RSAs SecurID for Windows Still Falls Short of Expectations

Implementation challenges and a longer-than-expected sales cycle is keeping adoption of SecurID tokens short of what the company expected.

When RSA Security Inc. teamed with Microsoft Corp. in February 2004 to announce SecurID for Windows, RSA CEO Art Coviello hailed it as a major breakthrough in computer security. By integrating SecurID tokens more tightly with Windows, the two companies would make it easy to replace weak, static passwords with strong, two-factor authentication, he said then.

Almost two years later, however, Coviello acknowledged that the program has so far been a disappointment, with implementation challenges and a longer-than-expected sales cycle keeping adoption short of what the company expected.

RSA estimates that it has sold "tens of thousands" of SecurID for Windows tokens since launching the service in the last quarter of 2004. Sales have been hampered by a number of factors, including conflicts with companies that used nonstandard Windows log-in elements, Coviello said.

While the deal with Microsoft has translated into revenue in the "millions of dollars," Coviello said the results are not up to the companys expectations.

/zimages/6/28571.gifCoviello is betting on authentication and anti-fraud technology. Click here to read more.

Introduced at the 2004 RSA Conference in San Francisco, SecurID for Windows expanded RSAs support of the Windows platform, allowing companies to secure domain-level user access with Microsofts Active Directory, as well as "offline" access to the Windows desktop. In practice, however, getting SecurID for Windows to work with the incredible variety of Windows configurations has been a challenge, Coviello conceded.

"Any time you touch the desktop, theres going to be more testing," Coviello said. In particular, RSA customers who were using variations of a standard Windows component called the GINA (Graphical Identification and Authentication) DLL encountered problems using the SecurID token to log on, Coviello said. GINA is part of the Windows log-in process and performs identification and authentication for user interactions.

RSA ran into problems when it tried to insert password information from the SecurID token into the log-in process with nonstandard GINA DLLs, said Dana Epp, CEO of Scorpion Software Corp., a security software vendor in Vancouver, British Columbia.

The GINA problem is not specific to RSA; it is common to other companies that try to insert their technology into the Windows log-in process, Epp said.

RSA has fixed the problems with GINA and hopes to begin deriving more benefit from the SecurID for Windows program, Coviello said.

However, problems with Windows log-in components like GINA often have grave consequences for enterprises, such as system crashes that idle workers and tie up IT resources, Epp said.

To ease implementation, RSA is also considering offering SecurID for Windows as a service to its customers, leveraging the companys 15 million- to 20 million-user customer base , he said.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

But RSA faces a number of challenges as it tries to promote SecurID tokens for widespread use in enterprises.

Until recently, SecurID for Windows was hampered by inadequate user management features that didnt allow companies to configure offline authentication policies for particular users or groups, Epp said.

Pricing is also a problem. Dave Nickason, an IT manager at Dibble, Miller & Burger P.C. in Rochester, N.Y., said that his small law firm considered RSA tokens for users on its 30-desktop, three-server network but found them prohibitively expensive.

"In my opinion, they are too small-business unfriendly to warrant serious consideration," Nickason wrote in an e-mail, noting RSAs 25-user minimum license package and the cost of a dedicated Authentication Manager server to manage the tokens. "I cant handle the overhead in time and money for dedicated hardware to authenticate 50 or 60 remote log-ins a month."

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.