Windows Vista will include a framework designed to better support third-party multi-factor authentication systems, rather than native support for any one system, Microsoft said this week.
However, some industry observers dismissed the company's rhetoric about competition and openness. They said planned native support for RSA's SecurID tokens had simply fallen victim to time pressures, like numerous other grand schemes originally intended for Vista.
A spokesman confirmed to Techworld that SecurID is no longer planned for Vista. "Most customers told Microsoft they do not view one-time passwords as strategic and are looking long term to smart cards as their preferred strong authentication mechanism," the spokesman said.
Microsoft announced SecurID support in 2004 at a time of increasing interest from companies and online merchants in the use of two-factor authentication. This combines an account password with another "factor" such as a smart card, USB token or a one-time password, to combat a steep increase in online crimes that trick users into divulging sensitive financial information.
SecurID for Windows, announced in February 2004, is a handheld token that allows users to log on to Windows 2000 and XP machines using a one-time password, without requiring a connection to an RSA server to authenticate the user.
Use of the program still requires work by an administrator to deploy, a step that was to be eliminated with the launch of Vista, potentially driving two-factor authentication into the mainstream. RSA has said that in the absence of native support, sales of SecurID for Windows have been slow.
In reports, RSA has said Microsoft dropped SecurID support due to time pressures, a sentiment echoed by others in the industry. RSA said it still expects the technology to be natively supported in a later Vista update.
In the meantime, Microsoft said its decision was nothing to do with deadlines, but was about fostering competition around multi-factor authentication, rather than supporting any one scheme. Vista will introduce a new model for adding authentication methods, simplifying integration, according to the company.
Paul Roberts of Infoworld contributed to this report.