Interest in the market for two-factor authentication, which increases login security by making users carry a one-time password-generating token with them, is increasing in both the consumer and enterprise space.
RSA Security Inc will today announce that it will offer its SecurID tokens to America Online users, while rival VeriSign Inc will separately announce its entry into the token market, following a long beta test.
The RSA-AOL deal, believed to be among the first of its kind, will see AOL offer its substantial subscriber base the option to increase the security of their login with an SecurID one-time password token.
AOL is calling the service PassCode. Users will be charged a setup fee of $9.95 and an extra $1.95 to $4.95 per month for the service, depending on how many screen names they are protecting. Financial details of the RSA-AOL deal will not be revealed.
We’re very bullish, if you will, on the overall opportunity in the consumer space, said RSA VP of worldwide marketing John Worrall, citing an emerging crisis of confidence among internet users due to factors such as identity theft.
RSA is the market leader selling authentication tokens to the enterprise space, and its rivals have been slow to break the company’s lock on the market, despite aggressive competition on token pricing.
VeriSign announced its intention to get into two-factor authentication in February, and launched a parallel standards initiative that the firm claims will help get the overall market growing by reducing vendor lock-in.
VeriSign will today announce that its beta testing of its offering is at an end, and that it has signed its first three paying customers. The company will start offering Unified Authentication software and services from the end of the month.
The company said the software permits multiple types of credentials, including one-time passwords, USB Tokens, smart cards and others. It will support .509, RADIUS, LDAP, and ODBC, the firm said.
UA is an authentication service engine that will be offered as a product to large enterprises that want to manage it on-premises, and as a service to small and medium sized companies, as well as to service providers.
If RSA’s ACE/Server, the back-end for SecurID, does user provisioning, lifecycle management and password validation, then VeriSign’s UA does the validation bit and pushes the other two functions out to the directory, a VeriSign executive said.
The system has a web-based user self-service administrative console, which helps reduce the total cost of ownership from $45-$55 with other systems to $25-$35, according to VeriSign’s VP of authentication services, Mark Griffiths.
The system, which leverages tokens made by Aladdin Knowledge Systems Inc, does us a sequence-based one-time password algorithm coming from OATH, the Open Authentication Reference Architecture initiative, Griffiths said.
VeriSign cheekily used the keynote at the RSA Security Conference in San Francisco last February to launch OATH, which it characterized as a way to broaden the token market through standardization that could have an impact on RSA’s market share.
Named participants in OATH included at launch Aventail, ActivCard, Aladdin, ARM, Axalto, BEA, Gemplus, HP, IBM and Rainbow, but it is questionable how many of these named companies were as enthusiastic about OATH as VeriSign.
Also today, VeriSign will release a plug in for the Microsoft Management Console that allows administrators to provision authentication tokens to users via the Unified Authentication system.