Security tokens used to safeguard computer networks risk going the way of the rotary phone as EMC Corp.’s RSA unit, the top maker of the devices, is challenged by smartphones deployed as cyber-protection tools.
Vasco Data Security International Inc. and Gemalto NV, two companies with identification-software that runs on tokens, tablets and smartphones, saw their market share roughly double last year, reducing RSA’s portion to 60 percent from 76 percent in 2011, according to WinterGreen Research Inc.
As an increasing number of consumers shop and bank online and more workers access corporate networks via mobile devices, global sales of identity-protection products will surge to $6.43 billion by 2016, from $4.51 billion last year, according to IDC. Software startups seized on an opening created after hackers compromised millions of RSA tokens two years ago to promise corporate customers better protection at a lower price.
“There’s a lot of innovation going on right now because it’s a dangerous world,” Lee Congdon, chief information officer at Red Hat Inc., said in an interview. “Malicious people are becoming more adept. Folks are actively trying to steal your secrets and money.”
Red Hat, the biggest seller of Linux operating system software, began replacing RSA tokens with Gemalto’s tools last month, Congdon said.
“It’s considerably less expensive,” Congdon said. Gemalto’s tokens, paired with a free mobile application, cost less than half the price of protection from RSA, he said.
Undercutting RSA’s price -- which the company says starts at about $46 per user -- isn’t difficult with software that harnesses mobile-device features like cameras and microphones for image and voice verification. RSA tokens generate a random numeric code every 30 to 60 seconds to enable access to corporate networks.
“RSA sold tokens for more than 25 years,” said Sean Brady, director of product marketing at RSA. “We recognize that that solution is not the most cost-effective way anymore. We’ve sold software tokens since 2002.”
In a push to keep competitors at bay, EMC is also adding new security features and offering mobile apps. It charges fees for the mobile services, which many of its rivals provide at little or no cost.
More affordable options are gaining traction as more workers use personal mobile devices to access corporate data, according to Sally Hudson, an analyst at IDC. Adding to demand for token alternatives is the growing popularity of mobile payments and the increasing number of small and mid-size companies that must safeguard financial records on the Internet.
“The market is going to get bigger, and the market dynamics are changing,” Hudson said in an interview. “Enterprises have to accommodate these users, and tokens are just way too expensive.”
EMC, the world’s biggest maker of storage computers, posted net income of $2.89 billion last year on revenue of $21.7 billion. The Hopkinton, Massachusetts-based company agreed to buy RSA Security Inc. for about $2.1 billion in 2006. Sales for the unit rose 7.3 percent to $888.7 million last year, about half the growth rate in 2011.
In June 2011, EMC said it would replace millions of SecurID tokens after what the company has described as a hacker attack that may have been aimed at the defense sector and government agencies. One client, defense contractor Lockheed Martin Corp., said it was targeted in a cyber attack tied to the RSA breach. Other defense customers have included Northrop Grumman Corp. and Raytheon Co.
“There has been a gradual erosion of confidence in the product since,” Susan Eustis, president of WinterGreen, said in an interview. “Other companies were stimulated to make investment when RSA stumbled.”
In one sign of the lasting impact of hackers, EMC’s shares are trading at about a 22 percent premium to the Standard & Poor’s 500 Index on a price-to-earnings basis. Before EMC announced its token replacement plan, the premium was 91 percent. The shares fell less than 1 percent to $23.73 at 9:31 a.m. in New York.
“At first blush, it would seem intuitive that after the March 2011 breach, a lot of competitors would go in there and eat our lunch,” Jeff Carpenter, a product marketing manager at RSA, said in an interview. RSA said that didn’t happen, though, and the company anticipates gaining customers as the overall market expands.
While EMC remains the market leader, growth is slowing and its share is slipping as competitors challenge RSA on price and tell potential customers that hardware tokens -- the gold standard for more than two decades -- aren’t the safest option.
Nok Nok Labs was founded after RSA was hacked in 2011, promising to eliminate the need for user names and passwords responsible for “security pain,” according to the Palo Alto, California-based company’s website.
Applications for smartphones and tablets allow users to verify their identities by speaking into a microphone or snapping a picture of their face. The company expects to have 3 million users by the end of the year, said Brendon Wilson, director of product management.
“Cost would be significantly reduced versus RSA, due to our approach to leveraging the capabilities on the device the user already has,” Wilson said in an e-mailed statement.
Authy, which has won backing from the incubator Y Combinator, Box Inc. Chief Executive Officer Aaron Levie, and Salesforce.com Inc., is competing against RSA on convenience, said founder Daniel Palacio.
“With RSA, you have to contact a salesperson, get an account,” Palacio said in an interview. “With us, you sign up on the website. We don’t require a credit card for the smallest plan. It takes less than two minutes.”
The simple online enrollment process appealed to Daniel Kivatinos, co-founder of customer Drchrono Inc., a provider of software that allows doctors to access medical records and write prescriptions on mobile devices.
“They were a completely mobile company, like us,” Kivatinos said in an interview. “I didn’t want an actual, physical piece of hardware.”
“Most of our customers are first-time users,” Song said in an interview. “Many of them couldn’t afford it before.”