Story: Mobile phones key to e-commerce security
If RSA's system is based on SMS it's not going to work very reliably.
I actually proposed a One Time Password system over SMS at an EU-sponsored seminar back in 2000, based on some work I had been doing.
Unfortunately, we found that using SMS was not the way, as SMS is regarded as a secondary service to mobile phone companies; they do not guarantee delivery at all, let alone timely delivery (i.e. inside of eight hours).
There are two reasons for this. The first is network prioritisation under load (this effect is often seen at New Year etc. when the network gets loaded). The real reason, however, is that the mobile phone system does not know where your phone is at any one time, only in what cell it was last used.
When a call is placed to you, the network makes a good effort to connect it. However, an SMS will be forwarded on to your last location: if you are still there you get it; if not, the network may or may not make further attempts to deliver it then or at some time in the future, depending on loading.
This is why when you get a phone call you often get your SMSs at the same time, or at odd times of day.
Full Talkback thread
If RSA's system is based on SMS it's not going to... Clive Robinson




