Entrust Inc. hopes to lower that barrier with a new one-time password (OTP) hardware token introduced this week. At US$5, it's less than half the price of similar tokens from rival vendors such as Vasco Data Security and RSA, EMC Corp.'s security division.
Entrust's so-called time-synchronous tokens allow users to authenticate themselves to a network or application using a one-time password that is generated every few seconds by the device. Such tokens have been used for authentication purposes for years now by banks, government agencies and others.
What makes Entrust's entry into the market interesting is that US$5 cost, analysts said. "The price is significantly less" than similar tokens from other vendors," said Paul Stamp, an analyst at Cambridge, Mass.-based Forrester Research Inc. At very high volumes, the difference between its price and that charged by other vendors may be somewhat less because of volume discounts. But even with that, Entrust's price is "extremely competitive," he said.
"From a security perspective hardware tokens are very good and viewed as being stronger," than several other approaches, including cookie and location-based authentication, Stamp said.
Ant Allan, an analyst at Stamford, Conn.-based Gartner Inc., said that the new Entrust tokens are likely to be a more attractive option for organizations that might have been considering other authentication technologies because of cost considerations. "At this price, Entrust's tokens are starting to compete" with the other approaches, he said.
Online travel service Expedia Inc. has signed up for the tokens and plans to start rolling them out to its employees later this year, said John Millican, the company's chief information security officer. Expedia was already in the process of implementing grid card-based strong authentication technology from Entrust to about 2,500 employees. With the Entrust tokens becoming available, about 1,500 of those employees will now get the new tokens instead, he said.
"We can now provide a higher level of security" to the people who need it at a cost comparable to the grid cards, Millican said. "The grid cards are useful in many areas, but they don't provide the high-level protection" that hardware tokens do, he said. And because both the grid cards and the hardware tokens work on the same Entrust IdentityGuard authentication infrastructure, there's no need to deploy a separate infrastructure to accommodate token-based authentication.
Toffer Winslow, vice president of marketing at RSA, said Entrust's entry into the market with its low-cost token is something the company takes "very seriously."
At the same time, it is important to note that token costs constitute only part of the overall price of hardware-based authentication, he said. Other costs include those associated with the authentication infrastructure, including integrating it and operating it, he said. "We think the right focus should be on the total cost of ownership. Looking at token costs alone misses the point," he said.
In an e-mailed comment, a spokeswoman from Vasco also stressed the importance of looking at the overall costs of the technology.
"Vasco scores very well with regards to [total cost of ownership]," she said, pointing to the five-to-10-year lifespan of its authentication devices, relatively low-integration and maintenance costs and the fact that authentication infrastructure supports over 50 different client authentication products.