According to Tan Teik Guan, consumers "don't care" about digital signatures. Merchants do, because they do not want to bear the liability for every fraudulent transaction.
But the tide seems to be shifting in favor of digital signatures, as central banks worldwide increasingly look to two-factor authentication to tighten the security of online transactions.
Two-factor authentication uses either one-time passwords or devices based on Public Key Infrastructure (PKI) technologies, such as smart cards and USB tokens, as the second layer of protection, explained Tan. PKI allows for digital signatures and hence supports non-repudiation of transactions, but it is seen as more expensive to deploy. A one-time password, by contrast, is verified against a secret the bank also holds, so it authenticates the customer but cannot by itself prove to a third party who approved a given transaction.
It is with this in mind that DSSS developed the One-Time Private Key (OTPK), an inexpensive PKI-based solution that addresses authentication needs while complying with digital signature laws. OTPK was one of eight technologies to win a DemoGod award at DemoFall last September.
In Singapore, where DSSS is based, two out of three banks use its authentication servers. The company has subsidiaries in Thailand and the United States, and is planning to expand into Japan.
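The distinction drawn above between one-time passwords and PKI digital signatures is the crux of the non-repudiation argument. The following Go program is an added illustration of that point; it is not code from DSSS or ZDNet Asia and says nothing about how OTPK itself works. It computes an RFC 4226 HOTP, which the bank verifies by recomputing it from the same shared secret (so the bank could equally have produced the code), and then an Ed25519 signature, which the bank verifies with only the customer's public key and so could not have manufactured. The choice of Ed25519, the function names and the sample transaction bytes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then the low `digits`
// decimal digits. Both the customer's token and the bank run this function.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// BankVerifyOTP is the bank's check. It works only because the bank holds the
// same shared secret as the customer's token, which is exactly why a matching
// code cannot prove that the customer, rather than the bank, produced it.
func BankVerifyOTP(sharedSecret []byte, counter uint64, presented string) bool {
	expected := HOTP(sharedSecret, counter, 6)
	return hmac.Equal([]byte(expected), []byte(presented))
}

// NewCustomerKey generates the customer's signing key pair. Ed25519 is an
// assumption for this example; the page does not say what OTPK uses.
func NewCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignTransaction is run by the customer: only the private-key holder can
// produce a signature that verifies under the matching public key.
func SignTransaction(priv ed25519.PrivateKey, tx []byte) []byte {
	return ed25519.Sign(priv, tx)
}

// BankVerifySignature needs only the customer's public key, so the bank can
// check the signature without being able to create one itself.
func BankVerifySignature(pub ed25519.PublicKey, tx, sig []byte) bool {
	return ed25519.Verify(pub, tx, sig)
}

// ForgeWithoutPrivateKey models a party (the bank, or an attacker) that holds
// only the customer's public key and signs with some other key instead.
// The result never verifies under the customer's public key.
func ForgeWithoutPrivateKey(customerPub ed25519.PublicKey, tx []byte) bool {
	_, otherPriv := NewCustomerKey()
	return ed25519.Verify(customerPub, tx, ed25519.Sign(otherPriv, tx))
}

func main() {
	// Constructed sample data for the demonstration (RFC 4226 test secret).
	sharedSecret := []byte("12345678901234567890")
	tx := []byte(`{"from":"ACC-001","to":"ACC-999","amount":"5000.00","ccy":"SGD"}`)

	// One-time password: token and bank compute the same code from one secret.
	code := HOTP(sharedSecret, 0, 6)
	fmt.Printf("token code %s, bank accepts: %v (bank can compute it too)\n",
		code, BankVerifyOTP(sharedSecret, 0, code))

	// Digital signature: the bank can verify but cannot produce.
	pub, priv := NewCustomerKey()
	sig := SignTransaction(priv, tx)
	fmt.Printf("signature valid: %v\n", BankVerifySignature(pub, tx, sig))
	fmt.Printf("forgery without private key valid: %v\n", ForgeWithoutPrivateKey(pub, tx))

	// Any change to the signed transaction, e.g. the amount, breaks the signature.
	altered := []byte(`{"from":"ACC-001","to":"ACC-999","amount":"50000.00","ccy":"SGD"}`)
	fmt.Printf("signature valid over altered amount: %v\n", BankVerifySignature(pub, altered, sig))
}
```

The OTP half is why the article can say two-factor authentication alone does not give merchants or banks the liability transfer they want: the verifier and the customer are indistinguishable as producers of the code. The signature half is what the digital signature laws mentioned in the intro are built on, and it is the property OTPK is positioned to deliver on a phone or on any PC, according to Tan.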
In an interview with ZDNet Asia, Tan demystifies the company's OTPK technology and discusses its applications and potential.
How different is OTPK compared with other PKI technologies currently available in the market?
The One-Time Private Key that we've invented, and patented, is really to provide the mobility that we see lacking in traditional PKI systems. These systems require you to have a smart card or USB token that has to be plugged into a PC, which needs to be pre-installed with the necessary drivers and libraries in order to carry out transactions online.
We wanted OTPK to be mobile, and yet be in compliance with government regulations--these are the two big areas that existing solutions in the market right now cannot fulfill. By mobility, I'm referring to the ability to use a PC wherever you are…or use your own mobile phone to carry out legally-compliant digital signatures.
OTPK sounds a little too good to be true, doesn't it?
There are barriers to adoption, I would say, in three areas. If you're looking at it from a very personal one-man usage of digital signatures…most consumers on the street don't really care about digital signatures. Technology providers and merchants are trying to play up the hype over digital signatures, but consumers don't really care… They see it as really something that's for large enterprises.
Credit card transactions place liability on the merchant and not the consumer. If someone steals your credit card number and uses it to buy something, and the merchant wants to charge you for it, you can say 'Hey no, that's not my credit card. You go figure out how the fraud occurred, I'm not paying for the charges.' The merchant bears the liability.
So, from a consumer point of view, you would question: 'Why am I signing a transaction which I'm now going to be liable for?' Signatures transfer liability--if the merchant has a signature from you, he can then take you to court. So why should consumers want to use the signature?
It's the organizations that want digital signatures to protect them from the liability involved in the transactions. But digital signatures currently come at a cost. For example, OTPK requires authentication infrastructure to be in place first before we can implement digital signatures.
Two-factor authentication is currently being rolled out in Singapore, and is already in use in a few other countries. That will obviously help in the adoption of digital signatures. But unfortunately, the infrastructure is a pre-requisite to deploy OTPK.
Banks in Singapore and Hong Kong, countries which have mandated two-factor authentication, already have one-time passwords in place. Where does DSSS's OTPK fit into the picture?
We see OTPK as the next step that they're moving toward. The technology will gain traction in maybe one-and-a-half years to two years' time, when the market can absorb these kinds of new technologies in order to push out newer forms of electronic transactions that are of higher value and in larger volumes.
OTPK is not here to protect your 50 cents or one dollar-type transactions--there is no value for banks to do that. All they want from simple two-factor is to make sure they have the infrastructure in place before they can start rolling out higher value transactions. Imagine if the banks start to roll out services-related products, for example, that allow their customers to place bets or trade stocks online using their existing banking portals. These are money-making transactions for the bank, but without a good security infrastructure in place, they're not going to make it very far. So we want OTPK to be able to enable them to do these things.
What's the role of certificate authorities (CAs) in this picture then? Will OTPK change things for them?
We're positioning OTPK as a technology for doing digital signatures; we're not positioning