This is why I was excited by the announcement by VeriSign and Innovative Card Technologies of credit cards with OTP directly embedded into them. It really could be a transformative technology. Or maybe it isn't.
2-factor authentication with one-time password fobs has been SOP in corporate and other sensitive networks for many years. For just as many years there has been talk about how banks, brokerages and other fraud-sensitive services would soon begin to employ them in order to strengthen authentication. But it hasn't happened, at least not in a big way.
Companies are afraid of several things, but mainly of support costs and disgruntled users. It's not like in corporate America where you can call people in for a training session. And that's not the only problem. With conventional 2-factor devices such as keys or cards, expect calls from consumers that they left it in a bar or ran it in the washing machine. Then you have to ship them out a new one (do you charge them?) and make a change in your key store.
With no extra OTP device to keep track of, expect fewer of the lost-device problems, but there are new ones: the cards have to be pretty rugged, much more so than one would expect from one of those RSA cards. My credit cards are in my wallet in my back pocket, under my big you-know-what. They have a lot of pressure on them and they get bent. That's a lot to expect of electronics, a display, a battery.
There's another problem with them: The VeriSign press release speaks about online transactions only, although I can't see why they couldn't be used, in at least some cases, in retail where there is a PIN pad. But many online merchants make commerce more convenient by remembering your credit card information so that you don't have to retype it or even have your card around. But if you are asked for the OTP on your card, you will need to have the card around.
If I need to walk upstairs to find my wallet in order to consummate that impulse purchase, I may say the heck with it and not bother. This has to be a major concern for retailers.
The flip side for retailers is that requiring security features like this typically lowers their fees (called the Discount Rate) to the credit card cartels. Thus they have an incentive to try to get consumers to adopt it, perhaps with their own discounts.
Helping to minimize fraud is good for everyone involved, except the criminals, of course. I'm rooting for this technology, but I have to be skeptical.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.