Tokens Gain Momentum

Although strong authentication has its benefits, security tokens may never entirely replace passwords

George V. Hulme, Contributor

February 18, 2005


The standard process of using static passwords to access applications is passé. That was the message at last week's RSA Conference.

Two security vendors unveiled tokens, small pieces of hardware that users can carry on key chains to gain access to computers, often through a USB port. Tokens issue one-time passwords that become invalid after a user accesses an application, or they contain user-authentication data as an enhancement to or a replacement for passwords and user names.

RSA Security Inc.'s new USB-enabled token, the SecurID SID800, stores electronic credentials such as one-time passwords, digital certificates, and standard passwords. RSA also took the wraps off the SecurID SID700, which is 35% smaller than its traditional SecurID tokens.

RSA Security's token stores passwords and digital certificates.




SecurID SID800 tokens can be used for "strong authentication" (two or more ways of identifying a user) for RSA's Sign-On Manager identity-management application. A 64,000-Kbyte smart chip sports enough room for up to seven digital certificates and three sets of user-name and password credentials. While pricing varies by quantities purchased, the SecurID SID700 averages around $42 per device and the SecurID SID800 is priced at around $50.

Strong-authentication competitor VeriSign Inc. revealed that it will soon make available two new tokens. The company says it will offer a one-time password token with a total cost of operation per user of less than $10 a year. VeriSign also is releasing a dual-purpose USB token with either 128 Mbytes or 265 Mbytes of secure storage. The USB devices can be used to store one-time passwords and public key infrastructure credentials and provide functionality similar to that of smart cards.

Some users say that while tokens and other forms of strong authentication have their uses, they're not widely deployed in their companies. "The password is definitely not dead," says Don Michniuk, corporate manager of information security at Bechtel Corp. "Stronger authentication has its place, but only for high-security environments and for senior executives so they don't have to remember their passwords."


About the Author(s)

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications and is a security blogger at InformationWeek.com.
