Online Banks Are Taking to Authentication Tokens

Though traditional banks are still taking a wait-and-see approach to offering their customers two-factor authentication tokens, the online security technology is gaining momentum among Internet banks.

The $31 billion-asset E-Trade Financial Corp. began distributing the tokens about five weeks ago, and the $365 million-asset Stonebridge Financial Corp. of West Chester, Pa., and the $500 million-asset American Bank Inc. of Allentown, Pa., said last week that they were following suit.

All three are using passcode-generating tokens from RSA Security Inc. of Bedford, Mass., for customers who want better online banking security.

The first of a recent spate of highly publicized cases of data-security breaches involved ChoicePoint Inc., which disclosed in February that it had sold personal information on 145,000 people to identity thieves posing as customers of the Atlanta data broker.

The Federal Deposit Insurance Corp. recommended in December that banks take steps to tighten their online security, and legislators have proposed a number of measures to guard sensitive personal information.

Fred Schea, Stonebridge's executive vice president, said, "We certainly have had more and more inquiries from customers regarding our security systems and their concerns over conducting business over the Internet."

American Bank's chief executive, Mark Jaindl, said, "The importance for us - and for any bank out there - has got to be protection of our customers' information."

American offered the tokens to customers when it mailed them an Internet banking survey two months ago. Customers who said they would use a token for log-in will receive one by the end of June, said Mr. Jaindl, who is also the bank's chairman and president.

The keychain-fob tokens use a mathematical algorithm to generate a six-digit number that changes every 60 seconds, which customers must use to log in to the bank's Web site. (The same algorithm runs on the bank's computers to validate the number.)

The theory is that if someone's log-in information were stolen, the passcode would have expired and would be useless. Critics say it is expensive for banks to provide these tokens to large numbers of customers and that people may find it inconvenient to carry them around (RSA's tokens are a couple of inches long and shaped like a thumb).
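How a time-based passcode can be generated on the token and checked by the bank, as an added example that is not from the article or from RSA: the article does not describe RSA's algorithm, so this sketch substitutes the open HMAC-based scheme of RFC 4226/6238, set to the article's 60-second interval and six digits. The seed, the sample time and the `drift_steps` parameter are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # per the article: the number changes every 60 seconds
DIGITS = 6          # per the article: a six-digit number


def passcode(seed: bytes, unix_time: int) -> str:
    """Derive the passcode for the 60-second interval containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def validate(seed: bytes, submitted: str, server_time: int,
             drift_steps: int = 0) -> bool:
    """Server side: recompute the code from the shared seed and compare.

    drift_steps (an assumption, not from the article) also accepts codes
    from that many adjacent intervals to tolerate token clock drift.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return False
    for step in range(-drift_steps, drift_steps + 1):
        expected = passcode(seed, server_time + step * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False


# Constructed sample values: the public RFC 4226 test seed and an arbitrary time.
SEED = b"12345678901234567890"
T0 = 1_118_000_040   # a multiple of 60, so it starts a fresh interval

if __name__ == "__main__":
    code = passcode(SEED, T0)
    print("token shows:       ", code)
    print("same interval:     ", validate(SEED, code, T0 + 59))
    print("two minutes later: ", validate(SEED, code, T0 + 120))
```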

American ordered 1,000 tokens, which Mr. Jaindl said would be enough for its first batch of sign-ups. He said he expects to order another 1,000 next month. American has 20,000 customers, half of whom bank online at least once a week.

Stonebridge's 4,500 consumer customers have had the option of using RSA's tokens since May 30. It also has 500 business customers, for which the tokens are mandatory. Mr. Schea said that there was already "pretty good acceptance" of the devices among customers, but sign-ups were still "relatively small - it's not in the hundreds at this point."

E-Trade, which is based in New York, began distributing RSA's tokens free in mid-April to customers who met certain requirements and requested the tokens.

American does not plan to charge for the tokens. Stonebridge plans to offer them free for the first year but to charge customers $25 a year after that.

American said it pays $20 to RSA for each token, and must also pay to maintain the systems that verify the passcode that each token generates. Stonebridge said the total annual expense for the token and maintenance is $25 per customer.

American said it does not expect to make the tokens mandatory, but Stonebridge said it may.

Both American and Stonebridge considered using other security methods, such as biometrics, to supplement passwords.

Mr. Schea said that Stonebridge decided against biometrics because "today a lot of people tend to think about biometrics as being intrusive on their personal space." Stonebridge chose RSA because "a number of people respect and are using RSA tokens in the corporate environment, so we wanted our customers to use it," he added.

Mr. Jaindl said American decided against biometrics because it is less convenient. Because few personal computers have fingerprint readers, the customer would have had to install such a device on any computer used for online banking.

American has used RSA's tokens for five years for its employees, Mr. Jaindl said.

Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said using tokens "is a great step, but you can't rely on it completely."

She pointed to phishing, a common e-mail scam that tries to trick customers into revealing their passwords. Phishers typically steal information by setting up an impostor bank Web site.

The use of the token would prevent the phishers from being able to log in to the real bank site remotely while posing as the customer, because the passcode would quickly expire. But a spoofed Web site could ask customers for other details, such as credit card numbers, Ms. Litan said.

"These tokens do a really good job of identifying the user," she said, "but it doesn't do a good job of identifying the Web site."

Bank of America Corp. said last month that it will introduce a system this year to identify itself by presenting an online sign-on image that a customer has previously selected. Only after recognizing the image would the customer type in a password.

Ms. Litan said customers may resist paying for their banks' security, and "'extra device' is their least favorite option" for improved authentication. But the tokens are more secure than other methods - including those such as B of A's - that do not require an extra device, she said.

John Worrall, RSA's vice president of worldwide marketing, said that though "there is no perfect security unless you disconnect your computer from the network," tokens "have proven to be a very effective form of combating phishing."

The token provides value, so "the consumer's willing to pay for it," Mr. Worrall said. "Customers can see their additional security. In the case of the token that we're offering, it's very tangible - you can hold it in your hand."
