WebApp Sec mailing list archives

RE: Problems with most web app auth schemes


From: "Cowles, Robert D." <rdc () SLAC Stanford EDU>
Date: Sun, 27 Jul 2003 10:09:12 -0700

Authentication is really an easy problem to solve. The hard part comes when someone is going to USE the authentication 
as the basis for an authorization decision. Now the issue becomes "is the authentication good enough that the risk of 
granting the authorization to an unauthorized user is acceptable?"  Think about the Visa Check Card commercials where the 
clerk thinks facial recognition is good enough to get an autograph from the celebrity but knows it is not good enough 
to accept a check without 3 forms of ID.

The various web app schemes aren't trying to establish iron-clad security. They are trying to reduce the risk of loss 
to the client (customer) and server (merchant) to an acceptable level without being so intrusive that the clients won't 
attempt the transaction or be turned away. 

The reason we can't get better security for current systems is that they pass the "good enough" tests for most clients. 
Merchants and credit card companies have enough data to understand the loss rate. So long as they can recover that in 
the prices they charge, there's no reason to change (same thing applies to ATMs).

Bob Cowles

