- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 12 Apr 2007 10:27:13 +0100
- To: Chuck Wade <Chuck@Interisle.net>
- CC: michael.mccormick@wellsfargo.com, public-wsc-wg@w3.org
There is inertia, but that's not, e.g. a reason to anoint something as
good or inevitable. Perhaps it is a reason to push back to the extent
that that'd help. There are also geographic variations in the amount of
inertia, e.g. our east coast is not yours; other places are, I believe,
even less like any of your coasts (in terms of legislated privacy
protection).

Basically, what I dislike technically about these schemes is that since
each bank's (or, worse, service provider's) DB can be used to try to
spoof me to anyone else that uses such a scheme, then any site requiring
such a scheme is potentially broadly threatening to me (as a user). Same
as with biometrics - I only have 10 fingers and a small number of
mothers-in-law (1 in my case:-) and changing any of those is way too
hard. Weak passwords +/- funny handshakes are way better in that
respect.

Bottom line I think is that any text about this stuff would have to
contain quite a bunch of caveats.

S.

Chuck Wade wrote:
> Stephen,
>
> I certainly share your sentiment, and your points are valid. However,
> there is so much inertia behind knowledge-based queries that decrying
> the problems with privacy and ineffectiveness is likely to be dismissed
> by most financial services providers and the vast industry that has
> emerged to serve this need. My observations are that many serious-minded
> people in the financial industry see the problems with knowledge-based
> queries, but it's hard to fight a system that has become so integral to
> the way everything is done.
>
> The reality is that people will use what works--or what they /think/
> works. Unless preferable alternatives are presented, this W3C group
> could come across as another bunch of Northeast liberals railing against
> perceived privacy threats. Not only might we be ineffective, we could
> cause some to discount the value of our collective recommendations.
>
> A better strategy in my mind would be to develop improved ways for Web
> sites and user agents to authenticate each other in the everyday cases
> that matter the most. The goal should be to reduce as much as possible
> the need for reliance on knowledge-based queries to improve
> authentication confidence. Then, the remaining uses would be for unusual
> circumstances where the parties are just getting to know each other,
> such as during an account opening transaction with a financial institution.
>
> Put another way, the real problem with authentication based on shared
> knowledge is /not/ that it is used at all, but that it has become /used
> way too much./ In the absence of workable Web security, it is
> understandable that financial institutions under strong pressure to
> protect their customers (and themselves) will use a resource at their
> disposal. This is analogous to the farmer who diverts a little bit of a
> river to irrigate his fields. One farmer, not a problem. But when the
> river's banks become lined with farms all taking their little bit, this
> resource becomes overtaxed, and everyone suffers. Such trends cannot be
> reversed by merely discouraging use of the river for irrigation.
> Instead, the farmers have to be given some viable alternatives before
> they can afford to change their ways.
>
> ...Chuck
> _____________________________
> Chuck Wade, Principal
> Interisle Consulting Group
> +1 508 435-3050 Office
> +1 508 277-6439 Mobile
> www.interisle.net
>
>
> Stephen Farrell wrote:
>>
>>
>> Just dipping in (and out:-) quickly, but I think this is an interesting
>> aspect to think about.
>>
>> michael.mccormick@wellsfargo.com wrote:
>>
>>> The much maligned Mother's Maiden Name is an example of weak KBA …
>>> but much stronger ones are possible using the enormous databases of
>>> personal data that are available from brokers today. So I think the
>>> SPK "anti-pattern" would benefit from being softened a bit to
>>> acknowledge there's a place for it under certain conditions.
>>
>> While I agree with your overall point, I think the above paragraph
>> implies that such schemes are problematic since they depend upon, and
>> thus encourage, the collection of such databases. That has two problems,
>> first, authentication schemes that are privacy unfriendly like this
>> are (IMO) problematic, and second, they inherently create a very
>> nice target DB - a good bit worse than e.g. a weak shared secret DB
>> that's protected via EKE and maybe Ford-Kaliski sharing (sorry don't
>> have a reference to hand - ask PHB).
>>
>> Stephen.
>>
>>
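The technical point in this exchange, that a knowledge-based-authentication (KBA) database is a credential for every other site asking the same questions, whereas a per-site password verifier DB is not, can be made concrete with a small model. The following is an added example written for this archive page, not code from the thread or from any of the participants; the user, the facts, the site names and the password are all constructed, and `VerifierSite` is a simplified stand-in (a salted PBKDF2 verifier) for the EKE/SRP-style verifier databases the mail contrasts KBA with, not an implementation of EKE or Ford-Kaliski.

```python
"""Constructed model: a leaked KBA record works as a credential at other
KBA sites; a leaked per-site password verifier does not work anywhere.
Everything here (user, facts, sites, password) is made up for illustration."""
import hashlib
import hmac
import os

# Constructed personal facts for one user, the sort a data broker holds.
ALICE_FACTS = {"mothers_maiden_name": "Keane", "first_pet": "Rex", "birth_city": "Galway"}


class KbaSite:
    """Relying party that authenticates by asking for static personal facts.
    Each site stores the facts it asks for; those facts are the same ones
    every other KBA site relies on, so the store is a cross-site credential."""

    def __init__(self, name, questions):
        self.name = name
        self.questions = questions          # which facts this site asks for
        self.records = {}                   # user -> {question: answer}

    def enroll(self, user, facts):
        self.records[user] = {q: facts[q] for q in self.questions}

    def verify(self, user, answers):
        stored = self.records.get(user)
        if stored is None:
            return False
        return all(
            hmac.compare_digest(stored[q].lower(), answers.get(q, "").lower())
            for q in self.questions
        )


class VerifierSite:
    """Relying party that stores only a per-site salted password verifier.
    Simplified stand-in for an EKE/SRP-style verifier DB: the stored value
    is derived from the password with a per-site random salt and is not
    what a client ever sends, so a copy of it is not a usable credential."""

    ITERATIONS = 100_000

    def __init__(self, name):
        self.name = name
        self.records = {}                   # user -> (salt, verifier)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   VerifierSite.ITERATIONS)

    def enroll(self, user, password):
        salt = os.urandom(16)               # fresh per user and per site
        self.records[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, verifier = rec
        return hmac.compare_digest(verifier, self._derive(password, salt))


def kba_leak_authenticates_elsewhere(bank_a, bank_b, user):
    """True if bank A's stored KBA record for `user` satisfies bank B's
    challenge: the static facts are shared, so the leak transfers."""
    leaked = bank_a.records[user]
    return bank_b.verify(user, leaked)


def verifier_leak_authenticates(site_a, site_b, user):
    """Try replaying site A's stored verifier as the password at site A and
    at site B; returns (works_at_a, works_at_b). Both are False because the
    verifier is a one-way, salted derivation, not the password itself."""
    _salt, verifier = site_a.records[user]
    as_password = verifier.hex()
    return site_a.verify(user, as_password), site_b.verify(user, as_password)


def demo():
    bank_a = KbaSite("bank A", ["mothers_maiden_name", "first_pet"])
    bank_b = KbaSite("bank B", ["mothers_maiden_name"])
    bank_a.enroll("alice", ALICE_FACTS)
    bank_b.enroll("alice", ALICE_FACTS)

    site_a = VerifierSite("site A")
    site_b = VerifierSite("site B")
    site_a.enroll("alice", "correct horse")
    site_b.enroll("alice", "correct horse")   # weak password reused on purpose

    return {
        "kba_leak_transfers": kba_leak_authenticates_elsewhere(bank_a, bank_b, "alice"),
        "verifier_leak_transfers": verifier_leak_authenticates(site_a, site_b, "alice"),
        "legit_password_still_works": site_b.verify("alice", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salted-verifier half deliberately reuses the same weak password at both sites, the "weak passwords" case the mail prefers: even then, a copy of one site's record does not log in anywhere without first recovering the password, while the KBA record needs no recovery at all. A real EKE or SRP deployment strengthens this further by never sending the password over the wire, which this stand-in does not model.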
Received on Thursday, 12 April 2007 09:37:57 UTC