VeriSign is teaming up with Innovative Card Technologies to offer credit cards that have one-time password tokens built-in.
The companies announced that InCard’s cards will be available tied into the VeriSign Identity Protection network, an authentication service already connected to the likes of eBay, Yahoo and Charles Schwab.
In theory, any company that connects its authentication systems to the VIP network enables its users to log in using an OTP credential supplied by any other member of the network. eBay has already started distributing hardware tokens from VeriSign that tie into VIP.
Whereas the typical hardware token in the past has been a dedicated key fob, InCard’s tokens are built right into an otherwise normal credit card. The cards have a little button users press when they want to generate a one-time password, which appear on a small LCD display.
They’re powered by a tiny on-card battery. It wasn’t clear to us at press time what the expected lifespan of the battery is, which will certainly be a factor in how rapidly they are adopted by banks.
The cards would be used like this: When a consumer logs into a VIP web site, they would be prompted to enter their username and password, and then to generate a one-time password by pressing the button on their credit card. Before allowing entry, the web site would send the OTP to VeriSign’s authentication service, which is in sync with all the issued cards and knows what password to expect.
Even if somebody rips off a user’s credit card details, even including the valuable back of card data, they would not be able to log into any VIP site that draconianally enforces the OTP second factor.
Interest in two-factor authentication has been rising along with the rise of concern about online fraud and identity theft. The cost of buying, distributing, managing and replacing tokens has been a barrier to broad adoption, which has led to companies such as VeriSign and RSA offering somewhat less secure server-side fraud mitigation software as an alternative.
But there’s no real replacement for something you have as a second factor, so the industry has been figuring out ways to make hardware tokens more affordable. Entrust, for example, now offers a $5 token.
Neither InCard or VeriSign talks about the price of the card-tokens. At a time when many token vendors, including VeriSign, are publicly talking up low prices as a means to take market share from EMC/RSA’s leading SecurID, this reluctance suggests the cards may be relatively expensive, at least when compared to the low end.
That said, putting the token into the credit card means banks only have to manage one piece of hardware, and they, as a VeriSign spokesperson said, already have their distribution model set, which likely means greater efficiencies.
There are also, according to the spokesperson, financial incentives for banks to join the network. If a card-token issued by a bank is used at another VIP member, that bank receives a sliver of the revenue from the transaction.
VeriSign’s spokesperson said the company is currently having very active discussions with a number of financial institutions. He added: This year will see definitely see the live rollout of this technology.