RSA Security Inc gave an indication of where the market could be headed yesterday, when it guided financial analysts higher for its just-closed fourth quarter, saying its results, to be announced at the end of the month, are at the top end of expectations.
And the firm, long-time leader of the one-time password authentication market, said that in future quarters it will benefit from a seven-figure consumer banking win inked during Q4. RSA and its rivals, in recent interviews with ComputerWire, are really talking up this space.
The company said it expects revenue for the fourth quarter will come in at between $81m to $82m, compared to previous guidance of $78m to $82m, with earnings per share of between $0.15 and $0.19, the same as it previously guided.
RSA said it signed a $10m deal to sell SecurID keyfob-style OTP tokens to a major consumer bank. The tokens, over a million of them, will roll out to the bank’s customers over the coming year, and will have their revenue recognized over five years, but RSA said it’s a sign of things to come.
The company expects first-quarter revenue to come in a little better than analysts were expecting, at between $81m and $84m, with an additional $3m to $4m coming from its recently acquired Cyota business unit, which offers a lower-value authentication product.
In a conference call with financial analysts, RSA chief executive Art Coviello said that sales were strong in this space without even taking into consideration drivers such as the FFIEC regulations that were imposed upon the US financial services sector during the fourth quarter.
These regulations say that online banking needs to be secured with two-factor authentication by the end of this year. OTP vendors in the US are banking on this being a big sales driver. According to Coviello, however, things are playing out different elsewhere in the world.
The US market seems to be developing different from international market, which again is reinforcing the wisdom of having technology like Cyota’s, he said. The $10m deal is believed to have been inked with a European bank, but RSA is not talking publicly about the client’s identity yet.
Cyota has anti-fraud technology that does not require mass-market users to carry around OTP tokens. Online transaction fraud can be mitigated using server-side risk analysis algorithms, or providing familiar visual reassurance to users during transactions.
For example, according to RSA’s vice president of worldwide marketing John Worrall, consumers could upload a photograph of their dog to their bank’s web site. The picture would be displayed whenever the user is doing something risky, like entering a password, to protect against phishing.
For the banks, the Cyota software can also work at the back-end to score a transaction based on risk. If a user is logging in from an IP address known to be outside their regular geography, it could indicate a third-party fraud attempt, which could prompt the bank to require stronger authentication.
Coviello said that investors should not be too concerned with this lower-end type of authentication eating into its traditional token business, despite the fact that its consumer-oriented products typically have a lower average selling price than its enterprise hardware tokens.
Too much has been made of this ASP thing, he said. He later added: The question at hand . . . is whether or if this will start to cannibalize our success selling tokens, and my response is that this is a totally new market, an incremental green-field market for us.
There’s also a feeling in the industry that the consumer space will not just be driven by regulations. Consumers are increasingly fearful about phishing and fraud, according to vendors.
There’s a concern from banks that their consumers are ready to switch or stop doing online banking because of all the identity theft, all the articles they read about it, their friends getting phished and hacked, Stuart Vaeth, chief security officer of Diversinet Corp said in a recent interview.
According to Vaeth, in Europe, fraud is not so much of a driver, the banks’ cost models are built around that, but the driver from consumer banking clients is the cost savings from having more consumers doing online banking.
While RSA is just starting to make inroads in the consumer space, two of its competitors are already deeply focused on the space. Diversinet mainly offers OTP tokens as software that are supported on Java-enabled phones. Vasco, arguably the leader, offers hardware and software alternatives.
Software has a much lower cost than a hard token, said Vaeth. I’ve heard some banks say there’s no way they will deploy hard token for their consumer banking… it’s not just the cost of the token, it’s the cost of lifecycle management, people lose them, they throw them away.
