Creation of OATH, Cross-Industry Reference Architecture for Open Strong Authentication Will Help Drive Adoption Across All Networks, Applications and Devices
SAN FRANCISCO, CA. - RSA Conference 2004 - February 23, 2004 - VeriSign, Inc. (Nasdaq:VRSN), the leading provider of critical infrastructure services for the Internet and telecommunications networks, today announced the Open Authentication Reference Architecture (OATH), a revolutionary new approach to driving the adoption of strong authentication technology across all networks. Based primarily on existing standards, OATH will ensure that secure credentials can be provisioned and verified by disparate software and hardware platforms, removing traditional barriers to widespread adoption and ultimately giving enterprise IT managers better control over their security environment.
Strong Authentication connotes a stringent level of security that combines a user ID with a software or hardware 'token' to form a unique device that validates a user's identity when accessing a software application or network. It represents a foundational element of trusted networks where multiple business partners can securely share confidential information.
Online identities secured only by static passwords can be exploited, resulting in identity theft or compromised systems. Existing two-factor authentication approaches, while more effective, are often expensive and complex, and their lack of interoperability poses significant barriers to adoption. An industry-wide collaborative effort to promote Open Strong Authentication will remove these barriers and broaden enterprises' use of the Internet to communicate, collaborate, and conduct commerce in new ways.
"As we've seen with personal computers, networking, and other advances, ubiquitous adoption of any technology accelerates with a fundamental shift from proprietary to open architecture," said Stratton Sclavos, chairman and CEO, VeriSign. "An Open Strong Authentication architecture such as OATH will be a key enabler and accelerator of secure communications and commerce. Customers demand choice, flexibility, and investment protection. Today's announcement supplies the missing pieces and sets forth a path the industry can take to offer enterprises a multitude of affordable solutions that can be deployed with unprecedented ease and scale."
OATH: A Collaborative Effort for Open Authentication
Leading hardware and software providers have joined with VeriSign in support of the OATH reference architecture, which will leverage widely adopted protocols and technology (for example, LDAP and RADIUS) as its foundation. In addition, the companies intend to develop new specifications for key missing standards for credential provisioning and a One Time Password (OTP) algorithm. These specifications will be brought forward and refined within appropriate groups, including the IETF, TCG, and Smart Card Alliance. With OATH, device manufacturers, software vendors, and service providers will be able to integrate these open interfaces within their products to create interoperable solutions. For example, makers of laptop computers, mobile phones, PDAs, and other handhelds will be able to embed Open Strong Authentication into their products knowing that interoperability with existing network and application platforms is assured. Similarly, software application and platform vendors will be able to support the broadest range of authentication devices by supporting a simple set of interfaces and protocols.
Through the adoption of OATH, customers will find more technology choices and lower total cost of ownership. V endors will be encouraged to create a new, more versatile generation of physical tokens that can combine three authentication methods, including OTP, PKI-based authentication (using X509.v3 certificates,) and SIM based authentication (for GSM and 3G networks.) Armed with such flexibility, the same device will be capable of securely authenticating an end-user across multiple networks and applications with much greater flexibility and interoperability. Customers will also be able to leverage their existing network, application, and directory infrastructure instead of having to purchase and deploy specialized proprietary solutions. By providing a coherent solution for integrating and coordinating multiple authentication and access solutions, OATH will give enterprises the control they need to more effectively manage their security and business environments.
"In working with a key cross-section of the industry, including hardware manufacturers and infrastructure providers, VeriSign hopes to help drive much-needed evolution in the authentication arena," said Mark Griffiths, vice president, Authentication Services, VeriSign Security Services. "As OATH adoption becomes ubiquitous, scalability requirements will move from enterprise to Internet scale. In addition to a full suite of OATH compliant solutions delivered in conjunction with partners, VeriSign will also be introducing the first network-based authentication utility. Based on our ATLAS infrastructure, this new service will offer unlimited scale and reliability further reducing the complexity and cost of enterprise deployment."
For more information on the organizations working with VeriSign, and endorsing the Open Authentication approach, please see the attached quote sheet.
For more information on OATH, please go to: http//www.openauthentication.org/.
An initial proposal for the reference architecture is available at: http://www.openauthentication.org/resources.asp
About VeriSign
VeriSign, Inc. (Nasdaq: VRSN), delivers critical infrastructure services that make the Internet and telecommunications networks more intelligent, reliable and secure. Every day VeriSign helps thousands of businesses and millions of consumers connect, communicate, and transact with confidence. Additional news and information about the company is available at http://www.verisign.com .
