/ 21 September 2004

AOL moves beyond passwords

Passwords alone won’t be enough to get onto America Online under a new, optional log on service that makes AOL the first major United States online business to offer customers a second layer of security.

The so-called two-factor authentication scheme, being unveiled on Tuesday, will cost $1,95 a month in addition to a one-time $9,95 fee. It is initially targeted at small businesses, victims of identity theft and individuals who pay a lot of bills and conduct other financial transactions through their AOL accounts.

Subscribers get a matchbook-size device from RSA Security displaying a six-digit code that changes every minute. The code is necessary to log on, so a scammer who guesses or steals a password cannot access the account without the device in hand.

Two-factor authentication — whether through the RSA device, biometrics or cards printed with rotating lists of passwords -‒ is common in Scandinavia, Brazil, Singapore and selected countries. In the United States, its use is largely limited to employees accessing office networks remotely, or people with high-value financial portfolios.

AOL spokesperson Andrew Weinstein said the time was ripe to offer it as subscribers move more of their sensitive personal, business and financial information online.

The offering also comes as scammers increasingly find ways to trick subscribers into giving their passwords by sending e-mail disguised as legitimate information requests.

And with so many sites now requiring passwords, many internet users have become careless: They create easy-to-remember passwords that tend to be easy to guess — or they write them down on sticky notes and post them at their computers.

By requiring the second, rotating password, ”you don’t have to remember complicated passwords to still have good security,” said Scott Schnell, a senior vice president at RSA Security.

The second password will be required for checking e-mail and accessing services tied to the AOL account, including calendars, stock portfolios and AOL’s Bill Pay.

It won’t protect services offered by third parties on the open internet, outside AOL’s walled gardens, except in cases where their statements and other sensitive information are sent to the AOL e-mail account. Nor is the second password needed to use AOL Instant Messenger.

Gartner analyst Avivah Litan believes a ”very narrow set of consumers” -perhaps 5% to 15% of AOL’s 30-million subscribers — would sign up, but ”you have to start somewhere”.

She said AOL’s offering likely would prompt other internet service providers and banks to consider such systems more seriously, though the prevailing belief these days is that customers will find them difficult to use.

Just this summer, HSBC Bank USA began requiring a second password to access its bill-payment services.

That password is entered using an on-screen keypad to thwart snoops who secretly install software that records keystrokes as they are typed on a regular keyboard.

Unlike AOL’s service, though, neither password automatically changes, nor is there a charge. ‒ Sapa-AP