With new software to be launched by RSA Security Inc. on Sept. 4, users will be able to authenticate their identities with their mobile phones on Web sites and corporate networks that use RSA's SecurID authentication system.
RSA wanted to extend the use of SecurID from the corporate market to authenticating consumers' Web transactions, but "one of the obstacles in the consumer area is deploying hardware," said Sarah Kent, RSA's business development manager for Europe, the Middle East and Africa.
SecurID requires two factors to authenticate an identity: Something that the user has -- a token -- and something the user knows -- a password. One factor is useless without the other. Existing tokens that can be used in the SecurID system include smart cards, electronic key fobs, and software applications running on notebook or handheld computers, but these all involve delivering the token securely to the user before they can access the system.
Looking around for a way to deliver authentication tokens to users without the hassle of deploying another electronic device, RSA hit upon the idea of using the mobile phones users already carry with them.
"Particularly in Europe and Asia, people carry their mobile phones everywhere, and there's a big overlap between mobile phone users and Internet users," Kent said.
The new product, RSA Mobile, will ship later in September. It consists of a server-side software component and a link to a GSM (Global System for Mobile Communication) mobile phone network for the transmission of SMS (Short Message Service) text messages. No extra hardware or software is required by the end user: what RSA calls a "zero footprint" system.
Visitors to a website equipped with RSA Mobile enter their username and password in the usual way. The system then searches for the mobile phone number associated with each user name, and sends a one-time access code in an SMS to the mobile phone. The user then types the access code to log in.
There is a danger that delays in delivering text messages containing the access codes could make the system awkward to use. However, in tests conducted by RSA, 90 percent of access codes were delivered in less than 8 seconds, Kent said. Future versions of the software could be developed to deliver access codes by e-mail, or to other portable communications devices such as Research in Motion Ltd.'s BlackBerry, she said.
RSA has carried out trials of the system in Australia, Denmark, France, Germany, Hong Kong, Italy, New Zealand, Sweden, the U.K. and the U.S., Kent said. The company has not yet built an interface between RSA Mobile and the Japanese I-mode mobile data service, she said. Japanese mobile networks don't offer the same support for SMS as the GSM networks used elsewhere in Asia, in Europe and in the Americas.
Pricing for the RSA Mobile software will be announced on Sept. 4, Kent said. Pricing for the link to the mobile phone network, and transmission of the messages containing the access codes, must be negotiated with the network operator.
Large organizations such as banks probably already have a direct link with a preferred mobile network operator, perhaps for notifying customers by SMS of their account balances. Smaller organizations may choose to negotiate such a direct link with the network operator for themselves, but another option is to turn to intermediaries such as Red Message AB in Gothenburg, Sweden, which specialize in linking businesses and mobile networks, Kent said.
RSA Mobile is primarily aimed at enterprises, for use by their employees or their customers. But, said Kent, "Network operators or service providers could use this as a managed service."