Added Security With Strong AuthenticationAdded Security With Strong Authentication

It's hard to say what's growing faster, security threats or security solutions. Attacks on E-commerce sites have quadrupled, according to Symantec Corp. In the first six months of 2004, E-commerce sites were hit by nearly 16% of online attacks, up from the 4% reported during the previous six months, according to Symantec's latest Internet Security Threat Report.

Earlier this week, online security and infrastructure provider VeriSign Inc. added yet another security system to the industry with VeriSign Unified Authentication. The authentication system, available either as a service or software, is an extension of the company's VeriSign Intelligence and ControlSM Services. It integrates with a company's current IT infrastructure, including popular directory and application servers such as Active Directory, LDAP, and ODC databases, to enable businesses to address strong authentication needs with a single system.

Meanwhile, RSA Security Inc. revealed this week AOL PassCode, a new consumer service that provides America Online accounts with strong authentication via a key-chain-sized device that generates onetime pass codes every minute.

Strong authentication typically uses something you have (a token) and something you know (a pass code) to authenticate a user's identity.

The double dose of security that VeriSign and RSA are offering may be for naught. Laura Koetzle, a principal analyst at Forrester Research, says it remains to be seen whether strong authentication will catch on. Companies outside high-security industries, such as financial services, aerospace, defense, and high-tech manufacturing, have found the technology too costly for the benefits it provides, she says.

But VeriSign's announcement brings much-needed competition to a market dominated by RSA Security, she says. "It's good for customers because it gives them choice," she says, noting that VeriSign's tokens cost less.

"The fact that these two announcements came simultaneously is not coincidental," says Koetzle, who notes that users of RSA's strong authentication products among financial-services companies have expressed a desire for more-affordable protection. But if RSA and AOL can deliver the technology to consumers for a onetime fee of $9.95 and from $1.95 to $4.95 per month, the cost to businesses may come down, too.

VeriSign is rolling out two USB tokens, one of which features onetime password capabilities. "Identity theft has been a challenge," says Mark Griffiths, VP of security services at VeriSign. "Enterprises that are trying to integrate either business partners or consumers are saying, 'We need to find a better way of doing stronger authentication of the person logging into our network or Web-based application.' "

The technology will appeal to companies concerned about workers accessing the network remotely or business partners connecting to an extranet, Griffiths says.

It may also interest those concerned about Windows login authentication. In a separate but related announcement, VeriSign said that its United Authentication system delivers on a plan disclosed last year to bring strong authentication to the Microsoft Windows environment.

VeriSign's security infrastructure has been integrated with the Microsoft Windows Server 2003 platform to take advantage of Microsoft technologies, including Active Directory, Microsoft Certificate Server, and the Microsoft Internet Authentication Services components. It will be available at the end of September.

Soon thereafter, a new service component, VeriSign's Certificate Interoperability Service, will allow those who are using the Microsoft CA server as part of a Windows Server 2003 or Windows 2000 Server installation to extend encrypted communication beyond their own networks to external partners.

VeriSign officials claim their strong authentication offering will ease the costs and complexities associated with the technology. That could reduce some of the awkward workarounds companies have implemented, Griffiths says. For example, he says Australian banks have turned to cell phones and Short Message Service technology to distribute onetime passwords for online access. In Sweden, some companies rely on scratch cards with 30 or so preprinted onetime passwords, Griffiths says.

To demonstrate the potential of its new service, VeriSign has partnered with i-Safe, a government funded nonprofit that promotes Internet safety for children, to offer the i-Stik. This USB token, to be issued by participating schools, will authorize access to youth-oriented chat rooms that might otherwise attract pedophiles or similarly undesirable visitors. VeriSign is donating the infrastructure and hardware.