Print

Mail

wiki links

AOL offers new gadget to improve online security

America Online Inc became the first major US online business to offer two-layer authentication to regular customers yesterday. Subscribers get a device displaying a code that changes every minute, so even with a password scammers can't access accounts. PHOTO: AP

Passwords alone won't be enough to get onto America Online (AOL) under a new optional log-on service that makes AOL the first major US online business to offer customers a second layer of security.

The so-called two-factor authentication scheme unveiled yesterday will cost US$1.95 a month in addition to a one-time US$9.95 fee. It is initially targeted at small businesses, victims of identity theft and individuals who pay a lot of bills and conduct other financial transactions through their AOL accounts.

Subscribers get a matchbook-size device from RSA Security Inc displaying a six-digit code that changes every minute. The code is necessary to log on, so a scammer who guesses or steals a password cannot access the account without the device in hand.

Two-factor authentication -- whether through the RSA device, biometrics or cards printed with rotating lists of passwords -- is common in Scandinavia, Brazil, Singapore and selected countries. In the US, its use is largely limited to employees accessing office networks remotely, or people with high-value financial portfolios.

AOL spokesman Andrew Weinstein said the time was ripe to offer it as subscribers move more of their sensitive personal, business and financial information online.

The offering also comes as scammers increasingly find ways to trick subscribers into giving their passwords by sending e-mail disguised as legitimate information requests.

And with so many sites now requiring passwords, many Internet users have become careless: They create easy-to-remember passwords that tend to be easy to guess -- or they write them down on sticky notes and post them at their computers.

By requiring a second, rotating password, "you don't have to remember complicated passwords to still have good security," said Scott Schnell, a senior vice president at RSA Security.

The second password will be required for checking e-mail and accessing services tied to the AOL account, including calendars, stock portfolios and AOL's Bill Pay.

It won't protect services offered by third parties on the open Internet outside AOL's firewalls, except in cases where their statements and other sensitive information are sent to the AOL e-mail account. Nor is the second password needed to use AOL Instant Messenger.

Gartner analyst Avivah Litan believes a "very narrow set of consumers" -- perhaps 5 percent to 15 percent of AOL's 30 million subscribers -- would sign up, but "you have to start somewhere."

She said AOL's offering likely would prompt other Internet service providers and banks to consider such systems more seriously, though the prevailing belief these days is that customers will find them difficult to use.

Just this summer, HSBC Bank USA began requiring a second password to access its bill-payment services.

That password is entered using an onscreen keypad to thwart snoops who secretly install software that records keystrokes as they are typed on a regular keyboard.

Unlike AOL's service, though, neither password automatically changes, nor is there a charge.
This story has been viewed 2190 times.