This GEMALTO mini online banking authentication device and IBM's USB dongle stick (whatever it's called) are not any better than a simple time-based OTP generator.
And no, I don't work for RSA or Verisign or any of these companies that offer these time-based OTP generators.
I have been searching for the best multi-factor authentication method/device for quite some time now. In my opinion, a simple time-based OTP generator such as RSA's SecurID is the most efficient in the market. They come in different shapes: a key shape, a credit card form, etc.
Adding a smartcard reader and requiring the user to insert a smartcard and enter a PIN code just to generate an OTP (which is probably an event-based OTP) is too many steps that actually provide less than what a simple time-based OTP generator can provide.
So, as far as I am concerned, it's MUCH ADO ABOUT NOTHING.
Perhaps one can argue that a user is compromised if his simple time-based OTP generator is lost or stolen. But then again, the same applies if the user loses his smartcard(s).
What I did find in the course of my search for the best authentication system is a set of systems created by a French engineer (who, by the way, has a patent pending, filed worldwide; I checked) that require 'MUTUAL' authentication of both business and consumer (B and C), preferably using strong multi-factor authentication methods.
- His preferred embodiment is that the 'mutual' authentication of the two parties (B and C) is done by a Trusted Third Party, and the multi-factor authentication method uses time-based OTPs.
- His is the only system that I know of that has developed an OTP generator that businesses can use to authenticate themselves to their consumers. I thought that this was very wise indeed, since phishing is possible only because the business ("B" in B2C) somehow never positively authenticates itself to the consumer ("C").
- Another great benefit of his system is that, since it is the Trusted Third Party that authenticates both parties (so the management of OTPs for businesses and consumers resides with that Trusted Third Party), a single OTP device given to a consumer can be used with many different businesses ("Bs").
- Ergo, this new system can spread the cost of any expensive multi-factor authentication device/system. Imagine small online merchants being able to benefit from this system, or how this can strongly secure P2P transactions!
- The Trusted Third Party in this new system also compares many other elements, which totally thwarts man-in-the-middle attacks and phishing.
But as a consumer, what I truly like about this is that with one time-based OTP generator I can authenticate myself to one or many parties who I know have also been authenticated by the Trusted Third Party. For other parties, such as small businesses, big businesses or even a peer, this system makes multi-factor authentication devices quite affordable.
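The mutual, third-party-brokered OTP flow described in the post, sketched as an added example. This is not code from the original post or from the patented system it describes; it assumes plain RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) for both the business's and the consumer's token, a broker that holds every enrolled party's seed, and hypothetical party names ("example-bank", "alice") and a hypothetical `TrustedThirdParty` API. The scenario at the end is constructed: a genuine login succeeds, and a phishing page that relays the consumer's real code still fails because it holds no business seed and so cannot produce the business-side code the broker checks.

```python
"""Mutual TOTP authentication through a trusted third party (TTP).

Added example, not code from the original post or from the system it
describes. Assumptions: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits);
each party's seed is shared only with the TTP; party names and the
TrustedThirdParty API are hypothetical.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6
WINDOW = 1     # accept one step of clock drift on either side


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step, digits)


class TrustedThirdParty:
    """Holds the seed of every enrolled party, businesses and consumers alike,
    and verifies codes from both sides, so one consumer token works with
    every enrolled business."""

    def __init__(self):
        self._seeds = {}

    def enroll(self, party: str) -> bytes:
        """Provision a fresh seed for a party; the seed is loaded into its token."""
        seed = secrets.token_bytes(20)
        self._seeds[party] = seed
        return seed

    def verify(self, party: str, code: str, now: int) -> bool:
        seed = self._seeds.get(party)
        if seed is None:
            return False
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(hotp(seed, c), code):
                return True
        return False

    def mutual_auth(self, business: str, business_code: str,
                    consumer: str, consumer_code: str, now: int) -> dict:
        """Check both codes; succeed only when both parties are genuine.
        The per-side result tells the consumer when the TTP could not
        vouch for the business, i.e. when to walk away."""
        b_ok = self.verify(business, business_code, now)
        c_ok = self.verify(consumer, consumer_code, now)
        return {"ok": b_ok and c_ok, "business": b_ok, "consumer": c_ok}


def demo() -> dict:
    """Constructed scenario: a genuine login, then a phishing page."""
    ttp = TrustedThirdParty()
    bank_seed = ttp.enroll("example-bank")
    alice_seed = ttp.enroll("alice")
    now = 1_700_000_000

    genuine = ttp.mutual_auth("example-bank", totp(bank_seed, now),
                              "alice", totp(alice_seed, now), now)

    # The phisher relays Alice's real code but has no bank seed, so it can
    # only guess the bank's code. To keep the demo deterministic, pick a
    # guess that is certainly outside the bank's acceptance window.
    valid = {hotp(bank_seed, now // STEP + d) for d in (-1, 0, 1)}
    guess = next(c for c in ("000000", "111111", "222222", "333333") if c not in valid)
    phish = ttp.mutual_auth("example-bank", guess,
                            "alice", totp(alice_seed, now), now)

    # Alice's code is still accepted one step later (drift window) ...
    drift = ttp.verify("alice", totp(alice_seed, now), now + STEP)
    # ... but not ten steps later.
    stale = ttp.verify("alice", totp(alice_seed, now), now + 10 * STEP)
    return {"genuine": genuine, "phish": phish, "drift": drift, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the one the post relies on: because the broker holds both seeds, the business side is checked too, and a phishing page cannot pass that check by relaying the consumer's code. The drift window is the usual practitioner trade-off; widening it makes a stolen code usable for longer.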