Authentication services on tap

VeriSign last week began offering a managed authentication service based on two-factor hardware tokens that online businesses can use as an alternative to hosting their own authentication servers or depending on less-secure, reusable passwords.

The VeriSign Unified Authentication service relies on a handheld hardware token, including a smart card with a digital certificate or a handheld key fob that generates one-time passwords. There are only a few managed two-factor authentication services today, such as that from RedSiren, but VeriSign sees the potential for growth as companies increasingly appear willing to outsource security or tighten security in the face of regulatory-compliance requirements.

"Identity theft, phishing and the need for regulatory compliance are driving factors that make two-factor authentication preferred to a simple password," says Nico Popp, VeriSign's vice president of authentication services.

In the VeriSign-managed service, businesses can give the hardware token to their customers in lieu of assigning simple passwords. Some companies are wary of deploying public-key infrastructure or dynamic password tokens that are perceived as complex, and VeriSign's managed service is aimed at remote hosting of the necessary authentication servers in its own data centers.

However, for the authentication service to work, the company must be willing to install VeriSign's middleware on Microsoft Windows 2003, Active Directory and Microsoft Management Console, Popp says.

If the business uses Microsoft products, adding the VeriSign middleware to Active Directory will let Active Directory validate the token's form factor and one-time password through the middleware's so-called "validation utility," which will securely transmit the user's authentication data to VeriSign over the Internet.

Through its data centers, VeriSign would then complete the authentication process as a service, which frees the customer from having to maintain additional servers on site for certificate or password validation. Popp says the service costs about $25 per token user.

VeriSign's rival in the digital certificate business, RSA Security, is also unveiling a two-factor variable-password authentication service with AOL. The service also relies on a key fob-based token device, and AOL has installed RSA Security's ACE/Server internally to authenticate users by means of variable passwords generated by the SecurID token. AOL is the first ISP to offer such a service to consumers who might want to forgo use of less-secure, reusable passwords.

The service, called AOL PassCode, costs up to $4.95 per month, depending on the number of screen names on the account, plus $9.95 for the RSA Security key fob that generates a one-time, six-digit password every minute.

"It's based on the same RSA SecurID authentication used by business," says John Worrall, vice president of worldwide marketing at RSA. Worrall said some businesses, including Credit Suisse, Barclays Bank, and Wells Fargo, have distributed RSA SecurID tokens to customers, but mostly for expensive, high-risk transactions.

Copyright © 2004 IDG Communications, Inc.