User negligence?

James H. Cloos Jr. cloos at jhcloos.com
Sun Jul 27 13:52:29 UTC 2003


>>>>> "Owen" == Owen DeLong <owen at delong.com> writes:

Owen> I don't think the average user has a smart card reader at home.

They don't need readers.

The devices in question support a (supposedly :) secure challenge-
response system.

With some devices, the web site would display the challenge, the user
would enter that into their device, the device displays a response,
and the user uses that response as their passwd for that login.

With others, the passwd the device displays varies with time rather
than any input.  The challenge in that case is implicitly the current
date/time of the login attempt.

The downside of course is that you have yet another small, losable
device to keep track of.  (And to carry around if you want to log in
while traveling.)

Security as always is a HARD problem.  People just hate to bother
until the risk hits some magic barrier.  Businesses of course have
fewer risk protection laws on their side, so adding secure features
for business customers will always be easier than adding them for
typical consumers.  Especially in places like the US where the
consumer protection laws are so strong.

OTOH, any business in real competition for consumers will eat small
losses as part of their advertising/marketing budget....

-JimC
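
The two token styles described in this message, as an added example that is not part of the original post: an explicit challenge typed into the device, and a time-derived code. It assumes HMAC-SHA1 with RFC 4226 truncation; the devices discussed in the thread may use other, proprietary algorithms, and the function names and secret are constructed.

```python
import hashlib
import hmac
import struct

def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: turn a MAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def challenge_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Explicit challenge: the site displays `challenge`, the device displays this."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha1).digest()
    return truncate(mac, digits)

def time_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Implicit challenge: the count of `step`-second intervals since the epoch."""
    counter = max(int(unix_time) // step, 0)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)

def verify_response(secret: bytes, challenge: str, submitted: str) -> bool:
    """Server side: recompute from the shared secret, compare in constant time."""
    expected = challenge_response(secret, challenge, len(submitted))
    return hmac.compare_digest(expected, submitted)

def verify_time_code(secret: bytes, submitted: str, now: int,
                     step: int = 30, window: int = 1) -> bool:
    """Accept codes from `window` steps either side of `now` to absorb clock
    drift. A real server would also refuse a code it has already accepted."""
    return any(
        hmac.compare_digest(
            time_code(secret, now + d * step, step, len(submitted)), submitted)
        for d in range(-window, window + 1)
    )

if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed demo secret shared by device and site
    challenge = "483920"               # constructed challenge the site would display
    response = challenge_response(secret, challenge)
    print("challenge", challenge, "-> response", response,
          "accepted:", verify_response(secret, challenge, response))
    code = time_code(secret, 59)
    print("code at t=59:", code)
    print("accepted at t=89 :", verify_time_code(secret, code, 89))
    print("accepted at t=149:", verify_time_code(secret, code, 149))
```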



