RSA: Microsoft to shelve token support in Vista

OS update won't include built-in support for SecurID, even though it's been tested for two years.

Munir Kotadia Special to CNET News
3 min read
Microsoft has shelved plans to include built-in support for RSA Security's tokens in Windows Vista, even though the company has been testing out the authentication technology for almost two years.

In February 2004, Microsoft Chairman Bill Gates said that Windows would be able to support easy integration with RSA's popular SecurID tokens. That meant businesses would find it far easier to deploy a two-factor authentication system for logging on to networks and applications.

However, almost two years after the SecurID beta-testing program kicked off, RSA's chief executive, Art Coviello, disclosed that Windows Vista will not natively support the technology.

"Microsoft had said they would include the ability to support all kinds of One Time Password (OTP) and challenge-response type authentication in Vista. But they were unable to get it in with all the other issues they have had, so it is going to take longer," Coviello said in an interview on Tuesday morning in Sydney.

According to Coviello, sales of SecurID for Windows have "gone slowly" because Microsoft decided not to support the tokens natively in Windows. This meant that deploying a token-based system still required "some work," he said.

"It has gone slowly, and it has gone slowly for a number of reasons," Coviello said. "Microsoft has given us source code so we can replace the Microsoft logon screen. However, it is not yet native to the operating system. So it still requires some work at the desktop, which slows down the adoption rate."

Coviello expects Microsoft to add native support for SecurID in future updates to Vista, after which he hopes demand will increase significantly for two-factor authentication, where people present a second form of identification as well as their password.

"Admittedly, when Vista eventually includes support for onetime passcodes--as is expected in some future point release--people will be more aware generally," he said.

"Right now, we have a competitive advantage, and quite frankly, the adoption rate of our product, SecurID for Windows, is more about inertia in the market than about the technology," he said.

Although Microsoft has been slow to add support for SecurID and other password alternatives, Gates has frequently called on the industry to move away from passwords--including in a speech at this year's RSA Security show.

Vista is expected to include a password management system called InfoCards, which Gates announced at the RSA conference.

Microsoft said Tuesday that it had worked with several vendors and customers on whether to add native support in Vista for one-time passwords, via its Kerberos authentication protocol. RSA's SecurID token generates a different password for each attempt to log on to a service.

"Most customers told Microsoft they do not view one-time passwords as strategic and are looking long term to smart cards as their preferred strong-authentication mechanism," a representative for the software maker said.

The Vista update will let third parties write credential providers to add their authentication tool to the operating system, the representative added.

Munir Kotadia of ZDNet Australia reported from Sydney. CNET News.com staff contributed to this report.