Soft tokens at the new Interop show

A core rap against two-factor authentication based on hardware tokens is the cost of deployment and management, which puts it out of range of any company looking to use the technology to secure communications with consumers. Diversinet’s MobiSecure soft tokens, on the other hand, are generated by a small application that can be deployed to cell phones, PDAs or even Windows-based PCs.

The first East Coast Interop since 2002 bowed in in New York just before Christmas, and while small by Interop standards, was focused and decently attended.

The show featured about 100 vendors vs. the 270 that showed up in Las Vegas last May, but was conspicuously missing the support of longtime backers Cisco and Microsoft. Anchoring the show floor were Foundry and AT&T, with other large booths taken by APC, CA, Extreme and HP.

Vendors expressed mixed reactions about attendance levels; some were pleased to see buyers from big local companies, while others said attendance was too light. There were, however, many interesting technologies on display.

One company on the show floor that was telling an interesting story was Diversinet, which was talking up its software-based two-factor authentication technology.

A core rap against two-factor authentication based on hardware tokens is the cost of deployment and management, which puts it out of range of any company looking to use the technology to secure communications with consumers.

Diversinet’s MobiSecure soft tokens, on the other hand, are generated by a small application that can be deployed to cell phones, PDAs or even Windows-based PCs, says Wally Kowal, vice president of marketing.

In use, the MobiSecure tokens are employed the same way as hard tokens. When users log on they are asked for a password and the code generated by their token (the second factor). The algorithm on the user’s device creates the one-time code by combining a secret client credential (loaded during provisioning) with a sequential counter. The validation server knows the credential and sequence for that given client and, if it generates the same code, grants access.

After the session ends, the sequence number is incremented so that code can never be used again, Kowal says. The sequencing is the primary difference between MobiSecure and hard tokens from companies such as RSA Security, which keep the validation server and tokens in sync at all times.

Diversinet’s technology is compliant with the reference architecture for strong authentication from the Initiative for Open Authentication (OATH). Launched in 2004, OATH is backed by companies including IBM Tivoli, VeriSign and Citrix.

Although they might not be as secure as hardware technologies, the market for soft tokens such as MobiSecure has to be much larger. This is interesting stuff that we can expect to hear more about when Fall Interop arrives back in New York on Sept. 18.