Online Security: User-Driven Tokens On The Upswing

Banks have spent the last two years steering their users to behind-the-scenes, no-fuss security tools for enhanced online authentication. This year, millions of customers may be asking banks to let them drive for a while.


Two digital security firms, GuardID Systems and Gemalto, are among vendors who plan to roll out big with new consumer-driven authentication tokens that will marry smart-card technology with real-time risk monitoring on user-owned USB tokens. GuardID, which has been out since late fall with the retail version of its ID Vault token (the size of a flash jump drive) and software package, is now ramping up with a new banking partnership program that includes add-on services like credit monitoring from Equifax from participating banks. At press time, Gemalto was planning to introduce its Network Identity Management (NIM) card solution at the RSA Conference this month, to work with the VeriSign Identity Protection (VIP) network system introduced last year as a self-service authentication portal already supported by Yahoo!, PayPal and eBay. "Consumers believe they are at the point they need something better than what they're getting today," with username log-ins, says Francois Lasnier, vp of banking of Gemalto. "But they realize today there's no universal solution."

Jerry Thompson, CEO of GuardID, says the proliferation of multiple online account relationships ("My wife and I have six or seven accounts between us," he says) is driving a convenience factor to revisit the idea of ID/password aggregation tokens and software, but this time with risk-based authentication. "There's a fallacy out there that people don't want tokens," based on the complexity of proprietary and corporate devices, says Thompson. GuardID market surveys show half of users would prefer tokens, and 70 percent would leave them at one PC location, mitigating the token portability risk.

Thompson says he thinks users are getting more fearful of phishing and pharming attacks, and learning how their actions aid them. Many are also beginning to understand the greater risk of exposing bank account information online: unlike fraud protection on credit cards, reimbursement for debit or checking account fraud isn't guaranteed by institutions.

Bankers have long been averse to tokens for the masses, not only for the expense but also for the accompanying tech support issues. With GuardID, the customer buys the token and GuardID monitors a whitelist service that updates current IP sign-on addresses with 7,000 financial institutions. Banks aren't involved in the security loop, but may choose to co-brand the product to their users in an affinity relationship with GuardID. Along with fronting device distribution to consumers, banks could add on credit and ACH monitoring, wire transfers, or secure email communications, among other services, through the secured GuardID/Equifax channel.

Gemalto's NIM device will not only be smart-card enabled, but will include embedded network communications stacks that will house SSL Internet layered security and add federated authentication to any VIP member institution. While banks will have to pay for the devices to distribute to customers, they will gain those funds back in an "interchange-type mechanism" with VeriSign.

Gartner security analyst Avivah Litan says the market could be a niche play (she estimates GuardID could sell as many as 10 million units) but won't be a mainstream answer. "It'll certainly appeal to a subset. The same kind of people who shred their documents."

(c) 2007 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com

