Thoughts from the identity age -- By Phil Libin


Smart use of cell phones

Bruce Schneier reports on a good idea: using a cell phone to provide two factor authentication for secure websites.  For example, when you try to transfer more than $2,500 on an online banking site, the site can send your phone a random code via SMS which you then have to type into the site before the transaction can be processed. 
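As an added illustration (not code from the post or from Schneier's write-up), here is a server-side sketch of that step-up flow: a transfer over the threshold gets a random code sent by SMS, and the code is bound to that one transaction, expires, is single-use, and locks out after a few wrong guesses. The `send_sms` callable, the `now` clock hook and the phone numbers are assumptions for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300        # code is only good for five minutes
MAX_ATTEMPTS = 3              # then the pending transfer is dropped
STEP_UP_THRESHOLD = 2500      # dollars; the threshold used in the post


class SmsStepUp:
    """Issues and checks one-time SMS codes for transfers over the threshold."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms      # assumed hook: send_sms(phone_number, text)
        self.now = now                # injectable clock so expiry can be tested
        self._pending = {}            # txn_id -> code, phone, amount, expires, attempts

    def begin_transfer(self, txn_id, phone_number, amount):
        if amount <= STEP_UP_THRESHOLD:
            return "approved"         # small transfer: password alone is enough
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[txn_id] = {
            "code": code, "phone": phone_number, "amount": amount,
            "expires": self.now() + CODE_TTL_SECONDS, "attempts": 0,
        }
        # The message names the amount so the user can see what they are approving.
        self.send_sms(phone_number,
                      f"Code {code} to approve transfer of ${amount}. Not you? Call the bank.")
        return "code_required"

    def confirm_transfer(self, txn_id, submitted_code):
        entry = self._pending.get(txn_id)
        if entry is None:
            return "no_pending_transfer"
        if self.now() > entry["expires"]:
            del self._pending[txn_id]
            return "expired"
        entry["attempts"] += 1
        # Constant-time compare on bytes; non-digit input simply fails to match.
        if hmac.compare_digest(entry["code"].encode(), submitted_code.encode()):
            del self._pending[txn_id]     # single use: the code cannot be replayed
            return "approved"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[txn_id]     # stop online guessing of a 6-digit code
            return "locked"
        return "wrong_code"
```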

Of course, you have to register your cell phone number with the bank, which might be a slight privacy concern.  You also have to have your cell phone handy when browsing the site.  I don't usually keep my cell phone near my home computer, but I guess getting up off my ass whenever I want to pay someone a couple of grand is not wholly unreasonable. 

This is one of those elegant, clever and practical security ideas that I wish I'd thought of first.  It's not as secure or convenient as having a real smart-credential based system, but it doesn't require any new infrastructure and can easily be implemented right now.  Maybe someone who already knows your cell phone number (like the cellular carrier) can map customer numbers to some kind of blind ID and offer the two-factor service as a B2B service to secure website providers.  If this was 1999, I'd have a Powerpoint business plan around that idea by now.

Thanks to Dave Engberg for the link.

November 24, 2004

Comments

*Sounds* like a good idea at first glance -- but I've done 4 of those transactions on my Irish bank accounts in the past couple of months, and my SMS phone doesn't work in the US. I'd have been very annoyed if my bank used that system ;)

(ps: followed a link from Adam Shostack's blog to your e-passport posting that cited the NIST report. your blog looks interesting!)

Posted by: Justin Mason | Nov 27, 2004 2:55:43 AM

RSA has been selling two factor software, an alternative to their SecurID tokens, for multiple devices for nearly three years! They have been demonstrating such with more devices at the RSA Conference every year since inception. See http://www.rsasecurity.com/node.asp?id=1313.

Posted by: Randy Bowman | Nov 28, 2004 7:39:31 PM

Randy,

The nice thing here is that it doesn't require any client software and works with any SMS capable device (read: any phone sold in the last few years).

Posted by: Phil Libin | Nov 29, 2004 1:59:54 PM

Oops!!! I thought that my link included a reference to RSA Mobile, which is exactly as Bruce and you describe. See additionally http://www.rsasecurity.com/press_release.asp?doc_id=1506&id=1034, and note that this product is just over two years old, but already received SC Mag high marks!

Posted by: Randy Bowman | Nov 29, 2004 5:59:07 PM

We started Valimo Wireless in Finland in 2000 based on this idea. We now have over 20 operator, corporate and government customers based on this idea. We use both one-time passwords and WPKI, mostly with a mobile-operator-centric approach. The idea is picking up momentum in Scandinavia and central Europe.

Posted by: Will Cardwell | May 24, 2005 9:30:42 PM
