In discussions since releasing its first-quarter 2006 numbers last month, Bedford, Mass.-based RSA Security Inc. has clearly stated its intention to grow equally in all three of its main business areas: enterprise, consumer (by which it means its sales to businesses that concentrate on consumer authentication and access needs) and developer.
To be sure, the bulk of RSA's business is in the enterprise space -- about $76 million of its total first-quarter revenue of $87.5 million. It's worth noting, however, that first-quarter consumer growth of 20% from the year-ago period isn't without appeal. As we prepared this piece, RSA announced a deal with Financial Fusion Inc. to provide RSA's risk-based authentication to its consumer and corporate banking products.
In the past six months, RSA has bought antifraud and two-factor authentication vendor Cyota for $145 million, and, well, antifraud and two-factor authentication vendor PassMark Security for $45 million. The Cyota purchase sealed several high-profile new consumer deals, including E*Trade Financial Corp., which bought RSA's antiphishing and Adaptive Authentication products; Barclays Bank plc, which upgraded from RSA's FraudAction to Transaction Monitoring; and Susquehanna Bancshares Inc., which signed on to RSA FraudAction antiphishing services. These additions were part of what RSA says were two dozen such deals last quarter.
RSA said that in the first quarter of 2006, it shipped 1.7 million units of authentication credentials, 11% more than during the same period a year ago. And while it said growth is roughly equal in all its sectors, it said 623,398 of those credentials were in the consumer space -- up 20% from the fourth quarter of 2005. Part of that surely is attributable to the addition of E*Trade.
Revenue was up 15.7% to $87.5 million, from $75.6 million in the year-ago period, with earnings of $5.3 million, or $0.07 per diluted share. The company noted that in the year-ago period, net income of $7.2 million, or $0.10 per diluted share, did not include stock-based compensation charges. Non-GAAP earnings of $0.14 beat Wall Street expectations by a penny. At the end of the first quarter, it had about $57 million in cash and cash equivalents.
RSA is keenly aware that it trails Vasco Data Security International Inc. in the one-time password (OTP) business, and it has been establishing partnerships left and right to gain what it calls ubiquitous authentication. Essentially the idea is to make the shift from hard tokens -- those little plastic fobs that produce time-sensitive OTPs -- into the realm of deploying the RSA SecurID product on devices that customers already have. These devices include mobile phones, PDAs, trusted computing modules and smartcards, from vendors such as Microsoft, Motorola Inc., M-Systems Inc., RedCannon Security Inc., Renesas Technology Corp., Research in Motion Ltd. and SanDisk Inc. RSA and Pointsec Mobile Technologies, a wholly owned subsidiary of Protect Data AB, have announced that Pointsec has integrated RSA technologies into the Pointsec for PC product, using RSA SecurID SID800 USB-enabled authenticators and RSA Smart Cards for pre-boot authentication to Pointsec-protected mobile devices.
We think a clear and interesting acquisition target here for RSA is Diversinet Corp., which provides RSA with over-the-air self-service deployment of soft tokens on mobile devices. The Diversinet product line and expertise would allow RSA to greatly expand its abilities to provision mobile devices with OTP. Granted, RSA licenses these technologies today from Diversinet, and the question of 'why buy the cow when the milk is so cheap' comes up regularly when we talk about this, but some of the biggest markets for consumer OTP soft-token deployment are in Asia, and there RSA would do well to own, not rent: in April, Diversinet announced a deal with SK Infosec, which will distribute Diversinet's OATH-compliant MobiSecure software tokens and MobiSecure Authentication Service Center (MASC) provisioning service in Korea. RSA has also launched recent forays into the Korean market -- who needs the distraction of competing against another OEM player? Plus, we think this technology is disruptive: if that's true, the last thing RSA wants to do is depend on a company with extremely low revenue and high cash burn to carry the ball.
