ID Keeper, a new service from American Express, has introduced software that turns its smart card into a special-purpose storage device. Now, Amex Blue cardholders can store their user IDs, passwords, and the addresses of their favorite Web sites in the chip's memory.
Similar programs from other card issuers are likely to follow. "This has been one of the applications that all of the proposed models for multiapplication cards were going to include," said Randy Vanderhoof, executive director of the Smart Card Alliance, Princeton Junction, N.J. "I would expect that other bank card issuers that are putting out smart cards will follow in the track of adding this type of secure access."
As evidenced by the debate over account aggregation, banks have displayed keen interest in how their customers manage online account information. Even when a customer's own negligence results in a lost or stolen password, it's the account provider that has to bear some of the direct support costs for the resulting fraud or password reset, not to mention the indirect damage to brand equity from customer dissatisfaction.
Web users have demonstrated a marked interest in technology to manage their tangled collections of passwords. For example, Gator Corp., a Redwood City, Calif., software firm, claims 30 million active users for its eWallet service, which provides password storage and automatic form-filling features. Its comparative shopping feature, which serves targeted pop-up advertising that competes with the sites a user visits, has drawn the ire of publishing companies, online merchants and privacy advocates alike.
Although some consumers enjoy Gator's ability to provide competing offers as they surf, the service lacks the security of smart cards. "Gator's technology is host-based, where you're passing all of your personal information to them, they store it on a database, and you access that information by giving them a user name and a password," said Vanderhoof. "With a smart card, the information goes wherever you go."
Essentially, smart cards limit the potential points of compromise. The user's personal information resides in only two user-controlled locations: on the PIN-protected card and on a password-protected, encrypted backup file. "The difference between this and the electronic wallet is the ability to take your most confidential information and put it on the card - and take it out of the cyberspace environment," said David Bonalle, vice president and general manager of advanced payments enterprise development, American Express, New York.
With ID Keeper, passwords no longer need to be stored in cookies. The service includes a downloadable browser plug-in that pulls information directly from the chip in order to log onto password-protected Web sites, and also assists the user in filling out forms at e-commerce shopping sites.
The service relieves cardholders of having to tell everybody on the Web the name of their maternal grandfather, high school, or childhood pet as a secondary password. Similarly, it should make it more practical for users to choose difficult-to-guess passwords combining a long string of numbers and letters.
As part of the ID Keeper rollout, American Express provides free smart card readers to its cardholders and also sells discounted Compaq keyboards with built-in readers. "Any manufacturer that wanted to make our software available on their reader, we would give them everything they needed to be able to do that," said Bonalle.
Amex cardholders can install the ID Keeper functionality onto the smart cards they already own. "This application is downloaded over the Internet in a very secure way, which is very different from how other applications on smart cards have been introduced in the past," said Bonalle. "It had to be on the card at issuance, or otherwise you were out of luck."