ETrade touts two-factor authentication service

Von Jaikumar Vijayan

ETrade Financial Corp. will soon launch a two-factor authentication service designed to provide customers of the online financial services company with an added layer of protection when they access account information over the Internet.

The authentication scheme is based on RSA Security Inc."s SecurID token technology and will allow ETrade customers to use a random and constantly changing number in conjunction with their regular user IDs and passwords to access their ETrade accounts.

The tokens give customers an additional layer of protection and make it impossible for unintended or unauthorized users to gain access to ETrade accounts by stealing passwords, said Joshua Levine, the company"s chief technology officer. Unlike static passwords, which can be stolen and misused, RSA"s tokens generate a unique six-digit code that changes every 60 seconds, Levine said.

ETrade"s decision to support two-factor authentication addresses consumer fears about online identity theft and data loss, Levine said. "We felt that this is really something that our customers needed to make them feel comfortable about doing e-commerce," he said.

Initially, ETrade will offer the authentication service as a free option only for customers who maintain accounts with the company that are worth more than US$50,000, Levine said. Eventually, other customers will be able to buy the tokens from ETrade for a fee, although the exact amount has not yet been decided.

ETrade is the first large financial services company in the U.S to offer two-factor authentication for online transactions, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc.

The company"s move comes at a time when consumer concerns over identity theft and e-mail fraud appear to be increasing -- especially in connection with online financial transactions.

In a December 2004 poll by Cambridge, Mass.-based Forrester Research Inc., 26 percent of online consumers surveyed said e-mail fraud concerns had stopped them from applying for a financial product over the Internet. And 20 percent of online consumers don"t open e-mails that appear to be from their financial provider because of fraud concerns, Forrester reported.

Another study, released last week by Forrester, warns that consumers could lose trust in the Internet as a channel for doing business as computer attacks on consumers and companies mount. To address that issue, companies will need to focus on identity assurance, usage assurance, service assurance and privacy assurance, the report said.

ETrade"s move gives "another way for them to retain their profitable, high-value customers," Litan said. But she noted that the company needs to make the security measure available to all customers "if they are really worried about fraud losses."

Though ETrade is the first U.S. online broker to support two-factor authentication, companies in Europe have been doing so for several years, Litan said. Much of that adoption stemmed from the stronger consumer concerns in Europe about security and privacy, she said.

In contrast, U.S. banks and other financial companies are afraid that they will drive customers away by introducing new security measures, she said. Cost is another issue -- authentication tokens such as those being offered by ETrade cost at least $10 per user to support, she said.

"ETrade is absorbing the cost because they expect to get it back by selling more services to their higher-value customers," Litan said.