Microsoft, RSA Detail New Dual-Layer Security System

RSA Security and Microsoft on Tuesday announced a partnership that could bring a new era for security on the Windows platform. With the use a security token device, passwords and authentication services, the new SecurID system for windows hopes to make lo

SAN FRANCISCO—RSA Security Inc. on Tuesday announced a partnership with Microsoft Corp. to develop a version of its SecurID token for the Windows operating system. Revealed at the RSA Conference here, the system will provide an additional layer of security for Windows customers.

Under the new plan, users will only be asked to remember a single PIN (personal identification number) when the SecurID system for Windows rolls out in the third quarter of 2004. A rotating password will be supplied by the RSA tokens, a keychain device with a small LED screen, which will add an additional layer of cryptographic complexity to the login process. RSA, based in Bedford, Mass., will make the SecurID capability free to its existing customers, executives said.

In a keynote address that examined the historical parallels between the transfer of goods via railroads, trucks, and the Internet, RSA president and chief executive Art Coviello said that the relative lack of e-commerce transactions made today over the Internet reflected a lack of confidence in the system.

In much the same way as the steam engine enabled a steam-fuelled locomotive, security should be considered the foundation of e-commerce, he continued. "Security is the core technology, the steam engine of confidence," Coviello said.

Although RSA has had its two-layer SecurID system in place for several years, the technology will be tightly integrated with the Windows login procedure. The technology may also be used to secure VPNs, Citrix servers, wireless LANs, and other networks, he said.

Currently, a Windows user enters a login name and password to access the operating system and the network. IT managers usually require users to change their passwords every month or 90 days, and some prevent users from using easily-remembered derivatives of older passwords, such as "password" and "password2".

"We need to move beyond passwords," Coviello said, who called them a "nuisance".

Under RSAs system, users will be issued a token device that rotates a six-digit PIN every 60 seconds. After entering a login name and personal PIN, the user will then append the six-digit token password to the end of the password field, creating a difficult password to crack.

The combination of the user PIN and token PIN will then be passed along to the RSA Advanced Server 9.0, a necessity for the service to work, said Scott Schnell, RSA senior vice president of marketing. Although the token device and the client PC are not directly connected, the tokens will keep accurate time, so the token PIN and the password on the computer will match up.

The hope is that the SecurID technology will make the Windows login process simpler, by eliminating passwords, and at the same time, more difficult for outside intruders to penetrate.

/zimages/5/28571.gifRead more here about Microsofts security initiatives introduced on Tuesday at the RSA Conference.

This simplicity may also equal lower cost said Ray Wagner, a security strategies analyst at Gartner Inc.. According to Gartner research, IT departments this year will spend over 5 percent of their budget specifically on security, a first.

"Its important for the long-term that security becomes invisible," added Jeff Jones, Microsoft senior director of trustworthy computing.

/zimages/5/67194.jpgThe technology will also allow mobile users not connected to a network to access Windows. Schnell said that IT administrators can set policies downloading two or three weeks worth of data into a client PC, allowing it to accept a token even when not connected to the network.

However, if the laptop is broken into, the unauthorized user will not be able to discover the secret algorithm, since its stored only on the server, Schnell said. When the laptop connects, the SecurID algorithm will synchronize with the server, much like an email application.

Users who lose the token—which is available as a small handheld device and a PC card, and on the Palm and PocketPC operating systems, as well as integrated into high-end European Nokia Corp. and Ericsson AB phones—may also be issued a provisional token by an IT administrator until a new device is issued.

The SecurID for Windows program will enter beta phase in May, and will ship later in the third quarter, Schnell said. Every Advanced Server 6.0 sale will include the SecurID technology for free, he said, with no maintenance fee. Existing AS 6.0 customers with a maintenance contract can also upgrade, he said.

In a separate announcement, RSA also introduced an RFID blocker tag to satisfy privacy concerns over the use of RFID tags used by retailers, an idea the company floated a year ago.

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add Our Security news feed to your RSS newsreader: