My bank, Barclays, has sent me a new toy.
And here it is, the Barclays PINsentry™:
When I want to use online banking now, I enter my User ID and an 8-digit number I get from this device after sticking my debit card into it, pressing IDENTIFY then entering my PIN.
Kudos to Barclays for this: it’s statistically significantly more secure than using the 5-digit number and memorable word I’ve had for the last 7 years; very easy to use; and because it’s a completely standalone device it doesn’t prevent me from using online banking from whatever crazy OS I feel like using today.
Technically, I’m assuming this works in the obvious way:
PINsentry sends the current time (relatively coarsely quantised, I’d assume) to an application in the chip on my card, which will encrypt it with the private key on my card. The application asks for my PIN, which the device acquires on its behalf; the application then performs the encryption operation and returns the encrypted data. This is converted into an 8-digit number and shown to me, so I can enter it into the website. A backend thing at Barclays decrypts it with the corresponding public key and verifies that it is a time from the last 5 minutes or so.
Thus I am authenticated. There’s a similar process using the SIGN button and requiring the recipient’s account number and the amount to be transferred for when I want to send large sums of money to someone or pay a new party.
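As an added illustration, not code from this post or from Barclays, here is a toy model of the scheme assumed above: a card that refuses to answer without the right PIN, a coarsely quantised clock, an 8-digit code, and a bank that accepts any time step from the last five minutes once only, with the SIGN variant binding account number and amount. It substitutes a shared secret and an HMAC for the per-card private/public key pair, and the 30-second time step is an assumed value; neither is taken from the post.

```python
import hmac
import hashlib

TIME_STEP = 30      # assumed quantisation of the clock, in seconds
WINDOW = 300        # the bank accepts times from "the last 5 minutes or so"
DIGITS = 8

def _code(key: bytes, fields) -> str:
    # Truncate a MAC over the fields to a fixed-width 8-digit decimal code.
    msg = "|".join(str(f) for f in fields).encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 10**DIGITS:0{DIGITS}d}"

class Card:
    """Stand-in for the chip on the debit card: holds the secret and the PIN."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def identify(self, pin: str, now: float):
        if pin != self._pin:            # the card computes nothing without the PIN
            return None
        return _code(self._key, ["IDENTIFY", int(now) // TIME_STEP])

    def sign(self, pin: str, now: float, account: str, amount_pence: int):
        if pin != self._pin:
            return None
        return _code(self._key, ["SIGN", int(now) // TIME_STEP, account, amount_pence])

class Backend:
    """Bank side: recomputes the code for every time step inside the window."""
    def __init__(self, key: bytes):
        self._key = key
        self._used = set()              # codes already accepted, to block replays

    def _verify(self, label, extra, code, now) -> bool:
        latest = int(now) // TIME_STEP
        for step in range(latest, latest - WINDOW // TIME_STEP - 1, -1):
            expected = _code(self._key, [label, step, *extra])
            seen = (label, step, tuple(extra))
            if hmac.compare_digest(expected, code) and seen not in self._used:
                self._used.add(seen)
                return True
        return False                    # wrong PIN, stale time, replay or tampering

    def check_identify(self, code, now):
        return self._verify("IDENTIFY", [], code, now)

    def check_sign(self, code, now, account, amount_pence):
        return self._verify("SIGN", [account, amount_pence], code, now)
```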
As yet, they say the RESPOND button isn’t used. I’m slightly intrigued by what it will be used for. When I press it and enter my PIN it asks for a number; enter between 1 and 8 digits and it gives an 8-digit number as output. I’m guessing they will encrypt something with my public key, tell me the encrypted digits on the web, and that the IDENTIFY button will decrypt it, then encrypt the time with it and tell me that result.