For more information, contact:
VeriSign Media Relations: Brendan P. Lewis, brlewis@verisign.com , 650-426-4470
VeriSign Investor Relations: Kathleen Bare, kbare@verisign.com , 650-426-3241
###
Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the ability of VeriSign to successfully develop and market new services and customer acceptance of any new services; and the risk that VeriSign's announced Open Strong Authentication Solutions initiative may not result in additional products, services, customers and revenues. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2002 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.
INDUSTRY SUPPORT FOR OATH
ACTIVCARD:
"By participating in the Open Authentication Reference Architecture, ActivCard will lend its leadership and expertise towards establishing trusted digital identities as a key component of secure communications and transactions. Consistent with ActivCard's mission, the establishment and support of industry standards for strong authentication are essential for broad market acceptance and for providing lowest total cost of ownership."
Ed MacBeth, vice president of strategic alliances at ActivCard
ALADDIN:
"OATH Reference Architecture will provide validation of two-factor authentication as a mission critical element in network security. Aladdin's market proven eToken technology, and our newly launched device incorporating both smartcard-based PKI and OTP functionality, the industry's first-ever, will support the OATH architecture."
Avishai Ziv, vice president of business development at Aladdin Knowledge Systems
(Nasdaq: ALDN.)
ARM:
"ARM firmly believes in the Open Authentication Initiative and the part it will play in enabling a higher standard of security in mobile devices. Mobile security is of increasing concern as cellular phones and PDAs become a pervasive computing environment .Use of the ARM ® TrustZone (tm) solution in a Strong Authentication framework is a positive step for deploying M-Commerce in portable devices."
Tiago Alves, product manager, TrustZone technology, ARM.
AUTHENEX:
"Authentication is similar to the lock that opens the door to the network castle. Network security efforts have been concentrated on building thick walls, gated windows and reinforced doors, but the lock itself is weak. The adoption of OATH will deliver a strong authentication lock at a lower cost to safeguard every network."
Henry Hon, executive vice president, Authenex
AVENTAIL:
"SSL VPN technology is driving huge growth in anywhere application layer access from an unprecedented breadth of Internet-enabled devices. This level of access makes strong authentication for business partners and employees even more critical, but the cost of deploying strong authentication can be cost prohibitive. The OATH initiative will allow more enterprises to securely use the Internet and SSL VPNs as a business tool because it will drive the cost of strong authentication deployments down ."
Sarah Daniels, vice president of product management and marketing, Aventail Corporation.
AXALTO:
"Axalto e-gate USB smart cards bring a unique combination to OATH of portability, simplicity and the strongest cryptographic capabilities available. This initiative also opens up the ability to deliver higher value and interoperability to our customers through practical integration with important existing initiatives. The portable, secure identification supplied by e-gate USB tokens when combined with the Axalto One-Time Password or Axalto DeXa.Badge Identity Management solution makes a strong addition to the OATH initiative."
Francois Lasnier, vice president, Access and ID, Axalto
BEA SYSTEMS:
"Strong authentication based on open standards supports our quest to provide our enterprise customers with a strong application security infrastructure that's easy to use, integrate and deploy. Using the WebLogic Security Provider SSPI, WebLogic customers will be able to take full advantage of the benefits of OATH architecture."
George Kassabgi, vice president and general manager, application security infrastructure, BEA Systems
GEMPLUS:
"Open Architecture has proven to be valuable for an entire eco-system, bringing healthy competition together with strong industry support. We believe the industry needs direction. Currently, there isn't one solution for end-user authentication, rather multiple methods and solutions that must match diverse criteria, such as Enterprise IT security and Remote network access, be it Wireless or fixed. Gemplus believes this the OATH Reference Architecture will trigger new market opportunities by allowing Wireless Service providers to enable Business Travelers to remotely access their Enterprise resources."
Philippe Martineau, vice president, WLAN, Gemplus
HP:
"An open standards-based approach for stronger user authentication will allow enterprises to be more adaptive, better manage costs, and mitigate risks. Security needs to be built-in, not a bolt-on. The industry needs to work together towards a more interoperable standards-based approach to the use of authentication technologies in IT. HP sees the OATH initiative as a step in the right direction. HP will work with VeriSign and others to contribute to the completion of the OATH proposals and take them to the appropriate industry standards bodies."
Tony Redmond, vice president and head of HP's Security Office
IBM:
"Our customers want an open specification around strong authentication, and we look forward to working with VeriSign to bring this specification to a standards body for consideration. We plan to be the first to deliver an integrated identity management solution that works with OATH, giving our customers the power to provision identities to applications, operating systems and network devices."
Joe Anthony, director of integrated identity management, Tivoli Software, IBM.
RAINBOW TECHNOLOGIES:
"Open standards-based strong authentication will enable customers in all vertical markets, including government agencies, to share more critical information over a wider boundary while increasing information security. We look forward to working with VeriSign to deliver open and easy-to-deploy authentication solutions such as USB tokens that can securely contain multiple credentials."