RSA Security late last year acquired privately held Cyota, which offers online security and anti-fraud services to help financial institutions protect consumer accounts. CEO Art Coviello recently sat down with Ellen Messmer to discuss the Cyota acquisition and RSA's views on the future of authentication. With its anti-fraud services for banks, Cyota is a very different type of business than RSA Security traditionally has been in with its SecurID products for two-factor authentication and the BSAFE encryption toolkits.

What made you think of acquiring Cyota?

We started 2005 flattish, and I was more than a little unhappy. I said to employees, if there's such a great market for authentication, we have to create it. We spent April to July figuring out strategy options that would call us to drive the market. We asked, 'What are the choices we need to give people?' A different approach we noticed is risk-based analytics, especially on the consumer side. That was Cyota.

How do the Cyota analytics work?

At Cyota, they'll monitor consumer transactions based on several things: computer profile, browser and transaction behavior, to have servers in the bank looking at fraud monitoring. We're gathering data about legitimate users so when they come again, we'll know them.

So suppose the Cyota bank service spots what the risk-based analytics determine is a criminal trying to imitate a legitimate customer?

We work with the ISPs and shut them down. We do forensics and provide that to law enforcement. The fraudster gets pushed away and shut down. About 10 large banks, and now eTrade Financial, use Cyota to share information about fraud collaboratively as part of Cyota's eFraudnetwork.

Isn't this a lot different business than what RSA Security has been involved in up to now?

I don't think we're getting away from our roots. We're just getting more pragmatic.

Cyota is a start-up. Is it profitable yet? What does it cost to a financial enterprise to use Cyota?

Cyota is about to make money. As far as the fraud-based services, Cyota costs about US$1 to $2 per user, per year.

The Cyota service is typically used to guard against fraud based on reusable passwords. But RSA has long held that strong two-factor or encryption-based authentication provides better security than reusable passwords. How do you reconcile this somewhat contradictory viewpoint after advocating for so many years that people get away from reusable passwords?

We have a passion for authentication. When it's something in between, Cyota will ask you for more information, such as identifying an image you picked out earlier.

On the topic of strong authentication and the RSA SecurID token for generating a one-time password, what's the status there?

The second major decision we made in addition to buying Cyota was to launch what we call 'credentials everywhere.' That means embedding the SecurID token in cell phones, memory sticks, SanDisk flash memory, [Research in Motion] devices, the Motorola Q smart-phone. We're developing sales and distribution relationships based on embedding the SecurID in these types of devices. Today, SecurID is available for the Palm and BlackBerry.