On Wed, Jan 03, 2007 at 03:35:30PM +0100, Florian Weimer wrote:
> SecurID might be helpful if you want to differentiate your product between automatic and manual use, but it doesn't do anything to authenticate the party you are relaying information to. But it's useless in a phishing context. If you want a token solution, at least use something that factors in transaction-related data.
And since the whole point of using a token is having an isolated, presumably more trustworthy environment, then you also would logically need a display and input device for it.

On the cryptography@metzdowd.com list, there has been some discussion of this, and also some statements that the login needs to be part of the "browser chrome" (whatever that is) and not just any old form on an unprotected HTML page.

Furthermore, the current understanding of marketing departments and customer support is on par with "the lock icon means it's secure", so even reputable companies like (IIRC) Chase are sending out emails telling their customers to log in to web sites with domain names that don't even resemble Chase, essentially training customers to be phishing victims.

It's clear that the technology has progressed to the point that it is easier to confuse the user than actually exploit the security systems, and what we really need now is some leadership from UI designers (say, Apple) for browser designs and idioms that are intuitively obvious to the most casual of users. However, that's not exactly hard science and there isn't much usability research in the security community, because it's already so recondite.

-- 
``Unthinking respect for authority is the greatest enemy of truth.'' -- Albert Einstein
-><- <URL:http://www.subspacefield.org/~travis/>
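The distinction drawn above, between a time-only token code and one that "factors in transaction-related data", as an added illustration that is not part of the thread: a constructed server-side check shows why a relayed time-only code is accepted for a transaction the user never approved, while a code computed over the amount and destination shown on the token's own display is rejected. The secret, time step and transaction fields are assumptions for the demo.

```python
import hashlib
import hmac

# Constructed demo values; a real token seed and step length are assumptions here.
SECRET = b"constructed-demo-token-seed"
STEP_SECONDS = 60


def time_step(now_seconds):
    """Map wall-clock seconds to the token's time window."""
    return int(now_seconds) // STEP_SECONDS


def plain_otp(secret, step):
    """Time-only code: depends on nothing about what the user is doing."""
    return hmac.new(secret, str(step).encode(), hashlib.sha256).hexdigest()[:8]


def transaction_code(secret, step, amount, destination):
    """Transaction-bound code: the token computes it over the details it displays."""
    msg = f"{step}|{amount}|{destination}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def verify_plain(secret, step, code, amount, destination):
    """Server check for a time-only code; amount and destination cannot be tied to it."""
    return hmac.compare_digest(plain_otp(secret, step), code)


def verify_transaction(secret, step, code, amount, destination):
    """Server check for a transaction-bound code over the transaction it is asked to approve."""
    return hmac.compare_digest(transaction_code(secret, step, amount, destination), code)


def relay_scenario(step):
    """A phishing page captures the code the user entered for a small payment and
    submits it for a different payment within the same time window.
    Returns (time_only_accepted, transaction_bound_accepted)."""
    user_amount, user_dest = 10, "bakery"      # what the user approved
    fraud_amount, fraud_dest = 5000, "mule"     # what the relayed request asks for
    typed_plain = plain_otp(SECRET, step)
    typed_bound = transaction_code(SECRET, step, user_amount, user_dest)
    time_only_accepted = verify_plain(SECRET, step, typed_plain, fraud_amount, fraud_dest)
    bound_accepted = verify_transaction(SECRET, step, typed_bound, fraud_amount, fraud_dest)
    return time_only_accepted, bound_accepted
```

The binding only helps if the token shows the amount and destination on its own display, which is the point made above about needing an isolated display and input device.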