Bancomer uses 24 special three-digit numbers on a card you need to have at hand to access your account after login and username... the system asks you for one of those 24 numbers to allow each session - entry. Supposed to be effective. Dunno if there is a similar system