jmjanzen
Posts: 192 | Thanked: 60 times | Joined on Sep 2008 @ Wichita, KS
#1
Bank of America is selling something called a "SafePass Card" for a flat, one-time $20. they claim (i tried to link to the pop-up where this is written, to no avail. just trust me, it's on the BoA website):
With the SafePass Card, you ... Don't need mobile device reception or battery power
background: They've offered free SafePass services for anyone with an account there for a year or so now. enabling safepass adds an extra layer of security by sending a randomly-generated 6-digit code to the mobile phone of your choice. the code expires as soon as you enter it. once you've signed up, you can't log in to online banking without that 6-digit code, so you must always have your phone with you to sign on. i always have my phone with me, so i was somewhat interested....

back to my frustration/confusion: this card supposedly generates 6-digit codes (#1) without battery power and (#2) without mobile device reception. #1 is highly improbable. i'm 99.9% sure there's no solar cell or dynamo involved, so i assume it's just a lie. of course, most people won't contend it because they'll lose or break the card before the battery dies. but what really drives me nuts is #2. i can't even IMAGINE what they MEAN by that. how can a card, unable to communicate with the bank's website, replace the free service that works with cell phones?!?

i've googled for about an hour and can't find any answers. someone, please help me out here, or at least confirm that i'm not missing some really obvious explanation for this!
 
Khertan
Posts: 1,012 | Thanked: 817 times | Joined on Jul 2007 @ France
#2
SecurID: http://en.wikipedia.org/wiki/SecurID

But as it's time based ... i don't understand how it's possible to generate one without power.
 
jmjanzen
Posts: 192 | Thanked: 60 times | Joined on Sep 2008 @ Wichita, KS
#3
ah, thank you, khertan.

so the card and the website are synchronized (in a more true sense of the word than 80% of the time it's used these days). but then there must be a fairly accurate clock running inside that card, PLUS you couldn't really generate a new code every time you press the button on the card, like BoA says. there'd just be a new code every 30-60 seconds. they could narrow the intervals, i guess, but that would require an even more accurate clock and even calculating a new code every 5-10 seconds would really suck the juice out of a credit-card-size battery pretty fast, wouldn't it?
 
jmjanzen
Posts: 192 | Thanked: 60 times | Joined on Sep 2008 @ Wichita, KS
#4
ok, so if the card gets out of sync, you can probably call BoA and have them re-sync it for you... and the card is probably marked with an expiration date, such that it expires before the battery is predicted to die.
 
Posts: 39 | Thanked: 13 times | Joined on Apr 2008 @ Genoa, Italy
#5
Originally Posted by jmjanzen:
there'd just be a new code every 30-60 seconds. they could narrow the intervals, i guess, but that would require an even more accurate clock
I didn't see the news but I suppose the code is something the user has to type somewhere, so the code has to last long enough to allow it.
You could still generate a different code every second even if the validity is 60 seconds since the time they were generated.

Originally Posted by jmjanzen:
and even calculating a new code every 5-10 seconds would really suck the juice out of a credit-card-size battery pretty fast, wouldn't it?
Since it is time based the new calculation happens only when it is required, usually once for each session.
 
Posts: 37 | Thanked: 9 times | Joined on Nov 2008
#6
This sounds like the device that PayPal uses, which is similar to RSA's SecurID card. Don't worry about the time getting out of sync. I know that the RSA card uses proprietary methods for keeping the clocks in sync, each time you log in. Also, there is a battery in the device, but the battery is designed to last 3 years or more. The battery is not something to worry about because the device is designed to self-destruct prior to the battery dying. No smoke or flames, just a blank display.
 
Benson
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#7
That's boring. If I get a self-destructing security device, I expect some flames.
 
Caira
Posts: 22 | Thanked: 6 times | Joined on Jan 2008 @ San Diego area
#8
I had a SecurID card for using my laptop to connect to the company network at my previous job. You would enter a PIN, and it would give you a login code. There was a repeating countdown on the card, and when it hit 0, the code was no longer good. (I think this was 5-4-3-2-1 tick marks, but I don't remember for sure). Each repetition of the countdown took maybe 30 seconds (maybe less), so if it was low, you'd wait for it to start the next cycle before entering your PIN.

I think if you entered your PIN twice during a single cycle, you'd get two different codes, but the second code wouldn't work. I can't remember for sure, though. The card was the size of a credit card, only about 3 times as thick. The card did of course have a battery, but I had it for 2-3 years, and the battery didn't die in that time span.

Edit - forgot to mention: appropriately enough for this forum, that previous job was at Nokia.

Last edited by Caira; 2009-01-29 at 01:30. Reason: Note previous employer
 
Posts: 89 | Thanked: 24 times | Joined on Jun 2006
#9
The RSA key thing works about the same as Caira describes. Each login requires your password and the code on the RSA key. You have to wait for the next code if you're logging in more than once. Basically, one password + code per login. There's an internal battery and it "self destructs" at the end of its life.
 
Posts: 1 | Thanked: 0 times | Joined on Feb 2009
#10
I know it's a two week old thread, but I stumbled across it while trying to figure out how this BofA safepass card thing works. I got one, for curiosity first, and security second (I know, priorities).

Anyway, the back says it contains a lithium battery, and to destroy it only by cutting along a specific marked line. If anyone is interested, it's branded as nagraID. Mine states V.1.4.1. http://www.nagraid.com/index.html

To sync it with your BofA account, you need to input the card serial number along with TWO generated codes in short succession of one another.

So anyway, that's that!
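
Added example, not part of any post above and not Bank of America's or the card vendor's code: a counter-based one-time-code scheme (RFC 4226 HOTP) is one design that fits what the thread describes, namely a new code on every button press, no link between card and bank, and a re-sync that needs two codes in succession. The thread does not establish which algorithm the SafePass card actually uses; the `Card` and `Bank` classes, the window sizes and the shared secret are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Card:
    """Hypothetical token: a secret and a press counter, no radio, no clock."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1  # every press consumes one counter value
        return code


class Bank:
    """Hypothetical verifier holding the same secret for this card's serial."""

    def __init__(self, secret: bytes, window: int = 3, resync_window: int = 50):
        self.secret, self.counter = secret, 0  # next counter value expected
        self.window, self.resync_window = window, resync_window

    def _match(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter), code)

    def verify(self, code: str) -> bool:
        """Normal login: small look-ahead, and an accepted code cannot be reused."""
        for c in range(self.counter, self.counter + self.window):
            if self._match(c, code):
                self.counter = c + 1
                return True
        return False

    def resync(self, first: str, second: str) -> bool:
        """Wide search that only accepts codes from two consecutive counters."""
        for c in range(self.counter, self.counter + self.resync_window):
            if self._match(c, first) and self._match(c + 1, second):
                self.counter = c + 2
                return True
        return False
```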
 
All times are GMT.