In e-banking, user authentication with mobile phones and special-purpose cryptographic tokens is a promising alternative to conventional approaches, such as digital signatures on a personal computer (PC). Special-purpose tokens that do not have external connections avoid viruses transmitted via the Internet. Moreover, phones and tokens are mobile. The chapter assesses the potential of new technologies for user authentication (verification of the user’s identity) on the basis of a practical test and an analysis of trust. The practical test comprises a password generator, mobile phones with short message service (SMS), wireless application protocol (WAP), and third generation (3G), and (conventional) PC-based authentication, using digital signatures—all as used by a Danish e-bank. On the one hand, the test indicates that in some ways the hardware-based technologies are indeed easier to use. On the other hand, the trust analysis indicates that the secrecy of the new approaches may be a weakness, since there is no publicly available analysis of their security. The secrecy of the hardware-based technologies may be justified by the need to prevent various attacks, such as physically opening a password generator to determine its secret key. A prerequisite for consumer trust in the hardware-based technologies may be the introduction of security evaluation methods that do not disclose the secret parts of the technologies to the public and are conducted by public authorities or independent third parties.