America Online (AOL; Dulles, Va.) will issue its customers PassCode secure token devices from Bedford, Mass.-based RSA Security that generate a unique six-digit code every 60 seconds. Authentication requires the use of that code, along with a customer's user ID and password. The optional service costs $9.95 for the device plus a monthly fee that starts at $1.95.
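The PassCode scheme described above combines something the customer knows (user ID and password) with a six-digit code that changes every 60 seconds. The following Python is an added illustration, not AOL's or RSA's code: RSA's SecurID algorithm is proprietary, so the code stands in the standard time-based one-time-password construction (RFC 6238 TOTP, HMAC-SHA1) with a 60-second step and six digits. The seed, salt, user record and screen name are constructed for the demo. The server-side check shows two things a practitioner cares about: a small drift window for clocks that are slightly off, and rejection of a code that has already been accepted, so an intercepted code cannot be replayed within its 60-second lifetime.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article: a new code every 60 seconds
DIGITS = 6          # the article: a six-digit code

# Constructed demo values. A real token seed is provisioned by the issuer
# and never handed to the user in the clear.
DEMO_SEED = b"demo-seed-for-illustration-only"
DEMO_SALT = b"constructed-salt"


def totp_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1), standing in for the proprietary SecurID algorithm."""
    counter = unix_time // step                      # which 60-second window we are in
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hash_password(password, salt=DEMO_SALT):
    """Salted, iterated password hash; the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed server-side record: password hash, token seed, and the last
# time step at which a code was accepted (used to refuse replays).
USERS = {
    "screenname": {
        "pw_hash": hash_password("correct horse"),
        "seed": DEMO_SEED,
        "last_counter": -1,
    }
}


def verify_login(user_id, password, code, unix_time, window=1, users=USERS):
    """Authenticate with user ID + password + current token code.

    window=1 accepts the previous and next step as well, to tolerate clock drift.
    A code is accepted at most once: steps at or before last_counter are refused.
    """
    user = users.get(user_id)
    if user is None:
        return False
    if not hmac.compare_digest(user["pw_hash"], hash_password(password)):
        return False
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= user["last_counter"]:
            continue                                   # already consumed: replay
        expected = totp_code(user["seed"], candidate * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            user["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    t = 999_960  # constructed timestamp on a 60-second boundary
    code = totp_code(DEMO_SEED, t)
    print("token shows:", code)
    print("first login:", verify_login("screenname", "correct horse", code, t))
    print("replayed 30s later:", verify_login("screenname", "correct horse", code, t + 30))
```

Both comparisons use `hmac.compare_digest` so that a wrong password or code takes the same time to reject as a nearly right one. The replay check is the part most often omitted in home-grown implementations: without it, anyone who shoulder-surfs a code has up to a minute to use it.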
The move is part of a push by AOL to establish itself as a hassle-free way to connect to the Internet, with a security bundle including anti-spyware, antivirus, automatic firewalls and, now, secure authentication. "AOL's just very interested in becoming the secure e-mail ISP provider of choice," says Avivah Litan, an analyst at Gartner (Stamford, Conn.). "This is the way they're going to get their subscribers back."
Because AOL installs software on users' machines, it has greater control over user settings and access than a pure ISP such as Earthlink or a pure portal such as Yahoo!, Litan observes.
Having their accounts breached negatively impacts the online experience for customers. "They don't want somebody getting on with their ID and sending e-mail or spam in their name, or posting things to newsgroups in their name," says John Worrall, VP of worldwide marketing, RSA Security. Furthermore, greater security can also make customers more comfortable with online banking. "Getting more people to bank online is a major initiative for [AOL]."
AOL has a partnership with Yodlee (Redwood Shores, Calif.) for its bill payment capabilities, which can be accessed with or without the PassCode device. The default level of security uses an "account security question" for accessing secure content such as financial information. Yodlee's technology allows for same-day credit from many major billers and offers multiple payment options, including credit and ACH. Most Internet banking services do not match these capabilities, according to Hill Ferguson, general manager, EBPP group, Yodlee.
The Early Bird Gets the Worm
While banks can enhance their Internet bill payment sites, there's an undeniable first-mover advantage to issuing token devices. If every site were to demand that a user carry a token-generating device, the situation might quickly lead to "token necklace syndrome," RSA's Worrall notes.
The answer may be a "federated identity," by which numerous entities issue credentials that will be accepted by other issuers, similar to the way in which out-of-state driver's licenses are honored across the country. "One entity is chosen by the user to be his identity provider, and that user can choose to link that primary account or use that primary identity with accounts they may have at other destination sites," Worrall explains.
The technical side is not the difficult part. A technical committee of the e-business standards group OASIS (Organization for the Advancement of Structured Information Standards) has already developed Security Assurance Markup Language (SAML), which AOL utilizes to hand off its customers to Yodlee. The much harder part would be getting banks to accept AOL's say-so that Mr. X is Mr. X, especially given the company's recent black eye in information security: AOL was the victim of an insider theft, in which the e-mail addresses of more than 30 million customers were sold to spammers.
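The federated model in the two paragraphs above has an identity provider assert "this is Mr. X" and a destination site decide whether to accept that assertion. The Python below is an added illustration, not AOL's, Yodlee's or OASIS's code, and it is not SAML: SAML carries XML assertions signed with the provider's key, whereas this stand-in signs a small JSON body with an HMAC over a per-issuer shared secret. The issuer names, secrets, audience and subject are constructed. What it shows is the relying party's side of the trust question the article raises: the assertion is rejected unless the issuer is on the relying party's own trust list, the signature verifies under that issuer's key, the assertion was addressed to this relying party, and it is within its validity period.

```python
import hashlib
import hmac
import json

# Constructed trust list of a relying party (a bank's bill-pay site): which
# identity providers it accepts, and the shared secret for each. Adding an
# issuer here is the policy decision the article says banks may refuse to make.
TRUSTED_ISSUERS = {
    "idp.example-isp": b"constructed-secret-1",
    "idp.example-bank": b"constructed-secret-2",
}
RELYING_PARTY = "billpay.example-bank"   # constructed audience name


def issue_assertion(issuer, secret, subject, audience, issued_at, ttl=300):
    """Identity provider side: sign a short-lived statement about a subject."""
    body = {"iss": issuer, "sub": subject, "aud": audience,
            "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


def accept_assertion(assertion, now, trusted=TRUSTED_ISSUERS, audience=RELYING_PARTY):
    """Relying party side: return the asserted subject, or None if not accepted."""
    try:
        payload = assertion["payload"]
        body = json.loads(payload)
    except (KeyError, TypeError, ValueError):
        return None
    secret = trusted.get(body.get("iss"))
    if secret is None:
        return None                                  # issuer not trusted here
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return None                                  # forged or tampered
    if body.get("aud") != audience:
        return None                                  # meant for another site
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        return None                                  # expired or not yet valid
    return body.get("sub")


if __name__ == "__main__":
    now = 1_100_000_000  # constructed timestamp
    a = issue_assertion("idp.example-bank", TRUSTED_ISSUERS["idp.example-bank"],
                        "mr-x", RELYING_PARTY, now)
    print("trusted issuer:", accept_assertion(a, now + 10))
    u = issue_assertion("idp.untrusted", b"other-secret", "mr-x", RELYING_PARTY, now)
    print("untrusted issuer:", accept_assertion(u, now + 10))
```

The audience check matters as much as the signature: an assertion a customer obtained for one destination site must not be replayable at another, which is the interoperability concern behind the "token necklace" discussion.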
"I don't see banks accepting AOL PassCodes," says Gartner's Litan. "They may interoperate so that AOL may accept the bank's [token], but you can't expect Bank of America to say, 'You're an OK customer because AOL says you are.'"