A Real Shot at Consumer Two-Factor Authentication

Opinion: I'm both dazzled by the brilliance of putting an OTP device in a credit card and leery of the problems it could cause. Will it work? Will consumers accept it?

It seems that everyone involved in online commerce and other online businesses that require authenticating the consumer is making money in spite of fraud, phishing and the like, but it would certainly be better if they could do it with less fraud.

This is why I was excited by the announcement by VeriSign and Innovative Card Technologies of credit cards with OTP directly embedded into them. It really could be a transformative technology. Or maybe it isn't.

2-factor authentication with one-time password fobs has been SOP in corporate and other sensitive networks for many years. For just as many years there has been talk about how banks, brokerages and other fraud-sensitive services would soon begin to employ them in order to strengthen authentication. But it hasn't happened, at least not in a big way.

Companies are afraid of several things, but mainly of support costs and disgruntled users. It's not like in corporate America where you can call people in for a training session. And that's not the only problem. With conventional 2-factor devices such as keys or cards, expect calls from consumers that they left it in a bar or ran it in the washing machine. Then you have to ship them out a new one (do you charge them?) and make a change in your key store.

With no extra OTP device to keep track of, expect fewer of the lost-device problems, but there are new ones: the cards have to be pretty rugged, much more so than one would expect from one of those RSA cards. My credit cards are in my wallet in my back pocket, under my big you-know-what. They have a lot of pressure on them and they get bent. That's a lot to expect of electronics, a display, a battery.

There's another problem with them: The VeriSign press release speaks about online transactions only, although I can't see why they couldn't be used, in at least some cases, in retail where there is a PIN pad. But many online merchants make commerce more convenient by remembering your credit card information so that you don't have to retype it or even have your card around. But if you are asked for the OTP on your card, you will need to have the card around.

If I need to walk upstairs to find my wallet in order to consummate that impulse purchase, I may say the heck with it and not bother. This has to be a major concern for retailers.

The flip side for retailers is that requiring security features like this typically lowers their fees (called the Discount Rate) to the credit card cartels. Thus they have an incentive to try to get consumers to adopt it, perhaps with their own discounts.

Helping to minimize fraud is good for everyone involved, except the criminals, of course. I'm rooting for this technology, but I have to be skeptical.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
