RSA: Microsoft to shelve token support in Vista

RSA: Microsoft to shelve token support in Vista

Summary: The OS update won't include built-in support for SecurID, even though the technology has been under testing for two years.

SHARE:
Microsoft has shelved plans to include built-in support for RSA Security's tokens in Windows Vista, even though the company has been testing out the authentication technology for almost two years.

In February 2004, Microsoft Chairman Bill Gates said that Windows would be able to support easy integration with RSA's popular SecurID tokens. That meant businesses would find it far easier to deploy a two-factor authentication system for logging on to networks and applications.

However, almost two years after the SecurID beta-testing program kicked off, RSA's chief executive, Art Coviello, disclosed that Windows Vista will not natively support the technology.

"Microsoft had said they would include the ability to support all kinds of One Time Password (OTP) and challenge-response type authentication in Vista. But they were unable to get it in with all the other issues they have had, so it is going to take longer," Coviello said in an interview on Tuesday morning in Sydney.

According to Coviello, sales of SecurID for Windows have "gone slowly" because Microsoft decided not to support the tokens natively in Windows. This meant that deploying a token-based system still required "some work," he said.

"It has gone slowly, and it has gone slowly for a number of reasons," Coviello said. "Microsoft has given us source code so we can replace the Microsoft logon screen. However, it is not yet native to the operating system. So it still requires some work at the desktop, which slows down the adoption rate."

Coviello expects Microsoft to add native support for SecurID in future updates to Vista, after which he hopes demand will increase significantly for two-factor authentication, where people present a second form of identification as well as their password.

"Admittedly, when Vista eventually includes support for onetime passcodes--as is expected in some future point release--people will be more aware generally," he said.

"Right now, we have a competitive advantage, and quite frankly, the adoption rate of our product, SecurID for Windows, is more about inertia in the market than about the technology," he said.

Although Microsoft has been slow to add support for SecurID and other password alternatives, Gates has frequently called on the industry to move away from passwords--including in a speech at this year's RSA Security show.

Vista is expected to include a password management system called InfoCards, which Gates announced at the RSA conference.

Microsoft said Tuesday that it had worked with several vendors and customers on whether to add native support in Vista for one-time passwords, via its Kerberos authentication protocol. RSA's SecurID token generates a different password for each attempt to log on to a service.

"Most customers told Microsoft they do not view one-time passwords as strategic and are looking long term to smart cards as their preferred strong authentication mechanism," a representative for the software maker said.

The Vista update will let third parties write credential providers to add their authentication tool to the operating system, the representative added.

CNET News.com staff contributed to this report.

Topics: Software, Operating Systems, Security, Software Development, Windows

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • For the sake of accuracy:

    "via its Kerberos authentication protocol". That's PLAIN WRONG. Kerberos doesn't belong to microsoft. It could be their Kerberos authentication protocol <b>implementation</b>... at most.
    anonymous