RSA to test new Web authentication service

The security company's new RSA Authentication Service is designed to let consumers securely access multiple Web sites using a single RSA security credential, such as the company's password-generating hardware tokens. RSA plans to test the service starting next month with four financial services companies, company executives said.

For example, a customer of both the E*Trade brokerage and a Wells Fargo bank could use a single device to authenticate their identity on the companies' sites, RSA Chief Executive Officer Art Coviello said in a meeting with reporters Wednesday in San Francisco. E*Trade and Wells Fargo are RSA customers, but RSA would not say whether they are part of the trial.

"We have a real opportunity with this service to get out there and become a de facto standard for strong authentication," Coviello said.

The trial of the new service comes as financial services companies are under increasing pressure to improve the security of online transactions. The Federal Financial Institutions Examination Council recommended on Wednesday that banks introduce multiple-factor authentication by the end of 2006.

RSA has been struggling to build its business and hopes the new service will remove barriers to mass adoption of its products. While praised as an alternative to insecure passwords, RSA's strong authentication products, especially in the United States, have not gained many users beyond corporate denizens and high net-worth banking customers.

A main obstacle is that U.S. businesses aren't ready to pay for the products and distribute the security gadgets among their customers, analysts have said. RSA is betting that consumers are now prepared to pay for a higher level of security and that banks and other online businesses will sign up for its service.

"When we do it right, the consumer-facing organizations won't have to sell tokens; we can sell them at Best Buy," Coviello said, referring to the large U.S. electronics retailer. He declined to specify a price for the tokens.

If the test is a success, RSA hopes to launch its new service in the first quarter of next year. Consumers would be able to buy an authentication gadget from RSA in retail stores and then register the device with the Web site of their bank, stockbroker or any other company that supports the RSA Authentication Service.

Two Internet users showed interest in the proposed RSA service, provided it doesn't cost too much. "I would like to participate, if it means I can use a single form of authentication against sites I visit," said Dexter Cheng, a systems administrator at a San Francisco law firm. "If it costs too much, I can just as easily resort to how I'm doing it now, with a set of $2 Post-It notes."

Cheng is willing to pay between $25 and $50 for the hardware, he said. That's much more than the $15 "at most" that Adam Waldron is prepared to spend. "And I definitely would not be willing to pay any reoccurring fees," said Waldron, an IT manager at a medical office in Pocatello, Idaho.

Still, Waldron sees clear benefits in RSA's service. "It would be great to...replace all the PIN numbers and passwords," he said. "It would also alleviate some of the concerns about identity theft, keystroke logging, etc."

To support the new RSA service, online businesses have to hand over part of their authentication process to RSA. Coviello said banks told him that although they would not trust one other to handle authentication information, they do trust RSA.

RSA offers a variety of credential options, including traditional tokens that fit on key chains, smart cards, USB authenticators or software-based tokens that can be installed on handheld computers. Each product randomly generates a code every 60 seconds which--when used to log in to a Web site--is vetted by RSA.

Consumers interested in the service should ask their banks and other online businesses for it, RSA said. Businesses interested in the service should contact RSA, the Bedford, Mass.-based company said.