Last week, I received my bank’s card reader, which can be used to generate keys for logging into the online system. The card reader replaces the old scheme, which uses a key file, placed on your machine and a password phrase, consisting of (at most) 32 characters. So, now the security is based on the possession of the reader, the card, and the knowledge of the card’s 4-digit pin code. Previously, it was based on the possession of the key file and the knowledge of a password phrase.
Of course, a lot of people will be careless and use a feeble password phrase, or a short one, or one containing important dates, but some people will also use a strong phrase. For example, my password phrase consists of 30 characters, so that’s 36^30 possibilities. I can’t but wonder if the security of the new scheme is far worse for my particular situation. After all, I need to carry both the reader and the card with me when I travel, if I want to access my bank account. Things do get stolen, and breaking a 4-digit pin-code is not very hard. The claim the bank makes, is that having a possession attribute that is not connected to the machine, and thus not to the internet makes it inherently safer. I wonder is that’s really true. It sounds acceptable, until you compare 4^10 to 36^32.