Information Age: News, analysis & insight for IT & business leaders

Headline-grabbing security breaches have always been a good opportunity for vendors to get a bit of free advertising. News of security flaws on online banking sites Cahoot and Morgan Stanley was soon leapt upon by RSA Security, who said that forcing customers to use "strong, two-factor authentication" was the only responsible recourse for financial institutions.

One 'responsible' European bank is Credit Suisse, which made RSA's SecurID tokens - key rings which generate a new pass number every minute - mandatory for its customers in 1997. But nearly eight years on, that has not become a standard security practice; few banks have followed suit.

Meanwhile, a 2004 MORI poll, commissioned by RSA, found six million people in the UK are too worried by security threats to use online banks. Solving the problem, says RSA CEO Art Coviello, is an urgent challenge: "Information security is the engine of confidence in the Internet." Strong authentication has the potential to be the tipping point for ecommerce.

But the thrust of this message from RSA has changed little since launching SecurID over 20 years ago. Instead of just preaching to companies, RSA is now trying to take its message to end users. A deal with AOL, using branded SecurID tokens, marks the first large consumer roll-out of two-factor authentication. RSA hopes its deal with Microsoft to integrate SecurID authentication into Windows is of similar significance at the enterprise level.

The goal for RSA is for groups of organisations to "share" mutual customers' login details through identity federation. Although Credit Suisse failed to start an authentication craze, RSA hopes that it will succeed in doing that this time round by seeding the market at the broader base of Windows and AOL users.

Over time, it sees these initial agreements with third parties extending to industry-based 'communities of interest'. "We need to keep building until we reach critical mass," says Coviello. He cites the universal acceptance of credit and cash cards as proof that such a goal is attainable. An upcoming deal with a major online marketplace adds weight to his claims - although some issues remain over which federated partner will be liable if a breach occurs, and over who will pay for all these authentication tokens.

But while RSA leads the strong authentication market, it lags behind Novell and IBM in identity and access management. "It has yet to show significant and sustained growth in the ClearTrust [web access management] product line to compete with the leaders," say Gartner analysts, who position RSA as a 'visionary' but not a 'leader' in their Magic Quadrant for this market. RSA will need to strengthen its position if it is to profit from the new authenticated world it predicts is arriving. Its strong association with SecurID may be a hindrance here - its reputation confining it to technical, rather than managerial, decision-makers.

Security analyst Tom Scholtz of Meta Group says digital identity is the "cornerstone" around which federated communities are built. This, combined with a loyal user base, leaves RSA in a strong position. While the technology underpinning authentication is solid, adds Scholtz, its capabilities to manage the new relationships that authentication will allow are less proven.

So this opportunity is still open. But RSA needs to establish itself before its rivals get their act together. Computer Associates' (CA) purchase of Netegrity was a wake-up call. RSA - along with its rivals - will see short-term benefits while CA digests Netegrity, say Forrester analysts. But CA's purchase will not be the identity management industry's last: Oracle and SAP are soon expected to buy their way into the market, adding to the competition.