February 23, 2004 10:50 AM PST
VeriSign aims to filter out the fakes
The Mountain View, Calif.-based company has become a driving force behind Open Authentication Reference Architecture (OATH), a proposed method for authenticating users and controlling access to corporate networks.
VeriSign announced the architecture Monday at the RSA Security Conference, which is taking place this week in San Francisco.
Currently, in many corporations, directory management for security purposes and authentication procedures are often handled by in-house dedicated servers running RSA software, said Mark Griffiths, vice president of authentication services at VeriSign.
With OATH, corporate buyers wouldn't have to buy equipment or software. Instead, they would manage their own directories and hire VeriSign to manage authentication procedures as a service. VeriSign said this could cut the total cost of ownership of these systems by 40 percent.
"The idea is to reduce the cost and complexity of authentication," Griffiths said.
Authentication is a key element of the growing market for identity management, the art of controlling and managing access inside sprawling networks.
Earlier this year, VeriSign unveiled a pilot program under which 12- to 17-year-olds were given digital ID tokens. The program was meant to bolster online safety for young Web surfers and to prevent people from masquerading as children online.
Still, history shows that growth for identification management has been unstable. Americans, in particular, have never warmed up to hardware access tokens such as smart cards and random password generators.
For VeriSign, OATH represents an opportunity to better use Atlas, its massive back-end computing infrastructure. Right now, the company uses only about 12 percent of its infrastructure, Griffiths said. As a result, authentication services will not require the company to install new hardware. VeriSign provides Internet infrastructure services and is primarily known for managing names in the .com domain.
To jumpstart the effort, however, VeriSign will get into the token business and begin to produce different types of log-in keys. Some will contain built-in smart cards as well as one-time password generators. Over time, the hardware tokens will likely be created by third parties.
A number of companies, including IBM, Gemplus and BEA Systems, have pledged to support OATH.
A test program will begin in April, with commercial use to follow in late summer. The relatively rapid transition from testing to commercial use is possible because the system largely relies on existing technology and standards. Token manufacturers, such as Aladdin Knowledge Systems, also are participating.
The main hurdle is getting the hardware token manufacturers to rally around a common standard for one-time password generation.