In the not-so-distant future, people looking to do their banking or stock trading online may whip out a credit card that has a tiny LCD screen and a button they push to make the card generate a disposable password.
It's the next wave of online safeguards, said Fran Rosch, vice president of authentication solutions at VeriSign, Inc., a provider of digital security services. VeriSign announced today it is teaming up with Innovative Card Technologies, Inc., the developer of the ICT DisplayCard, to come out with credit and debit cards that generate six-digit, one-time-use passwords to act as a form of online authentication.
"One-time passwords are a logical approach," said Rosch, in an interview with InformationWeek. "When consumers think about biometrics they become concerned with giving away their fingerprints or other measures. PKI [public key infrastructure] requires software on the desktop and banks don't want to get into distributing software... This, though, just made sense."
The cards would help fend off identity theft and online fraud, since they would give businesses a way to double-check the user's identity -- going beyond user names and passwords. If a phisher or hacker were able to steal someone's user name and password, they still wouldn't be able to come up with the second password unless they were physically holding the user's credit card.
Rosch explained that, at this point anyway, the cards would not be geared toward online retailers, like Amazon.com. Instead, they're aiming the concept at businesses and consumers who set up online accounts, like banks, brokerages and PayPal.
The cards would hold an algorithm that could generate the six-digit passwords, which are only good for 30 seconds.
When a consumer wanted to log onto her online banking account, for instance, she would log on with her user name and password, as usual. Then the site would ask for her secondary password. She would press a button on her credit card and the numerical password would flash up on the LCD screen. The next time she needed to log into her account, her card would give her a different number, which the site would match up with the card's unique serial number, which corresponds to the algorithm it uses.
The algorithm will continue producing numbers until the card's battery dies. Rosch said he expects the batteries to last for three or five years.
Rosch added that even if a key logger planted surreptitiously on the user's computer picked up that second password, a hacker wouldn't be able to use it because subsequent transactions would require a different password.
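The site-side check described above can be sketched as follows; this is an added example, not VeriSign's or Innovative Card Technologies' code. The article does not name the card's algorithm, so the sketch assumes a time-based code built on the RFC 4226 HMAC-SHA1 truncation, a per-card secret looked up by serial number, and card and server clocks that agree; the serial and secret are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (figure from the article)
DIGITS = 6   # code length (figure from the article)

def otp(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 truncation from RFC 4226 (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def card_display(secret: bytes, now: float) -> str:
    """What the card's LCD would show when the button is pressed at `now`."""
    return otp(secret, int(now) // STEP)

class CardVerifier:
    """Hypothetical site-side check: serial -> secret, one use per window."""

    def __init__(self, secrets_by_serial):
        self.secrets = dict(secrets_by_serial)
        self.last_step = {}  # serial -> last 30-second window accepted

    def verify(self, serial: str, code: str, now: float) -> bool:
        secret = self.secrets.get(serial)
        if secret is None:
            return False                      # unknown card
        step = int(now) // STEP
        if step <= self.last_step.get(serial, -1):
            return False                      # window already used: replay
        expected = otp(secret, step).encode()
        if not hmac.compare_digest(expected, code.encode()):
            return False                      # wrong or expired code
        self.last_step[serial] = step
        return True

if __name__ == "__main__":
    secret = b"12345678901234567890"            # constructed sample secret
    site = CardVerifier({"CARD-0001": secret})  # constructed serial
    code = card_display(secret, 59)
    print(code, site.verify("CARD-0001", code, 59))  # first use
    print(site.verify("CARD-0001", code, 59))        # replay of a logged code
    print(site.verify("CARD-0001", code, 95))        # same code after expiry
```

A real deployment would also tolerate some clock drift on the card and limit the number of guesses per account, neither of which is modelled here.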
"It's the benefit of two-factor authentication," said Rosch. "Even if the credit card was stolen, the criminal could press the button and generate the security code, but he doesn't know your user name and password. It wouldn't do him any good."
The cards, according to VeriSign, have been certified through Visa and MasterCard, so any bank with a relationship with them can buy into these cards and pass them out to users.
"I think it's a very large step forward," Rosch noted. "Customers want security. Customers want something that is easy to use. It also really squeezes the cost out of it for banks and brokerages. They want better security but they don't want to get into issuing their own security devices and mailing them out... We think this really knocks most of the barriers to consumer adoption down."