Entrust has added a US$5 security token to its arsenal of e-security software and services, creating an instant rivalry with vendors such as Ottawa-based CryptoCard.
Entrust provides multi-factor authentication to businesses, including machine fingerprinting, question-and-answers, grid authorization, and out-of-band services, according to the company’s chief technology officer, Chris Voice. It offers three platforms that cover authentication, transaction protection and fraud detection, and encryption.
Entrust’s security token, which works on its authentication platform, IdentityGuard, is a time-synchronous, one-time password device. About the size of a car-key fob, the device’s LCD screen displays a six-digit number that changes every 60 seconds.
“It’s securely and randomly generated using cryptographic techniques,” said Voice. Users type in the number beneath their user-name and password, which then goes to the back-end, where the server verifies that the token matches the number the back-end has.
As a US$500 million dollar market, according to an IDC report, said Voice, security tokens are “definitely hot.” But the price point for security tokens was much too high, he said. “It’s a commodity, so (other companies) are overcharging,” he said. “It’s so frustrating because there’s huge promise here. All they do is maximize revenue.”
According to Voice, other companies sells tokens for ten times as much. “(Our price) reflects the real value of the hardware,” said Voice.
CryptoCard, an Ottawa-based authentication provider, is wary of such an inexpensive technology. “Entrust were selling PKI encryption, and they were doing really well, but now we’re seeing a lot of people moving away from that and that market going downhill, so they have to go low-end with a cheap, no-feature product,” said CryptoCard’s vice president of North American sales, David Scott.
Voice said that it makes no sense for companies with certain, more basic security needs to splurge on the more expensive tokens: “(For them,) we also have SmartCards with chips on them for higher-end security.”
Judy Anjowski, CryptoCard’s director of global partner relations, balked at the five-year lifespan of Entrust’s token. “Our tokens never expire — you can replace the batteries.”
“We offer a range of solutions,” said Voice. “If it makes sense to go with a $5 chip, then we say ‘Giddy-up, let’s go.’”
Anjowski is also not a fan of the time-based method Entrust has gone with — CryptoCard’s security tokens, which include SmartCards and USB-port-enabled tokens, are event-based, instead of time-based, meaning that users have to push a button to change the number. This will, according to CryptoCard sales engineer Patrick Fleury, cut down on clock-drift. Due to timekeepers losing a minute every few days or so, he said, the Entrust tokens will eventually be running on the wrong time, forcing the server to open a window to catch up, which could raise data security issues.
“The same thing can happen with both push-button tokens and timed ones,” said Voice. “If you push the button a hundred times, it will also be a few seconds behind, so you can expect a couple of resynchronizations — smart software will accommodate it.” He said that administrators can also adjust the server’s sensitivity to account for these lapses, and that the odds of a security infraction in those few moments are “marginal.”
In a world where large-scale data breaches are becoming more and more commonplace, Voice said that these tokens will be another layer to add to a company’s breach defenses. In spite of the growing number of security snafus, Voice said he feels that the vast majority of companies either have a layered defense approach in place or intend to have one.
Anjowski, however, said that 75 per cent of businesses still only use static passwords, leaving the market wide open for e-security companies to market things like security tokens, especially with the high profile of data protection.
“With so many initiatives coming down, a lot of companies will join in, but we’d be surprised if they could get in,” she said, citing companies’ preference for security token and authentication specialists like RSA and CryptoCard itself.
Yet Voice is confident that the burgeoning market will embrace Entrust’s foray into it: “I’d stack our chip against any in the business. . .(Companies like CryptoCard) offer point solutions that you get locked into, and are very narrow: they make tokens and sell them.”
Comment: [email protected]
