Toronto-based security vendor Diversinet announced Wednesday the launch of its one-time password authentication key, the MobiSecure USBToken.
The company has been around for a couple of years, and used to concentrate on soft tokens that transmitted passwords to mobile devices. But, said CEO Albert Wahde, customers had been calling for hard tokens, too, that could be used with their PCs. The new USB-based product contains a PIN challenge and leaves no trace on the user’s computer.
“The one-time password is important,” said Brian Bourne, steering committee member of the Toronto Area Security Klatch, president of CMS Consulting and a contributor to ITWorldCanada’s Security Insider blog. “There could be keyloggers, or, if people are connecting from open wireless networks, Internet cafes, or a business centre, so they can’t be trusted…However, almost everyone has that. It isn’t terribly unique.”
MobiSecure USBTokens don’t require any software installation, said Wahde, which is often part of the package with other tokens. Instead, the customer buys the MobiSecure Authentication Server package that provides all the required registration, validation, and token lifecycle management. Said Wahde: “One server infrastructure runs it all.”
This can also come in handy for those on the road. Said Bourne: “You can’t really go around installing device drivers, so the biggest challenge can be if you required a driver and couldn’t install it.”
The solution is geared toward organizations that require strong authentication from many users and device types, especially in the financial, government, and retail sectors, said Wahde. The market is also getting bigger via the growing mobile workforce, including salespeople and road warrior-style execs.
One hole that Bourne sees in the security of these devices, however, is enterprises that don’t implement their protection across the board. He said, “You need to implement it in all of them or none of them. Like if someone is using a token with SharePoint, but not for Terminal Server and Citrix, then that’s kind of silly, and you do see that too often.”
Another barrier to adoption of these technologies, said Wahde, is the cost. Diversinet’s ploy is to offer a two-fer to customers—for every USBToken purchased, the customer will also get a free MobiSecure SoftToken or PCToken. When it comes to actual prices, said Wahde, someone buying in the range of 10,000 units could expect a price of $16 per token (plus the free token).
James Quin, a senior research analyst with Info-Tech Research Group, said that many companies do balk at the high cost of implementing these tokens. For instance, he said, products from big market players like RSA can run from $20 to $30 per token. But there are also companies like Entrust offering $5 tokens. “That’s cost-efficient,” he said, “while a $16 token is more of a ‘savings.’” He thinks that the main selling point could be the 2-for-1 deal on offer from Diversinet, which would bump up the savings.
Quin said, “Although the cynic or the skeptic might ask, ‘Why do you need two?’ But you might want that flexibility, and it would save a headache for the IT department when people lose them.”