Cookies haven’t been the huge issue they used to be, these last few years. People have gotten their heads around distinctions like session cookies versus permanent cookies versus third party cookies, for the most part. But banks seem to push the envelope in pursuit of higher security, and some of the things they try seem to require cookies used in relatively unusual ways.

In one bank scheme I’ve seen, a cookie pre-identifies you when you get to the login page, and in addition to the usual username and password boxes, it’s preloaded an image I chose when I registered. Supposedly the image can’t be counterfeited, and if I recognize it, I’m supposed to be reassured that I’m not at a phishing site, and it’s safe to proceed to log in. Sounds good in concept, since it could prevent you from supplying a password at a phishing site. But if you lose that cookie, the site won’t begin the login process, and somehow you need to reestablish your credentials. It hasn’t happened yet so I don’t know what the procedure is, but it can’t be pretty.

There are a lot of ways to address the problem of authenticating online, but anything beyond supplying a memorized code has the Achilles Heel of requiring you to posses some kind of documentation to identify yourself to a computer. Digital certificates would be far more secure than cookies, but you’d still be SOL if you lose the certificate. In all places at all times, you’re hosed if your papers aren’t in order.