August 9, 2007: E-Trade Financial (ETFC), eBay's PayPal, Charles Schwab (SCHW)
and others have started offering customers key-fob-size tokens to boost
log-on safety. Users who opt for these can then only access their
accounts online by typing in an up-to-the-minute passcode that a token
displays. This basically bars identity thieves from getting into
accounts, even if they have an account's user name and regular password.

A central question is how to most easily provide such one-time pass
codes. Tokens can generate and show such codes. But now, with an
embedded chip and display screen, so can thin magnetic-stripe cards
that could serve as credit/debit cards too.

As most people now have cell phones, financial firms are also considering simply sending
users one-time pass codes by text message or automated phone call,
eliminating the need for tokens. Passcode generators can also be built
into cell phone handsets.

In all these methods, the idea is to provide pass codes that could change every minute or so via some device
other than the user's computer. And references
likely "will shift to mobile fairly soon — having a one-time password
sent by SMS (short message service) to your handset," said Nick
Holland, an analyst at financial services consulting firm Aite Group.

The pluses of a text messaging system are that "there's not having to pay
for physical hardware. Most consumers have (cell phones)," Holland said. He
added that big banks are mulling the idea as they plan to expand mobile
banking options. In a recent Aite study, 55% of banks polled said they
were likely to introduce stronger user authentication applications
within two years.

Banks already had to introduce some kind of enhanced user authentication last year to comply with a regulatory
guideline. Several institutions already send pass codes by phone and
text message, to clear a user to proceed with certain transactions.

Tokens have proved a popular, time-tested technology. E-Trade was among the first to bring them to
consumers nearly two-and-a-half years ago, using tokens from RSA
Security, which is now an EMC (EMC) unit.

"We see the largest proliferation around tokens, and I think that's an
'07-'08 phenomenon and then we'll migrate off them," said Fran Rosch,
vice president of authentication services at vendor VeriSign (VRSN). "Over time, we believe the mobile phone is also going to win ... but not all customers are comfortable with text messaging."

VeriSign teamed with PayPal 18 months ago to provide some users of that online
payments service with tokens. That project is ahead of expectations,
says VeriSign Chief Financial Officer Bert Clement. The original order was for a million tokens to be distributed over three years. "We'll do that in a little more than a year," he said.

A third authentication option, after tokens and text messaging, is the
credit card type. When a pressure-sensitive area of the card is
touched, a display built into the card shows a one-time passcode.

"It's a physical hardware device that's easy for consumers to understand. ...
It's also a benefit to consumers that they don't have to carry an extra
device on a key chain," Rosch said. "I think in '07 we'll see some
pretty large pilots around this credit card form factor, and larger
distribution in '08."

RSA, which Aite Group says has the largest share in banking authentication, at 40%, has long provided tokens and
other authentication wares, as well as the back-end security systems
that power their use. It has a project under way to put its
authentication mechanisms into the newer kinds of passcode cards. RSA
President Art Coviello says RSA has invested in a company that has the
display technology for such cards.

"The reason this technology is so exciting is that it will fit comfortably in your wallet. It can
be used in credit card transactions," he said. "As the technology
matures and costs come down, it'll be a viable replacement for the
token."

Innovative Card Technologies, a VeriSign partner, makes passcode cards. Several large financial institutions in the U.S. and
elsewhere are testing its ICT DisplayCard. Monday, the first consumer
rollout was announced, at South Korea's Meritz Securities Co.

The card's development started in the 1990s. The arrival of flexible
batteries and other technology advances now enable building a
password-generating card that isn't too big.

John McNulty, chief executive at authentication vendor Secure Computing (SCUR), says that "flat tokens" — as he calls passcode-generating credit cards — have gotten thinner.

"We're at a stage where we believe you could build a device like that in high
volume and have it in consumers' hands," he said. He says Secure is
testing such cards.

"We have some suppliers we're working with and some customers we're working with," McNulty said.

Price, however, is a drawback of passcode cards. "The costs on some of these cards are as much as $20 or $30 just for the
card. (Costs) have to come down pretty dramatically to be able to load
our value-add in terms of the technology onto the card and still make
it cost-effective," Coviello said.

If a bank bought a large quantity of cards — say 5 million — they could potentially cost $20
apiece, McNulty says. That's too high to gain wide acceptance, he says. "The price point to get it to wide acceptance is substantially less," he said. Banks
would generally want a device to be available for $5. That's a price
that low-end key fob tokens can near, in high volumes, he says.

The ICT DisplayCard is "really meant for small business, middle-market
private banking, securities trading and very affluent online banking,"
said John Ward, Innovative
Card Technologies' (NASDAQ:INVC) chief executive. "It could (double
as) an ATM card, debit card, credit card or companion card, but the
advantage of our card is it's in your wallet."

Source: Investor's Business Daily