Friday, October 9

Cloud-Based Strong Authentication

Yesterday, RSA and Verisign announced a partnership on cloud-based secure authentication for the consumer market. Pretty interesting stuff. The management of these organizations should be commended for looking past their competitive rivalry to identify a new business opportunity.

The solution isn't new. Verisign has been offering its VeriSign Identity Protection (VIP) authentication services for quite some time. I've had a token that I use with my PayPal account (and my OpenID) for the past couple of years (made in China by ActivIdentity). But adoption of the offering has been less than overwhelming.

We could probably all count on one hand the number of people we know with a non-work-based authentication token. And most of those are likely tokens handed out by banks and other financial companies that are tied to a single account. The VIP solution gives you a token to use across multiple sites. And there are a few other perks as well.

I don't know what they charge to add this strong authentication to your site. But, I expect that it's more competitive than implementing your own solution. And the end-users benefit from a single token that can be used across systems.

RSA hasn't been wildly successful in getting tokens into the hands of consumers. So, partnering with Verisign seems like a good move - leverage an existing solution to sell more product. And Verisign customers benefit from more choice. RSA has a lot of token options and some are impressive. Their manufacturing is done at their headquarters in MA and the quality assurance process is top-rate (I've been through the tour).

In addition to overall quality, some of the options provide additional convenience as well, such as a token with an integrated smart chip (for access to encrypted laptops and digital signing) or the software tokens for BlackBerry, iPhone, Win Mobile, etc. that don't require an additional piece of hardware. I should note that the release only mentions hardware tokens, but in the consumer market, it would be a bad move to restrict usage to hardware only.

1 comment:

Matt Flynn said...

btw - ActivIdentity provides broad offerings. I don't want to sell them short. According to a company spokesman, they are leading the field in the OATH standard, are building alliances with endpoint security vendors to enable pre-boot authentication using smart cards or USB tokens, and have an extensive array of soft-tokens (mobile, PC and web-based). (just a few examples)