[SSL Observatory] offtopic: sites with client certificate authentication
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Aug 16 22:29:31 PDT 2011
Erwann Abalea <eabalea at gmail.com> writes:
>The problems are more technical, and not balanced by a real benefit.
Interesting. I've run into something like this in another online tax-filing
case where there was debate over enforced password changes (conclusion: no,
because with once-a-year use the user will be forced to change it every single
time they file a return) and how to auth users (no-one will remember a
once-a-year password). The solution that was used was to print an
authenticator on the tax notice that was sent out, sort of like a TAN, and use
that to authenticate the return.
(An additional consideration for NZ is that many/most(?) people never file a
tax return; tax is deducted automatically from wages by the employer and all
you get is a summary of earnings, so this considerably reduces the potential
load on any online filing system. What's left are mostly businesses and
special-case earners.)
Peter.