Pantek Library

RE: Problems with most web app auth schemes

From: Cowles, Robert D. <rdc(at)SLAC.Stanford.EDU>
Date: Sun Jul 27 2003 - 13:09:12 EDT


Authentication is really an easy problem to solve. The hard part comes when someone is going to USE the authentication as the basis for an authorization decision. Now the issue becomes "is the authentication good enough that the risk of granting the authorization to an unauthorized user is acceptable?" Think about the Visa Check Card commercials where the clerk thinks facial recognition is good enough to get an autograph from the celebrity but knows it is not good enough to accept a check without 3 forms of ID.

The various web app schemes aren't trying to establish iron-clad security. They are trying to reduce the risk of loss to the client (customer) and server (merchant) to an acceptable level without being so intrusive that the clients won't attempt the transaction or be turned away.

The reason we can't get better security for current systems is that they pass the "good enough" tests for most clients. Merchants and credit card companies have enough data to understand the loss rate. So long as they can recover that in the prices they charge, there's no reason to change (same thing applies to ATMs).

Bob Cowles

Received on Sun Jul 27 17:12:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

