Of the four obstacles addressed in the paper (Latency, Lack of privacy, Convenience, and Reliance on a 3rd party), I think Convenience is the main killer of this technology.
Chase Bank implements something similar to SAW. Whenever I log into Chase, the server checks my current IP against my previous login IP. If the IP addresses differ, they e-mail me a token which I need to enter along with my password to enter the site. I say from experience that this is annoying as hell.
While authenticating over an IM protocol still has its obstacles (Privacy and Reliance), the Latency and Convenience issues become more tolerable.
One potential problem I see with this system (which is not as applicable today as it was a few years ago) is ability to support users without an e-mail address or IM identity. Can site owners safely assume that everyone has an e-mail address in this day and age? How about IM?
Chase Bank implements something similar to SAW. Whenever I log into Chase, the server checks my current IP against my previous login IP. If the IP addresses differ, they e-mail me a token which I need to enter along with my password to enter the site. I say from experience that this is annoying as hell.
While authenticating over an IM protocol still has its obstacles (Privacy and Reliance), the Latency and Convenience issues become more tolerable.
One potential problem I see with this system (which is not as applicable today as it was a few years ago) is ability to support users without an e-mail address or IM identity. Can site owners safely assume that everyone has an e-mail address in this day and age? How about IM?