Microsoft, RSA Team on Windows User Authentication

Microsoft and RSA Security have said they will work together to develop authentication technology, making it easier to secure Windows and keep sensitive corporate information safe. The announcement came at RSA’s annual security conference in San Francisco.

Specifically, Microsoft said it will use RSA’s SecurID technology to offer an alternative to traditional password-based access control. SecurID uses authentication tokens in addition to a personal identification number (PIN).

The keychain-size tokens generate a new, unpredictable code every 60 seconds; the code only grants access when the user also supplies the PIN.
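To make the mechanism concrete, here is an added illustration (not RSA's proprietary SecurID algorithm and not code from the article) of a time-stepped token code rotating every 60 seconds, with the server-side check that requires both the PIN and the current code, tolerates a minute of clock drift, and refuses to accept the same code twice. The seed, PIN and HMAC-based code derivation are assumptions for the demo.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the 60-second rotation the article describes
CODE_DIGITS = 6     # display length assumed for this illustration


def token_code(seed: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """Code the token would display during time interval `counter`.

    Illustrative HMAC-SHA1 truncation in the style of RFC 4226/6238; it is
    NOT RSA's SecurID algorithm, only a stand-in with the same shape.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def interval(now: int, step: int = STEP_SECONDS) -> int:
    """Map a Unix time to the 60-second interval number the token is on."""
    return int(now) // step


class PasscodeVerifier:
    """Server side: accepts PIN + tokencode, tolerates drift, rejects replay."""

    def __init__(self, seed: bytes, pin: str, drift_steps: int = 1):
        self.seed = seed              # shared secret provisioned into the token
        self.pin = pin                # the "something you know" factor
        self.drift_steps = drift_steps
        self.last_accepted = -1       # highest interval already spent on a login

    def verify(self, passcode: str, now: int) -> bool:
        if len(passcode) != len(self.pin) + CODE_DIGITS:
            return False
        pin_part, code_part = passcode[:len(self.pin)], passcode[len(self.pin):]
        # Constant-time comparisons: a wrong PIN and a wrong code look the same.
        pin_ok = hmac.compare_digest(pin_part, self.pin)
        cur = interval(now)
        matched = None
        for c in range(cur - self.drift_steps, cur + self.drift_steps + 1):
            if hmac.compare_digest(code_part, token_code(self.seed, c)):
                matched = c
        # Both factors must be right, and each interval's code is usable once.
        if not pin_ok or matched is None or matched <= self.last_accepted:
            return False
        self.last_accepted = matched
        return True
```

The replay check is what keeps a keystroke-logged passcode from being useful after its minute has passed or once it has already been spent.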

Two Heads

This so-called two-factor authentication eliminates the need to constantly change user passwords and reduces the risk that unauthorized users will access a network. Unlike other options, however — such as biometrics or other smart-card solutions — the RSA option does not require that additional hardware be added to the network.

Art Coviello, RSA’s CEO, called the solution a “smart, simple alternative to static passwords” that will help enterprises avoid “expensive and damaging security breaches.”

“Customers have told us they want strong, integrated authentication technology,” Microsoft security chief Michael Nash said.

Slow Going

The security industry has long tried to encourage enterprises to adopt more vigorous forms of identification and access control. Employees often choose easy-to-remember — and therefore easy-to-decipher — passwords, and passwords used for long periods of time can be stolen by hackers simply by tracking a user’s keystrokes.

Despite the shortcomings of traditional passwords, hardware-based solutions such as smart-card readers have been slow to catch on, in part because of their added expense and in part because there is no single standard that would make smart cards universal, Gartner research director Mark Nicolett told the E-Commerce Times.

“Card or token readers are still viewed as too costly and too risky an option by most enterprises,” Nicolett said.

While the RSA solution cannot do as much as a smart card, which can contain a host of information about a user, including limitations on how he or she can use certain information, it may catch on because of its ease of implementation. “Anything that doesn’t require ripping up the network or adding hardware that may or may not be the standard in five years is going to get a long look,” Nicolett added.

Window to the World

Not surprisingly, making Microsoft deployments more secure is a key theme at the RSA confab. IDC analyst Allan Carey said while the improvement over passwords addresses only one of the many types of security concerns surrounding Windows installations, it may signal to Windows customers that Microsoft is serious about making it secure on all fronts.

“Anything Microsoft can be seen doing to make its products safer is going to be a positive in the minds of customers,” especially those who may be considering alternatives such as Linux, Carey told the E-Commerce Times.

Also on Tuesday, Sun Microsystems announced plans to roll out an identity-management solution for Windows and other Microsoft environments.

Sun said its Identity Manager, based on technology it acquired from Waveset Lighthouse, will enable centralized management of user identities across all different applications used in an enterprise.

Gates on Security

Both announcements came just ahead of a much-anticipated keynote speech by Microsoft chairman Bill Gates at the RSA conference. Gates used that keynote to highlight the various fronts on which Microsoft is working on the security problem, citing a laundry list of industry partnerships and technology efforts.

Gates also demonstrated a number of security features that Microsoft is including in its Windows XP service pack, including the built-in firewall and enhancements built into the Internet Explorer browser.

1 Comment

  • Most of the security tokens today are old technology, expensive, not easy to carry and manage.
    The CAT (Cellular Authentication Token) is new technology, low cost, you carry it with you anyway (your cellular) and there is no management or hidden costs like when you lose it or the token expires.
    Technologies like the CAT (Cellular Authentication Token of Mega AS Consulting Ltd http://www.megaas.co.nz) are the answer. Here we see a usage of the popular Cellular token to enhance users’ security when logging into Internet Servers. The main point is, that almost all the Internet users already have a Cellular, and the companies do not have to deal with expensive proprietary hardware for authentication. With TFA OTP secured access available to all, we can reduce drastically the eCommerce and eBanking scams and let the services grow.

More by Keith Regan