An OATH you probably shouldn't take, just yet
By David Berlind, Tech Update
February 26, 2004

"It's crazy. An RSA token costs about $45 per person and it doesn't have to be that way." Those were the words of Mark Griffiths, VeriSign vice president of authentication services, as he announced the launch of a new industry initiative called the Open Authentication Reference Architecture (OATH). Griffiths is looking to provide an industry wide alternative to RSA's secure authentication products.

According to Griffiths, RSA Security has a lock on the strong authentication business (the type of authentication that requires more than just a username and password). According to Jason Lewis, RSA product management vice-president, the company has about 12 million users of its SecurID technology at approximately 14,000 companies. SecurID is a technology that generates a new one-time password every 60 seconds. It's available in a variety of form factors, including key fobs and smart cards, and it can be loaded as software into cell phones and PDAs.

For the server side of the equation, customers of RSA's SecurID are uncomfortable buying anything but RSA's ACE Server or a certified-compliant solution from a member of RSA's Partner program, which is approximately 200 strong. RSA charges a fee for compliance testing.

The only way to break RSA's grip, according to Griffiths, is to come up with a standard where a token from any manufacturer can freely interoperate with the server-side technology from any other manufacturer. The resulting competition drives down the total cost of an authentication infrastructure.

SSL-based VPN appliance provider AEP Systems, whose solutions interoperate with RSA's SecurID tokens, agrees that dealing with multiple token technologies is an added layer of complexity it can do without. According to Rob Lane, AEP product management vice president, "If we only had one specification to develop to that supported a range of tokens, we'd have an easier time. Also, for customers, the resulting choice and competition would result in more cost advantages."

OATH's path to market acceptance won't be a cakewalk. Many companies (including IBM, BEA, HP and Sun) are on board, although RSA and Microsoft have yet to join the new organization. According to Lewis, "[RSA] has not had discussions yet with VeriSign or other OATH members."

Striking a bit of a political balance, Microsoft just inked partnerships with RSA and VeriSign. RSA is integrating SecurID with Windows-based systems and domains and VeriSign is extending Microsoft protocols with security services.

An obstacle to OATH will be compliance certification. One standard part of the success formula for specification-oriented ecosystems like SecurID and Java is that there is a testing regimen in place for certifying compliance, resulting in an official seal of approval.

According to a spokesperson for the new group, testing is on the agenda for the first working group meeting in April, but nothing has been formally worked out. Confirming the importance of testing, Lewis said, "We spent 15 years evolving our partnership program and making sure that the testing was rigorous enough so that SecurID could be used as a ubiquitous authentication technology. A testing program is not something that can be replicated overnight. I think that customers will demand the sort of testing that gives them the confidence that the strong authentication solutions they are buying will work out of the box with their applications."

OATH, like other self-proclaimed standards initiatives, may also have to work around the thorny issue of intellectual property (IP). Although Griffiths claims that the bulk of the specifications that OATH intends to work with are already based on open standards, he admits that some IP issues may need to be worked out.

Increasingly, standards bodies are finding less and less wiggle room to produce specifications that don't run afoul of some existing patent or copyright. More and more, this problem will hound the development of new standards, particularly where significant prior art (the phrase used to describe historical work that may or may not be patented or copyrighted) exists.

Griffiths says OATH's IP policies, which aren't fully worked out yet, will probably provide for tiered levels of membership. Membership in a contributor tier will require that a member's relevant IP be made available on a royalty-free basis, and membership in an "observer" tier will require less of a member.

But even a well-articulated IP policy can go only so far. Just because certain OATH members declare for defensive reasons that they have relevant IP (defensive declarations help prevent lawsuits) doesn't mean there isn't relevant prior art floating around outside of OATH's membership. In other words, nothing prevents a non-member from stepping forward with an infringement claim and submarining an entire specification.

Provided OATH can get past such intellectual property obstacles and its combined membership can attract the attention of enterprise buyers, it just might have a chance, especially when you consider Griffiths' vision of the future.

According to Griffiths, the first OATH standards to work their way out the door (in the first half of 2004) will be for dedicated USB tokens and shortly thereafter, for USB-based hybrid tokens. A dedicated token, like an ATM card, has uniquely identifiable static information that enterprise security infrastructures can depend on for everything from granting corporate network access to deciding which resources the person holding the token has access to and when. Hybrid tokens have the same functionality as the dedicated ones, but also include the ability to generate one-time passwords the way RSA's SecurID token can.

