With the rise in identity theft and online security breaches, RSA Security seems poised to take off. But how far it goes depends on how well the company is able to expand its authentication technology to new markets and devices.

With its SecurID tokens, "RSA is the undisputed market leader in two-factor authentication for the enterprise," says Ranjini Chandirakanthan, an analyst at ThinkEquity Partners. According to IDC, RSA held 73 percent of the worldwide market for traditional authentication tokens in 2004. Its closest competitor, Vasco Data Security International, had less than 10 percent.

RSA, which had US$310 million in revenue in fiscal year 2005, has been successful in the enterprise market because it has such a robust back-end server that manages the authentication process, Chandirakanthan says. But with the market becoming somewhat saturated, it must look elsewhere if it wants to achieve high growth, she adds.

The company sees plenty of opportunity to leverage its technology in other areas.For example, more U.S. commercial institutions are becoming aware of the need to protect consumers against identity theft. That means RSA has an opportunity to help enterprises extend SecurID to their customers. The Federal Financial Institutions Examination Council, made up of five U.S. financial services regulators, issued guidance in October 2005 that encourages all financial institutions to implement strong authentication in their Internet-banking applications. "It doesn't mandate a technology, but it makes it clear that this is a best practice that needs to be adopted, so it has created a flurry of activity and a great opportunity for us," says Art Coviello, RSA's CEO.

Extended security

Since last summer, RSA has made several moves to extend its technology; all are designed to make passwords more effective and to help enterprises create security infrastructures around them, Coviello says. For one, it enhanced its single sign-on software, Sign-On Manager. In addition, RSA will offer multiple authentication technologies that work with passwords. Some of the technologies come from the company's US$145 million acquisition of Cyota in December 2005, which brought RSA a way to offer corporations risk-based, layered authentication for their online consumers. Depending on the level of risk, cost and convenience required by a given application, a company can choose from a variety of authentication techniques, an offering Coviello calls adaptive security. "It's all about balancing three things: risk, convenience and cost," he says, adding that RSA hopes to make security "as inexpensive and as convenient as possible while minimizing risk."

Hudson Advisors, which manages commercial mortgages and real estate assets, adopted Sign-On Manager and SecurID last fall, says Mark Lynd, global technology officer and vice president of technology at the Dallas-based company. "We're managing people's mortgage information - security is 60 percent of our worldwide IT budget," he says.

The technologies not only increased security but also brought tremendous productivity benefits, because employees no longer have to sign on to each of their accounts, Lynd says. A nice side benefit, he adds, is that Sign-On Manager lets employees gain access to personal online accounts from their work PCs. That helps reduce the chances that an employee will fall for a phishing e-mail and click on a rogue link, he says.

Beyond tokens

RSA also is extending its technology to other devices and platforms. Its technology today is deployed predominantly on tokens. The company needs to be neutral in terms of the way it delivers its technology, because the value is in RSA's back-end management tools, says Jon Oltsik, senior analyst of information security with the Enterprise Strategy Group. "It is really selling an authentication solution. Others just sell tokens," he says.

RSA announced in February that a number of companies, including M-Systems, Microsoft, Motorola, Research In Motion and SanDisk, have agreed to include its SecurID technology in their products. "How would you like a SecureID token on your BlackBerry, or your cell phone, or in a memory stick - something that you're always carrying?"Coviello asks. The goal is to "create tokens out of things you carry around every single day," he says, noting that more partnerships will follow.

RSA also is developing a managed authentication service that would let consumers use the same token to log in to multiple online institutions such as brokerages and banks.

An authentication service would go a long way toward helping enterprises extend authentication to their customers, says Lynd, whose company is considering extending access to its investors and partners. "As Web applications become richer, it's going to be more and more important to verify and authenticate someone's identity."

Harbert is a freelance writer in Rockville, Md. She can be reached at tharbert@comcast.net.