Few financial companies are offering their customers password-generating tokens, but two computer memory companies are offering consumers devices with authentication capabilities.
SanDisk Corp., a Milpitas, Calif., memory chip company, has incorporated password-generating software from VeriSign Inc. and EMC Corp.'s RSA Security Inc. into its portable devices. And Guard ID Systems Inc. of San Mateo, Calif., is working with the credit bureau Equifax Inc. to distribute password-storage devices and expects to have 75,000 of them in consumers' hands by yearend.
Neither SanDisk nor Guard ID is working with banking companies to promote their products.
"There's really two categories of customers that buy products from us," said Chris Atwood, Equifax's vice president for product management - money managers, who want to evaluate their borrowing and spending power; and "protectors," people who are concerned about identify theft and look for evidence of errors in their transactions. "It's really that protector category we're focusing this on."
Equifax has put its brand on the packaging of Guard ID's ID Vault USB token, he said. The device stores passwords, so users do not have to type them. Storing the passwords protects people from keylogger viruses, which can keep track of anything that is typed.
Mr. Atwood said he is hoping that people who buy the devices in stores will see the Equifax sticker on the package and then buy Equifax's credit monitoring services. The bureau also is selling the device to people by phone.
Unlike Guard ID's device, SanDisk's products does not have software for storing passwords, but they are compatible with the one-time password-generating systems a handful of financial companies already use to provide strong authentication.
Password devices, which generate a code that changes every minute or so, are expensive, and few banking companies have offered them to consumers. Most are using various types of software to improve online security.
Even E-Trade Financial Corp. of New York, one of the first companies to offer RSA's tokens to customers, covered the cost only for certain clients.
SanDisk said that consumers will purchase its storage devices whether or not they are looking for security applications, and that the devices also can run a password-generating application. This would enable banks to use the SanDisk device as a password token, but without the cost or hassle of distributing them, the company said.
Ron LaPedis, the product marketing manger for enterprise and security at SanDisk, said each device can hold up to 10 one-time password programs. A version of the product that will run on mobile phones and can hold even more is in the works, he said.
Aside from the cost, one of the common critiques of using tokens is that if the idea were to catch on, users might have to carry several tokens to access various Web sites.
SanDisk plans to incorporate the security technology into all its USB memory devices, though Mr. LaPedis said that, to keep costs down, the company might not include the technology on the ones that are given away as promotions.
The security software, a complement to the VeriSign and RSA systems, is available free to banks, and SanDisk is offering a developer's kit to make its tokens work with banks' Web sites.
Equifax's marketing partnership with Guard ID is not its first, Mr. Atwood said. In 2004 it worked with Fellowes Inc., of Itasca, Ill., to put its brand on the packaging of paper shredders that Fellowes sold directly to consumers. That partnership ended when Fellowes stopped selling its shredders directly to consumers, he said.
Mr. Atwood said that Equifax is planning similar marketing deals next year, though he would not elaborate.
ID Vault, a product that Guard ID lists online for $49.95, resembles a flash memory drive but cannot be used to store files. Its sole purpose is to protect the passwords entrusted to it.
Mr. LaPedis said SanDisk's devices generally cost $15 per gigabyte of storage.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said products such as these are "all about putting the consumer more in charge," and "frankly, I think that's the way the market's going to go."
Consumers are increasingly aware of their responsibility to protect their own data, she said. "Consumers do want to be in charge of their security, and they wouldn't mind putting it on their flash drive [if] they already paid for it." However, "I don't think banks would ever mandate it," because consumers might not pay for a device if the bank tried to sell them one.
Bankers' decision about what method to support will be driven by consumer demand, Ms. Litan said. Today, Guard ID is in the lead, because consumers can use them without the help of their banks, she said; SanDisk has an opportunity to catch up, and though it needs to work with banks to make the security aspect work, it can sell the USB drives as straight storage devices until then.
"As soon as one of these companies can tell a bank that half-a-million customers have them, in a region where you have a lot of branches, I think a bank will start supporting it," she said. "It really doesn't cost them anything to support it."
