Blogger: Mark Diodati
Today, RSA and VeriSign announced a partnership under which VeriSign can resell SecurID OTP tokens via its VIP managed authentication service. RSA can also resell the VIP authentication service.
The press release implies that the relationship between RSA and VeriSign has been co-operative and amicable. Don’t be fooled. In early 2005, VeriSign was the primary driver for the OATH industry group, expressly created to take on RSA’s “cash cow”: its SecurID OTP business. Since that time, VeriSign has aggressively pursued RSA’s SecurID customers and competed against RSA in the consumer authentication space.
As applications move to the cloud (e.g., SaaS), it is essential that users are not required to carry more than one OTP to access SaaS applications from different providers. This scenario is very similar to what we’ve seen in the enterprise—the “token necklace”. Users carried multiple authenticators around their neck because the authentication domains did not speak to each other. RSA and VeriSign launched managed authentication services (the aforementioned VIP service and RSA’s Go ID service) which can overcome the token necklace issue by enabling many organizations to leverage a single token for authentication. Now that RSA can resell the VIP service, is this the end (or more likely, the de-emphasis) of RSA’s Go ID service?
This agreement provides VeriSign with some powerful capabilities. The VIP service will now work with both VeriSign (OATH-based) and RSA SecurID tokens. It’s likely that customers can mix and match token types based upon their application support and price requirements. Because VeriSign can bundle SecurID into its managed service, I believe it got the better part of the deal.
RSA derives two benefits from the partnership. Presumably, RSA will sell more SecurID tokens. Also, RSA’s ability to resell the VeriSign managed service gives it broader entry into the managed authentication services market and, with it, the ability to better address the emergence of cloud applications (which enables RSA to sell more tokens).
Over time, the OTP form factor of choice for cloud-based applications will be the software token installed on the user’s mobile phone. We discuss this in our research document “More, More, More: The Challenge of Extended Enterprise Authentication Mobility” (subscription required).


The traditional vendors have essentially nothing but 10Y+ old technology to offer.
Enter the "Cloud" Token:
http://webpki.org/auth-token-4-the-cloud.html
Posted by: Anders Rundgren | March 17, 2010 at 12:28 PM