Fortifying Your Network-Access Control: Page 5 of 11

On the flip side, authentication products designed for integration into multiple networks and applications, such as Lucent NavisRadius, Novell Nsure SecureLogin, RSA SecurID and Secure Computing SafeWord PremierAccess, carry the standard software purchase and maintenance costs but compensate with facilities that make it easier to integrate the authentication process into multiple software platforms (for a review of several of these authentication products, see "Not Just a Token Effort").

Reducing integration costs will take on greater importance as organizations get serious about SSO and identity federation (more about them later), and as users force their employers to get serious about minimizing the PITA factor of strong authentication. The push to lower integration costs should lead more organizations to explore third-party authentication systems, which offer richer feature sets and the ability to meld multiple authentication transactions into a single user experience.

The same factors that attract organizations to third-party authentication will make smart cards a strong two-factor authentication option. Users are comfortable with the format, so internal training and political costs will be low. Beyond the human factor, smart cards are already being used in commerce and premises security applications, so integration into other transaction capacities should be easier than with simple hardware tokens or USB devices. With the addition of RFID capabilities, smart cards can be used for proximity authorization, providing access to devices that don't include keyboards or conventional card readers.

The regular cycles of security purchasing mean an increased interest in authentication is on the horizon, according to Forrester's Steve Hunt, who adds that security deployment moves in waves of authentication, authorization, administration and auditing. He says we're in the audit portion of the cycle, with systems being put into place to demonstrate compliance with laws protecting customer and patient information. As the audit phase passes its peak, the authentication phase begins in earnest; Hunt says Forrester expects the cycle to crest in late 2005 through 2007.

Fortunately, standards bodies have begun acting to bring some regularity to the market, and products adhering to some of the first standards should be in place soon. One example is OATH, the Open Authentication Reference Architecture, a proposed standard for strong authentication under development by the Initiative for Open Authentication, an industry consortium initiated by VeriSign and joined by vendors including ActivCard, Aladdin, Aventail, BEA Systems, Hewlett-Packard and IBM. Some industry leaders, such as RSA and Secure Computing, have not yet joined the consortium or made public statements about OATH, which is unfortunate, because a true industrywide standard for hardware tokens would be a huge win for customers.