Can you sell strong authentication in the retail channel?

I often joke that PKI is a technology without a business plan: it provides most of its value to the relying party, but most of the burden falls on the subscriber.

It's this point that I feel is primarily to blame for the limited deployment of user-certificate-based authentication.

The credit card companies understand this; it's why they use the same technology for credit cards today as they did in the 1960s when the first magnetic stripe credit card was introduced. It's not that they think they have some super secure technology; they fully understand the risk, it's just that they manage the risk in other ways.

Their business depends on the free flow of money, which means it's important that as many people as possible have their cards, that they can use them everywhere and that they feel comfortable using them.

The last point is the interesting one. Since fraud in any system is a given, they either needed to find a way to reduce fraud to levels where it's not interesting (deploying things like PKI could help in this regard) or build models where they can predict the risk and then pass it on to the card holder or the merchant.

If they pass the risk on to the card holder directly, the card holder doesn't feel safe using their product, so as an alternative they tell the customer they have $0 fraud liability and then pass as much of the fraud cost as they can back to the merchant as a tax for having access to their customer (the card holder).

The free flow of money has other impacts too: it must be convenient to use their product, otherwise the card won't be used and they don't get their cut.

This exemplifies why PKI has had such limited deployment. It's the e-commerce site that benefits from knowing who the user is in a strong fashion (e.g. using a token), not the user, but it's the user who has to deal with provisioning each machine they want to use with that e-commerce site, and it's the user who has to remember to carry the token if they want to use the site.

This, combined with the fact that users don't think about security the way you or I do, has made it a losing proposition.

But something has changed. It's gotten so bad that as many as 48% of all households have experienced unauthorized use of their credit cards, and it's become a common occurrence to hear about some form of identity theft or the "war on terror" on the local news.

What this means is that users are now more aware of the risks, which results in what Bruce Schneier calls "Security Theater" or "Cover Your Ass" (CYA) security.

I personally believe this represents a business opportunity: with users more aware of the risks they are exposed to, some real, some not so real, they are now willing to take a little bit of that burden onto themselves.

Plus, technology has advanced a great deal in the area of token-based security: devices are easier to use, cheaper to buy, generally more usable thanks to the operating system infrastructure that has been built, and the tokens now have multiple uses built into them.

Take IronKey as an example (be forewarned, I used to work with Dave Jevans, one of their founders, so I might be a little biased on their offering). They have developed a USB token that offers:

  • A cryptographic smartcard that can be used for signing, encryption and authentication.

  • A hardware-backed encrypted flash drive for storing your important documents.

  • A browsing solution that provides a consistent user experience (favorites and all) on every machine you use it on.

  • An anonymizer solution that enables anonymous browsing on the net.

  • A password manager for remembering your passwords so you don't have to.

That's a pretty complete solution, and I would like to believe it represents a solution whose time has come. They have competition, GuardID Systems for one, although there are others too.

I actually did a phone interview with GuardID last year. I was considering leaving Microsoft and thought this would be a product area that I could really help make successful; after all, I used to own the cryptography and smartcard frameworks in Windows. But they were turned off when they found out I was a child prodigy who didn't complete college. Short-sighted if you ask me, but I digress.

In any event, I do think this is a product area whose time has come; if they can put together a reasonable product, get the right retail channel placement and the right partners, I really do think they will be successful.

Posted on Tuesday, March 20, 2007 9:05 PM