By BRIAN BERGSTEIN, AP Technology Writer
It was a Friday afternoon for the computer encryption folks at RSA
Security Inc., and summertime greenery filled the countryside view
from Art Coviello's office.
Even so, the RSA chief could have been excused if he didn't seem
relaxed. RSA had just announced its second straight set of quarterly
results that didn't dazzle Wall Street analysts, and RSA's stock was
flirting with a 52-week low.
But Coviello shrugged it off. Analysts, schmanalysts. More
importantly, he said, lots of factors are about to turn in RSA's
favor, namely the need for more secure, traceable financial
transactions in a world beset by online fraud and identity theft.
"The whole thing's moving a lot more slowly than it ought to,"
Coviello said. "We've got to keep pounding and pounding until we reach
a tipping point, and we will take advantage of it."
The lack of an obsession over quarterly results isn't the only unusual
thing about RSA, which still bears the marks of an academic past
despite being a $300 million company with 1,200 employees and
customers in government, banking and health care.
RSA is named for three Massachusetts Institute of Technology
professors, Ron Rivest, Adi Shamir and Len Adelman. Though they are no
longer involved with the company they founded in 1986, their invention
of a seminal method of cryptography set the tone for the company and
is crucial in online commerce.
Today RSA is perhaps best known for staging a prestigious annual
security conference and for selling 20 million little devices that
display a six-digit code computer users must type to gain access to
computer networks. The code, which changes every minute as determined
by an RSA-created algorithm, is unique to each "SecureID" token,
making it useless to a snoop.
The requirement that users enter the code in addition to a password is
known as two-factor authentication, an approach that figures to gain
ground over simple passwords as more and more sensitive data move
online.
Indeed, RSA's sales of authentication products jumped 16 percent last
year, as RSA's overall profits more than doubled, to $35
million. E-Trade Financial Corp. and America Online Inc. began
offering SecureID devices to some customers over the past year. The
Associated Press also uses the tokens for network access.
"It is the Kleenex or Q-Tip of two-factor identification," said Gregg
Moskowitz, an analyst with the Susquehanna Financial Group. "SecureID
is the brand name."
But wide deployment in consumer applications has come slowly.
In theory, every institution that does business on a Web site could
increase its security by offering its users RSA tokens.
But practically, it would be a nightmare to have 20 different devices
with their own codes. And banks apparently don't trust one another
enough to accept a competitor's authentication token.
RSA hopes to smash such hang-ups by acting as an intermediary,
launching a new "hosted" service this fall in which its servers will
check whether a consumer entered the proper token code -- even if the
token was made by an RSA rival -- then relay the "yea" or "nay" back to
the bank. RSA already provides such a service for companies' internal
access control, but has yet to offer it for consumer applications.
Investors will be watching closely. Although Coviello is confident
that wider trends in access control -- such as rampant identity theft
and abuse of Social Security numbers -- should play to RSA's
strengths, he acknowledges that RSA needs to do more to push the
market rather than wait for it.
That means RSA has to be much more than the company known for
authentication tokens -- a product that some analysts say is coming
down in price because of competition. RSA also hopes to expand its
sales of software and security consulting services, where heftier
rivals such as VeriSign Inc. and International Business Machines
Corp. also lurk.
"When you consider all the identity theft that is taking place now,
the challenge for RSA is to monetize that," Moskowitz said. "It's
easier said than done."
RSA believes one key differentiator can be its research arm, including
the eight people in "RSA Labs," a group so focused on the advanced
mathematics behind cryptography that it is described as an academic
institution within the company.
RSA researchers are expected to dream up ways to expand the use of
two-factor authentication, though sometimes that puts the company a
bit ahead of the market.
One system being developed would use radio-frequency chips in keyless
office access cards so employees wearing one can automatically access
their secured computers as soon as they near them. Such a system would
use a fingerprint reader on the computer to confirm identity. That
product won't be ready, though, for a year or two.
Then there's an effort, led by labs director Burt Kaliski, to give
users a better way to confirm the legitimacy of Web sites -- and avoid
"phishers" who set up phony sites to lure passwords and account
information from the unsuspecting.
Kaliski envisions a system in which Web browsers or even computer
operating systems act as an intermediary between a user and a
site. Through the principles of encryption, the intermediary software
could tell the Web site that the user entered the proper password
without sending the actual password.
In another realm, RSA has created a "blocker tag" that ensures that
radio-frequency identification chips can be scanned only by designated
readers. It could be an elegant answer to the question of whether RFID
chips, which are designed to streamline corporate inventory systems,
might pose privacy risks for consumers. (The chips also are coming to
U.S. passports, raising fears that American travelers overseas could
be surreptitiously, remotely tracked.)
But for now this and other RFID solutions sit on the shelf, since the
deployment of such tags has been slower than predicted.
"That is the hardest thing for a technology company to do," Coviello
said. "You have to anticipate a market, not get too far ahead of
customers, but you want to be there when they come around."
But he quickly added: "We've been around 20 years, and I think the
market opportunity ahead of us is richer than ever before."
On the Net:
RSA's security blog:
http://www.rsasecurity.com/blog/about.asp
Copyright 2005 The Associated Press.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. Additional news at
http://telecom-digest.org/td-extra/newstoday.html
Brian Bergstein (ap-tech@telecom-digest.org)