An anonymous reader writes: However, critics like Moy say that the choice to stick with the old, compromised tokens is less a risk-based decision and more a pragmatic one. "I'm sure there's always going to be customers who are comfortable with that," he says. "It's very hard to rip out the plumbing in your house to put in new plumbing and that's essentially what the identity solution is."
It's a matter of both inertia on the part of RSA customers and what Phil Lieberman, CEO of privileged identity vendor Lieberman Software calls 'incompetence' on the part of RSA's competitors in failing to draw more disillusioned SecureID users in the wake of the breach that has kept things pretty much in stasis despite the severity of the breach.
"It doesn't seem to matter that RSA's tokens have been compromised; nobody is getting off of them, nobody is changing," he says. "The competitors who could potentially make hay on the opportunity simply don't want the business. The concept of making products ubiquitous with off-the-shelf SKUs as RSA has done seems to elude all of the competitors that they have. In a sense, it's somewhat like what happened with Microsoft and Novell. Novell was better, but Microsoft made it easy and they were better at marketing and better at market control."
Nevertheless, the breach may have stirred some organizations that were already squirrelly about the security of one time passwords to look for more secure alternatives. According to Aberdeen Group, the percentage of IT departments planning to deploy PKI smart cards in the next 12 months increased two-fold between December 2010 and May 2011, and the demand for one-time passwords dropped three-fold. The firm's analysts pinned that fluctuating demand curve on the RSA breach.
Even if smart cards are not the multi-factor flavor of choice, and if an organization would prefer to work with OTPs, many within the authentication space say the RSA breach has at least brought the debate to a head as to whether or not it is a good idea to outsource the sensitive seed information fundamental to these tokens to an outside vendor. As the attack on RSA shows, all of that information for every customer can prove a tantalizing target for hackers.
As a representative vendor that provides just such an alternative, allowing organizations to program their own tokens, Stina Ehrensvard of Yubico says she's seen a lot of prospects not only from RSA's customer base but from other organizations that use OTPs from other vendors that also hold onto a big repository of seeds waiting to be stolen.
"They've said the best way to be sure that it is secure and that there isn't a bunch of secrets being stolen from a database is if you control those secrets yourself and program the tokens in-house," says Ehrensvard, CEO and founder of Yubico. "We heard from one Department of Defense contractor that made a security audit of their tokens that were manufactured and programmed in Asia, and it turned out there was a copy of their seeds not only in Asia, but also Europe. They were two databases that they had no control over and weren't sure if they'd already been copied."
