For most online consumers, a username and a password are the only two items used to identify and authenticate themselves with online services.
But they’re not necessarily always enough to secure an identity properly and are often the target of fraud and identity theft.
A new effort led by VeriSign is about to address that by offering consumers a second factor of authentication to authenticate themselves and better protect their online identities. The goal of the effort, according to VeriSign, is to provide a new layer of authentication infrastructure for the Internet.
VeriSign Identity Protection (VIP), announced today, will offer users the promise of a single security device that will enable authentication on VIP-enabled Web sites. So far the list of future VIP-enabled sites includes industry heavyweights PayPal, eBay and Yahoo.
VIP offers a different approach than Microsoft’s single sign on Passport effort, which eBay tried and then nixed in late 2004.
Nico Popp, vice president and general manager of VeriSign’s Authentication Services, said that VIP is not providing the identity to the user as Microsoft’s passport aimed to do.
“The reality is today you already have an identity with PayPal or eBay that stays as it is today,” Popp told internetnews.com. “What we’re doing is providing a second factor, a device that strengthens those existing factors.”
Two-factor authentication is of course nothing new, not even for VeriSign. The consumer-friendly approach taken with the VIP initiative in this go around, according to Popp, makes it more attractive to both users and providers.
VIP is based on the concept of a shared authentication network where VeriSign is a provider of the authentication that will work across all participating members of the network.
“With a network approach we lower the bar and the complexity required to do two-factor authentication on Web sites,” Popp said. “Sites can accept devices issued by someone else.”
In terms of devices, VeriSign is also lowering the bar for users. Popp said that users would only use a device that they are willing to carry with them. VIP initial security devices are set to be USB U3 mini-drives from SanDisk as well as Motorola cell phones.
“It’s all about security that consumers can access,” Popp said.
In addition to the visible security that the two-factor authentication device provides, VeriSign is also bolstering the VIP initiative with an “invisible” layer that protects users against fraud.
VeriSign’s new fraud-detection software works transparently in the background looking for pattern anomalies that could indicate something is amiss.
The service includes a “self learning anomaly detection engine” that will evolve as new threats and fraud tactics emerge.
A policy-based engine is also part of the mix. As with the shared authentication network offered by VIP, VeriSign intends to share fraud information across its network so all VIP-enabled sites benefit from everyone’s collective fraud intelligence.
Popp argued that as core Internet infrastructure and security provider VeriSign is a trustworthy entity and may well succeed where others have failed at providing stronger authentication for the Internet.
“This is something that really can become a new piece of infrastructure for the Internet,” Popp said. “It can really transform the Internet by propagating stronger authentication and making it part of how we use the Web. That’s the goal here.”