VeriSign to use one-time passwords for bank cards

VeriSign Inc. is looking to offer bank cards with an integrated one-time password generator, a slimmer way than key chains to implement two-factor authentication.

The technology would be an improvement over other authentication devices, such as key chains or fobs, which generate one-time passwords but are an extra item that users must carry.

VeriSign is partnering with the Los Angeles company Innovative Card Technologies (ICT), which makes banking cards containing a battery-powered, flexible display that generates one-time passcodes when a button is pressed on the card.

The passcode, which expires shortly after being generated, can be used along with a banking customer's static personal identification number for online banking transactions, adding another layer of security.

The card will last for about two years or 10,000 uses, ICT said. The display in the top right-hand corner of the card can show a code with four, six or eight digits in either green or white. The code can be generated using either the Initiative for Open Authentication (OATH) system or a proprietary algorithm, it said.

Users benefit since they don't have to carry a separate token to generate the password. The cards are also cheaper to mail to customers than key chains, ICT said. VeriSign will provide the back-end technology for using the cards through its Identity Protection product line, a suite of identity and authentication applications.

Widespread fraud has prompted banks and government regulators to look at ways to strengthen online banking security in light of phishing scams, where criminal set up fake banking sites or send e-mails that attempt to trick people into divulging their usernames and passwords.

However, security researchers have shown it's possible to defeat one-time passwords using a man-in-the-middle attack, luring a consumer to a fraudulent Web site where the authentication information is captured and then immediately used by the hacker to log-in to the real site.