Re: The Register - UK firm touts alternative to digital certs (fwd)
at Sunday, October 20, 2002 2:22 PM, Jim Choate <ravage@einstein.ssz.com> was seen to say:
http://theregister.co.uk/content/6/27659.html

Looks like a dumbed-down version of the SecurID system. Basically, it works like this:

1. User enters five-digit PIN code. Code is in colours (four choices), not numbers, though. Total PIN key length therefore ten bits.
2. Device increments an internal counter, and generates a composite code comprising user ID, current clock time and the internal counter (number of times card used, basically).
3. Device uses single-DES to encrypt that data, and then binhexes it to give a keycode.
4. User types in their username and keycode into website.
5. Website contacts Quizid authentication server and verifies code is valid (and that account has enough to cover the transaction).
6. Website completes transaction and bills Quizid company.
7. Quizid company bills user's credit card.

The plus side here is that the website never knows the user's credit card details, and is given a one-shot authentication handle that is useless once verified. The downside is that the system has no way to verify an amount, and is only weakly protected (both in PIN (weaker than the usual four-digit ATM PIN) and in transit (single-DES????)).
participants (1)
-
David Howe
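A sketch of steps 2 to 5 of the flow described in the post, as an added example that is not part of the original message and not Quizid's code. HMAC-SHA256 stands in for the single-DES and binhex step, and `make_keycode`, `AuthServer`, `amount_pence`, the 60-second window and the card key are hypothetical; it shows the one-shot replay check on the server and that nothing in the keycode commits to an amount.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60  # assumed clock tolerance; the post does not give one


def make_keycode(card_key: bytes, user_id: str, now: int, counter: int) -> str:
    """Device side: combine user id, clock time and use counter, then key it.

    HMAC-SHA256 stands in for the single-DES step (the stdlib has no DES).
    Time and counter travel in clear beside the tag so the server can
    recompute it; the device described in the post encrypts them instead.
    """
    body = struct.pack(">IH", now, counter)  # 4-byte time, 2-byte counter
    tag = hmac.new(card_key, user_id.encode() + body, hashlib.sha256).digest()[:6]
    return (body + tag).hex()


class AuthServer:
    """Hypothetical verification service holding one key per user."""

    def __init__(self, card_keys: dict):
        self.card_keys = card_keys
        self.last_counter = {}  # highest counter accepted so far, per user

    def verify(self, user_id: str, keycode: str, now: int, amount_pence: int) -> bool:
        key = self.card_keys.get(user_id)
        try:
            raw = bytes.fromhex(keycode)
        except ValueError:
            return False
        if key is None or len(raw) != 12:
            return False
        body, tag = raw[:6], raw[6:]
        expected = hmac.new(key, user_id.encode() + body, hashlib.sha256).digest()[:6]
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key, wrong user, or altered code
        stamp, counter = struct.unpack(">IH", body)
        if abs(now - stamp) > WINDOW_SECONDS:
            return False  # stale code
        if counter <= self.last_counter.get(user_id, -1):
            return False  # replay: the handle is useless once verified
        self.last_counter[user_id] = counter
        # amount_pence is never checked: the keycode carries no amount
        return True
```

Binding the amount would mean feeding it into the keyed step on the device, which the described card has no way to take as input.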