David Howe[SMTP:DaveHowe@gmx.co.uk] writes:

at Sunday, October 20, 2002 2:22 PM, Jim Choate <ravage@einstein.ssz.com> was seen to say:

...

http://theregister.co.uk/content/6/27659.html looks like a dumbed-down version of the secureID system. Basically, it works like this

1. user enters five-digit pin code. code is in colours (four choices) not numbers though. Total pin keylength therefore ten bit. 2. device increments an internal counter, and generates a composite code comprising user id, current clock time and the internal counter (number of times card used, basically) 3. device uses single-DES to encrypt that data, and then binhexes it to give a keycode 4. user types in their username and keycode into website 5. website contacts quizid authentication server and verifies code is valid (and that account has enough to cover the transaction) 6. website completes transaction and bills quizid company 7. quizid company bills user's credit card.

the plus side here is that the website never knows the user's credit card details, and is given a oneshot authentication handle that is useless once verified. the downside is that the system has no way to verify an amount, and is only weakly protected (both in pin (weaker than the usual four digit ATM pin) and in transit (single-des????)

[Disclosure: I work on SecurID]. This was discussed on Perry's Cryptography list last week. It does look kind of like a "dumbed down SecurID" - but what it looks like even more is an ActivCard keychain token http://www.activcard.com/activ/products/end_user/activ_card_one/index.html repackaged into a bigger form factor. The code generation scheme appears similar as well. The Company Info page reveals that ActivCard actually manufactures the device. I'd be nervous about a availability with centralized servers, even if they are "triple redundant with two sites". DDOS attacks, infrastructure (backhoe) attacks, etc, could all wreck havoc. I also wonder about scalability with centralized servers. A BBC article http://news.bbc.co.uk/1/hi/technology/2334491.stm claims 600 authentications/second, in a system which cost UKP 1M in hardware alone. This is not really good enough if you're trying to cover the world (or even just Britain) from one site. AOL gets about *50,000* login attempts per second at peak times, to give one admittedly extreme example. Disclaimer: The above are my personal opinions only. Peter Trei