A string of highly publicized security breaches in the last year has caused a series of headaches for data aggregators like ChoicePoint and Acxiom.
Subsequent Congressional hearings and threats of new laws to regulate data collection practices haven't helped. Neither have class action lawsuits like the one filed in California against ChoicePoint after the company admitted it sold information on 145,000 people to identity thieves.
But the privacy outcry has been a boon to at least one firm: RSA Security, a Bedford, Mass.-based company that sells a range of authentication technologies. It's best-known for its "SecurID" keychain fob and, in technology circles, for its popular conference held in the San Francisco Bay Area.
But its stock price has been battered recently over uncertainty caused by its chief financial officer's departure and an expensive $145 million acquisition of Cyota, which sells antiphishing and fraud detection services to financial institutions.
RSA CEO
CNET News.com spoke with Coviello about federal legislation, SecurID, and the company's February 2006 conference.
Q: You wrote an article with (RSA board member) Orson Swindle saying that regulations aren't enough and we already know best practices that some companies didn't follow. Do we need a law mandating best practices?
They didn't legislate or regulate anything. They said a best practice for online financial transactions is to have some kind of authentication beyond a password. They said we really strongly urge you to have something done by the end of 2006. What's wrong with that? Industry's on notice and it's the right thing to do.
What do you think the effect of those federal regulations will be? What will most banks do?
Coviello: Most banks won't have it implemented by the end of 2006. As I talk to financial institutions, they say, "We think this is something that needs to be addressed and we've been wrestling with how to do it. We'll do our best to get done but we may not be ready by then."
Have you seen interest in your SecurID product as a result?
Coviello: Huge. It's not just SecurID. I should qualify that.
Because we're so successful with the token, people misunderstand and think it's the only authentication product we have. We're a victim of our own success in that regard. We have software versions of the token. We have digital certificates. We have USB devices that have resident on them a digital certificate. We've made no secret that we're going to expand authentication (products).
We are absolutely getting a lot of inquiries about our product lines and our plans. It's obviously going to be very good for our business.
I have four bank accounts. Does that mean I have to juggle four different SecurID tokens? That sounds like a pain.
Coviello: We launched a consumer-oriented service this quarter that will allow people who have tokens to register them with other consumer-facing organizations (such as banks) who can then proxy their token to our service and we will authenticate them.
So you're saying that I'd just need one, as long as all my banks cooperate?
Coviello: Yes. For instance, if you have an E*Trade account and have an E*Trade token and go to Wells Fargo and both companies sign up for the service, you can use the same token for both. It's our job to get them interested.
When E*Trade offered SecurID tokens to nearly 3 million customers, only 20,000 signed up, and almost all of those had qualified for a free promotion. Is that a success story?
Coviello: The takeup rate is ongoing... The takeup rate for ourselves and E*Trade we've been pretty happy with. It's something that consumers are going to get used to. E*Trade isn't mandating the use of the tokens. But over time, as awareness builds, we'll increase the penetration.