Guillaume's blog

Thoughts on the future of money

Posts from the “security” Category

Using ATM to send cash – no bank account or card required, only a cell phone.

Posted on November 5th, 2008

If you haven’t read this at bankwatch or banktech yet: “Privier’s New ATM Service Requires No Card, Account”. The service is a cash-to-cash service targeted at the unbanked population. After registering a mobile phone online as well as other personal information, a user can go to an ATM, deposit cash, enter a mobile phone number, and receive in return a 10-digit withdrawal code that he can send to someone else. This is essentially an authorization delegation mechanism, and as such it reminds me of OAuth, which allows authorization delegation for APIs on the Web. The main issue here is adoption: the service is only valuable if the receiving party can go to an ATM that supports the technique, so my understanding is that this…

Should banks become OpenID providers?

Posted on June 22nd, 2008

This is a French translation of an earlier post. Almost ten years ago, at the height of the Internet boom, I remember talking with a banker who suggested to me that in the future, the role of banks would not be limited to keeping their depositors' money, but would also include keeping their online identity secret. In a way, this prediction has come true through identity theft protection programs. That said, if one defines identity as the sum of the personal information that distinguishes one person from another and that is difficult or even impossible to obtain, it is clear that a large part of this information (and in particular secrets such as passwords)…

Should banks bank on OpenID?

Posted on May 21st, 2008

Almost a decade ago, at the height of the Internet boom, I remember talking to a banker who told me that in the future, banks would not just keep your money safe, but also your identity. To some extent, this has materialized with identity protection programs offering insurance against the risk of identity theft. That said, if you view the identity as the collection of hard- or impossible-to-obtain information about a person that uniquely distinguishes her from others, you would certainly admit that a big part of this information (in particular secrets such as passwords) is spread around in a variety of online services (60 on average, growing to 200 according to a Yankee report on OpenID). OpenID, as everyone knows, is the open solution…

twauth: mobile authentication with OpenID and Twitter

Posted on May 13th, 2008

I stumbled upon Ian McKellar’s twauth prototype: a Twitter and OpenID based mobile authentication solution. The idea behind twauth is to address the usability issues of current mobile OpenID-based authentication workflows. The particular issue that Ian’s twauth addresses is the effort placed on the user to enter alphanumeric passwords. Twauth addresses this issue by replacing the alphanumeric password entry with a digits-only 5-digit one-time code sent to the mobile phone via Twitter/SMS, which the user then enters on the OpenID authentication page. Here are some screenshots of the complete workflow: 1. Entering the twauth mobile OpenID URL at the mobile ( 2. Instructing the OpenID server to send a direct (private) Twitter message with a 5-digit code (ignore the garbage): 3. The mobile phone that is…

a perfect banking use case for OAuth

Posted on May 13th, 2008

provides a free service, which is able with your authorization, to connect to your bank(s), retrieve your bank account information and all your transactions and provide value-add services with the data. In particular, it allows you to see where your money is spent and gives you hints on how you could save money. I personally think it is a superbly designed UI to the user data held at banks, which shows how much value there is to unlock, and also how much more efficient startups can sometimes be at delivering innovative services than banks themselves. Yodlee, a partner of, was a dot com era example of this and might be their Web 2.0 equivalent. One problem is: requires you to provide your…

Bank of America Online Banking’s user-friendly password strength indicator

Posted on May 13th, 2008

Like many Web services, Bank of America Online Banking provides you with real-time feedback about the strength of your password when changing your password. What’s great with their implementation is that it does it via a thumbs-up indicator for each security rule your password must comply with, which gets updated as the user fills out the password. This technique is the best I’ve seen so far at guiding the user into providing a secure password in a short amount of time, thus improving an experience that is generally frustrating given the generally low perceived value by users of these increasing security requirements (just like with anything security-related, users don’t value it until something bad happens to them). This is a nice evolution from indicators that merely…