America Online’s decision to offer its customers the option to replace passwords with secure ID tokens could mark an important step forward in delivering secure e-commerce on the internet, according to security experts.
AOL last week announced a partnership with security supplier RSA to become the first internet service provider to offer its customers strong authentication to protect their internet transactions.
Smart tokens, which generate a series of unique random code numbers, provide significantly greater protection than passwords, which can often be easily guessed.
AOL plans to offer the service, which will cost an extra £1.08 a month per user, to private customers who are concerned about security and to small businesses that need to guarantee the security of their e-mails.
The move represents the first step in developing widely used identity services, which will allow ISPs to verify the identity of their customers to online banks and retailers, RSA said.
"We believe that other ISPs will follow AOL. If they are offering a service where they can authenticate users they can federate the ID by authenticating you to your bank. Federating ID with strong authentication could be very powerful," said Bill McQuaide, senior vice-president for enterprise solutions at RSA.
The Liberty Alliance (a group of 150 companies and public sector organisations), the Web Services Federation (backed by IBM and Microsoft) and the Organisation for the Advancement of Structured Information Standards are developing competing standards for federated identity.
The growth of internet commerce has been limited because of consumer concerns about the security of online bank accounts and online retail sites, RSA said.
Research by RSA showed that one third of individuals use their spouse’s name as a password, 14% use their birthday and 11% use their pet’s name. The most commonly used password is "password", it found.
Graham Titterington, senior analyst at Ovum Holway, said AOL was breaking the mould and the ISP could help to educate the public about improving their security.
"It makes it apparent to the man in the street that there is stronger ID available - that security is not synonymous with user ID and passwords," he said.
But Titterington questioned whether the public would be willing to pay extra for greater security. "People have to see that there is a hard benefit," he said. "Everyone expresses concerns about security but few people are prepared to put their hands in their pockets."