Responding to a scourge of online fraud and identity theft that threatens to undermine public confidence in Internet commerce, major companies are rolling out new services to encourage the adoption of better technology to identify customers, business partners and employees online.
RSA Security and America Online (AOL) recently announced a new program called AOL PassCode that encourages AOL customers to use secure tokens to protect account information. On the same day, VeriSign announced a new service called Unified Authentication that it said would reduce the cost of so-called "strong authentication," such as one-time passwords or hardware smart cards.
The announcements are the latest signs of increasing interest from companies and online merchants in the use of "two-factor authentication," which combines an account password with another "factor" such as a smart card, USB (Universal Serial Bus) token or a one-time password, to combat a steep increase in online crimes that trick users into divulging sensitive financial information, the companies said.
The PassCode program would offer AOL-branded SecurID tokens from RSA to AOL customers for added account protection, vice-president of worldwide marketing at RSA, John Worrall, said.
The program was the first major rollout of multifactor authentication to consumers, senior vice-president of premium services at AOL, Ned Brody, said.
Likening the RSA SecurID token to a "deadbolt lock" on a door, Brody said the service would let security-conscious consumers feel more confident that their AOL account information was secure, especially in light of the increase in phishing scams. This type of fraud uses spam and websites designed to look like legitimate e-commerce sites to part consumers from sensitive information such as user names, passwords and credit card information.
While AOL does not store customer financial information in its accounts, customers increasingly use free storage linked to their AOL accounts to store confidential data such as photos and personal files, including financial files, in addition to email. Company data shows that AOL customers know that static passwords should be updated frequently, but few do so.
The PassCode token would also enforce strong passwords by requiring a unique value to be entered each time users log on to the service, Brody said.
AOL customers can sign up through the company's Web page for the premium service and will pay a $US9.95 one-time fee to receive a keychain token by mail. The company would charge $US1.95 per month to secure one screen name through PassCode, and $US4.95 a month for up to seven screen names, AOL said.
Once the token is received, AOL customers can activate it through their AOL account. After that, customers will log in using their AOL user name and password. They will then be presented with an additional screen asking them to enter the unique, six-digit value displayed on their PassCode token.
Behind the scenes, AOL maintained a database that linked the SecurID token to the AOL user account and tracked the passwords generated by the device, which changed every 60 seconds, Brody said.
The new system will protect users from having their AOL account information stolen in a phishing attack because having an AOL customer's user name and password would no longer be adequate to access an account, he said.
Customers who lost their token could "unbind" their account from the token by answering a number of questions through AOL's website that would identify them, then request a replacement token from the company, he said.
AOL would not estimate how many PassCode tokens it hoped to sell, but said that internal polls and a test run of the service in late 2003 indicated that the interest in purchasing the tokens was "phenomenal", Brody said.
PassCode is just the latest in a series of premium services introduced by AOL in the last 18 months. Other services include AOL Virus protection, which uses McAfee's antivirus software to protect customers from email borne threats.
More to come
The company was planning more security services in coming months, and was also looking at ways to extend the PassCode service to secure other e-commerce services available to its customers, he said.
It also announced a partnership with Microsoft in February to offer SecurID for Windows, a handheld token that allows users to log on to Windows 2000 and XP machines using a one-time password, without requiring a connection to an RSA server to authenticate the user.
Multifactor authentication is also the focus of VeriSign's Unified Authentication program. The new service is an extension of the company's Intelligence and ControlSM Services, which offer businesses network security information and tools.
Companies can use VeriSign's infrastructure to validate strong authentication information for users, while relying on existing user directory services, such as Microsoft's Active Directory and Radius servers, or single-sign on technology, such as IBM's Tivoli Identity Management software, VeriSign said.
User login and permissions information will reside in the customer's user directory, but will be linked to a unique serial number for a secure token or other authentication device stored on a VeriSign server.
Login requests by users would be passed to the VeriSign server where a stored algorithm would validate that the serial number of the secure token or the one-time password was valid for the user requesting access, vice-president of security services at VeriSign, Mark Griffiths, said.
Unified Authentication customers would have the option of deploying the authentication verification service internally or using it as a managed service hosted by VeriSign, the company said.
VeriSign will initially deploy the services with either a USB smart card that contains a digital certificate, or with a clientless one-time password token that generates a unique password for use at Internet kiosks, home computers or personal digital assistants (PDAs), he said.
The company planned to add support for other credentials including cellular telephones with built-in certificates and low-cost "soft certificates" such as scratch cards containing one-time passwords, Griffiths said.
On the back end, VeriSign will distribute a plugin program for Microsoft's Management Console allowing allow customers to link user accounts with a particular strong authentication device for validation.
Separate plugins would redirect authentication requests from Active Directory or other Lightweight Direction Access Protocol (LDAP) directories to the Unified Authentication service for verification, he said.
While VeriSign's service is focused on enterprises and AOL's new service is focused on consumers, the two announcements are a sign of increasing competition within the market for multifactor authentication and public key infrastructure (PKI) technology, which RSA has long dominated, according to Laura Koetzle of Forrester Research.
Long dismissed as too expensive and difficult to implement, PKI and multifactor authentication were again getting the attention of enterprises and consumers frustrated by phishing attacks and hacking, she said.
By lowering the cost of deploying technology like SecurID tokens and PKI infrastructure, VeriSign was hoping to tap into demand among businesses for better login security for employees, business partners and customers, Koetzle said.
The company also hoped to draw in small businesses through its hosted service offering, she said.
At the same time, RSA was driving down the cost of its tokens and trying to popularise the use of multifactor authentication by extending the technology to consumers through the partnership with AOL, she said.
While AOL probably would not sell a token to all of its customers, it could still find a healthy market for the new premium service, Gartner spokesperson, Avivah Litan, said.
A recent Gartner survey found that security was a major concern for about 20 per cent of online consumers and 60-70 per cent of consumers who had been online fraud victims.
Sixty per cent of those surveyed said they would be more likely to spend money through or keep money with an online vendor that implements security technology and gives them a choice of using it, Litan said.