No Longer Two Factor?
By putting the card and the two-factor generator in the same device (which generates the MasterCard SecureCode), doesn't this defeat the purpose of two-factor authentication?
Two-factor authentication just got a whole lot more convenient for residents of Singapore, after Standard Chartered Bank's local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token. MasterCard calls the device a 'Display Card' and says it includes “an …
It would appear a certain amount of ignorance is rife. This device isn't the second factor, it's a mechanism to safely transmit the second factor.
In short, that keypad on the front is used to enter a PIN. The device encrypts the PIN plus a value from an internal clock. The result is displayed and transmitted to the authorizing server, which calculates what the result would have been plus-or-minus a minute or so and, assuming it gets a match, updates its own database with an indicator of what the device's clock thinks the time is.
I'm pretty sure a decent hard token will produce the one time password 123456 approximately 1/1000000 of the time unless they have deliberately compromised cryptographic integrity. If they removed all the number combinations that humans see patterns in then the pool of permitted values quickly declines.
Instead of having to stick the same card into a rather bigger device that does pretty much the same, this is small enough, and hopefully thin enough, to fit conveniently in the old wallet.
Now for open-sourcing everything but the key used to seed the thing so that cryptanalysts might have a look-see whether the algorithms used are any better than, say, DVD's CSS. That lack of transparency is actually becoming more worrisome as banking becomes more computerised.
All that is needed is a one way hash of the internal card number, the PIN and the current time - even MD5 would suffice. Without knowing the internal card number or the PIN there is only 1 chance in 999999 of getting the right value. Note the card does NOT need to know the correct PIN so there will be no indication to an attacker that the wrong PIN has been entered.
Existing implementations of this (which have been around under other brand names for several years) use the standard OATH protocols (see www.openauthentication.org) which are completely open. Not sure about the Nagra case. I know that in the past they have had difficulty in making this work because the display is an LCD and prone to breakage. Some competing products use e-paper for the display.
One problem with these systems is clock drift. Making a crystal keep time under a variety of temperatures while sitting in someone's wallet is not trivial. It can be done with the key-fob tokens which are in wide use, but they have more space to play with. Getting it to work reliably in a thin card form factor is much harder, especially when you factor in an EMV chip, the pad for access PIN entry and perhaps a contactless loop antenna as well, and the result is likely to be quite expensive per unit.
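The scheme the commenters sketch above (a code derived from a per-card secret, the entered PIN and a clock; a server that tries a window of plus-or-minus a step and records how far the card's clock has drifted) is essentially OATH TOTP (RFC 6238) over HOTP (RFC 4226). The following is an added worked example, not code from the article, MasterCard, or any commenter. It assumes a 60-second time step, that the PIN is folded into the HMAC key (so the card never learns whether the PIN was right, as the thread notes), and it uses the RFC 4226 test seed purely as a constructed demo secret; the drift-tracking and replay-rejection logic in the verifier is my own illustration of what such a server would have to do.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII seed from RFC 4226's test vectors.
# A real card carries a per-card seed burned in at issue and never displayed.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # assumption: one-minute granularity, as the commenter describes
DIGITS = 6          # six-digit one-time password, as in the thread's 1/1000000 estimate


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def card_key(seed: bytes, pin: str) -> bytes:
    """Assumption: the PIN is mixed into the key rather than checked on the card.
    A wrong PIN therefore yields a different, useless code with no local feedback."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()


def card_code(seed: bytes, pin: str, card_time: int, step: int = STEP_SECONDS) -> str:
    """What the card displays: TOTP = HOTP(key, floor(card_clock / step))."""
    return hotp(card_key(seed, pin), card_time // step)


class Verifier:
    """Server side: accepts codes within +/- `window` steps of its own clock,
    remembers the card's clock offset, and refuses to accept a step twice."""

    def __init__(self, seed: bytes, pin: str, window: int = 1, step: int = STEP_SECONDS):
        self.key = card_key(seed, pin)   # server holds the same seed and PIN
        self.window = window
        self.step = step
        self.drift_steps = 0             # learned offset of the card clock, in steps
        self.last_counter = -1           # highest counter already used (replay guard)

    def verify(self, code: str, server_time: int) -> bool:
        base = server_time // self.step + self.drift_steps
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue                 # that minute was already spent
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.drift_steps += delta   # resynchronise to the card's clock
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    server = Verifier(DEMO_SEED, "4321")
    code = card_code(DEMO_SEED, "4321", now + 60)   # card clock one minute fast
    print("accepted:", server.verify(code, now), "drift steps:", server.drift_steps)
    print("replay accepted:", server.verify(code, now))
```

The window is what makes the commenter's clock-drift concern tolerable: the server never needs the card to be exactly right, only within a step or two, and each successful login re-centres the window. The `last_counter` guard is the other half of the design; without it the same displayed code could be replayed during the minute it remains inside the window.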
Presumably if the PIN is entered many times over the life of the card then the wear patterns will show the numbers used - albeit not the sequence. Unless one has small fingers, a stylus will be needed for reliable selection of the numbers.
With a Pin Sentry it is easy to even up the wear on keys as a standard procedure before using the card each time.
That's assuming the numbers are actual buttons. They could also be simply touch-sensitive but not powered until the Chip goes in. Such light contact wouldn't leave as strong an impression on the plastic, and by the time it did, it would probably be at expiration, in which case a new card would be issued.