Will 2FA use transcend online banking?

Singapore firm set to demo two-factor authentication for online services such as e-commerce and Web mail, but analysts say it may take some time to gain acceptance.
Written by Vivian Yeo, Contributor

SINGAPORE--Two-factor authentication (2FA) is starting to become available for online services other than banking and remote logon to corporate networks, but it remains to be seen whether consumers will take to it.

Local security technology firm Data Security Systems Solutions (DSSS) is set to showcase a new two-factor authentication service for online services at the RSA Conference next week. Called BetterThanPin, the service is unique in that it allows consumers, rather than service providers or enterprises, to initiate stronger authentication for the online services they deem important, said Tan Teik Guan, the company's chief executive and chief technology officer, in an interview Friday with ZDNet Asia.

The BetterThanPin service requires a user to create an account on the BetterThanPin portal and register the online accounts. During the sign-up process, the user is also asked to select the preferred mode or token for receiving the weekly-generated passwords. These temporary passwords--six-digit numbers--will be added to the string of characters in a user's static password for a particular account.

According to Tan, the service currently only allows users to initiate 2FA for their Gmail accounts. However, it is also ready to manage Facebook accounts, and there are plans to add Yahoo Mail and Skype to BetterThanPin. The service is also envisioned to be compatible with hardware and software tokens.

Starting next week, DSSS will initiate a trial for Gmail users, he added. The company is targeting 1,000 users of different demographics globally to participate in the trial, which will last till August.

"From the feedback, we will decide whether to continue [developing] the service [and] what [other] online services to ready [it for]," said Tan.

The company has so far been focused on developing BetterThanPin, which uses existing authentication technology by DSSS, and paid scant attention to the commercial viability of the service, admitted Tan. However, he said the service could eventually be offered through the cloud by service providers, in individual enterprise deployments such as Intranet sign-in or directly to individuals.

Should DSSS market the service direct to consumers, it may include advertisements sent with the temporary passwords as it would not be realistic to offer the service for free long-term to consumers, he noted.

DSSS is not alone in trying to introduce stronger authentication for online services. Last month, Vasco Data Security announced in a media release that Square Enix, the Tokyo-based video game company, would offer its customers stronger authentication to access its content and services.

With the move, Vasco noted the popular massively multiplayer online role-playing game, Final Fantasy XI, would be the first online game in Japan to make use of one-time passwords for authentication.

Citing statistics released by Japan's Ministry of Internal Affairs and Communications in February, Vasco said there were nearly 2,300 cases of fraudulent access to online services in the country last year--a 26 percent increase year on year. Over half of the cases involved online auctions, while some 457 were related to online games.

Security vendors, including Sophos and Symantec, have also in the past warned of cybercriminals using malware such as Trojans to steal the credentials of online gamers. With the growing number of online game sites and players, it was increasingly lucrative for malware writers looking to profit from online assets.

Reassurance for cloud computing users
Analysts ZDNet Asia contacted said stronger authentication would be a welcome option, but such services would need to be pitched to the right target market.

In a phone interview, Shaun Rein, managing director of China Market Research (CMR), pointed out that the demand for better authentication could come from usage related to e-commerce including online games.

However, he noted that it may be "doubtful" to expect that consumers would pay for a 2FA service. "People don't like to spend money on online [activities]. Chinese gamers don't want to waste money… most of the gamers are under the age of 28. They don't have that much money--they'd rather spend it on buying more avatars," said Rein.

The idea of receiving new passwords every week could also be disruptive and time-consuming, he added.

Instead, the real opportunity lies in the enterprise realm. Service providers such as Google will likely offer these security elements to their users to alleviate security concerns around cloud computing, Rein explained.

He said: "The bigger market is from the corporate side. Gmail will have that type of service to prove to their corporate clients.

"Especially with this recession, [companies] are switching to Linux and Google Docs rather than using Microsoft--they don't want to buy hardware anymore. They don't want to buy servers since they're switching to cloud computing."

Michael Warrilow, managing director of Hydrasight, pointed out in an e-mail that online services such as e-mail are considered "low-value".

"Two-factor authentication certainly would assist to reduce hacking of online accounts. However, even in online banking, it is not widely adopted due to cost and inconvenience," he noted.

Warrilow added: "We do not expect low-value online services such as Google or Facebook to require users to adopt 2FA during the next five or more years."

Similarly, CMR's Rein noted: "While I think it's a service or tool that's definitely needed, I'm not sure how much traction it's going to get."
