Australia Post tests online identification service
Australia Post is trialling a two-factor authentication service to be used by customers such as banks for online transactions.
A small group of customers are using Post's VIP Online Security service, an outsourced authentication offering based on number-generating tokens. Post would not reveal the trial customers.
The new service is an electronic extension of Australian Post's traditional identity verification business. Postal employees already conduct identity checks when issuing passports and immigration clearances.
Post hopes to target the finance sector with VIP which allows companies, such as banks, to set-up two-factor authentication without the associated infrastructure costs.
As with most two-factor authentication services, an end user would enter a random six digit number generated by a token in the log-in section of their online account. The token generates a different number every 60 seconds.
Once entered, the number is verified against a database of the tokens before access is granted. The database is hosted at a VeriSign data centre. The vendor is Post's technology partner for the service, which is based on VeriSign's VIP security service.
End users of the service do not "see" Australia Post's involvement in the course of the authentication.
"We didn't want to hold any identification information," said Wylie Easthope, product manager, electronic authentication, Australia Post.
"Once you become a trusted identity provider, it brings with it a lot of compliance."
Easthope said VIP represented the continuation of Post moving its authentication services into the electronic arena.
Post had the advantages of its coverage and logistics services to efficiently deliver tokens to customers, he said.
It could also offer receiver identity checks, if a customer were to ask end users to collect their tokens by attending a Post branch. Post had no exclusive token supplier, said Easthope, and was technology-agnostic.
"We're not in the game of selling tokens or someone else's brand," he said.
"We'll be offering tokens from a variety of vendors, both hard and soft [tokens]."
Driving the adoption of VIP, according to Post, is the opportunity to use the same token across multiple accounts.
Users will be able to use their token on other VeriSign-based VIP accounts including Yahoo and eBay, although the online giants are yet to deploy the service.
"We do think that by getting the lowest common denominator out there [to link accounts], people will use it," Easthope said.
Gregg Rowley, managing director, Verisign Australia, said VIP was a safe way for users to access linked accounts.
"The problem Australia Post sees in the future is you're going to have a necklace of these [numbers].
"[But] this is a token sharing service. It's not about sharing your identity."
Post is using the VIP service internally, as well. A few hundred Post employees have used the token-based system for tasks such as remote network access, Easthope said.
However, there were no plans to make customers use VIP to access Post services such as its online bill paying system, Postbillpay, he said.
"Postbillpay doesn't have a need for it. The level of fraud in Postbillpay is incredibly low."