(December 7, 2005) In the debate between advocates of software-based authentication and backers of hardware devices, the former are winning, and this week's acquisition of Cyota Inc. by RSA Security Inc. proves it, says PassMark Security LLC. "To have the largest token provider in the world recognize no-hardware, two-factor authentication, it clearly endorses the category [of software-based authentication]," says Mark Goines, chief marketing officer at PassMark. "We consider it validation."

Bedford, Mass.-based RSA, a supplier of devices consumers and businesses use to gain access to networks, announced Monday it was buying Cyota, a New York-based vendor of anti-phishing and other transaction-checking software, for $145 million in a deal expected to close in 30 days. RSA has had some success selling its high-tech tokens, which generate temporary, one-time passwords, to large enterprises but the cost of the devices—at least $20 each—has stymied consumer usage as banks have shied from subsidizing mass distribution. Cyota's software has, among other things, allowed issuing banks to take advantage of so-called 3D Secure authentication technology, such as Visa's Verified by Visa program, to identify buyers of products on the Internet.

PassMark, which introduced its commercial product last year (Digital Transactions News, June 1, 2004), markets a system that allows banks to authenticate online banking users by certain characteristics of the computers they use, such as the IP address. At the same time, the product allows consumers to verify that messages and Web sites presented by banks are legitimate—rather than spoofs produced by fraudsters—by means of a small picture, or PassMark, known only to the consumer and the bank and presented as part of the message or site. Since its founding, PassMark has been a strong advocate of such software-based authentication solutions, since unlike tokens they require little action from consumers. Now, RSA's decision to buy Cyota could signal that even the largest companies are rethinking the case for hardware-based authentication, says Goines. "We think tokens will be replaced with (software) technology," he says.

Certainly, PassMark has begun to make headway. Goines says the company will have 20 million users on its system by the end of the first quarter of 2006. It has installed its software for four clients so far and says it has another 20 implementations under way for other, unnamed customers. By far the largest client is Bank of America Corp., which will account for 14.5 million of those 20 million PassMark users, Goines says, now that the bank has begun to require online-banking customers to enroll in PassMark. Also stimulating discussion, if not yet sales, is a guidance issued in October by the Federal Financial Institution Examination Council that declares single-factor authentication inadequate and requires banks to complete reviews of their online authentication systems by the end of 2006 (Digital Transactions News, Oct. 26). "The FFIEC has put everyone on notice they need to have a plan in place [to move to strong authentication]," Goines says. "We have hundreds of discussions under way."

PassMark charges anywhere from 10 cents per customer per year up to $1 per customer, depending on volume. Pricing is deliberately based on the number of PassMark images stored to encourage usage. Its minimum charge is $50,000 annually, up from $25,000 when the company started. "We've been focusing on the top 50 credit unions and top 50 banks," says Goines.

One of the issues PassMark and other providers of software-based authentication confront is the question of consumer benefit, says Goines. A clear case could be built that banks may benefit by preventing fraud losses, and certainly consumers benefit from that as well. But it's not clear to what extent increased consumer confidence drives online banking usage. "There's not a lot of data on that," says Goines. "But if confidence is a resistance point, that has to be removed."