Ok it doesn’t have video recording. Well who wants to wait 20 mins to send it across the slow cell networks? Download it to my computer? Our drunk escapades at happy hour are not worth the time and effort. Can’t manage playlists? If you have nothing better to do than organize your music collection while you’re away from the computer, then you got bigger fish to fry, no offense.

I want an EASY TO USE PHONE THAT DOES WHAT A PHONE DOES…CALL PEOPLE!

I don’t need to:
- edit excel spreadsheets and formulas on the train
- photoshop my head on brad pitt’s body while on the train
- write the next episode of harry potter on the train
- GPS locate my next stalking victim

I do need to:
- make phone calls
- listen to some tunes when i’m bored
- get the jest of my email in case i can’t get to a pc
- text message my friends
- not throw my phone against the wall in frustration

Counter-rant… OFF.

Many thanks for your thoughtful, insightful, and articulate reply to my blog entry. I agree that this is an important topic and the discourse we are having is a positive thing. To that end, I am posting this comment on both the Burton Group Identity Blog and your blog.

The Javelin user acceptance study is encouraging. The security of consumer authentication would be raised materially if a client were in play. Clientless device identification – while valuable – is readily impersonated. With a client, there can be some cryptographic ‘meat on the bone’ to provider a stronger device ID. Obviously, the security quality of the consumer’s primary authentication would be improved as well.

While software acceptance by consumers is a good thing, I have residual concerns. Will customers tolerate multiple client packages, with the potential for software conflicts or performance issues? This issue is the software analogue of the OTP “token necklace” many of us like to talk about. This is a different use case than deploying a single anti-virus package. To be fair, the customer may get lucky because all of the customer’s FIs may use the same client. Also, as you point out, user acceptance is only one-half of the recipe. FIs must be willing to deploy and support client software, and probably for multiple operating systems (not just Windows).

I agree that we should continue this discourse on the challenges of consumer authentication. I am not sure of the best medium, but I commit to giving it some thought (and I am open to suggestions). Additionally, the Burton Group IdPS team is in the process of defining our 2008 focus areas, and it will certainly include consumer authentication. We’ll wrap-up our planning mid-November. Perhaps we can take the roundtable idea to the next Burton Group Catalyst conference, which will enable a healthy percentage of customers to interactively collaborate with us on the topic.

For the record, I think that TriCipher has some interesting and unique technology in its portfolio, and I have called this out in our research work. The split key technology and variable client footprint options provides good security and mobility features. I like the way that TriCipher does mobile PKI in conjunction with one-time password devices. The use of the private key is tightly coupled to the OTP authentication, more so than any other product I am aware of. It’s also nice that the product transparently supports a mix of vendor OTPs; this capability introduces cost-saving OTP migration options.

As always, I look forward to reading your blog, and I look forward to additional discussions.

Sincerely,

Mark

Today, I am still an OTP basher because they give a false sense of security. An attacker does not need to have malware locally on my PC to compromise my OTP. These are not theoretical attacks, but real, live, “in the wild” attacks being carried out today. RSA themselves are touting their discovery of MITM kits available for any script kiddie with a dream of accessing and using.

The jump from compromising OTP protected authentication to compromising a smartcard or PKI digital credential (to be more generic) is a much higher jump requiring at least a footprint within the local browser itself vs. existing purely on the internet. Certainly, I agree with your point that at some elevated level of local device compromise, there is no defense, OTP, smartcard, biometric, etc.

If you’re worried about users in general, then yes, I can see potential issues with OTP. If you’re thinking just about yourself, then perhaps the risks of an OTP solutions are overblown?

If you’re being owned by local malware that spoofs you, reads the OTP, etc. its isn’t very likely that something like a smartcard would fare much better than an OTP scheme.

- Dave