RSA Security (Bedford, Mass.) plans to issue a security token that can be purchased directly by consumers for use at multiple financial institutions. The device answers the common complaint about one-time-password tokens -- that consumers would be required to carry several tokens in order to transact with multiple businesses. The RSA-branded and managed service currently is being tested by customers of banks and brokerages with online channels. RSA intends to launch the offering in early 2006.
The service will provide an alternative to on-premise solutions, for which the financial institution itself manages issuance and authentication of the token devices. By letting a third party manage this function, the financial institution has the potential to minimize its cost of deployment for the security measure. "It's a subscription-based model," explains Chris Young, VP of consumer authentication, RSA Security (Bedford, Mass.). "[Firms] pay on a per-user, per-year basis."
However, the model would require banks to relinquish some control over the data residing on the devices, in that a shared token also could help customers log onto competing financial institutions' sites. Still, if a shared infrastructure drives increased consumer adoption, the higher level of security could be a net benefit for the entire industry.
Over time, other authentication networks likely will arise, Young acknowledges. "There will be competing network services," he says. "As the user bases build up on these, we will need to have interoperability among networks," Young adds. "Those conversations have already begun to figure out how they're going to work," he says. "It's highly analogous to the ATM networks of the past."
The more immediate challenge is to get U.S. banks and consumers to adopt the technology. So far, a common response to the October FFIEC guidance on Internet authentication has been that back-office security measures such as transaction monitoring, which avoid deploying special hardware to retail customers, are good enough in most cases. (For more on authentication efforts, see article, page 18.)
But tokens are emerging as at least part of the solution. For example, banks might make tokens mandatory for ACH transfers, but optional for electronic payments to standard recipients through online bill pay. "The ultimate model that will emerge is going to be one that is a layered authentication approach," suggests Young. "You will have risk-based authentication and forms of passive authentication, but, for certain segments of users and certain types of transactions that may be high-risk or high-value, there will be a need for strong credentials like one-time-password tokens."

--Ivan Schneider