Verisign, RSA Seek to Change the Face of Passwords

Verisign, RSA to unveil two-factor solutions.

Passwords as we know them could be yesterdays news if two-factor authentication solutions from VeriSign Inc. and RSA Security Inc. catch on with enterprises.

Two-factor solutions combine a pass phrase with a key chain token that continually generates unique passwords that are used only once each time a user logs on to a network. The process is in stark contrast to traditional password solutions, which involve a single, user-generated password thats used continually over a period of time.

VeriSign, of Mountain View, Calif., plans to debut its Unified Authentication managed service this week, which will give enterprises the ability to deploy USB (Universal Serial Bus) tokens to all their users for two-factor authentication, while allowing VeriSign to manage the infrastructure.

Also this week, RSA, of Bedford, Mass., is expected to announce a partnership with a major Internet service provider in which the ISP will give its vast broadband user base RSAs popular RSA SecurID hardware tokens—a first for a U.S.-based ISP.

/zimages/4/28571.gifClick here to read about the token-based plan touted by RSA and Microsoft in the spring.

In both cases, putting two-factor authentication technology into the hands of millions of security-challenged users could be a boon for the overall security of the Internet, protecting accounts from being hijacked by spammers or crackers and protecting users identities.

Potential customers of the VeriSign service say its integration with existing security and directory services will be key. "We currently use smart cards for log-in and identity purposes," said Mark Deason, network administrator at Silverside Equipment Inc., in Reno, Nev. "If they can keep the cost competitive with other systems, like smart cards, and less than other biometric devices and show that it is actually a secure device to the security community, they might have a shot."

/zimages/4/28571.gifFor insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

Both of the new offerings are grown-up steps on the road to eliminating the use of static passwords for authentication, a practice that is several decades old and is considered one of the weaker links in the Internet security chain. Most users, studies show, choose easily guessed passwords, while easy-to-use password-cracking tools are readily available.

To be sure, online fraudsters have not been shy about taking advantage of this state of affairs. The Federal Trade Commission received more than 214,000 complaints of identity theft in 2003, and victims of Internet fraud reported losses of $200 million last year.

One of the best ways around the problem of weak passwords is the use of hardware tokens, which can generate a one-time password that a user must enter, along with his or her user name or a PIN.

The new VeriSign Unified Authentication service will use a hybrid USB token/ smart card from Aladdin Knowledge Systems Inc., of Arlington Heights, Ill., which includes the ability to generate one-time passwords and store user credentials directly on the device.

/zimages/4/28571.gifClick here to read more about VeriSigns call for an Open Authentication standard.

RSA is betting the technology will help protect online consumers, who, until now, have not had access to this kind of security.

Under the terms of its new partnership, RSA will sell its SecurID cards to the ISP, which will in turn provide them to users of its premium broadband service. Instead of using a screen name and user-chosen password to log in, users will enter a PIN, along with the unique code that the SecurID token generates every 60 seconds.

RSA officials declined to identify the ISP involved in the deal but said it is one of the largest providers in the United States. RSA is working on extending this program to other major U.S. Internet providers in coming weeks.

Two-factor solutions

How they work:

  • User enters secret, static PIN and presses button on token to generate unique one-time password, then enters that password into PC
  • Subsequent log-ins require generation of new passwords

/zimages/4/28571.gifCheck out eWEEK.coms Security Center at for the latest security news, reviews and analysis.


Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page