Microsoft turns mobiles into 'Passports'

RSA 2002: A deal between Microsoft and RSA will see mobile phones used to add extra security when authenticating Passport users

Microsoft and RSA are to team up on security in a deal that will enable e-commerce sites using Microsoft's Passport authentication service to bolster security using mobile phones.

The deal is just one of several between the two companies announced at the RSA security conference in Paris this week, where Microsoft became the major supporting act for RSA's announcement extravaganza.

RSA, which is the market leader in authentication, said it plans to work more closely with Microsoft products in future, and hopes at the same time to make its products more usable.

RSA's RSA Mobile authentication mechanism, announced in September, which sends a one-time access code to the user's mobile phone, will be used to add two-factor authentication to Microsoft's Passport authentication service.

UK-based managed security provider iRevolution will use RSA Mobile to give e-commerce sites the option of authentication based on more than just the single password users need to be authenticated by Passport.

The iRevolution service -- which is not yet available -- will require a second access code before the user's credentials for a particular site are downloaded. This code will be sent to the user's mobile phone, so that authentication is based on two factors, both something you know (your Passport password), and something you have (your phone). "It's a virtual smart card," said John Worrall, marketing vice president of RSA. "It is up to iRevolution how they implement this, and they will offer vendors a choice."

RSA has developed a version of its SecurID authentication token to run on Microsoft's Pocket PC. This is a software version of the hardware tokens that many users have on their keyrings -- it will run on iPaqs or other PDAs, generating one-time codes for access to applications, so the PDA becomes the something-you-have part of two-factor authentication. "This is not as secure as a hardware token," said Worrall," but it is more effective than a simple password."

Despite the number of Microsoft partnership announcements, RSA also committed to working with other players. There has been a software version of SecurID on the Palm OS for about four years, said Worrall, and the product also runs on Ericsson 380 smartphones and the Nokia Communicator.

In another non-Microsoft announcement, RSA certified Oracle's 9i Application Server to work with all its authentication products, including the ClearTrust Web access management product, and the Keon digital certificate management system.

Microsoft has licensed RSA's SecurID two-factor authentication software, and will build a SecurID agent into the Microsoft ISA 2000 firewall/cache product. "This will push authentication out to the perimeter of the network," said Stuart Okin, chief security officer for Microsoft UK. "It is a good idea to get it out as far as you can, so that unauthenticated users are not allowed into the heart of the corporate network."

Peter Judge reported from the RSA Conference in Paris.

For all your GNU/Linux and open source news, from the latest kernel releases to the newest distributions, see ZDNet UK's Linux News Section.

Have your say instantly, and see what others have said. Go to the Linux forum.

Let the editors know what you think in the Mailroom.