[e-gold-list] RE: two factor cracked - VNUNet.com
George Hara
georgegabrielhara at fastmail.fm
Thu Aug 3 10:20:53 MDT 2006
Patrick,
> "One particularly sophisticated phishing site demonstrated this point when it was uncovered that it could validate and make use of the one-time password credentials live, in real-time, as the user entered their details into the phishing site."
Such things would continue happening until a hardware-isolated solution
is developed. I am (slowly) building an (open source) application
which will run on PDAs, in hardware isolation, which will provide users
with authentication on each action they want to make (it's not limited
to financial transactions). Certainly, no matter how simple things will
be with this application, it will still not address most users, but
only those who are highly motivated to protect their money.
If it catches on, one day it will run on a dedicated device, that is,
one with hardware code protection.
(One interesting thing is that it will support hidden identities,
asymmetric key pairs, by simply creating 100 random-looking slots. This
way, even with a gun pointed at one's head, one can still hide his most
interesting identities, those which protect the most important
accounts.)
The main purpose of AxiomaticId is to allow users to securely access the
accounts they have with service providers. Here are the steps which are
taken by both sides:
* The service provider uses AxiomaticId to create an axiomatic identity
for itself.
* The service provider creates a service descriptor which includes the
public identity and the description of each action which users can
request from the service provider.
* The service provider publishes, on its website, the service
descriptor.
* The user who wants to use the service imports the service descriptor
into AxiomaticId.
* The user uses AxiomaticId to create an axiomatic identity for himself.
* The user creates a user account with the service provider. He sends
his public identity to serve as account authentication information.
* The user uses AxiomaticId, chooses to interact with the service, and
requests that a certain action be executed by the service.
* AxiomaticId parses the service descriptor for the chosen action and
starts a wizard which guides the user step by step to fill in data.
* On a computer which is connected to the Internet, the user starts the
HTML file created by AxiomaticId. This file sends the signed and
encrypted action request created by the user to the service provider.
* The service provider verifies the authenticity of the action request
against the authentication data from the user's account.
* If the action is authenticated, the service provider executes the
requested action.
Details: http://www.gardenerofthoughts.org/ideas/axiomaticid/index.htm