In October 2005, Lloyds TSB became the first UK bank to undertake a large-scale trial of issuing security tokens to its online banking customers. For many familiar with the technology, strong second-factor authentication systems are synonymous with RSA Security's SecurID, which generates "one-time passwords" (OTPs) on a keyring-sized device.
But Lloyds gave the contract to Vasco, a company a tenth RSA's size but with a strong presence in the banking industry. Chris Young, RSA's VP for consumer managed services, trots out the snubbed vendor's standard line: "The good news is it validates that they recognise the kind of solution they need to make available for consumers. It will help other banks be more comfortable in moving forward more quickly with these solutions."
Analysts from research house Forrester Research are more sceptical: they say the lack of a system based on a card reader ruled out RSA, with Lloyds opting for a technology that could be integrated into next-generation credit and debit cards.
While RSA does have a smartcard business, it has never pushed the technology as hard as the various forms of SecurID. With SecurID, it has focused instead on addressing the technology's perceived usability problems: it has shipped a USB-enabled device, so users do not have to type in the one-time password manually, and a software version embedded in BlackBerry mobile devices.
While internal deployments remain RSA's main line of business, at 2004's RSA Conference in Europe the company was promoting strong authentication for consumers and communities of federated identity, backed by high-profile deals with AOL and E*Trade Financial. This year saw, among others, the announcement that UniCredit Banca, one of Italy's largest banks, plans to deploy SecurID to over 500,000 of its online banking customers.
But the consumer and federation markets have failed to gain the momentum RSA had hoped for – as is reflected in its lacklustre financial results. The first and second quarters of 2005 have seen year-on-year increases in revenue of just 5% and 6% respectively and RSA is expecting third quarter sales of $76.0 million, a small drop on the same period in 2004, when turnover grew 18% on 2003.
Tacitly acknowledging this, the company's focus at this year's RSA Conference in Vienna returned to existing customers, with announcements around Windows desktop integration and simplifying deployment of back-end systems. RSA hopes to encourage more use of SecurID for employees within the firewall, as well as for the traditional remote user. This in turn might increase adoption of single sign-on systems, which replace multiple passwords for multiple applications with one secure login, and so build a stronger presence in the corporate access management market on top of its strong installed base of SecurID.
Oracle, Computer Associates and BMC have all bought into this market over the last year, and RSA remains a potential acquisition target itself with stock at half its value a year ago. Forrester analyst Jonathan Penn notes that while these larger vendors tend to focus on horizontal applications of identity services, such as helpdesk, asset management and security information management, RSA concentrates on partnering or building to offer a top-to-bottom identity management stack, with strong authentication at its core.
But along with high prices, Penn says the lack of extra digital credentials beyond tokens is one of RSA's biggest inhibitors. "Many companies also want to adopt physical signatures or move towards some degree of convergence between physical and logical security," he says. "Smart cards are far more appealing to those types of organisations. I believe tokens are a short-term solution and firms will move off them to other methods in a few years."
Ongoing trends of remote working, identity theft and regulatory compliance will bolster SecurID sales for some time yet but Burt Kaliski, head of RSA's research labs, acknowledges the need to develop new authentication factors: "It's part of the theme for our research to look at as many ways as possible for users to authenticate themselves to the system and the system to themselves. SecurID has worked well for a particular set of applications and user community, but for other applications, the prevailing approach is some kind of password and those cases may not be as well served by a token that the user has to carry."
Kaliski says RSA will investigate combinations of mobile devices, biometrics and device characteristics, as well as more off-the-wall ideas like signal-emitting belly-button rings. Some of these ideas, at least, need translating into products sooner rather than later, lest RSA miss more contracts like Lloyds TSB.