America Online To Launch Secure Password Service

R. A. Hettinga rah at shipwright.com
Tue Sep 21 10:17:39 EDT 2004


<http://online.wsj.com/article_print/0,,BT_CO_20040921_000016,00.html>

The Wall Street Journal


 September 21, 2004

 UPDATE: America Online To Launch Secure Password Service


DOW JONES NEWSWIRES


(Adds VeriSign announcement and comments from expert in paragraphs four
through nine, and additional comment in paragraphs 14-15.)
   By Riva Richmond
   Of DOW JONES NEWSWIRES

NEW YORK -- Password-generating devices long used by employees to securely
access corporate networks are finally coming to consumers.

Citing increased concerns among customers about rising identity theft
online, Time Warner Inc. (TWX) unit America Online said it will launch on
Tuesday a new, paid service that will allow members to log into their AOL
accounts using devices, or "tokens," made by RSA Security Inc. (RSAS).

The gadgets, which can be put on a keychain, display six-digit passcodes
that change every 60 seconds and are synchronized with AOL's servers,
making it nearly impossible for fraudsters to access accounts with stolen
passwords.

Also on Tuesday, VeriSign Inc. (VRSN) plans to launch two token products
that would compete with RSA. But the company, acknowledging that its rival
has largely wrapped up the corporate market for remote employees' use,
plans to market its devices to companies, particularly banks, as something
business partners and customers could use to access corporate networks more
safely.

For instance, VeriSign is in negotiations with two financial-services firms
that are interested in providing tokens to partner firms and high net worth
clients. It has also worked with i-SAFE, a non-profit group that promotes
safe Internet use for children, in a pilot program to provide students
tokens that allow them to enter age-restricted chat rooms and access
college Web sites where they can securely take tests. They hope to get
government funding to take the project nationwide.

Both of VeriSign's tokens plug into computers' USB ports and use smartcard
technology, which can store multiple digital credentials. One of the tokens
also has a screen that displays a changing six-digit passcode.

The new interest in bringing so-called "strong authentication" to consumers
reflects the significantly more hostile Internet they now face. Consumers
have found themselves under assault from a wave of viruses, phishing
attacks and spyware programs designed to steal their personal financial
information for use in identity-theft fraud.

"We've seen the threats now changing to target individuals because they're
not as sophisticated" as corporations, says Howard Schmidt, former White
House cybersecurity czar.

"The way to solve these (problems) in a fairly easy manner is by strong
authentication," he said. "Hacking can be reduced because people can't log
in as other people. Fraud goes down because you have the ability to do
instant validation.... If people can't harvest user IDs and passwords,
phishing becomes irrelevant."

AOL, Dulles, Va., said its main goal is to better protect its members, who
use their accounts to make financial transactions and take care of other
sensitive business, from such blights. AOL has been providing the devices
to customers who called its agents expressing fears about the security of
their accounts, making these members part of the company's testing effort.

"The impetus here really has to do with the deluge of spammers, scammers,
con artists, phishers, hackers and other malcontents that are trying to
dupe consumers into giving up their passwords or the security of their
accounts," said AOL spokesman Nicholas J. Graham. "It's another virtual
deadbolt on the front door of their online experience."

AOL already provides its members with free anti-spyware technology,
parental controls, pop-up blocking and spam filtering. It also scans
incoming and outgoing e-mail for viruses for free, while offering a
"premium" full-blown antivirus service. Both services are provided by
McAfee Inc. (MFE).

For now, however, AOL's service won't allow "single sign-on" into other Web
sites, such as banks and e-commerce sites, where members do business.
Members who sign up for AOL's service, dubbed AOL PassCode, will be
prompted when logging into AOL to enter the number shown on the token along
with their screen name and normal password. AOL will charge subscribers
$9.95 for each device and a monthly service fee of $1.95 to $4.95,
depending on how many devices are associated with account screen names.

But Schmidt thinks AOL's move will add momentum behind a move to this sort
of "federated identity," where one digital credential is recognized by
multiple companies' Web sites, particularly since Microsoft Corp. (MSFT) is
building support for RSA tokens into the next version of its Windows
operating system.

"That's the vision, and I think that's realistic sooner than later," he said.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


