RSA Lands ETrade for Risk-Based Authentication

RSA Security announces its first product using anti-fraud technology from Cyota, and ETrade says it will use the service to secure online brokerage log-ins.

RSA Security on March 1 announced a new risk-based authentication product and said that ETrade Financial would use the program to secure log-ins for all its online brokerage customers.

RSA Adaptive Authentication is a multi-tiered authentication scheme that combines RSAs SecurID tokens and tokenless "risk-based" authentication from Cyota. The new service will allow banks and financial services companies to extend more security to the masses of online banking customers. The announcement is the first salvo in multipronged consumer security play by RSA, according to Chris Young, senior vice president and general manager of RSA Cyota Consumer Solutions, in Bedford, Mass.

ETrade said it will use the new risk-based authentication service to protect its brokerage customers, according to Greg Framke, CIO of ETrade, in Merrifield, Va.

Adaptive Authentication is the first RSA product to use fraud detection technology from Cyota. The product makes good on promises RSA made to integrate the Cyota technology when it acquired the privately held company for $145 million in December, Young said.

The new product includes Cyotas risk-based authentication technology—also known as eSphinx—transaction monitoring and data from the Cyota eFraudNetwork. RSA will offer its traditional hardware and software tokens, such as SecurID tokens, as "segment-based authentication" to high-risk or security-conscious customers, RSA officials said.

Adaptive Authentication allows banks and financial services companies to apply different levels of risk mitigation to customer transactions.

For example, at ETrade, all brokerage customers will be analyzed by the Cyota risk engine and have risk profiles generated. When those customers log in using their password, the Cyota technology will compare the log-in attempt against that risk profile. Most customers wont notice anything different. However, customers who suddenly attempt to log in to ETrade from a shared computer or a new location may be prompted with additional questions or be asked to make a phone call to confirm their identity, Framke said.

Customers whose log-in is flagged, and who then try to carry out high-risk transactions, such as wiring money to a new destination, could even have the transaction blocked, he said.

ETrade began offering RSA SecurID tokens to its customers last year. The company wont say how many customers have signed up to receive the token since then. However, ETrade sees the Cyota technology as complementary to SecurID, Framke said.

"Its not a one-size-fits-all thing. We want to deploy a number of products that span the gambit of customer online security," he said.

/zimages/3/28571.gifImplementation challenges and a longer-than-expected sales cycle is keeping adoption of SecurID tokens short of what RSA expected. Click here to read more.

Even customers who already use the SecurID token will get assessed by the Cyota risk engine, though using the token should fast-track a user who is attempting to log in, Framke said.

Young said that RSA doesnt expect that the new Adaptive Authentication program will reduce demand for the companys SecurID technology, such as key-fob tokens and smart cards. However, SecurID sales are besides the point.

This isnt about selling more tokens or selling fewer. Its about being able to protect as many users out there in online financial services and e-commerce as possible," he said.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.