AOL, RSA, VeriSign push authentication services

Companies are moving to 'two-factor authentication' to combat increase in online crimes

Customers who lose their token can "unbind" their account from the token by answering a number of questions through AOL's Web site that will identify them, then request a replacement token from the company, he said.

AOL has already conducted a small test release of the technology in the last week, but will begin marketing the service in earnest on Tuesday with its announcement, along with banner ads for its customers and information in AOL's Safety and Security Center. The company will not estimate how many PassCode tokens it hopes to sell, but said that internal polls and a test run of the service in late 2003 indicated that the interest in purchasing the tokens was "phenomenal," he said.

PassCode is just the latest in a series of premium services introduced by AOL in the last 18 months. Other services include AOL Virus protection, which uses McAfee Inc.'s antivirus software to protect customers from e-mail borne threats. The company is planning more security services in coming months, and is also looking at ways to extend the PassCode service to secure other e-commerce services available to its customers, he said.

The company also announced a partnership with Microsoft Corp. in February to offer SecurID for Windows, a handheld token that allows users to log on to Windows 2000 and XP machines using a one time password, without requiring a connection to an RSA server to authenticate the user.

Multifactor authentication is also the focus of VeriSign's Unified Authentication program. The new service is an extension of the company's Intelligence and ControlSM Services, which offer businesses network security information and tools.

Companies can use VeriSign's infrastructure to validate strong authentication information for users, while relying on existing user directory services, such as Microsoft Corp. Active Directory and Radius servers, or single-sign on technology, such as IBM Corp.'s Tivoli Identity Management software, VeriSign said.

User login and permissions information will reside in the customer's user directory, but will be linked to a unique serial number for a secure token or other authentication device stored on a VeriSign server. Login requests by users will be passed to the VeriSign server where a stored algorithm will validate that the serial number of the secure token or the one-time password is valid for the user requesting access, said Mark Griffiths, vice president of security services at VeriSign.

Unified Authentication customers will have the option of deploying the authentication verification service internally or using it as a managed service hosted by VeriSign, the company said.

"Technology companies, us included, have tended to offer point solutions. But now companies are saying 'I want to issue employees or business partners a different kind of credential ... and I want something integrated,'" Griffiths said.

VeriSign will initially deploy the services with either a USB smart card that contains a digital certificate, or with a clientless one-time password token that generates a unique password for use at Internet kiosks, home computers or PDAs (personal digital assistants), he said.

The company plans to add support for other credentials including cellular telephones with build in certificates and low-cost "soft certificates" like scratch cards containing one-time passwords, Griffiths said.