About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


The march of the mobile

By davebirch posted Dec 7 2007 at 9:50 PM
[Dave Birch] We've long felt that the mobile phone will become the central identity device, the pivot of the emerging digital identity infrastructure. Plenty of other people seem to think the same, so it's puzzling that organisations that need significant improvements in both the security and the convenience of large-scale identity management are taking so long to exploit the mobile environment. An obvious case in point is banks. Since, in the U.K., everyone who might conceivably bank online already has a mobile phone, one might reasonably have expected mobile phones to become a standard 2FA token for online banking and shopping. It's not exactly hard to imagine how that might work. Instead, banks have opted for a simple form of 2FA that is not end-to-end: a chip and PIN card in a handheld reader generates one-time passwords (OTPs) for logging in to home banking, but the OTP authenticates only the login, not what is done during the session. Now, as it happens, my bank just sent me one of these and I used it for the first time on Saturday. It worked fine, and I didn't have to remember either my numerical passcode or my secret word. But does it give me security?

It's certainly not obvious that, as a consumer, I would prefer one of these OTP 2FA tokens over either a) nothing, b) something simple with mobile phones or c) proper end-to-end security with digital signatures and the like. Bruce Schneier is typically succinct:

What I would want to know from the bank is: Who is liable for fraud when it occurs?
If it's me, I don't want the account or the token. If it's them, I don't care what sort of authentication they use.
This isn't the whole story, of course, because I do care what authentication they use if it's something that's going to cause me major hassle every time I want to log in. The 2FA token certainly will, because I sometimes need to log in to my home banking from work. When I wanted to do this last week I couldn't, because I'd forgotten my 12-digit user identification and I have it written on a sticky note at home. Now, even if I remember to bring the sticky note with me, I'll have forgotten the token.

By contrast, I always have my mobile phone with me. I have no intention of using it to log into my bank's mobile banking service (I tried it once: never again) but I would use it as a 2FA device to log in to my bank on the web. And if that was implemented properly, then ideally I would use the same service (perhaps now an income stream for the bank) to log in to other things as well.
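To make the distinction drawn above concrete (a login-only OTP from a card reader versus "proper end-to-end security" from a device such as a phone), here is an added Python sketch. It is not code from the post or from any bank's system. The OTP function follows RFC 4226 HOTP and is checked against that RFC's published test vector; the toy bank, the transaction-code format, the look-ahead window and the account names are assumptions made for illustration. The point it shows is that a login OTP handed to a look-alike site can be relayed and then used for any payment, whereas a code computed over the payee and amount the user actually saw on the device is useless for a different payment.

```python
"""Login-time OTP versus an end-to-end transaction code (added example).

Models a device (card reader or phone) sharing a secret with the bank.
HOTP per RFC 4226 is used for login; the transaction code is a hypothetical
MAC over the payment details shown to the user. Bank API names are invented.
"""
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret, used here as a constructed sample key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_code(secret: bytes, payee: str, amount_pence: int, digits: int = 8) -> str:
    """Hypothetical end-to-end response: a MAC over exactly what the user saw.

    A real scheme would also bind a counter or nonce to stop replay of the
    same genuine payment; that is left out to keep the contrast clear.
    """
    msg = f"{payee}|{amount_pence}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Bank:
    """Toy bank: HOTP-protected login, or per-payment transaction codes."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # next HOTP counter the bank expects
        self.look_ahead = look_ahead  # resync window for a device that ran ahead
        self.payments = []

    def login(self, otp: str) -> bool:
        """Accept an OTP within the window and burn it (no replay of the same code)."""
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1
                return True
        return False

    def pay_after_login(self, logged_in: bool, payee: str, amount_pence: int) -> bool:
        """Login-only model: once in, any payment goes through unchallenged."""
        if not logged_in:
            return False
        self.payments.append((payee, amount_pence))
        return True

    def pay_signed(self, payee: str, amount_pence: int, code: str) -> bool:
        """End-to-end model: the code must match these exact payment details."""
        expected = transaction_code(self.secret, payee, amount_pence)
        if not hmac.compare_digest(expected, code):
            return False
        self.payments.append((payee, amount_pence))
        return True


def relay_against_login_otp() -> tuple:
    """Victim types the login OTP into a look-alike site; attacker forwards it."""
    bank = Bank(SECRET)
    otp = hotp(SECRET, 0)                       # code shown on the victim's device
    attacker_session = bank.login(otp)          # attacker relays it first
    diverted = bank.pay_after_login(attacker_session, "ATTACKER-ACCT", 250_00)
    victim_session = bank.login(otp)            # victim's own login now fails (code burnt)
    return diverted, victim_session             # (True, False)


def relay_against_transaction_code() -> tuple:
    """Victim computes a code for the payment shown on the device; attacker alters the payee."""
    bank = Bank(SECRET)
    code = transaction_code(SECRET, "PLUMBER-ACCT", 250_00)
    diverted = bank.pay_signed("ATTACKER-ACCT", 250_00, code)   # rejected
    genuine = bank.pay_signed("PLUMBER-ACCT", 250_00, code)     # accepted
    return diverted, genuine                                     # (False, True)


if __name__ == "__main__":
    print("HOTP(0) =", hotp(SECRET, 0))
    print("login-OTP relay (diverted, victim_login):", relay_against_login_otp())
    print("transaction-code relay (diverted, genuine):", relay_against_transaction_code())
```

The HOTP side is standard; what the login-only model lacks is any binding between the code and the payment, which is exactly why a relayed login OTP is enough for an attacker. The transaction-code side is the shape of the "end-to-end" alternative: the device, not the browser, computes a response over the details the user saw, so a phone (or reader) is doing something a phishing page cannot forward usefully.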

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public