RSA Puts Forth Token Effort

The new service employs Cyota's risk-based authentication.

RSA Security on March 1 announced its first products using fraud detection technology from Cyota, which it purchased in December.

RSA Adaptive Authentication is a multitiered authentication scheme that combines RSA's SecurID tokens and tokenless "risk-based" authentication from Cyota. The new service will allow banks and financial services companies to extend more security to the masses of online banking customers.

The announcement is the first salvo in a multipronged consumer security play by RSA, according to Chris Young, senior vice president and general manager of RSA Cyota Consumer Solutions, in Bedford, Mass.

ETrade Financial said it will use the new risk-based authentication service to protect its brokerage customers, according to Greg Framke, CIO of ETrade, in Merrifield, Va.

The Adaptive Authentication announcement makes good on promises RSA made to integrate the Cyota technology when it acquired the privately held company for $145 million in December.

The new product includes Cyota's risk-based authentication technology (also known as eSphinx), transaction monitoring and data from the Cyota eFraudNetwork. RSA will offer its traditional hardware and software tokens, such as SecurID tokens, as "segment-based authentication" to high-risk or security-conscious customers, RSA officials said.

Adaptive Authentication allows banks and financial services companies to apply different levels of risk mitigation to customer transactions.

For example, at ETrade, all brokerage customers will be analyzed by the Cyota risk engine and have risk profiles generated. When those customers log in using their password, the Cyota technology will compare the log-in attempt against that risk profile.

Most customers won't notice anything different. However, customers who suddenly attempt to log in to ETrade from a shared computer or a new location may be prompted with additional questions to confirm their identity, Framke said.

"It's not a one-size-fits-all thing. We want to deploy a number of products that span the gamut of customer online security," Framke said.

Even customers who already use the SecurID tokens will get assessed by the Cyota risk engine, though using the token should fast-track a user who is attempting to log in, Framke said.

The Adaptive Authentication announcement is the first step in RSA's expansion into a potentially lucrative consumer authentication business, Framke said.

RSA will offer the new service as an on-premises or as a hosted solution, using its Go ID Network, which allows customers to share a one-time password across accounts at Go ID partner sites.

In the coming months, RSA expects to announce an expansion of its consumer business. The company is hoping to build on large-scale consumer deployments at ETrade and Washington Mutual and tap demand for strong authentication driven by the escalation in online fraud, Young said.

For example, RSA is considering ways to add features such as client health screening to Adaptive Authentication. The company also plans to integrate its authentication technology with the new "InfoCard" architecture from Microsoft, unveiled at this year's RSA Conference, Young said.

Risky business

RSA Security is championing "risk-based" authentication, but what is it? Risk-based authentication combines risk analysis checks with user name and password information before and during online sessions. A risk rating considers information such as:

* The user's PC identity and IP address

* The user's behavior: the kinds of actions the user takes online

* Fraud data from other banks and ISPs

Users who get flagged may have to answer "life questions" in addition to providing legitimate log-in credentials.
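
The flow described in this sidebar and in the ETrade example above, as an added sketch that is not RSA's or Cyota's code: a log-in attempt is compared with a stored profile, the three kinds of signals are scored, a valid token fast-tracks the user, and a high score triggers "life questions". The weights, thresholds, field names and the no-discount rule for fraud-listed addresses are all assumptions, and the sample profile and addresses are constructed.

```python
from dataclasses import dataclass

# Assumed weights and thresholds; the article does not describe the engine's scoring.
WEIGHTS = {"new_device": 30, "new_ip": 20, "unusual_action": 25, "fraud_listed": 50}
STEP_UP_THRESHOLD = 40   # at or above this score, ask "life questions"
TOKEN_DISCOUNT = 0.5     # assumed: a valid token code halves the score (fast-track)

@dataclass
class RiskProfile:       # hypothetical per-customer profile
    known_devices: set
    known_ip_prefixes: set
    usual_actions: set

@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    action: str
    token_ok: bool = False   # customer also supplied a valid one-time code

def ip_prefix(ip):   # coarse location proxy: the first two octets of an IPv4 address
    return ".".join(ip.split(".")[:2])

def risk_signals(profile, attempt, fraud_ips):
    """Compare an attempt with the stored profile; return the signals that fired."""
    fired = []
    if attempt.device_id not in profile.known_devices:
        fired.append("new_device")
    if ip_prefix(attempt.ip) not in profile.known_ip_prefixes:
        fired.append("new_ip")
    if attempt.action not in profile.usual_actions:
        fired.append("unusual_action")
    if attempt.ip in fraud_ips:   # shared fraud data from other institutions
        fired.append("fraud_listed")
    return fired

def decide(profile, attempt, fraud_ips, password_ok=True):
    """Password first, then the risk rating. Returns (decision, score, signals)."""
    if not password_ok:
        return "deny", 0, []
    fired = risk_signals(profile, attempt, fraud_ips)
    score = sum(WEIGHTS[s] for s in fired)
    # Assumed policy: a fraud-network hit is never discounted by the token.
    if attempt.token_ok and "fraud_listed" not in fired:
        score = int(score * TOKEN_DISCOUNT)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, fired

# Constructed sample data (documentation address ranges).
PROFILE = RiskProfile({"dev-home"}, {"192.0"}, {"view_balance", "trade"})
FRAUD_IPS = {"203.0.113.9"}
```

Returning the fired signals alongside the decision gives the fraud team an audit trail for each step-up prompt, which is what makes threshold tuning possible later.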
