VeriSign CEO Calls for Open Authentication

In his RSA Conference keynote, VeriSign's Stratton Sclavos on Wednesday said that the drag of security threats on new technology requires an industry shift away from proprietary authentication, while touting the company's OATH initiative and Microsoft par

SAN FRANCISCO—With security threats slowing the adoption of promising new technologies, the time has come for the security industry to move away from proprietary technologies and embrace open and interoperable standards for authentication, said VeriSign Inc. Chairman and CEO Stratton Sclavos.

Speaking here at the RSA Conference 2004 late Wednesday, Sclavos used his keynote presentation to tout a VeriSign-led initiative called the Open Authentication Reference Architecture, or OATH, as a path toward standards-based authentication. VeriSign launched OATH at the RSA show on Monday.

"It is time to rethink authentication," Sclavos said. "A fundamental shift needs to be made from proprietary systems to open solutions."

Propelling the shift is the drag that security threats have on the adoption of new technologies. WiFi, Web services, voice over IP and radio frequency identification are among the technologies being slowed because of security concerns, he said.

Along with more interoperability, the IT security industry needs to offer enterprises better visibility and intelligence about potential security threats and remove the complexity for end users, Sclavos said.

"If given a choice, our end users will always choose ease of use over better security," he said. "So we better make it easy."

With OATH, Sclavos explained, VeriSign has offered a reference architecture for authentication using a universal key recognized among applications, on multiple devices and across internal and external networks.

As part of that strategy, VeriSign earlier in the day announced a partnership with Microsoft Corp. for tying VeriSign's authentication services into Windows Server 2003 by this summer. Sclavos said that the combined offering will be OATH-compliant.

Sclavos demonstrated the VeriSign-Microsoft offering, showing both how a network administrator can provision user credentials using Active Directory and Microsoft's Management Console and how an end user could be authenticated while in the office and on the road using an OATH-compliant hardware token.

The USB token demonstrated was Aladdin Knowledge Systems Inc.'s eToken NG with One-Time Password, which will be part of VeriSign's April beta of the authentication service. The token combines a PKI store with one-time password functionality.

The OATH initiative will be developing new standards over the next six months as well as adding new partners, from application and infrastructure vendors to hardware makers, Sclavos said.

"It gives the ability to strongly authenticate every user, on every device they have and on every network they transverse," Sclavos said of OATH. "We need the ability to make the network secure by only letting good people, good content and good devices on board."
