The Annual Pitch For Two-Factor Security

VeriSign (NASDAQ: VRSN) has been preaching the merits of two-factor authentication for years.

With the start of the annual RSA security conference in San Francisco this week, the online certificate and security provider is back again with another pitch for two levels of security beyond the one password-driven login process that dominates the Web.

This year, it’s working with a new developer API (define) and partnership with AOL. It is anything but bored with the technology.

“We don’t get bored of pitching it {two factor authentication} and I think it’s a very exciting time for our industry,” Jeff Burstein, VeriSign’s product manager told

Among the reasons why Burstein is excited this year is because VeriSign is now opening up its VeriSign Identity Protection (VIP) with developer APIs (define).

The move extends the VIP service that VeriSign made at the 2006 RSA Conference. VIP is a two-factor authentication service that enables users to authenticate across VIP-enabled sites with a VIP-enabled security device.

At the time, eBay and Paypal were the first sites to get on board.

“It may have announced in 2006 but it took a while to really get it out there,” Burstein admitted. “It wasn’t released to the public as a beta until 2007 and launched as an official eBay and Paypal product in June of 2007. We now have ‘about’ several hundred thousand users that are live in the U.S., U.K. and Australia and demand has exceed expectations.”

The VIP Test Drive for Developers effort that provides access to the VIP APIs is VeriSign’s attempt to broaden the effort at two-factor authentication adoption. Burstein explained that developer APIs run as a SOAP (define) Web Service, that enable developers to hook into the VIP service with XML.

Once a test drive is completed, if an enterprise wants to formally deploy a full-scale VIP deployment, the cost would be in the range of $7-10 per user per year, Burstein estimated.

Beyond the test drive for developers, AOL will also be testing VeriSign’s VIP service. Burstein explained that AOL will have a trial offering pairing VIP with AOL’s OpenID service, providing an additional layer of authentication.

VeriSign is a big backer of the OpenID effort and is a founding member of the OpenID Foundation. OpenID offers the promise of a broadly deployed open standards based single sign-on service. By layering two-factor authentication on top, users get an additional degree of identity protection.

AOL itself is also no stranger to two-factor authentication announcements either. As far back as 2004, AOL was trying out the security scheme to add more security layers for users.

So what will it take to final bring two-factor authentication to the masses? It’s a bit of a chicken and egg issue.

“With any kind of network deployment there is always a double critical mass problem – you need more sites that will accept credential and that will drive more users,” Burstein commented.

VeriSign’s VIP used the OATH (open authentication) standard for the token encryption algorithm. “What will bring two factor authentication to the several hundred million users [will be] embedding it into devices that users already carry,” Burstein said. “That’s really where it’s going to go; it’s the power of the open standard.”

Article courtesy of

Latest Articles

Follow Us On Social Media

Explore More