On 7/12/07, <b class="gmail_sendername">Peter Williams</b> <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<div>
<div>
<p><span style="color: rgb(31, 73, 125);">"</span>The average user
doesn't think about too much about security, especially back in the day, but
they want portability. The fact you couldn't transparently log in from your
home machine, a work machine and a public library machine with a client cert
was a major usability problem. <span style="color: rgb(31, 73, 125);">"</span></p>
<p><span style="color: rgb(31, 73, 125);"> </span></p>
<p><span style="color: rgb(31, 73, 125);">So, isn't the same true
with smartcards (e.g. the coming US national id card?), or USB tokens, or
mifare cards, or TPM-equipped PCs that can use a Euro-passport-chip's bio
data. These all (like client certs) require universal terminal-capability -
the USB port, the drivers, the special device readers, etc</span></p>
<p><span style="color: rgb(31, 73, 125);"> </span></p>
<p><span style="color: rgb(31, 73, 125);">If we assume this propositions,
we are surely left with limiting ourselves to conventional passwords –
or perhaps also those OFFLINE password keyfob dongles generating one-time-passwords
every 60s – devices that are (a) portable, and (b) require of the PC terminal
nothing other that which conventional passwords require (i.e. a keyboard to
enter OTP and pin)</span><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
</div>
</div>
</div>
</div>
</blockquote></div>I think we see the issue the same way but have different optimism levels about the non-portable solutions. So far, in the US, I think just about everything other than passwords and OTP keyfobs can be considered a failure in terms of consumer adoption and issuer ROI, except for perhaps the AmEx Blue smart card which was successful in generating subscribers, not actually having the chip be used. A while ago, I used to travel to Europe often where Barclays, among others, had issued chip/magstripe credit cards. When I would go into a hotel and ask them how many people used the chip reader they had at the front desk, the answer was almost none.
<br><br>For nationally issued ID documents, I wouldn't be surprised if government agencies like customs will have readers, but I doubt most individuals will have readers (that require external hardware and software drivers) to use them from their personal computers. After all, why don't end users have magstripe readers for credit cards with their personal computers today? The hardware as been available but I don't think the benefits justify the additional costs.
<br><br>While past adoption is no guarantee of future adoption, I'd say the track record for portable solutions is very good and the track record of non-portable solution is the opposite. I hope it changes but the probability of it happening is the issue. Of course, potential issuers and vendors of these solutions will see the situation differently.
<br><br>-- <br>John Wang<br><a href="http://www.dev411.com/blog/">http://www.dev411.com/blog/</a>