First Union Corp. will begin a pilot test next month of a hand-held security device for customers to identify themselves to their banks over the Internet, according to the developers.
AccessKey II, about the size of a pager, is made by Vasco Data Security Inc. and uses software that Vasco developed along with Trinet Services Inc., which helped First Union develop its Web site.
Vasco, based in Lombard, Ill., says it has sold almost 400,000 of the readers to the Dutch banks ABN-Amro Holding and ING.
First Union officials did say how long the test would last and declined to discuss their investment in the project.
The device works like this, the developers said:
When a customer tries to connect with a bank account through the Internet, the bank's computer flashes a bar code on the customer's screen - a new one each time. (First Union would incorporate the bar codes in its Web site.)
The customer holds AccessKey II to the computer screen. The device reads the code and displays six digits on a small readout panel.
Finally, the customer types those digits into the computer.
Proponents said AccessKey II provides transaction security comparable to what hardware tokens and access card "keys" deliver. But Access II is more portable than many other methods of authentication, they said.
"First Union has been seeking solid solutions to identify our customers on the Internet so we can make our vision of Cyberbanking a reality," said Edgar Brown, the bank's senior vice president of remote banking.
"The openness and global nature of the Internet provide a tremendous opportunity for fast and easy transactions, but we have to ensure that banking transactions are secure," he added.
In addition to First Union, Wells Fargo & Co., Signet Banking Corp., Crestar Financial Corp., and NationsBank Corp. have expressed interest in the technology, according to John C. Haggard, president of Vasco Data.
Experts in data encryption and authorization said authenticating devices like AccessKey can offer more security than software-based solutions. But some question whether it is cost-effective for PC banking.
"It is hard to believe individuals will acquire a $100 device of their own accord," said Scott T. Schnell, vice president of marketing at RSA Data Security Inc. of Redwood City.
But banks will have a financial incentive to ensure a fool-proof system without conventional, easily decodable passwords, said Frank S. Taylor, president of Trinet, which is based in Raleigh, N.C.
"If you are a bank or a merchant offering a service, you can't depend upon the customer being smart. People are people, and you can't count on them use passwords carefully."