VeriSign aims to filter out the fakes

The company announces a method for authenticating corporate users, as it takes on RSA Security in the market for identifying who's who on a network.

Michael Kanellos Staff Writer, CNET News.com
Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.
VeriSign is taking on RSA Security in the growing market for identifying who's who on the network.

The Mountain View, Calif.-based company has become a driving force behind Open Authentication Reference Architecture (OATH), a proposed method for authenticating users and controlling access to corporate networks.

VeriSign announced the architecture Monday at the RSA Security Conference, which is taking place this week in San Francisco.

With OATH, users log on to a network with a hardware "token" that can contain a smart card, a password generator and other identifiers. The person's credentials are then cross-checked against a company's existing directory as well as information kept on VeriSign's infrastructure. If everything matches, access is granted.

Currently, in many corporations, directory management for security purposes and authentication procedures are often handled by in-house dedicated servers running RSA software, said Mark Griffiths, vice president of authentication services at VeriSign.

With OATH, corporate buyers wouldn't have to buy equipment or software. Instead, they would manage their own directories and hire VeriSign to manage authentication procedures as a service. VeriSign said this could cut the total cost of ownership of these systems by 40 percent.

"The idea is to reduce the cost and complexity of authentication," Griffiths said.

Authentication is a key element of the growing market for identity management, the art of controlling and managing access inside sprawling networks.

Customers are increasingly allowed into some--but not all--regions of internal networks. Employees often forget their passwords, which can also be cracked or pilfered. The rising popularity of virtual private networks has also meant that companies need to verify the ID of employees at remote locations more often.

Earlier this year, VeriSign unveiled a pilot program under which 12- to 17-year-olds were given digital ID tokens. The program was meant to bolster online safety for young Web surfers and to prevent people from masquerading as children online.

Still, history shows that growth for identification management has been unstable. Americans, in particular, have never warmed up to hardware access tokens such as smart cards and random password generators.

For VeriSign, OATH represents an opportunity to better use Atlas, its massive back-end computing infrastructure. Right now, the company uses only about 12 percent of its infrastructure, Griffiths said. As a result, authentication services will not require the company to install new hardware. VeriSign provides Internet infrastructure services and is primarily known for managing names in the .com domain.

To jumpstart the effort, however, VeriSign will get into the token business and begin to produce different types of log-in keys. Some will contain built-in smart cards as well as one-time password generators. Over time, the hardware tokens will likely be created by third parties.

A number of companies, including IBM, Gemplus and BEA Systems, have pledged to support OATH.

A test program will begin in April, with commercial use to follow in late summer. The relatively rapid transition from testing to commercial use is possible because the system largely relies on existing technology and standards. Token manufacturers, such as Aladdin Knowledge Systems, also are participating.

The main hurdle is getting the hardware token manufacturers to rally around a common standard for one-time password generation.