THE AUTHENTICATION SCORECARD
White Paper

The function of independently verifying a user's identity, commonly referred to as authentication, is the essential foundation of trust for any business process. For electronic business processes in particular, authentication establishes trust by proving the identities of the participants in a transaction. Without authentication, after all, how do you know who is on the other end? As the popular cartoon observed a few years ago, "on the Internet, no one knows you're a dog."
TABLE OF CONTENTS

I. WHY FOCUS ON AUTHENTICATION?
   What Drives the Market for Authentication?
   What's Holding It Back?
II. HOW RSA SECURITY CAN HELP: THE AUTHENTICATION SCORECARD
III. THREE MAJOR CATEGORIES, TEN BASIC ATTRIBUTES
   Total Cost of Ownership
   Strategic Fit (Users)
   Strategic Fit (Corporate/System)
IV. DIFFERENT CUSTOMERS = DIFFERENT WEIGHTS
V. THE NEXT STEP: A QUANTITATIVE APPROACH
VI. SUMMARY

APPENDICES
A. Passwords
B. RSA SecurID Hardware Tokens
C. RSA SecurID Software Tokens
D. RSA Digital Certificates
E. RSA Smart Cards
I. WHY FOCUS ON AUTHENTICATION?

Increasingly, organizations are recognizing and leveraging authentication as the foundation for other critical services as well. Based on trust in the authenticated identity of a user, device, application, group or organization, we can then implement additional services such as:

- Presentation/Personalization: by customizing what the user sees based on their authenticated and trusted identity, we can define and enhance relationships through the quality of the user experience.
- Authorization/Access Management: based on business policies that define the relationships between authenticated users and information, we can authorize and control access to applications and services.
- Audit: the ability to know reliably who did what, where and when is the basis for complying with regulations and business policy regarding liability and assurance for transactions.

In addition, authentication is at the core of Identity and Access Management, the current industry term for the process of creating, distributing, managing and revoking online credentials over their lifetime.
What Drives the Market for Authentication?

The leading drivers for authentication technologies can be grouped into three high-level categories. First, there is no argument about the reality or impact of the trend towards expanding access to information through the ever-increasing numbers of mobile workers and telecommuters and the extension of the enterprise network to customers and business partners. The need for portable authentication credentials is increasing, simultaneously with an exponential increase in the size and complexity of our networks.
RSA Security Inc.
Second, the volume of sensitive and high-value information accessed remotely continues to rise, and where there is value there are people who will try to obtain it. This is sometimes called the "Willie Sutton effect": Willie Sutton was a famous bank robber of the 1930s who, when asked why he robbed banks, reportedly answered "because that's where the money is." Reports and statistics abound of the high levels of compromise and theft of information, and there is a steadily growing awareness of the need for stronger information security.

The third high-level driver for authentication technologies can be referred to as "the problem with passwords." Passwords have always been recognized as providing relatively weak security, but the proliferation of passwords has become unmanageable for end-users and administrators alike, and the authentication method once naively viewed as "free" is actually surprisingly expensive in terms of ongoing management and support costs.
What's Holding It Back?

The market drivers listed above are compelling, so what, if anything, is holding the market for authentication technologies back?

Cost is certainly a consideration: acquisition costs, deployment costs and the perception (albeit not necessarily the reality, especially when compared to passwords) of additional administrative burden. Where physical devices are used for authentication (e.g., smart cards, tokens, biometric devices), some people also have concerns about the cost or inconvenience of lost, forgotten, broken or stolen authenticators.

Deployability is sometimes a factor: for example, the slow growth of the installed base of smart card readers; the challenge of implementing solutions that require software to be installed on every end-user system; the lack of interoperability with existing systems; and general concerns about scalability to tens of thousands, hundreds of thousands or millions of users.

Finally, there is often the reality of a short-term focus on other business objectives, where stronger security takes a back seat to priorities such as time-to-market. Business justification can be difficult, especially where security awareness is lacking, and it is an understatement to note that the return on investment for authentication technologies can be hard to quantify.
II. HOW RSA SECURITY CAN HELP: THE AUTHENTICATION SCORECARD

Which brings us to the motivation for this paper. As the longtime market leader in strong authentication technology, RSA Security finds that its customers and prospects ask three particular questions on a recurring basis:

- Which authentication solution should I use?
- What is the business value from my authentication investment?
- What criteria should I use to select an authentication vendor?

This paper specifically addresses the first question, by providing a consistent, structured framework and a corresponding tool, the Authentication Scorecard, that will help organizations to understand, evaluate and select the most appropriate authentication technology from amongst a wide selection of alternatives. (Note: for the other two questions, additional information on a practical business justification/ROI model and general vendor selection criteria is available on the RSA Security web site at www.rsasecurity.com.)
Why an authentication scorecard? In light of expanding access, the increasing value of information and the problem with passwords (not to mention the numerous authentication technologies already available and ongoing technical innovation), companies are frequently re-evaluating their authentication strategies. But with so many authentication alternatives available, how can they objectively be positioned? Vendors who sell a single authentication technology may not be the most objective source of information, for as the saying goes, "when all you have is a hammer, everything looks like a nail."

Of particular challenge is the fact that the market buzz about certain authentication technologies does not always equate to the market realities of how widely those technologies are actually deployed. Biometrics, for example, currently enjoy a hugely disproportionate share of press coverage relative to their actual deployment. "The Year of the ______" is another readily recognized element of the high-tech hype cycle, and we have sometimes seen headlines of both "______ is Dead" and "______ Rules" in close succession from the same industry analyst or trade journal. It sells papers, but doesn't necessarily bring us closer to making sense of it all.

Vendors, who quite naturally emphasize only the strongest aspects of their particular solutions, tend to exacerbate the problem by creating (either directly or indirectly) apples-and-oranges comparisons between various authentication technologies. For example, how can one objectively compare the multi-purpose value proposition of a smart badging solution (i.e., combining photo ID, building access, network/application access and stored value on a single physical device) with the low-cost, zero-footprint, zero-deployment value proposition of a one-time passcode?
At RSA Security, our belief is that there will be no one silver bullet for all authentication problems, no single technology or approach that will optimally address all scenarios, no universal solution that will meet all requirements. On the contrary, there will continue to be a rich diversity of authentication technologies: different strokes for different folks, and vive la différence. As a result, we develop, sell and support solutions designed to work with a range of authentication technologies, from traditional time-synchronous tokens, to digital certificates, to smart cards and USB tokens, to virtual credentials and virtual containers, and even passwords. What we need, therefore, is a consistent, structured framework that will help organizations to understand, evaluate and select the most appropriate authentication technology from amongst a wide selection of alternatives. What we need is an Authentication Scorecard.
III. THREE MAJOR CATEGORIES, TEN BASIC ATTRIBUTES

Ask an old security guy about this dilemma and he is likely to say that all authentication solutions are a trade-off between three variables: Security, Cost and Convenience. For example, you can have more security, but at higher cost and lower convenience, and assorted other combinations. (Note: the old engineering guys sometimes use a similar tri-part formula involving Functionality, Cost and Time-to-Market and the phrase "pick any two," but that's a topic for another paper.) The Authentication Scorecard is in some ways a contemporary version of this old idea, an updated and expanded framework that reflects not only RSA Security's years of experience and market leadership in strong authentication technology, but also the additional structure and detail required to make an apples-to-apples, rather than apples-to-oranges, comparison of various authentication technologies.
In the Authentication Scorecard framework, there are three high-level categories, each of which can be broken down slightly further for a total of ten basic attributes. Any authentication technology can be compared, in a consistent, apples-to-apples manner, using this simple framework. The following table outlines the Authentication Scorecard framework, including a series of basic questions that can be used to compare and contrast various authentication alternatives. The Appendices then use this framework to give an objective assessment of several specific authentication solutions (most of which are offered by RSA Security; using the framework for other solutions is left as an exercise for the reader).
Table 1. A Consistent, Structured Framework

Total Cost of Ownership
  Acquisition Cost: What are the initial acquisition costs? Include all additional hardware, software, servers, readers, services, etc. associated with acquiring the authentication solution.
  Deployment Cost: What are the costs to deploy the authentication solution? This includes the distribution of any necessary hardware or software; ease of installation; ease of setup and configuration; training of end-users; etc.
  Operating Cost: What are the ongoing operating costs? This may include costs for replacement (e.g., expired/lost/stolen/broken) authentication devices; ongoing management; upgrades; vendor support; help desk support; etc.

Strategic Fit (Users)
  Convenience/Ease of Use: What kinds of end-user population(s) will be supported? How easy is it for end-users to learn how to use the authentication method? How convenient is it for end-users to use the authentication method, day in and day out?
  Portability: How portable is the authentication method? Can it reliably be used to gain access from multiple locations (office, home, airport, hotel, kiosk, etc.)?
  Multi-Purpose: Can the authentication method be used for more than one purpose (e.g., network access, physical access, application access, photo ID badge, electronic signature, stored value)? Does the authentication method leverage a device that is itself used for multiple purposes (e.g., PC, PDA, phone)?

Strategic Fit (Corporate/System)
  Relative Security: How strong is the authentication? How secure is the implementation? Is it adequate for the information being protected? Does it meet regulatory requirements (if any) for the protection of information?
  Interoperability/Back-end Integration: Does the authentication solution work natively with multiple products? Does it work only with the installation of additional software? How easy is it to integrate with back-end resources or applications? What resources and applications need to be supported?
  Robustness/Scale: Does the authentication solution scale to the degree required now? Three years from now?
  Future Flexibility: What future options may be available from the selection of this authentication solution (whether you currently intend to use them or not)? What future options might be of interest?
Total Cost of Ownership

Cost is a critical consideration, but we need to consider all the elements of cost; too often, the focus is on acquisition cost alone. For example, passwords are "free" in terms of acquisition cost, but they are surprisingly expensive in terms of ongoing management and support costs.

Fortunately, the total cost of ownership can be reasonably well quantified. Using the questions in Table 1 as a starting point, one could readily estimate costs based on the simple 3x4 matrix in Table 2.
Strategic Fit (Users)

Depending on the specific user populations under consideration (employees, business partners, customers and various sub-segments of each), the requirements for convenience and ease of use may vary.

Portability will also vary by user population and is often tightly linked to cost. For example, solutions that require the installation and support of client-side software are generally more costly and may also limit portability (are all the required readers, software, drivers, cables, etc. available at work? At home? At the airport? In the hotel? From a kiosk?). Portability can be a factor in other ways as well: solutions that send one-time passcodes to a mobile device (phone, pager, etc.) are extremely portable, provided that the end-user is in a coverage area for the text-delivery service.

Some authentication solutions are based on single-purpose devices; authentication is all they do. Other solutions feature a multi-purpose value proposition, in one of two ways: first, a solution might combine multiple functions in a single device (e.g., photo ID, building access, network credentials and stored value); second, it might be based on a device that the end-user already uses for other purposes (e.g., a phone, pager or personal digital assistant).
Strategic Fit (Corporate/System)

The matters of relative security, interoperability/back-end integration and robustness/scale are relatively straightforward based on the questions in Table 1 and the solution-specific examples provided in the Appendices, but a few additional comments are in order on the topic of future flexibility.

Future flexibility is like having an option. Options have real value today, not because you use them today but because they represent something that you could take advantage of sometime in the future. Of course, some options are never exercised, but having options definitely gives you a degree of future flexibility. It is possible to quantify the value of options (e.g., using the widely accepted Black-Scholes option pricing model), but for the purposes of this paper we will stick with a qualitative perspective on the element of future flexibility.

One example of future flexibility can be found when considering digital certificates, a solution which might be used today for user authentication and which has the potential to be leveraged in the future for encryption and for digital signing. Another example might be a system that today is used for user authentication within the enterprise but which has the capability to issue assertions about identity and other user attributes that can be consumed and acted upon outside the enterprise, perhaps by a business partner. Whether or not we have firm plans to use these additional capabilities, the option to use them exists, and that provides a degree of future flexibility.
Table 2. Total Cost of Ownership Matrix

Cost element             | Products/Technologies | People | Process | Plant/Facilities
-------------------------|-----------------------|--------|---------|-----------------
Acquisition Cost         |                       |        |         |
Deployment Cost          |                       |        |         |
Ongoing Management Cost  |                       |        |         |
IV. DIFFERENT CUSTOMERS = DIFFERENT WEIGHTS

In Part III, we introduced a consistent, structured framework that will help you understand, evaluate and compare a wide range of alternative authentication technologies. This is necessary, but not sufficient. In this part, what we need to do is help you to select the most appropriate authentication technology for your users, your applications, your company and your industry.

In other words, context is crucial. Different customers have different needs! Organization A may value portability, high security and integration above all other requirements, while Organization B may value multi-purpose use, good security and future flexibility. Organizations A and B can both use the same Authentication Scorecard to understand, evaluate and compare various authentication alternatives, but they apply different weights to the ten basic attributes, and are therefore likely to select different authentication solutions. One size does not fit all!
Example 1: Large Financial Services Company

Background
- Aggressive growth through acquisition created security and integration challenges
- Tens of thousands of users, both employees and customers
- Employees require remote access via VPN
- High-value customers require access to banking services
- Many disparate remote dial-in solutions
- Different security methods and policies with unique support and training needs

Authentication Solution Considerations (in order of importance)
- Strong security: high-value transactions; auditing capability
- End-user considerations: ease of use; flexible access methods; highly portable credentials
- Total cost of ownership
- System integration and interoperability
- Scale

Selected Authentication Solution
- RSA SecurID hardware tokens

Example 2: Major Insurance Company

Background
- Major health insurance provider
- Needed to comply with state and federal privacy laws (e.g., HIPAA)
- Required to protect patient and customer information while giving authorized access to its network of agents
- Thousands of agents and growing
- Desire to leverage web access and reduce dial-up expenses
- Planning to deploy a digital forms-signing application in the future

Authentication Solution Considerations (in order of importance)
- Scalable, low-cost solution
- Strong(er) security (compared to passwords): comply with HIPAA regulations; relatively low-value transactions
- Future flexibility: forms signing
- System interoperability and integration: method must support a VPN solution; access to web-based and legacy applications
- Multi-purpose: authentication and digital signing
- Ease of use

Selected Authentication Solution
- Digital certificates with RSA Certificate Management
V. THE NEXT STEP: A QUANTITATIVE APPROACH

The qualitative approach to the Authentication Scorecard outlined above is useful and highly illustrative, but many customers ask us if there is a more quantitative approach. The answer is yes: RSA Security has developed a more quantitative model based on the general approach outlined in Table 3.

First, each authentication solution under consideration is given a numerical score between 1 and 10 for each of the ten basic attributes of the Authentication Scorecard. Higher scores are better in every category, including the cost categories: a score of 8 means better security than a score of 3, and a score of 8 means lower cost than a score of 6. If a particular solution got numerical scores of 10 for all ten categories, the maximum sum of all scores would be 100 (however, such a solution does not currently exist!). These scores are admittedly somewhat subjective, and one could easily debate whether a particular solution should have received a 6 or a 7 in a given category. Others will argue for more significant digits. All these things are possible, but for the purposes of this paper we are striving to keep it simple. See the spider charts for each solution in the Appendices for the numerical scores that represent the best judgment of the product management team at RSA Security.

Next, based on discussion and information about your user population(s), application(s), company and industry-specific considerations, a percentage weight must be assigned to each of the ten basic attributes of the Authentication Scorecard. Higher values indicate higher weights, and all weights must add up to exactly 100%. This last part is critical; it forces the relative ranking of the ten basic attributes against one another, which is required for the quantitative approach. For example, if you cared about relative security above all else, you would assign 100% to that attribute and therefore 0% to everything else. Most companies have a balance amongst several attributes, however, and would therefore need to spread the 100% around the various elements, giving more weight or less weight to individual elements to reflect their user-specific, application-specific, company-specific and industry-specific preferences and priorities. In our experience, this part of the exercise has proven to evoke some of the most interesting and ultimately highly useful internal discussions at our customers and prospects!
Table 3. A Quantitative Approach to Selection

Solution Attribute            | Customer-Specific Weight | Solution-Specific Value
------------------------------|--------------------------|------------------------
Acquisition Cost              | %                        | 1-10
Deployment Cost               | %                        | 1-10
Ongoing Management Cost       | %                        | 1-10
Convenience/Ease of Use       | %                        | 1-10
Portability                   | %                        | 1-10
Multi-Purpose                 | %                        | 1-10
Relative Security             | %                        | 1-10
Interoperability/Integration  | %                        | 1-10
Robustness/Scale              | %                        | 1-10
Future Flexibility            | %                        | 1-10
------------------------------|--------------------------|------------------------
                              | Sum = 100%               | Sum <= 100
Score X =
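The weighted-scoring step that Table 3 and the two paragraphs above describe, worked through as code. This is an added example and not RSA Security's interactive spreadsheet or model. It assumes the score is the sum over the ten attributes of (customer weight in percent multiplied by the solution's 1-10 value), divided by 100 to land back on the 1-10 scale, and it enforces the two rules the text states: every value is an integer from 1 to 10 with higher always better, and the ten weights sum to exactly 100%. The attribute scores for the three generic solution types and the weights for "Organization A" and "Organization B" are constructed to echo the priorities listed in Part IV; they are not the RSA product-management scores shown in the Appendix spider charts.

```python
# Added example: the Table 3 weighted-scoring model as code.
# Not RSA Security's own spreadsheet; the weights and 1-10 scores below are
# constructed for illustration, not RSA product-management figures.

ATTRIBUTES = (
    "Acquisition Cost",
    "Deployment Cost",
    "Ongoing Management Cost",
    "Convenience/Ease of Use",
    "Portability",
    "Multi-Purpose",
    "Relative Security",
    "Interoperability/Integration",
    "Robustness/Scale",
    "Future Flexibility",
)


def weights_from(nonzero):
    """Expand the attributes a customer cares about into a full weight set;
    every attribute not mentioned gets 0%."""
    return {a: nonzero.get(a, 0) for a in ATTRIBUTES}


def check_weights(weights):
    """List the ways a weight set breaks the Table 3 rules (empty list = valid):
    one percentage per attribute, each 0..100, all ten summing to exactly 100."""
    problems = []
    missing = [a for a in ATTRIBUTES if a not in weights]
    unknown = [a for a in weights if a not in ATTRIBUTES]
    if missing:
        problems.append(f"missing weights for {missing}")
    if unknown:
        problems.append(f"unknown attributes {unknown}")
    out_of_range = [a for a, w in weights.items() if not 0 <= w <= 100]
    if out_of_range:
        problems.append(f"weights outside 0..100 for {out_of_range}")
    total = sum(weights.values())
    if total != 100:
        problems.append(f"weights sum to {total}, not 100")
    return problems


def check_values(values):
    """List the ways a solution's attribute scores break the rules
    (empty list = valid): every attribute scored, each an integer 1..10,
    with higher always better (so a cost score of 8 means cheaper than 6)."""
    problems = []
    missing = [a for a in ATTRIBUTES if a not in values]
    if missing:
        problems.append(f"missing values for {missing}")
    out_of_range = [a for a, v in values.items()
                    if a in ATTRIBUTES and not (isinstance(v, int) and 1 <= v <= 10)]
    if out_of_range:
        problems.append(f"values outside 1..10 for {out_of_range}")
    return problems


def weighted_total(weights, values):
    """Sum of weight(%) x value over the ten attributes: an integer 0..1000."""
    problems = check_weights(weights) + check_values(values)
    if problems:
        raise ValueError("; ".join(problems))
    return sum(weights[a] * values[a] for a in ATTRIBUTES)


def score(weights, values):
    """Scorecard score on the 1..10 scale (weighted_total / 100)."""
    return weighted_total(weights, values) / 100


def rank(weights, candidates):
    """Order candidate solutions {name: values} for one customer's weights,
    best first, as (name, score) pairs."""
    ordered = sorted(candidates, key=lambda n: weighted_total(weights, candidates[n]),
                     reverse=True)
    return [(n, score(weights, candidates[n])) for n in ordered]


# Constructed 1-10 scores for three generic solution types (illustration only).
CANDIDATES = {
    "Password":       dict(zip(ATTRIBUTES, (10, 9, 3, 4, 10, 1, 1, 5, 2, 1))),
    "Hardware token": dict(zip(ATTRIBUTES, (5, 7, 7, 8, 9, 3, 9, 8, 9, 6))),
    "Smart card":     dict(zip(ATTRIBUTES, (3, 3, 5, 6, 3, 10, 9, 5, 7, 9))),
}

# Constructed weights echoing Part IV: A wants portability, high security and
# integration; B wants multi-purpose use, good security and future flexibility.
ORG_A_WEIGHTS = weights_from({"Portability": 30, "Relative Security": 40,
                              "Interoperability/Integration": 30})
ORG_B_WEIGHTS = weights_from({"Multi-Purpose": 40, "Relative Security": 25,
                              "Future Flexibility": 35})

if __name__ == "__main__":
    for org, weights in (("Organization A", ORG_A_WEIGHTS),
                         ("Organization B", ORG_B_WEIGHTS)):
        print(org)
        for name, s in rank(weights, CANDIDATES):
            print(f"  {name:<15} {s:5.2f}")
```

With the attribute scores held fixed and only the weights changed, Organization A's ranking puts the hardware token first (8.70) and Organization B's puts the smart card first (9.40), which is the "one size does not fit all" point of Part IV in numbers. The `check_weights` step is the one to keep: a weight set that sums to 90% or 110% silently rescales every score and makes two customers' results incomparable.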
For additional information about an interactive Authentication Scorecard spreadsheet, contact your RSA Security sales representative or authorized RSA Security Channel Partner (sales partners may be found at http://partnerfinder.rsasecurity.com/). Based on our experience in using this tool, we have found that it is most effective when someone who is familiar with it guides its initial use, after which it makes an excellent tool for ongoing evaluation, discussion and narrowing down of specific authentication solutions.
VI. SUMMARY

Which authentication technology should I use? RSA Security is addressing this recurring question by providing a consistent, structured framework and a corresponding tool, the Authentication Scorecard, that will help organizations to understand, evaluate and select the most appropriate authentication technology from amongst a wide selection of alternatives. We have been using it successfully to help our customers and prospects make sense of the many available options in a consistent, structured, apples-to-apples framework, and ultimately to narrow the selection to authentication solutions that strike the ideal balance amongst multiple objectives. Additional information and quantitative tools on this important topic are readily available. We invite you to talk to the experts at RSA Security and its authorized Channel Partners to take the next step on your road to authentication!

Appendices
A. Passwords
B. RSA SecurID Hardware Tokens
C. RSA SecurID Software Tokens
D. RSA Digital Certificates
E. RSA Smart Cards

For Authentication Scorecards on additional authentication technologies, contact your RSA Security sales representative or channel partner, or check the RSA Security web site at www.rsasecurity.com.
APPENDIX A: PASSWORDS

Total Cost of Ownership Considerations

Cost of Acquisition
- Passwords are "free," i.e., there are no acquisition costs, but they are surprisingly expensive once deployment and management costs are considered.

Cost of Deployment
- No hardware or software to deploy.

Cost of Management
- Password-related Help Desk calls estimated at 3.8 per user per year.
- Cost per call, including lost wages and productivity, approximately $58.
- Absence of centralized administration requires multiple data sources to be updated and maintained independently.

Strategic Fit: User Considerations

Convenience and Ease of Use
- Users are typically required to remember multiple passwords.
- Passwords that are easy to remember compromise good security.
- Users tend to re-use the same password for multiple systems, which compromises good security.
- Good security practice dictates nonsense passwords, unique passwords and frequent changes; these are hard to remember, so end-users write them down and compromise good security.
- Frequent calls to the Help Desk for password resets add to both end-user dissatisfaction and high management cost.

Portability
- Works anywhere.

Multi-Purpose
- Has only one purpose.

Strategic Fit: Corporate Considerations

Relative Security
- Very weak form of security.
- Easily guessed.
- Prone to shoulder surfing.
- Easily captured as they traverse the network.
- The user is not aware when a password is stolen.
- Passwords stored on the server are vulnerable to readily available password-cracking tools.
- Trojan horses installed on desktops can capture keystrokes and deliver them to an attacker.
- Users tend to re-use the same password for multiple systems.
- Users write down their passwords and frequently lose the paper.
- No logging or reporting functionality is provided, therefore no user accountability.
- No centralized administration; vulnerable to security holes as new devices, applications and communication methods are added and users are added, deleted or change roles.
- No role-based access capability.

Interoperability and Integration
- Requires password management for each resource protected.

Robustness and Scalability
- Does not provide for replication.
- Does not provide fail-over capability.
- No embedded disaster recovery.
- No centralized administration capability.

Future Flexibility
- No accommodation for future use of smart cards or other stronger forms of authentication.
- No support for future use of electronic signatures.
Vendor Selection Considerations (Passwords)

Total Cost of Ownership: See Total Cost of Ownership Considerations above.
Functionality: See Strategic Fit Considerations above.
Technical Architecture: Application vendors apply their technical expertise to the product, not the password management system. They are not experts in user authentication.
Vision: Does not apply. Password management is a side feature of the resource being protected.
Financial Viability: Viability of the vendor varies depending on the resource being protected.
Trustworthiness: Multiple vendors to rely on, based on the resources being protected.
Service & Support: Application vendors apply their technical expertise to the product, not the password management system. They are not experts in user authentication.
[Figure: Authentication Scorecard spider chart for UserID/Password, scored 0-10 on each of the ten attributes (Acquisition Costs, Deployment Costs, Ongoing Management Costs, Convenience/Ease of Use, Portability, Multi-Purpose, Relative Strength, Interoperability/Integration, Robustness/Scale, Future Flexibility). Source: RSA Security product management.]
APPENDIX B: RSA SECURID HARDWARE TOKENS

Total Cost of Ownership Considerations

Cost of Acquisition
- More expensive than passwords.
- Less expensive than smart cards (which include the additional cost of required card readers and middleware).
- Less expensive than biometric devices (which include the additional cost of required devices and enabling software).

Cost of Deployment
- Requires distribution of the hardware token only; there is no need to deploy software, drivers, readers or cables.
- Lower deployment costs than solutions with client-side software (such as smart cards or biometrics) that must be deployed on every end-user desktop.
- RSA Authentication Deployment Manager (bundled at no extra charge with RSA Authentication Manager Enterprise Edition) can significantly lower the cost of deployment.

Cost of Management
- Reduced password-related Help Desk calls can significantly lower ongoing operating costs compared to passwords (for a detailed comparison, see the white paper titled "Authentication Scorecard: Passwords vs. RSA SecurID").
- Centralized administration in RSA Authentication Manager software eliminates the need to manage multiple data stores.
Strategic Fit: User Considerations

Convenience and Ease of Use
- The token passcode eliminates the need for users to remember multiple passwords.
- Easy to use: just enter the displayed code.
- Most end-users are already familiar with the concept of combining a PIN with a device (the token).
- Always-on device.

Portability
- Works anywhere; a zero-footprint solution.
- Small size fits in your pocket.

Multi-Purpose
- Single function: generates a new passcode every 60 seconds.
- A single hardware token can serve as the means of access for multiple resources; the RSA Secured SecurID Ready program has certified interoperability for over 295 applications and products from over 195 partners, ranging from remote access to VPN to web-based applications to Wireless LAN.
Strategic Fit: Corporate Considerations

Relative Security
- Two-factor authentication (a PIN plus the token) results in a very strong form of security.
- Passcodes are generated dynamically and are far less vulnerable to cracking tools.
- Because the passcode changes every 60 seconds, a passcode captured by shoulder surfing or by a Trojan horse is useless once its window expires; the residual exposure is a capture replayed within that same window.
- Passcodes cannot be guessed or predicted.
- Users are aware when a token is stolen or lost.
- Token codes observed in network transmission cannot easily be exploited, since each expires within the minute.
- Improves security by eliminating the need to write down passwords.
- RSA Authentication Manager software provides logging and reporting functionality for greater end-user accountability.
- Centralized administration eliminates security holes as new devices, applications and communication methods are added and users are added, deleted or change roles.
- Provides role-based access control.

Robustness and Scalability
- Replication, failover capability and disaster recovery features ensure high availability.
- 1 Master and up to 10 Replicas per Realm, for up to 6 Realms.
- RSA Authentication Manager is engineered to scale to hundreds of thousands of users.

Interoperability and Integration
- Interoperable with over 295 certified applications and products from over 195 partners.
- Unlike competitive partner programs, RSA Secured SecurID Ready partner products undergo extensive testing and documentation before being certified.

Future Flexibility
- Can be used to provide secure access to digital certificates.
- RSA SecurID authentication has added value over many years across constantly evolving technologies, from dial-up to web to VPN to Wireless LAN.
- The RSA Secured SecurID Ready partner program helps ensure continued access to new solutions.
AUTHENTICATION SCORECARD
APPENDIX B: RSA SECURID HARDWARE TOKENS
11 RSA Security Inc.
Vendor Selection Considerations
Total Cost of Ownership
- See Total Cost of Ownership Considerations above.
Functionality
- See Strategic Fit Considerations above.
Technical Architecture
- RSA Authentication Manager software provides:
  - Ability for replication.
  - Automatic fail-over capability.
  - Disaster recovery, including easy promotion of replicas.
  - Capability for centralized administration.
  - Interoperability with existing data repositories, including LDAP.
Vision
- Nearly 20 years of leadership and experience in e-security.
- Leader in standards initiatives such as Liberty Alliance, PKCS, PKI Forum, OASIS and Identity Management solutions.
- World-renowned RSA Laboratories.
Financial Viability
- Global company with more than 15,000 customers.
- 2003 revenues of $250M.
- Industry leader with more than 72% market share for strong authentication.
Trustworthiness
- RSA Security is already trusted by 82% of the Fortune 100 and 88% of the world's top 50 banks.
- Approximately one billion RSA BSAFE-enabled applications.
- Over 14 million RSA SecurID authenticators installed.
Service & Support
- World-class support and professional services organizations.
- 24x7 Follow the Sun telephone support.
Total Cost of Ownership Considerations
Cost of Acquisition
- More expensive than passwords.
- Less expensive than hardware tokens.
- Less expensive than biometric devices (which include additional cost for required devices and software).
Cost of Deployment
- Requires installation of the RSA SecurID Software Token application software and token seed record(s) onto the client platform.
- No hardware deployment necessary.
- Lower deployment costs than solutions requiring the use of device drivers (such as smart cards or biometrics).
- Web-based downloadable applications enable deployment of client-side software without touching every end-user system.
- RSA Authentication Deployment Manager (bundled with the RSA Authentication Manager Enterprise Edition license) can significantly lower deployment costs.
Cost of Management
- Reduced password-related calls to the Help Desk can significantly lower ongoing costs (for a detailed comparison, see the white paper titled Authentication Scorecard: Passwords vs. RSA SecurID).
- Centralized administration in RSA ACE/Server software eliminates the need to manage multiple data stores.
Strategic Fit: User Considerations
Convenience and Ease of Use
- Token passcode eliminates the need for users to remember multiple passwords.
- Easy to use: just enter the displayed code.
- Most end users are already familiar with the concept of combining a PIN and a device (the token).
- Designed for easy integration with other client applications, allowing a seamless extra layer of security on client workstations or other trusted computing devices.
Portability
- RSA SecurID Software Token versions for Palm hand-helds, Pocket PC devices, RIM/Blackberry devices, WAP phones and Microsoft Windows workstations enable a wide range of portable computing platforms to function as portable RSA SecurID token passcode generators.
Multi-Purpose
- RSA SecurID Software Tokens perform a single function: generating token codes every 60 seconds.
- RSA SecurID Software Tokens are designed to work on host devices that perform multiple functions, such as PDAs or smart phones.
- RSA SecurID Software Tokens integrate directly with client applications on host devices, or with over 295 back-end applications from over 195 vendors through the RSA Secured partner program.
Strategic Fit: Corporate Considerations
Relative Security
- Two-factor authentication results in a very strong form of security.
- PINPad operation encrypts a PIN together with the token code, minimizing threats from keyboard or network sniffing.
- Passcodes are generated dynamically and are less vulnerable to cracking tools.
- Passcode changes every 60 seconds, eliminating the threat of visual theft of passcodes and Trojan horse threats.
- Randomly generated token codes cannot be guessed or predicted.
- Network transmission of token codes cannot be easily detected.
- RSA Authentication Manager software provides logging and reporting functionality for greater end-user accountability.
- Centralized administration eliminates security holes as new devices, applications and communication methods are added and users are added, deleted or change roles.
- Provides role-based access control.
Robustness and Scalability
- Replication, fail-over capability and disaster recovery features ensure high availability.
- RSA Authentication Manager software is designed to scale to hundreds of thousands of users.
Interoperability and Integration
- SDK available for client-side application integration.
- Login Automation function automates dialer-based remote access.
- PC version offers silent migration to facilitate version upgrades.
- Interoperable with over 295 certified applications and products from over 195 Partners.
- Unlike some competitive partner programs, RSA Secured SecurID Ready Partner products undergo extensive testing and documentation before being certified.
Future Flexibility
- RSA SecurID Software Token products are steadily expanding to cover the increasing variations of portable devices.
- RSA Security is working with device vendors to embed or bundle software into host platforms, to enable native RSA SecurID operations.
- RSA SecurID Software Token seed provisioning via RSA Authentication Deployment Manager saves time and increases convenience for setting up tokens on host systems.
- RSA SecurID authentication can be used to provide secure access to digital certificates.
- RSA SecurID authentication has evolved from dial-up to web to VPN to Wireless LAN.
- RSA Secured SecurID Ready partner program helps ensure continued access to new solutions.
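The Relative Security rows for both hardware tokens (Appendix B) and software tokens (Appendix C) above rest on the 60-second passcode rotation and the PIN-plus-device model; as an added example that is not RSA's code, here is a server-side verifier for such a passcode. It assumes RFC 6238 TOTP as a stand-in for the proprietary SecurID algorithm, which the page does not describe, and the seed, PIN and timestamps are constructed sample values.

```python
"""Server-side check of a time-synchronized PIN + token-code passcode.

Added illustration, not RSA code. RFC 6238 TOTP (HMAC-SHA1) with a
60-second step stands in for the proprietary SecurID algorithm, which
the page does not describe. Seeds, PINs and timestamps are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page's 60-second code interval
DRIFT_STEPS = 1     # tolerate one step of clock drift either side
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time (stand-in algorithm)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class TokenVerifier:
    """Holds each user's seed and PIN; accepts any time step at most once."""

    def __init__(self) -> None:
        self._users = {}       # user -> (seed, pin)
        self._last_step = {}   # user -> time step of the last accepted code

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._users[user] = (seed, pin)
        self._last_step[user] = -1

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """True only for a correct PIN and a fresh code inside the drift window."""
        if user not in self._users:
            return False
        seed, pin = self._users[user]
        supplied_pin = passcode[:len(pin)].encode()       # something you know
        code = passcode[len(pin):].encode()               # something you have
        if not hmac.compare_digest(supplied_pin, pin.encode()):
            return False
        current = now // STEP_SECONDS
        # Try the current step first, then the nearest drift steps.
        for delta in sorted(range(-DRIFT_STEPS, DRIFT_STEPS + 1), key=abs):
            step = current + delta
            if step <= self._last_step[user]:
                continue   # step already consumed: a repeat inside the window is refused
            expected = token_code(seed, step * STEP_SECONDS).encode()
            if hmac.compare_digest(code, expected):
                self._last_step[user] = step
                return True
        return False
```

The single-use bookkeeping is what makes the 60-second rotation effective: a code stays valid until its step expires, so the verifier must refuse a step it has already accepted rather than rely on rotation alone.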
APPENDIX C: RSA SECURID SOFTWARE TOKENS
Vendor Selection Considerations
Total Cost of Ownership
- See Total Cost of Ownership Considerations above.
Functionality
- See Strategic Fit Considerations above.
Technical Architecture
- RSA Authentication Manager software provides:
  - Ability for replication.
  - Automatic fail-over capability.
  - Disaster recovery, including easy promotion of replicas.
  - Capability for centralized administration.
  - Interoperability with existing data repositories, including LDAP.
Vision
- Nearly 20 years of leadership and experience in e-security.
- Leader in standards initiatives such as Liberty Alliance, PKCS, PKI Forum, OASIS and Identity Management solutions.
- World-renowned RSA Laboratories.
Financial Viability
- Global company with more than 15,000 customers.
- 2003 revenues of $250M.
- Industry leader with more than 72% market share for strong authentication.
Trustworthiness
- RSA Security is already trusted by 82% of the Fortune 100 and 88% of the world's top 50 banks.
- Approximately one billion RSA BSAFE-enabled applications.
- Over 14 million RSA SecurID authenticators sold.
Service & Support
- World-class support and professional services organizations.
- 24x7 Follow the Sun telephone support.
[Figure: Authentication Scorecard chart for RSA SecurID Software Tokens, scoring each of the ten attributes on a 0 to 10 scale: Acquisition Costs, Deployment Costs, Ongoing Management Costs, Convenience/Ease of Use, Portability, Multi-Purpose, Relative Strength, Interoperability/Integration, Robustness/Scale, Future Flexibility. Source: RSA Security product management.]
Total Cost of Ownership Considerations
Cost of Acquisition
- Per-user costs start at a high of $30 per user for low volumes of users.
- The only renewal cost is maintenance (excluding web SSL certificates).
Cost of Deployment
- The RSA Digital Certificate OneStep easy-to-use enrollment process minimizes the burden of deployment for information technology administrators.
- Web-based deployment of certificates is designed to enable quick, easy and cost-efficient deployment.
Cost of Management
- Suspension and revocation of digital certificates is easily and centrally controlled. This means that digital certificates can be managed without physically accessing the certificate.
- Real-time Online Certificate Status Protocol (OCSP) ensures instant certificate status checking.
Strategic Fit: User Considerations
Convenience and Ease of Use
- RSA Digital Certificate OneStep is engineered to make enrollment very easy.
- Application integration enables virtually transparent use of certificates from the end user's perspective.
Portability
- Digital certificates stored in the browser restrict the use of these credentials to the desktop/laptop.
Multi-Purpose
- Digital certificates enable strong authentication across a wide range of applications including web applications, e-mail and VPN, as well as client/server applications.
- In addition to authentication, digital certificates serve other e-business functions such as ensuring data and transaction integrity, enabling digital signing and providing support for non-repudiation.
Strategic Fit: Corporate Considerations
Relative Security
- Digital certificates can be locked down within the browser so they cannot be exported, and are pass-phrase protected.
- Digital certificates provide strong protection against brute force attack with high encryption strength.
Robustness and Scalability
- RSA Certificate Manager has been independently tested to scale to over 8 million certificates per Certificate Authority instance.
- A real-life example: one customer purchased RSA Certificate Manager (formerly Keon Certificate Authority) in late Q2 2002 and deployed 100,000 certificates in two months.
Interoperability and Integration
- RSA Certificate Manager-issued digital certificates are based on industry standards for wide-scale interoperability.
- Leading vendors of VPNs, e-mail and a variety of web-based applications have inherent support for digital certificates.
- RSA Security offers RSA BSAFE toolkits to help organizations make their legacy or custom-developed applications certificate-aware.
Future Flexibility
- The extensible nature of digital certificates ensures future flexibility and investment protection for customers.
- Uses include web-based, client/server and device strong authentication.
- Application uses include digital signing for online forms and documents, secure e-mail and others.
APPENDIX D: RSA DIGITAL CERTIFICATES
Vendor Selection Considerations
Total Cost of Ownership
- See Total Cost of Ownership Considerations above.
Functionality
- See Strategic Fit Considerations above.
Technical Architecture
- First in its category to be certified for Common Criteria EAL (Evaluation Assurance Level) 4+.
- One of the only commercially available products to support both the European Union (EU) Directive on Electronic Signatures and the Russian-based GOST Public Key Digital Signature Algorithm.
- Addresses international standards by including the necessary field extensions to support EU Qualified Certificates (RFC 3039).
- Allows organizations to define and self-administer their own security procedures, trust relationships, certificate formats and rules for certificate life cycles that serve as a foundation for corporate security policies.
Vision
- Nearly 20 years of leadership and experience in e-security.
- Leader in standards initiatives such as Liberty Alliance, PKCS, PKI Forum, OASIS and Identity Management solutions.
- World-renowned RSA Laboratories.
Financial Viability
- Global company with more than 15,000 customers.
- 2003 revenues of $250M.
- Industry leader with more than 65% market share for strong authentication.
Trustworthiness
- RSA Security is already trusted by 82% of the Fortune 100 and 88% of the world's top 50 banks.
- Approximately one billion RSA BSAFE-enabled applications.
- Over 14 million RSA SecurID authenticators.
Service & Support
- World-class support and professional services organizations.
- 24x7 Follow the Sun telephone support.
[Figure: Authentication Scorecard chart for Digital Certificates, scoring each of the ten attributes on a 0 to 10 scale: Acquisition Costs, Deployment Costs, Ongoing Management Costs, Convenience/Ease of Use, Portability, Multi-Purpose, Relative Strength, Interoperability/Integration, Robustness/Scale, Future Flexibility. Source: RSA Security product management.]
Strategic Fit: User Considerations
Convenience and Ease of Use
- Easy certificate enrollment with RSA Digital Certificate OneStep auto enrollment.
- Multiple functions in one smart card.
- Minimal user interaction with the digital certificate.
- Digital certificates on smart cards and RSA SecurID Passage support single sign-on.
Portability
- With RSA Web Passport, you can access certificates remotely from any browser.
- Smart cards with certificates are highly portable and non-intrusive.
- Credentials travel with the end user rather than residing on the client.
- Credential usage is not tied to a single seat.
- Works easily with RSA Digital Certificate Solutions like VPN, Secure Mail and Web, from anywhere, anytime.
Multi-Purpose
- Multi-application usage reduces the number of systems to manage.
- A multifunction smart card with digital certificates supports the following:
  - Logical access with certificate authentication; physical access (HID proximity or magnetic stripe).
  - Picture ID.
  - Electronic wallet.
  - RSA SecurID solution for two-factor authentication.
Strategic Fit: Corporate Considerations
Relative Security
- Smart cards can ensure high security for digital certificate and private key storage.
- Real-time certificate status checking with Online Certificate Status Protocol (OCSP).
- Certificate authority root keys stored in a bundled FIPS 140-1 Level 1-3 compliant HSM.
- Secure, web-based administration and certificate issuance through authenticated SSL sessions.
- RSA Certificate Manager Common Criteria validated at EAL-4 level.
Robustness and Scalability
- Independently tested to scale to 8 million users for a single certificate authority deployment.
- Designed to maintain performance when scaled, supporting massive demand for signing operations, PKI queries and large-scale certificate storage and management.
- Also supports the geographic distribution of many RAs with multiple administrators.
- RSA SecurID Passage is a highly scalable client-side solution.
- The solution uses Java platform technology.
Interoperability and Integration
- RSA Certificate Manager is built on open Internet and PKI standards.
- Cross-certification and validation with other PKIs based on IETF PKIX industry standards.
- Web browser ubiquity: root certificate embedded in Microsoft Internet Explorer and Netscape Navigator.
- Third-party data repositories: Netscape Directory Server, Microsoft Active Directory and Peerlogic i500.
- Hardware Security Modules: nCipher, Chrysalis.
- Privilege Management Infrastructure (PMI): Netegrity, RSA ClearTrust solution.
- Email programs: Microsoft Outlook, Netscape Messenger.
- Virtual private network (VPN) devices and clients: Checkpoint VPN-1/Firewall-1, Cisco VPN 3015, Nortel VPN.
- Identrus support.
- Leverages use of digital certificates for stronger authentication.
- Stores them on a secure device (the smart card) for portability.
Future Flexibility
- No physical limitations to the number of certificate authorities and RAs that can be deployed.
- Customers can mirror their organizational structure by setting up any number of certificate authorities, RAs and administrators.
- Digital certificate use can be extended to include secure e-mail, e-forms, VPN and web access and SSL server certificates.
- Smart card use can be extended to include secure logical access, physical access, picture ID, e-wallet and so on.
- Comprehensive backup and replication system for credentials.
- RSA SecurID Passage middleware and related credentials pushed out transparently.
- RSA SecurID Passage single sign-on functionality.
- Automated, remote PIN unlocking.
Total Cost of Ownership Considerations
Cost of Acquisition
- One-stop shopping for digital certificate management system and smart cards.
- Competitively priced at low user volumes.
- Aggressively priced at very high user volumes.
Cost of Deployment
- With RSA Digital Certificate OneStep Auto Enrollment, enrolling and issuing certificates is cost-effective.
- RSA Certificate Manager is built to be flexible, easy to install and configure, and highly scalable.
- Easy deployment of certificates and applications to smart cards.
Cost of Management
- Intuitive, web-based certificate authority configuration and administration.
- Remote administration with RSA Registration Manager.
- With RSA SecurID Passage, you can deploy new applications to smart cards after they are issued.
APPENDIX E: RSA SMART CARDS
[Figure: Authentication Scorecard chart for Smart Cards + Certificates, scoring each of the ten attributes on a 0 to 10 scale: Acquisition Costs, Deployment Costs, Ongoing Management Costs, Convenience/Ease of Use, Portability, Multi-Purpose, Relative Strength, Interoperability/Integration, Robustness/Scale, Future Flexibility. Source: RSA Security product management.]
Vendor Selection Considerations
Total Cost of Ownership
- See Total Cost of Ownership Considerations above.
Functionality
- Industry-leading and award-winning digital certificate management solutions that are flexible and highly scalable.
- Smart cards provide highly secure digital certificate and private key storage.
Technical Architecture
- Based on open Internet and PKI standards to help ensure interoperability and integration with industry-standard systems.
- All configuration and administration functions are available through a web interface.
- RSA Certificate Manager provides centralized management and fail-over services.
- Designed to integrate easily into new or existing data stores.
- Multi-platform support for RSA Certificate Manager.
- RSA SecurID Passage middleware provides a client-side solution.
Vision
- Pioneer in extensible smart card technologies and digital certificate solutions.
- Nearly 20 years of leadership and experience in e-security.
- Leader in standards initiatives such as Liberty Alliance, PKCS, PKI Forum, OASIS and Identity Management solutions.
- World-renowned RSA Laboratories.
Financial Viability
- Global company with more than 9,000 customers.
- 2002 revenues of $232M.
- Industry leader with more than 65% market share for strong authentication.
Trustworthiness
- RSA Security is already trusted by 82% of the Fortune 100 and 88% of the world's top 50 banks.
- Approximately one billion RSA BSAFE-enabled applications.
- Over 14 million RSA SecurID authenticators.
Service & Support
- World-class support and professional services organizations.
- 24x7 Follow the Sun telephone support.
BSAFE, RSA, RSA Security, RSA Secured, SecurID and Confidence Inspired are registered
trademarks or trademarks of RSA Security Inc. in the United States and/or other countries.
All other products or services mentioned are trademarks of their respective owners.
2004 RSA Security Inc. All rights reserved.
ASC WP 0904