On 13 February 2006, VeriSign introduced the VIP suite, which includes fraud detection, a shared token consumer authentication network and a self-service portal that enables customers to get their own VeriSign tokens. VIP's fraud detection capability will be enabled through VeriSign's $12 million purchase of Snapcentric. Yahoo has agreed to rely on VeriSign tokens, supplementing PayPal's and eBay's October 2005 agreement to issue 1 million VeriSign tokens. VeriSign also announced agreements with Motorola and SanDisk to embed Open Authentication (OATH) compliant one-time password (OTP) capability in their devices.

VIP is intended to make it easier for financial services and e-commerce companies to strengthen consumer authentication through a shared infrastructure. Key elements include shared token authentication and fraud detection. The shared authentication network could help solve the “necklace” problem — consumers needing a separate token for each service. However, this will mean little until PayPal or eBay starts issuing OTP tokens. There still has been no word on any definitive schedule for this. Further, based on our research, it's doubtful that U.S. consumers will choose to use tokens in large numbers.

Although it is still unproven in fraud detection, VeriSign does bring considerable resources to its new fraud detection network, including IP-related data from DNS (Domain Name System) attacks. VIP competes with similar products from RSA Security/Cyota and PassMark, as well as offerings from Entrust, TriCipher, Digital Envoy and others. VeriSign’s entry will exert price pressure on the other vendors.

VeriSign faces other challenges:

•            The need to find other markets for VIP, such as business-to-business commerce, government and the insurance industry.

 •           VeriSign’s presence in IT and security organizations doesn't automatically ensure that it will be accepted by e-business units that typically guide consumer authentication platform decisions.

 •           VeriSign will need to encompass already deployed, non-OATH OTP tokens within the shared network. This is important in European and Asian markets, where many banks have already issued several million OTP tokens, and a new VIP token would just add to the “necklace” problem.

Recommendations

•            Banks, brokerage firms and other consumer-facing organizations considering fraud detection and authentication products should evaluate VIP.

 •           Potential users of VIP should consider its fraud detection function separately from its authentication function. VIP supports OTP authentication methods, and will support public-key infrastructure and biometrics, but U.S. consumers and banks favor other available methods.

 •           Users of authentication services should leverage this announcement to extract lower prices and fees from VeriSign's competition.

Analytical Sources: Avivah Litan and Anthony Allan, Gartner Research

Recommended Reading and Related Research

• "RSA Security Acquires Cyota, but Relationship Will Need Work" — The acquisition of Cyota will help RSA penetrate the online fraud detection and consumer authentication market. By Avivah Litan
• "eBay/VeriSign Deal Could Remake the Online Payment Market" — The acquisition of VeriSign's payment gateway will enable eBay's PayPal subsidiary to offer more non-eBay retailers a low-cost alternative to credit and debit cards. By Avivah Litan

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)