SecurID Adoption Falls Short

When RSA Security Inc. teamed with Microsoft Corp. in February 2004 to announce SecurID for Windows, RSA CEO Art Coviello hailed it as a major breakthrough in computer security.

When RSA Security Inc. teamed with Microsoft Corp. in February 2004 to announce SecurID for Windows, RSA CEO Art Coviello hailed it as a major breakthrough in computer security. By integrating SecurID tokens more tightly with Windows, the two companies would make it easy to replace weak, static passwords with strong, two-factor authentication, Coviello said then.

Almost two years later, however, Coviello acknowledged that the program has so far been a disappointment, with implementation challenges and a longer-than-expected sales cycle keeping adoption short of what the Bedford, Mass., company expected.

RSA estimates that it has sold "tens of thousands" of SecurID for Windows tokens since launching the service in the last quarter of 2004. Sales have been hampered by a number of factors, including conflicts with companies that used nonstandard Windows log-in elements, Coviello said.

While the deal with Microsoft has translated into revenue in the "millions of dollars," Coviello said the results are not up to the companys expectations.

Introduced at the 2004 RSA Conference in San Francisco, SecurID for Windows expanded RSAs support of the Windows platform, allowing companies to secure domain-level user access with Microsofts Active Directory, as well as "offline" access to the Windows desktop. In practice, however, getting SecurID for Windows to work with the incredible variety of Windows configurations has been a challenge, Coviello conceded.

"Any time you touch the desktop, theres going to be more testing," Coviello said.

In particular, RSA customers who were using variations of a standard Windows component called the GINA (Graphical Identification and Authentication) DLL encountered problems using the SecurID token to log on, Coviello said. GINA is part of the Windows log-in process and performs identification and authentication for user interactions.

RSA ran into problems when it tried to insert password information from the SecurID token into the log-in process with nonstandard GINA DLLs, according to Coviello.

The GINA issue is not specific to RSA; it is common to other companies that try to insert their technology into the Windows log-in process, said Dana Epp, CEO of Scorpion Software Corp., a security software vendor in Vancouver, British Columbia.

RSA has fixed the problems with GINA and hopes to begin deriving more benefit from the SecurID for Windows program, Coviello said.

However, problems with Windows log-in components like GINA often have grave consequences for enterprises, such as system crashes that idle workers and tie up IT resources, Epp said.

To ease implementation, RSA is also considering offering SecurID for Windows as a service to its customers, leveraging the companys customer base of 15 million to 20 million users, he said.

But RSA faces a number of challenges as it tries to promote SecurID tokens for widespread use in enterprises.

Until recently, SecurID for Windows was hampered by inadequate user management features that didnt allow companies to configure offline authentication policies for particular users or groups, Epp said.

Pricing is also a problem. Dave Nickason, an IT manager at Dibble, Miller & Burger P.C., in Rochester, N.Y., said that his small law firm considered RSA tokens for users on its 30-desktop, three-server network but found them prohibitively expensive.

Scorpion uses technology from RSA competitor CryptoCard Corp., of Kanata, Ontario. For $500, the company could buy a package of five secure tokens and not have to pay any renewal fee. CryptoCard also offers its authentication server software for free, Epp said.

"In my opinion, they are too small-business-unfriendly to warrant serious consideration," Nickason wrote in an e-mail, noting RSAs 25-user minimum license package and the cost of a dedicated Authentication Manager server to manage the tokens. "I cant handle the overhead in time and money for dedicated hardware to authenticate 50 or 60 remote log-ins a month."