Monday, April 6, 2009

SecurID on the iPhone, and it's Free!

For a quarter century now, the security standard for logon access control has been the SecurID card from RSA Security. The card generates a random number which, when combined with your password, provides what is called two-factor authentication: the password being something you know, and the random number proving you have the SecurID card in your possession. This random number, sometimes called a passcode, changes every minute, so even a man-in-the-middle attack is likely to fail.

You can make your iPhone into a security card by downloading a free application, VIP Access, developed by VeriSign. And VeriSign has already signed up AOL, PayPal, and eBay as sites that will verify both your password and passcode when you log in.

When I read about this new application in the NY Times I immediately called Ken Weiss, the inventor of the SecurID card, and we both downloaded it. The installations went flawlessly. I also checked the comments on the iTunes site, and almost every reviewer gave it five stars.

VeriSign’s strategy is to provide the iPhone software for free. They intend to sell the server-side software to banks and other consumer-oriented sites that demand extra identity verification. If you are developing your own application with both a server and smart phone component, you could do the same thing.
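As an added illustration (not VeriSign's or RSA's code, and not part of the original post), here is how a server could check a password together with a passcode that changes every minute. It uses the open TOTP standard (RFC 6238) rather than the proprietary SecurID algorithm; the `Verifier` class, its parameters and the sample values are assumptions.

```python
import hashlib, hmac, os, struct

STEP = 60  # seconds; the post says the passcode changes every minute

def passcode(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Verifier:
    """Hypothetical server side for one user: password (know) plus passcode (have)."""

    def __init__(self, password: str, secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.secret = secret          # shared with the phone at enrollment
        self.last_step = -1           # newest time step already accepted

    def login(self, password: str, code: str, now: float, drift: int = 1) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        current = int(now // STEP)
        matched = None
        # Accept the current step and +/- `drift` steps to tolerate clock skew.
        for step in range(max(0, current - drift), current + drift + 1):
            expected = passcode(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        # Refuse a step at or before the last accepted one: a captured
        # passcode cannot be replayed, even inside its own minute.
        if not pw_ok or matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True

if __name__ == "__main__":
    secret = os.urandom(20)                       # constructed sample seed
    server = Verifier("correct horse", secret)    # constructed sample password
    t = 1_239_000_000                             # fixed sample timestamp
    code = passcode(secret, t)
    print(server.login("correct horse", code, t))        # first use
    print(server.login("correct horse", code, t + 5))    # replay of same code
```

The phone and the server never exchange the secret at login time; both derive the passcode from the shared seed and the clock, and the server remembers the last accepted time step so that an intercepted passcode is useless once the legitimate login has gone through.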

When introduced, the SecurID cards cost $50 each; the price has come down, but still far exceeds zero. How can VeriSign support this price breakthrough? Easily, because the SecurID cards are provided by RSA Security, a division of EMC Corp. But the original patents have expired, so VeriSign is now free to exploit the technology.

Incidentally, as the mathematically trained know, no machine-generated number is truly random, but it can be truly unpredictable, which the passcode is. Another application would be for you to start your own lottery, with a payoff every sixty seconds. Give it a try.

Dr. Kenneth Weiss was the inventor of the SecurID card and developed the framework of one-, two- and three-factor authentication which is almost universally used today. Ken was the founder of Security Dynamics; I was the original CEO. Security Dynamics later purchased RSA Corp., the inventor of Public Key Encryption. The resulting company was renamed RSA Security, which became the first computer security company to have a public stock offering.

  1. Wow, very cool! I worked for RSA back when they were Security Dynamics, in Bedford. What a great step in the evolution of SecurID!