A Real Shot at Consumers Two-Factor Authentication

By Larry Seltzer  |  Posted 2007-05-03

Opinion: I'm both dazzled by the brilliance of putting an OTP device in a credit card and leery of the problems it could cause. Will it work? Will consumers accept it?

It seems that everyone involved in online commerce and other online businesses that require authenticating the consumer is making money in spite of fraud, phishing and the like, but it would certainly be better if they could do it with less fraud. This is why I was excited by the announcement by VeriSign and Innovative Card Technologies of credit cards with OTP directly embedded into them. It really could be a transformative technology. Or maybe it isn't.

2-factor authentication with one-time password fobs has been SOP in corporate and other sensitive networks for many years. For just as many years there has been talk about how banks, brokerages and other fraud-sensitive services would soon begin to employ them in order to strengthen authentication. But it hasn't happened, at least not in a big way.

Companies are afraid of several things, but mainly of support costs and disgruntled users. It's not like in corporate America where you can call people in for a training session. And that's not the only problem. With conventional 2-factor devices such as keys or cards, expect calls from consumers that they left it in a bar or ran it in the washing machine. Then you have to ship them out a new one (do you charge them?) and make a change in your key store.

With no extra OTP device to keep track of, expect fewer of the lost-device problems, but there are new ones: the cards have to be pretty rugged, much more so than one would expect from one of those RSA cards. My credit cards are in my wallet in my back pocket, under my big you-know-what. They have a lot of pressure on them and they get bent. That's a lot to expect of electronics, a display, a battery.

There's another problem with them: The VeriSign press release speaks about online transactions only, although I can't see why they couldn't be used, in at least some cases, in retail where there is a PIN pad. But many online merchants make commerce more convenient by remembering your credit card information so that you don't have to retype it in or even have your card around. But if you are asked for the OTP on your card, you will need to have the card around.

If I need to walk upstairs to find my wallet in order to consummate that impulse purchase, I may say the heck with it and not bother. This has to be a major concern for retailers.

The flip side for retailers is that requiring security features like this typically lowers their fees (called the Discount Rate) to the credit card cartels. Thus they have an incentive to try to get consumers to adopt it, perhaps with their own discounts.

Helping to minimize fraud is good for everyone involved, except the criminals, of course. I'm rooting for this technology, but I have to be skeptical.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