In terms of consumer applications, one-time password tokens are a popular form of security for the online banking sites of many foreign financial institutions. Given that the expense of tokens like RSA's can be an inhibitor to the domestic adoption of such devices, Griffiths is hoping that OATH can drive down the costs. "Imagine if eBay could offer its customers the sort of security that they didn't have before for $2.00 per user," Griffiths said.

Meanwhile, RSA's Lewis argued that the average cost of an RSA SecurID token isn't as prohibitive as Griffiths implied. According to Lewis, "Most of the cost is in managing security, not in acquiring the tokens. If you really wanted to drive the cost of acquisition out, you could just go with usernames and passwords. They cost nothing, right? But you still have the cost of managing and reassigning usernames and passwords. Each help desk call to change a password averages $20. Most of our customers have come to the conclusion that our average cost -- which is $42 -- isn't cost prohibitive."

Given the focus on USB as the form factor for the first generation of OATH-compliant tokens, I asked Griffiths if he thought USB will prevail when compared to other token form factors such as chip-bearing credit cards (like JavaCards). The battle between the two pits what people are used to carrying with them (credit cards) against what technology is prevalent on most computers (USB).

According to Griffiths, "It's rare to find a PC that doesn't have USB, which is why we'll be out with USB first. We'll come out with smart card specifications in the fall. The challenge is that in order for smart cards to be useful, there has to be a card reader connected or integrated into the system for reading the magnetic stripe on the back. Today, that's not the case. But things may be different in five years."

Long term however, Griffiths thinks USB and smart cards will give way to RFID. "Wireless is the way to go," says Griffiths. "It avoids any mechanical problems that arrive from repetitive use. Possibilities include technologies like cell phones and Bluetooth, but the emphasis on low-cost is what makes RFID look so promising."

Griffiths was referring to the per-unit cost of RFID tags, which makes the economics of RFID look so promising. "An RFID chip on a can of soup will be pennies," Griffiths said. "Adding authentication technologies to RFID will raise the cost. But longer term, there's no reason we can't get it down to less than a buck. The biggest challenge will be developing something more sophisticated that handles multiple forms of identification (such as static PKI and single-use password generation)."

Lest anyone think that VeriSign is organizing such an alliance for purely altruistic reasons, the company hopes to use OATH to drive down the cost of authentication by providing it as a managed service to which enterprises can outsource everything from the authentication servers to the distribution and management of tokens. Given VeriSign's aspirations, it's easy to see why it's seeking a standard. For its managed service to succeed, it must easily interoperate with any token technology on the client side, and any directory technology on the server side.

The initial OATH deployment will support Microsoft's Active Directory, and LDAP-flavored directories like Novell's eDirectory won't be far behind. According to Griffiths, in true ASP style, enterprises that choose to outsource their authentication will benefit from the same cost-reducing multi-tenancy that has driven the cost out of CRM for customers of salesforce.com, NetSuite, and RightNow Technologies. "Instead of bearing the cost and the headaches of running their own servers, companies can rely on our infrastructure instead," said Griffiths. "Between use of OATH-compliant products and outsourcing to our managed services, we think we can save companies somewhere between 30 and 40 percent over what they're spending today."

However, details were again lacking when it came to specifics regarding how much VeriSign might charge for such a service, making me wish this announcement spent more time in the oven before being released.

Whenever the opportunity exists to create interoperable standards, the resulting competition can not only unseat the incumbent market leader, it also gives IT buyers enormous leverage and tools with which to lower the total cost of ownership of their infrastructure. That's why I'm a big fan of royalty-free standards and I routinely encourage IT pros to not only select standards-compliant technology, but to demand it of their solution providers. VeriSign is not to be underestimated in terms of the weight it has to throw around in the security business (especially when it has the support of some, if not all, of the industry heavyweights). My fear is, however, that even after the company is done with the 800-pound gorilla act, enough obstacles remain that could ultimately foil OATH, which is why you should keep tabs on the initiative, but not derail any current authentication infrastructure plans until more of OATH's details are worked out.

You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.