On Wed, 9 Feb 2000, Swift Griggs wrote:

> On Tue, 8 Feb 2000, Andre L. Dos Santos wrote:
> > Many Virtual Banks rely on a fixed length personal identification
> > number (PIN) to identify a user. Some banks allow access to all of
> > their online operations after a successful identification, others
> > require additional identification, like social security number, maiden
> > name or an additional PIN.
>
> You don't mention x509 authentication in your analysis at all. IMHO, you're
> not doing anything here other than bringing up the age old technique of
> brute forcing weak passwords in a circuitous way.

Users want systems that are user-friendly. Banks want to maximize the number of users using their online services. Requiring x509 client certificates goes against both desires (at least for the average user). But it could improve the protections, if all issues with certificates are not considered. I do not include this in the note because I have not seen a bank that requires client x509. Any pointers are welcome.

Andre.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:00 PDT