I am talking about the Lloyds bank solution, not one-time passwords. This should be obvious by the context, my flame-happy friend, since one-time passwords do not require h/w and time sync.
"Using a visual hash to protect against keylogging is about as effective as putting a condom on your nose is against pregnancy. Visual hashes protect against impersonation/phishing, one-time passwords protect against eavesdropping/keylogging."
It seems that you have no idea how the SRP-based protocol works. The actual password and the session key are never transmitted, so eavesdropping and phishing are prevented.
Keylogging, however, is a different story.
A combination of SRP with one-time plaintext passwords would prevent both keylogging and all kinds of phishing (to retrieve your SSN, your password, etc.).
Obviously this solution is expensive and inconvenient because users have to get their hands on specialized hardware and carry it.
Furthermore, synchronization issues need to be addressed. I don't think these time-regulated random generators use atomic clocks, GPS or NTP...
Also what about visually-impaired users?
All these issues would not exist if they simply used the Secure Remote Password protocol from Stanford.
http://en.wikipedia.org/wiki/Secure_remote_password_protocol (check references for more details).
There already exist SSL/TLS implementations of this protocol.
A very good solution that uses SRP is suggested in http://www.cs.berkeley.edu/~tygar/papers/Battle_against_phishing.pdf (previously slashdotted).
All the user has to do to verify a site is to compare images that are derived as visual hashes of a common secret session key (used for encryption) and exchanged random data. Audio hashes can also be used for the visually impaired.
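The SRP-6a exchange the post describes, written out as an added example; this is not code from any comment in this thread, from the Stanford SRP reference implementation or from the Berkeley paper. It uses the 1024-bit group from RFC 5054 (Appendix A, g = 2) with SHA-256 as the hash, records every value that crosses the wire so the "password never transmitted" claim can be checked, and adds a `fingerprint` routine that stands in, in simplified form, for the visual/audio hash of the session key and exchanged randoms that the paper has both ends display. The `fingerprint` construction, the `secret_on_wire` check and the function names are assumptions of this example, not part of the protocol specification.

```python
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A (g = 2). Kept small so the
# demo runs quickly; deployments should prefer the 2048-bit or larger groups.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
GROUP_BYTES = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Big-endian encoding left-padded to the group size (RFC 5054 PAD())."""
    return n.to_bytes(GROUP_BYTES, "big")


def H(*parts: bytes) -> int:
    """Hash the concatenation of the parts and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(s, H(I ":" P)); only the client ever computes this from the password."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(identity: str, password: str) -> tuple:
    """Registration: the server stores only (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def fingerprint(K: bytes, A: int, B: int) -> str:
    """Assumed simplification of the paper's visual hash: a short value derived from
    the session key and the exchanged randoms, which both ends render and compare."""
    return hashlib.sha256(K + pad(A) + pad(B)).hexdigest()[:8]


def srp_session(identity: str, typed_password: str, salt: bytes, verifier: int) -> dict:
    """Run one SRP-6a exchange between a client holding the typed password and a
    server holding (salt, verifier); every wire message is recorded in order."""
    wire = []
    # Client -> Server: identity and ephemeral public value A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    wire.append(("C->S", identity.encode() + pad(A)))
    # Server -> Client: salt and B = k*v + g^b (the verifier is blinded by g^b)
    b = secrets.randbelow(N - 2) + 1
    B = (k * verifier + pow(g, b, N)) % N
    wire.append(("S->C", salt + pad(B)))
    # Both sides reject trivial public values and derive the scrambler u = H(A, B)
    if A % N == 0 or B % N == 0:
        raise ValueError("trivial public value")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("zero scrambling parameter")
    # Client: S = (B - k*g^x)^(a + u*x); the typed password enters only here
    x = private_x(salt, identity, typed_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: S = (A * v^u)^b; needs the verifier, which a phishing site lacks
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    K_server = hashlib.sha256(pad(S_server)).digest()
    # Client proves knowledge of K with M1; the server checks it before proceeding
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    wire.append(("C->S", M1))
    expected = hashlib.sha256(pad(A) + pad(B) + K_server).digest()
    return {
        "wire": wire,
        "client_key": K_client,
        "server_key": K_server,
        "server_accepts": secrets.compare_digest(M1, expected),
        "client_fingerprint": fingerprint(K_client, A, B),
        "server_fingerprint": fingerprint(K_server, A, B),
    }


def secret_on_wire(result: dict, secret: str) -> bool:
    """True if the secret's bytes appear in any message of the recorded exchange."""
    return secret.encode() in b"".join(msg for _, msg in result["wire"])


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse battery staple")  # constructed sample user
    good = srp_session("alice", "correct horse battery staple", salt, v)
    print("keys match:", good["client_key"] == good["server_key"])
    print("password on wire:", secret_on_wire(good, "correct horse battery staple"))
    print("fingerprints:", good["client_fingerprint"], good["server_fingerprint"])
```

Running it with the right password gives matching keys and matching fingerprints while the password bytes never appear on the wire; with a wrong password, or against a server that holds a verifier for some other password (the phishing case), the two fingerprints differ and the server rejects M1. Nothing here stops a keylogger from capturing what was typed, which is the point the post concedes.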
This is because you login regularly, allowing your card to resync. What happens if you access your account much less frequently?