As Entrust Inc. enters the hardware token market selling tiny one-time password (OTP) tokens at $5 each, analysts say the vendor's entry into the market could drive down prices across the board.
Called Entrust IdentityGuard, the tokens are manufactured using cheaper materials but with the same feature set and functionality of other OTP tokens. Tokens typically generate new pin numbers every 30 to 60 seconds and are used in addition to user IDs and passwords for authentication.
An Entrust spokesperson said that some major patents protecting mass production of token devices expired last year, giving vendors the opportunity to enter the market with cheaper devices.
Entrust entered the authentication market in 2004 with an identity card authentication platform called IdentityGuard. The new tokens can be integrated as one of the many authentication methods in use with its platform.
The new tokens are water resistant, come with a one year warranty and Entrust said the battery life is estimated at 3-5 years. Entrust expects to sell them beginning in the second quarter of 2007, the vendor said. Online travel vendor Expedia will be the first company to use the new token.
Experts say that it could take time for Entrust to ramp up sales of the cheaper devices as it goes up against some well established competitors. RSA Security, now part of EMC, sells similar hardware token devices for $25-$40 with a subscription model that's based on the number of tokens that are purchased. Password device manufacturer Vasco also sells one-time password devices at $12-$18 each, and VeriSign also sells hardware tokens.
Despite a recommendation last year from the Federal Financial Institutions Examination Council (FFIEC) that banks implement two-factor authentication to protect their Internet banking sites, the market for hardware authentication tokens has grown slowly in recent years, said Ray Wagner, a research director at Stamford, Conn.-based Gartner Inc. Enterprises can choose from a number of other authentication methods besides directly authenticating applications, he said
Microsoft is also heavily committed to supporting its smartcard infrastructure, which is a major issue for all hardware token vendors, he said.
"RSA was the only one in the game for a long time and built its product on top of infrastructure that people liked, but because there's a good ROI argument here, Entrust could see some momentum," Wagner said. "This could potentially extend use beyond just remote access users."
Expedia chief information officer John Millican said his company moved to Entrust's platform in October and would soon begin using the firm's tokens for authentication. RSA tokens were recently phased out after maintenance expenses proved difficult to control, Millican said. Expedia also uses Entrust for content monitoring, public key infrastructure, and security governance, he said.
"We phased out RSA because the experience was problematic," Millican said. "Implementation and ongoing operations with it was difficult and expensive and that led us to move on."
Tony Luongo, vice president of sales of Woburn, Mass.-based reseller Go2 Communications Inc., said sales of hardware authentication tokens are usually coupled with a larger security installation. While cost is a factor, customers will want tokens backed by a brand they know and trust, he said.
"When you have market share and clout and great support mechanisms behind your product, customers are going to pay a premium," Luongo said. "We won't see customers buying Entrust just because it's a cheaper token. It has to fit into their security strategy and easily integrate with the solutions they've already got in place."