Coming from the financial security world, I don't think we want a law mandating a specific token. As an aside: there are many different types of tokens, the type described in the article originated as Secure-ID (the company later bought RSA and changed its name to RSA).

The benefit of changing the responsibility (mentioned by Bruce, etc.) is that it will force the banks to bear the cost of their inadequate practices. Once it starts costing them real money (but only then), the banks will figure out methods of making the systems work better. I?m aware of a number of different tokens, and there are a lot of considerations that can go into selecting the most appropriate version.

An alternate example to tokens is http://www.passmarksecurity.com/. I have no connection to the company was by was intrigued after seeing a presentation at SD Forum?s Silicon Valley Security SIG. Passmark essentially is a flexible security policy enforcer that can request additional user verification when it detects certain types of activity (for example when a user is not at their normal computer, they must answer their cell phone and punch a key before they can perform a sensitive action).

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/363/32537#32537