Whilst I love talking about authentication devices and other such widgets, there’s something going on over at “ideal government” that is worth a look and, better still, a quick post. How often do you get the chance to post what you think it would all look like if you were in charge and actually have people read it? The folks at Kablenet and, specifically, William Heath are behind it. Get over there and post!
AOL announced last week that they would allow their users to protect their accounts with an additional layer of security through using an RSA Device.
The widget is probably the size of a matchbox and has an LCD that shows a multi-digit number that changes every minute or so. When you access AOL, you’ll need (I think) both your usual password and whatever the display shows as its current code. This is a neat extra layer of security designed to protect against phishing or key logging attempts. If someone is watching your keystrokes, the passcode is valid for only 60 seconds after use – pretty difficult to take advantage of.
There are a few flaws here though, which is a shame because (for the most part) we really need something like this to become widely available:
– You have to pay extra for the security – pricing looks to be $10 for the fob and then $1.95 or so a month extra. I’ve not seen many people want to pay extra for security – we’ve got too used to accepting what is there and dealing with it. Not enough people pay extra for firewalls, anti-virus software, anti-spyware software etc, so why will this be different?
– It doesn’t work on all devices. For sure it won’t work on Mac (I am pretty sure that RSA doesn’t yet support OS X) and it almost certainly won’t work on Linux.
– I had one of these RSA widgets (I’m pretty sure it was called a “DES Gold” key at the time) at Citibank and, every so often, it would get out of sync with the main servers at the centre and I’d need to call tech support to sort it out. I can’t see that thrilling AOL (who, given they still have millions of users, will find that, if it ever takes off, a surprisingly large number of people per day get out of sync – the law of averages and all that).
– Eventually the battery will go. Maybe it will take 3 years, maybe less. But it will go.
– There’s another flaw I think, which probably doesn’t apply to AOL, but does if, say, government were to want to use this. The key is not sufficient to digitally sign an XML document – a tax return or benefit claim perhaps – so as to secure it in transmission and provide non-repudiation and a guarantee that it wasn’t changed in flight.
I am, though, pleased that AOL are giving it a try. It might make the technology a little more mainstream and that, in turn, might drive innovation that addresses the flaws.
I’ve not heard that AOL are going to offer to federate the identity – i.e. offer the service to third parties – e.g. banks – but that will be needed if it’s going to take off properly. $1.95 to protect your AOL account is one thing, but that much to protect your three online banks, your broker and perhaps even Amazon is probably a better proposition. And, that way, perhaps the banks would even pay for it as a service to customers and to reduce their exposure to fraud losses.
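As an added illustration (not code from this blog, from AOL or from RSA), here is a sketch of how a server can check a once-a-minute code, refuse a captured code that is replayed, and follow a fob whose clock slowly drifts, which is the out-of-sync problem described above. It uses the open TOTP/HOTP construction (RFC 6238 / RFC 4226) as a stand-in, since the post does not describe RSA's algorithm; the class, function names, window size and seed are all assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code, matching the display that changes every minute
DIGITS = 6   # assumed code length; the post only says "multi-digit"

def code_at(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter, as TOTP uses it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def fob_code(secret: bytes, fob_clock: int) -> str:
    """What the fob displays, given its own (possibly drifting) clock."""
    return code_at(secret, fob_clock // STEP)

class TokenRecord:
    """Server-side state for one fob; every name here is hypothetical."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window     # time steps of skew tolerated on each side
        self.drift = 0           # learned offset of the fob clock, in steps
        self.last_counter = -1   # highest counter accepted so far

    def verify(self, code: str, server_clock: int) -> bool:
        base = server_clock // STEP + self.drift
        # Try the expected step first, then its neighbours.
        for delta in sorted(range(-self.window, self.window + 1), key=abs):
            counter = base + delta
            if counter <= self.last_counter:
                continue         # spent or older code: refuse the replay
            if hmac.compare_digest(code_at(self.secret, counter), code):
                self.last_counter = counter
                self.drift += delta   # follow the fob's clock as it drifts
                return True
        return False             # outside the window: needs a resync

if __name__ == "__main__":
    secret = b"constructed-demo-seed"   # constructed sample value
    rec = TokenRecord(secret)
    now = 600_000
    print(rec.verify(fob_code(secret, now - 45), now))   # slightly slow fob
    print(rec.verify(fob_code(secret, now - 45), now))   # captured code replayed
```

A fob that logs in regularly stays inside the window because the learned drift moves with it; one whose clock has moved more than the window since its last login is rejected and has to be resynchronised out of band.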
Over the summer I’ve been moving house, sorting out a bunch of business issues and trying to get a troublesome problem with my car resolved. And having got successfully through all of that, I had to wait for broadband at the new place – only a 7 day wait, but that was 7 days more than I was interested in at the time. Finally it’s installed and I am back online.
That probably doesn’t mean that I’ll be posting more often. Whilst I’ve missed posting and I’ve missed the interaction with people who send me mails on my posts, I’ve still got a few things that I need to sort.
So e-Government@large will stay quiet for a little longer. Meanwhile, I encourage you to visit the sites that I link to on the left. I’m still keeping up to date with them, you should too.
And, if that isn’t enough, here’s a great site with a game where you get to throw waste paper into a rubbish bin. Or, if you’re anything like me, you get to throw paper on the floor, entirely missing the bin. It’s a popular site so you might have to wait in a virtual line for a bit.