Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 02:16:38PM -0000 Quoting Tim Franklin (tim@pelican.org):
There is indeed a difference between Europe (or is it only .SE?) and USA here; no bank in Sweden lets you login without at least a client certificate and password/pin code. Most banks have a hardware token, either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin cards as certificate carrier, and combine it with a reader device to manage pin code entry.
Can't speak for Europe as a whole, but certainly in the UK it's not common - and I wish it was. I do have different passwords for my banking and other finance-type sites (pensions etc), both for each site and distinct from my "fuzzykittens" passwords (which do re-use a handful of variations on a couple of themes). A hardware token would be very nice though.
If it only was one token for all. Public services usually use most of the several national ID card "standards" that we have so for things like doing tax returns, applying for public health insurance payments, etc, one solution "works" -- but all the others have one each. Identity federations are probably the way to go.
Client cert worries me a bit - while it *should* be standards-based, I'm sure there's some way to implement it such that it only works on Windows. Given how long it took for banks to stop with the "Safari! Evil! Access denied!" routine, I don't hold much faith in their willingness or ability to build cross-platform solutions.
It sometimes works. Sometimes not. I have chip-and-pin with cert on and reader. If I use it as a standalone authenticator I can even use elinks, but to use it as national ID card I need to run a bunch of apps, and must stay on Firefox3. This is for OSX. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 UH-OH!! I think KEN is OVER-DUE on his R.V. PAYMENTS and HE'S having a NERVOUS BREAKDOWN too!! Ha ha.