VeriSign Inc will today reveal its plans for an authentication network that it hopes will address financial industry regulations and bring two-factor authentication to millions of people. Yahoo Inc and eBay Inc have both already signed up to the service.
In what promises to be a highlight announcement of the first day of the RSA Conference, VeriSign will officially launch the VeriSign Identity Protection network with a promise from eBay’s Paypal unit to put authentication tokens in the hands of a million users within three years.
Users will be able to sign in to Yahoo, eBay and Paypal services using a single one-time password token. VeriSign’s service will verify the passwords are genuine before users are able to log on. The service will be optional, marketed at users concerned about fraud and identity theft.
These e-commerce companies will pay VeriSign a subscription fee for the service based on the volume of lookups executed. The idea is to reduce the amount of money they have to spend on fighting fraud and maintaining the strength of their brands.
But the greater opportunity for VeriSign may be in the US financial services market, where FFIEC regulations will oblige online banks to use strong authentication by the end of the year.
We hope to be able to announce financial institutions [as customers] within the coming days and weeks, said Nico Popp, vice president of authentication services at VeriSign. He said that some banks are in very advanced stages of negotiation.
Popp likened the VIP service to an A network, where users’ cards can be used at any bank, regardless of where they were issued.. The analogy sort of works, but VIP is a centralized service. There is no federation involved. eBay does not have to talk to Yahoo, and vice versa.
The problem with federation is that you’re asking Paypal to share identities with Yahoo or your bank, Popp said. They don’t want to do that. They have privacy and competition concerns.
Similarly, under VIP, VeriSign knows nothing about the user, Popp said. VeriSign holds information about the token so that it can verify each one-time password is correct, but it knows nothing about the users’ identity. Yahoo and eBay retain ownership of that information.
While Paypal has agreed to act as a token distributor, Yahoo has merely agreed to support the sign-ins, without at first actually handing out tokens to its users, Popp said. VeriSign will also issue tokens directly through its web site, he said.
All manner of token formats will be supported. While Paypal has not decided what form factor to use yet, it will get to choose from the traditional hard key-fob token, USB devices, smart cards and soft tokens that can be installed on PCs or cell phones.
VeriSign will also announce partnerships with SanDisk Inc and Motorola Inc as part of the VIP announcement. Motorola has agreed to make its phones compatible with the service, while SanDisk will put tokens on flash cards used in cell phones.
The move puts competitive pressure on market leader RSA Security Inc, which has started to see most of its token business, in terms of volume at least, coming from the consumer market. The company recently announced a million-token deal with a coalition of Japanese banks.
RSA’s problem is it does not have the hosted infrastructure credentials to be able to immediately compete with VIP. The company does a good job selling tokens and the supporting identity management software, but lags VeriSign on managed services.
If VeriSign excels anywhere, it’s in its ability to complete internet-based directory lookups on a massive scale. VeriSign’s infrastructure also includes the .com and .net domain name registries, the largest SSL certificate validation service, and the root product code database for RFID tags.