Microsoft shelves RSA token support for Vista

Microsoft has shelved plans to include built-in support for RSA Security's tokens in Windows Vista, even though the company has been testing out the authentication technology for almost two years.

In February 2004, Microsoft chairman Bill Gates said Windows would be able to support easy integration with RSA's popular SecurID tokens. That meant businesses would find it far easier to deploy a two-factor authentication system for logging on to networks and applications.

However, almost two years after the SecurID beta-testing programme kicked off, RSA's chief executive, Art Coviello, disclosed that Windows Vista will not natively support the technology.

Coviello said in an interview on Tuesday morning in Sydney: "Microsoft had said they would include the ability to support all kinds of One Time Password (OTP) and challenge-response type authentication in Vista. But they were unable to get it in with all the other issues they have had, so it is going to take longer."

According to Coviello, sales of SecurID for Windows have "gone slowly" because Microsoft decided not to support the tokens natively in Windows.

He explained: "It has gone slowly, and it has gone slowly for a number of reasons. Microsoft has given us source code so we can replace the Microsoft log-on screen. However, it is not yet native to the operating system. So it still requires some work at the desktop, which slows down the adoption rate."

Coviello expects Microsoft to add native support for SecurID in future updates to Vista, after which he hopes demand will increase significantly for two-factor authentication, where people present a second form of identification as well as their password.

He said: "Admittedly, when Vista eventually includes support for onetime passcodes - as is expected in some future point release - people will be more aware generally.

"Right now, we have a competitive advantage, and quite frankly, the adoption rate of our product, SecurID for Windows, is more about inertia in the market than about the technology."

Although Microsoft has been slow to add support for SecurID and other password alternatives, Gates has frequently called on the industry to move away from passwords - including in a speech at this year's RSA Security show.

Vista is expected to include a password management system called InfoCards, which Gates announced at the RSA conference.

Microsoft said on Tuesday that it had worked with several vendors and customers on whether to add native support in Vista for one-time passwords, via its Kerberos authentication protocol. RSA's SecurID token generates a different password for each attempt to log on to a service.

A representative for the software maker said: "Most customers told Microsoft they do not view one-time passwords as strategic and are looking long term to smartcards as their preferred strong-authentication mechanism."

The Vista update will let third-parties write credential providers to add their authentication tool to the operating system, the representative added.

CNET News.com staff contributed to this report

Munir Kotadia writes for ZDNet Australia