Saturday, September 25, 2004
AOL and Key Fobs
AOL announced last week that they would allow their users to protect their accounts with an additional layer of security through using an RSA Device. The widget is probably the size of a matchbox and has an LCD that shows a multi-digit number that changes every minute or so. When you access AOL, you'll need (I think) both your usual password and whatever the display shows as its current code. This is a neat extra layer of security designed to protect phishing or key logging attempts. If someone is watching your key strokes, the passcode is valid for only 60 seconds after use - pretty difficult to take advantage of. There are a few flaws here though, which is a shame because (for the most part) we really need something like this to become widely available: - You have to pay extra for the security - pricing looks to be $10 for the fob and then $1.95 or so a month extra. I've not seen many people want to pay extra for security - we've got too used to accepting what is there and dealing with it. Not enough people pay extra for firewalls, anti-virus software, anti-spyware software etc, so why will this be different? - It doesn't work on all devices. For sure it won't work on Mac (I am pretty sure that RSA doesn't yet support OS X) and it almost certainly won't work on linux. - I had one of these RSA widgets (I'm pretty sure it was called a "DES Gold" key at the time) at Citibank and, every so often, it would get out of sync with the main servers at the centre and I'd need to call tech support to sort it out. I can't see that thrilling AOL (who, given they still have millions of users will find that, if it ever takes off, a surprisingly large number of people per day get out of sync - the law of averages and all that) - Eventually the battery will go. Maybe it will take 3 years, maybe less. But it will go. - There's another flaw I think, which probably doesn't apply to AOL, but does if, say, government were to want to use this. The key is not sufficient to digitally sign an XML document - a tax return or benefit claim perhaps - so as to secure it in transmission and provide non-repudiation and a guarantee that it wasn't changed in flight. I am, though, pleased that AOL are giving it a try. It might make the technology a little more mainstream and that, in turn, might drive innovation that addresses the flaws. I've not heard that AOL are going to offer to federate the identity - i.e. offer the service to third parties - e.g. banks - but that will be needed if it's going to take off properly. $1.95 to protect your AOL account is one thing, but that much to protect your three online banks, your broker and perhaps even Amazon is probably a better proposition. And, that way, perhaps the banks would even pay for it as a service to customers and to reduce their exposure to fraud losses.
Posted by Alan at Saturday, September 25, 2004