AOL Offers Added Security

America Online is teaming up with RSA Security in an effort to keep its users safe from online fraud and identity theft. RSA and AOL are announcing a new program called "AOL PassCode" that will encourage AOL customers to use secure tokens to protect account information.

The PassCode program will offer AOL-branded SecurID tokens from RSA to AOL customers for added account protection, says John Worrall, vice president of worldwide marketing at RSA of Bedford, Massachusetts.

The program is the first major rollout of multifactor authentication to consumers, according to Ned Brody, senior vice president of premium services at AOL.

Likening the RSA SecurID token to a "deadbolt lock" on a door, Brody says the service will let security-conscious consumers feel more confident that their AOL account information is secure, especially in light of the increase in phishing scams. This type of fraud uses spam and Web sites designed to look like legitimate e-commerce sites to part consumers from sensitive information such as user names, passwords, and credit card information.

While AOL does not store customer financial information in its accounts, customers increasingly use free storage linked to their AOL accounts to store confidential data such as photos and personal files, including financial files, in addition to e-mail. Company data shows that AOL customers know that static passwords should be updated frequently, but few do so. The PassCode token will also enforce strong passwords by requiring a unique value to be entered each time users log on to the service, Brody says.

Added Fee

AOL customers can sign up through the company's Web page for the premium service and will pay a $9.95 one-time fee to receive a keychain token by mail. The company will charge $1.95 per month to secure one screen name through PassCode, and $4.95 a month for up to seven screen names, AOL says.

Once the token is received, AOL customers can activate it through their AOL account. After that, customers will log in using their AOL user name and password, after which they will be presented with an additional screen asking them to enter the unique, six-digit value displayed on their SecurID token. Behind the scenes, AOL maintains a database that links the SecurID token to the AOL user account and tracks the passwords generated by the device, which change every 60 seconds, Brody says.

The new system will protect users from having their AOL account information stolen in a phishing attack because having an AOL customer's user name and password will no longer be adequate to access an account, he says.

Customers who lose their token can "unbind" their account from the token by answering a number of questions through AOL's Web site that will identify them, then request a replacement token from the company, he says.

AOL has already conducted a small test release of the technology in the last week, but will begin marketing the service in earnest this week with its announcement, along with banner ads for its customers and information in AOL's Safety and Security Center. The company will not estimate how many PassCode tokens it hopes to sell, but said that internal polls and a test run of the service in late 2003 indicated that the interest in purchasing the tokens was "phenomenal," he says.

Premium Services

PassCode is just the latest in a series of premium services introduced by AOL in the last 18 months. Other services include AOL Virus protection, which uses McAfee's antivirus software to protect customers from e-mail-borne threats. The company is planning more security services in coming months, and is also looking at ways to extend the PassCode service to secure other e-commerce services available to its customers, he says.

The company also announced a partnership with Microsoft in February to offer SecurID for Windows, a handheld token that allows users to log on to Windows 2000 and XP machines using a one-time password, without requiring a connection to an RSA server to authenticate the user.

While AOL probably won't sell a token to all of its customers, it could still find a healthy market for the new premium service, according to Avivah Litan of Gartner.

A recent Gartner survey found that security is a major concern for about 20 percent of online consumers and 60 percent or 70 percent of consumers who had been online fraud victims. Sixty percent of those surveyed said they would be more likely to spend money through or keep money with an online vendor that implements security technology and gives them a choice of using it, Litan says.

Presented with an increasingly hostile Internet and online commerce environment, and slow response on the security problem from merchants, banks, and financial services companies, consumers may well reverse the trend of the last decade away from mediated Internet services like AOL that can help them keep their account and sensitive information secure, Litan says.

Note: has a partnership agreement to provide content to AOL.

Subscribe to the Best of PCWorld Newsletter