RSA says one U.S. bank and several abroad are testing the Bedford, Mass.-based vendor's first security token modeled on a credit card. The RSA SecurID Display Card, which is thin and easily fits in a wallet, is another option that RSA's bank clients can offer their own customers when it comes to online security -- specifically, to meet the Federal Financial Institutions Examination Council's (FFIEC) multifactor authentication requirements.
The card could possibly be bank-branded, notes Rachael Stockton, product manager of the RSA SecurID card. But customers actually would need a different security card for each bank, she explains. That's partly because the software that manages the authentication process resides with the particular bank.
The latest version of the companion software, RSA Authentication Manager 7.1, released in late May by RSA -- the security division of Hopkinton, Mass.-based EMC -- offers, at additional cost, the option of authenticating customers by using a software token that sits on their cell phones rather than requiring them to carry separate, physical security tokens. Up to 10 financial institutions' tokens could sit on one cell phone, according to Stockton. "Whether it's [physical] fobs, cards, software tokens on a Blackberry, ... banks have different preferences" for security offerings, she says.
The "list price" for the SecurID Display Card is $48, compared with $39 for the cell phone security -- based on a sliding scale, beginning with a deployment of at least 10,000 users, Stockton says.
The emerging mobile channel is adding both complexity and opportunity to the security picture. Keith Schwalm, a consultant with The Santa Fe Group, remarks, "People lose things, but they don't typically lose their mobile phone. It's usually attached at the hip, literally."
With physical tokens, even a change of pocketbook or wallet could throw a spanner in the banking security works. A customer who lost a card would likely have to wait days to get a new one mailed, he says. Also, Schwalm notes, a potential $48 replacement card compares with $5 for a keychain security token for use with online payment service PayPal, or with reissuing a software token at no cost over the mobile network.
In fact, of banks considering issuing security tokens to customers, RSA's Stockton says, "We're seeing many of the banks considering passing that [cost] on to customers." Outside of the U.S., it is often customers who demand extra security since they are entirely liable for fraud on their accounts. But in the U.S., where defrauded customers typically are made whole by their financial institutions, banks are showing "significant interest" in getting better security into the hands of the wealthiest 10 percent of customers, in particular, Stockton says.
Related Blog: So Many Passwords, So Little Memory
A recent blog on BS&T's Web site that noted how exhausted people are from having to authenticate themselves online over and over again elicited many e-mail replies (and even a Dilbert cartoon). Reportedly, most people enter a username and password 13 times a day.