Move Over Token! My Phone Can do The Trick.
Banks have been issuing tokens to their business and corporate customers for some time. These multifactor authentication devices typically generate a one-time password that the user is required to provide upon login or to confirm a specific activity (e.g. the release of a wire transfer). Customers with multiple banking relationships end up lugging around a bunch of different tokens. They are easily misplaced, and the cost of these devices can also add up quickly (whether they are being paid for by the bank or the customer). Is there an alternative to the good old token? The mobile phone could be a great alternative in the form of out of band authentication (typically a text message sent to the phone containing the one-time password) or an one-time password generating application that resides on the phone. Out of band authentication hasn't caught on too quickly in the North American marketplace, but Celent predicts that adoption will gather speed as business users rely more on their mobile devices. The password generating application holds a lot of promise as well. Yesterday, Verisign
announced the availability of a one-time password generating iPhone application (dubbed VIP Access
) that would be a great alternative to a token. The app will be available for other devices as well (Blackberry, etc.). It can currently be used on select consumer sites (PayPal, EBay, AOL, etc.) and a handful of Australian credit unions (click here for list of supported sites
). It will be interesting to see which US bank is the first to use this app for online banking MFA. I doubt US banks will be too keen on integrating this into consumer online banking as the bother factor is too high. Consumers are finicky and can get thrown off by too much technical change and interruption. It's a great small business banking idea however and could have ramifications in the corporate space, particularly if it's available for Blackberry models.