The biggest factor pushing companies to pay for something better than passwords is concern about identity theft and phishing. If something more than a password were needed to get access to financial records, it would be trickier for crooks to profit from such schemes.
"We want to add significantly more protection for our users and are looking at stronger authentication for passwords," said Adam Joffe, chief technology officer for Sony Online Entertainment, at an RSA Conference 2005 panel discussion.
Last week at the show, RSA Security announced plans for a hosted SecurID service where companies can add a layer of extra security for consumers. E*Trade Financial is among those that are trying out the RSA technology -- passing out a small number of the devices to customers for free. The company plans to decide later this quarter whether to expand beyond a few hundred early testers.
RSA said there are about a million consumers using its authentication technology, through a variety of pilot programs. Other companies that are eyeing the technology include financial institution Credit Suisse, Yahoo and Sony Online Entertainment.
Joffe said that Sony is "seriously considering" offering the RSA token to some of its customers. While game characters and points may not have the monetary value of a bank account, such identities are just as important to protect from online fraud.
"I wouldn't say [fraud is] a huge issue, but it's an issue," he said.
RSA's hope is that many companies will sign up for the program and that consumers would need only one token to manage a variety of accounts. Some businesses will give out the tokens free, while others may make customers foot part or all of the bill, the security provider believes.
Although the devices have the potential to help cut fraud, RSA Vice-president Christopher Young said the company is selling consumers as much on peace of mind as on cost savings. He likens it to the alarm that guards his house.
"I haven't had anyone break into my home before," said Young, who until about two months ago was head of safety and security premium services at America Online. "It makes my wife feel more comfortable when I am travelling, and I travel a lot."
Tony Gentile, a San Jose, California-based Web marketing consultant who runs a site called Buzzhit.com, said he would like to see a second method of authentication for many online activities, including banking, stock trading, Web-based health care and electronic voting.
But, he warns, any system is fraught with challenges. And he's not sure he or other consumers are ready to pay for it.






Talkback
What's all the dithering about, and what's all this talk of tokens? If companies or people are worried about carrying hardware then don't.
There is only one thing that will make it for a pwd replacement, that is biometrics, plain and simple.
Home/Company desktop PCs already have scanners, mobile phones are soon to get them in the west. I will always have my finger with me, or eye etc... biometrics is so slap in the face obvious it gets on my nerves that banks don't do it already.
The banks may be reluctant to hand out hardware to make things more secure but I am also reluctant as a user. If I want to check my account online at work and at home I will need to carry these things around with me and they may get lost or damaged not to mention that I may have more than one online account.
Fingerprint scanners built into a mouse will work much better. If it becomes an industry standard then manufacturers will make them cheaply and they will soon be everywhere.
Having worked in the IT industry for over twenty years I have seen quite a number of techniques for storing and retrieving data. The one lesson I have learned is that you never trust users to look after their own data. Sometimes even a password is a chore!
Eventually people will realise that the only way for people to 'reliably' access their data and associated facilities (i.e. credit, public and private access to premises etc) is by having a small chip implanted. That way they can't leave home without it. Don't have to remember card, don't have to remember password, don't have to remember keys, don't even have to remember who you are! With Chip readers everywhere and everyone carrying around their own KEY to the information and not the actual info itself. I'm amazed nobody has thought of it before.
Or maybe they have and are just waiting for the right opportunity to implement it?