The price is probably as appealing as the technology -- Diversinet shares trade in the $0.70 range, and it has a market cap of about $17 million. It posted 2005 revenue of $1.1 million and first-quarter 2006 revenue of $473,000, up 33% year-on-year and 197.5% sequentially. The company narrowed its net loss to $730,000 ($0.03 per share) from $1.3 million ($0.07) in the first quarter of 2005. Diversinet also slowed its cash burn rate from $1.2 million in the fourth quarter of 2005 to $406,000 in the first quarter of 2006. Its expertise in the mobile area and its ability to innovate make it a ripe acquisition target. The 52-week trading high of $0.86 would seem to be the top end of a take-out price range, making a purchase price around $21 million about right.
One of the interesting aspects of the PassMark acquisition was the company's biometric capabilities. These are based on its claimed ability to provide biometric authentication for password resets using a voiceprint taken via telephone (PassMark acquired the assets of Vocent Solutions, which developed the technologies, in August 2005 for an undisclosed amount). Leaving aside for the moment questions about whether the narrow audio bandwidth of a telephone line permits authentication strong enough to be trusted with the contents of, say, a checking account, RSA's attitude toward biometrics has been clear for some time: interesting stuff, we're not sure about the business case for it, we're looking into it.
However, consumer understanding of the need for two-factor and bi-directional authentication has been rising, while the prices of fingerprint readers have been falling at the same time as their quality has improved. Clearly, RSA -- the leader in authentication and access management -- must be doing more than thoughtfully rubbing its chin. We've commented on purchases in this space by Viisage Technology Inc., such as the pending $770 million acquisition of Identix Inc., which will make Viisage the only U.S. company to sell a full complement of multimodal biometric recognition offerings for iris, finger and face, including biometric devices, software applications and services. But that's high-tech stuff used by police departments and the military.
For banks, meanwhile, it makes good marketing sense to provide "good enough" security -- an extra layer providing a not-so-strong additional factor (a case in point being PassMark's search for a secure cookie or Flash object on the user's machine to use as a second factor, or indeed PassMark's use of telephonic voiceprint as a biometric third factor). Banks are thus able to inform their customers that they are doing everything to secure accounts (RSA tells us the E*Trade deal was driven by the company's marketing department, not its security officer). RSA might entertain the acquisition of some smaller biometrics players. These needn't even be players like UPEK Inc., Cross Match Technologies Inc., SecuGen Corp. or AuthenTec Inc.: with a Bioscrypt Inc. Bioscrypt Core and a scanner licensed from any one of those vendors, a clever integrator -- and there are hundreds of those, ranging from tiny to fairly large -- could be of great interest.
We're convinced that RSA is not done buying in this space yet, and we don't think that some product overlap with its existing portfolio would matter too much: to an extent, PassMark duplicated certain functionality of Cyota, but RSA was interested in it regardless, and remains interested in similar plays for the simple reason that it wants to be the undisputed leader in risk-based authentication products. We therefore don't think that it is out of the question to ponder whether RSA might consider layering its offerings by acquiring a sophisticated fraud detection company such as Business Signatures Corp., Cydelity Inc., Digital Envoy Inc.'s Digital Resolve unit and The 41st Parameter Inc. (which closed an $11.2 million series B funding round on May 8 led by Kleiner Perkins Caufield & Byers, with participation from its series A investor Norwest Venture Partners).
In the UK, consumers have been alarmed by reports of fraud involving chip-and-PIN card readers, which provide point-of-sale processing of credit and debit cards using a four-digit PIN in place of a signature. It's an old-fashioned skimming job -- the scammers copy the magnetic card details rather than the chip -- but it's a sexy story and the media is running with it. We're not saying that this news makes RSA rub its hands gleefully, but purchases made using cloned debit and credit cards are just the kind of thing that the antifraud, risk-based security vendors have been claiming to be good at stopping (RSA says that of every two transactions highlighted by its Cyota antifraud technology, one turns out to be fraudulent). When the Tesco supermarket chain is forced to re-case 2,000 ATMs to prevent fraudsters from attaching skimming devices to the card readers, RSA would certainly expect someone at Tesco to give it a ring.
To be able to provide some concrete answers once that call comes through, RSA will have to keep buying innovators in antifraud, risk-based security, biometrics and one-time passwords.
Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group.