AOL, RSA, VeriSign push authentication services

Responding to a scourge of online fraud and identity theft that threatens to undermine public confidence in Internet commerce, major companies are rolling out new services to encourage the adoption of better technology to identify customers, business partners, and employees online.

RSA Security Inc. and America Online Inc. (AOL) plan to announce a new program on Tuesday called "AOL PassCode" that will encourage AOL customers to use secure tokens to protect account information. On the same day, VeriSign Inc. plans to announce a new service called Unified Authentication that it said will reduce the cost of so-called "strong authentication," such as one-time passwords or hardware smart cards.

The announcements are the latest signs of increasing interest from companies and online merchants in the use of "two-factor authentication," which combines an account password with another "factor" such as a smart card, USB (Universal Serial Bus) token, or a one-time password, to combat a steep increase in online crimes that trick users into divulging sensitive financial information, the companies said.

The PassCode program will offer AOL-branded SecurID tokens from RSA to AOL customers for added account protection, said John Worrall, vice president of worldwide marketing at RSA of Bedford, Massachusetts.

The program is the first major rollout of multifactor authentication to consumers, according to Ned Brody, senior vice president of premium services at AOL.

Likening the RSA SecurID token to a "dead bolt lock" on a door, Brody said the service will let security-conscious consumers feel more confident that their AOL account information is secure, especially in light of the increase in phishing scams. This type of fraud uses spam and Web sites designed to look like legitimate e-commerce sites to part consumers from sensitive information such as user names, passwords and credit card information.

While AOL does not store customer financial information in its accounts, customers increasingly use free storage linked to their AOL accounts to store confidential data such as photos and personal files, including financial files, in addition to e-mail. Company data shows that AOL customers know that static passwords should be updated frequently, but few do so. The PassCode token will also enforce strong passwords by requiring a unique value to be entered each time users log on to the service, Brody said.

AOL customers can sign up through the company's Web page for the premium service and will pay a US$9.95 one-time fee to receive a keychain token by mail. The company will charge $1.95 per month to secure one screen name through PassCode, and $4.95 a month for up to seven screen names, AOL said.

Once the token is received, AOL customers can activate it through their AOL account. After that, customers will log in using their AOL user name and password, after which they will be presented with an additional screen asking them to enter the unique, six-digit value displayed on their PassCode token. Behind the scenes, AOL maintains a database that links the SecurID token to the AOL user account and tracks the passwords generated by the device, which change every 60 seconds, Brody said.

The new system will protect users from having their AOL account information stolen in a phishing attack because having an AOL customer's user name and password will no longer be adequate to access an account, he said.