VeriSign VIP: The Identity Service Provider?

Submitted by Mike Rothman on Tue, 2006-02-14 09:12.

Yesterday at RSA, VeriSign announced their VeriSign Identity Protection strategy, called VIP. Cute, eh? It is a broad strategy focused on providing "identity protection for consumers who conduct business online" (their words, not mine). VIP will initially be integrated into eBay/PayPal (through the payments platform VeriSign sold to them) and Yahoo, which is a good start.

As I've been researching the identity management market for the upcoming Battle Plan, it's become clear that one of the impediments to wide-scale, truly ubiquitous identity is the lack of a central body to vouch for those identities. You can use your favorite driver's license analogy here to illustrate the need. But without a somewhat universally trusted entity to vouch for these credentials, we will always have to set up one-off business relationships, which is neither efficient nor scalable.

It seems that VIP is focused initially on consumer financial applications, continuing to go up against RSA and VASCO in that space. To be clear, tokens are not novel anymore. The eventual winner in this space will surround the token (or whatever other authentication mechanism) with value-added services to create a more complete solution.

So for RSA, that value add is in the form of Cyota's "contextual authentication" capabilities. They can figure out what kind of transaction is being attempted and provide the "right" amount of hoops for the customer to jump through.

VeriSign's value-add is their network, and they are playing to their strengths. The fact that their trust hierarchy is present in EVERY browser in the world is critical. As VeriSign undertakes greater levels of authentication to establish an identity, a VeriSign VIP credential becomes more trusted and somewhat universal. Combine that with a strong business development effort to get the VIP "agent" into all the web sites out there and this could be a pretty powerful option.

Seems a lot like Security Dynamics' (yes, the forefather of today's RSA) strategy in the early 90's. Get your agent deployed in all the applicable network equipment and customers don't have a choice but to work with you. It was brilliant and worked like a charm. They are still the leader 10 years later based on that strategy.

Will VeriSign execute as well? I suspect not. The world is much harder today, and competitors are much more capable of building to similar APIs to remove any kind of API lock-in. That's one of the "benefits" of web service standards. It's also not clear that consumers will accept a commercial Identity Service Provider.

It's also interesting that VeriSign does not seem to be playing with the Liberty Alliance in this initiative. What they are describing is basically federation, but for consumer-oriented applications. This will go over like a lead balloon in identity management circles that have worked pretty hard to establish standards and rules of engagement for federation. But VeriSign has always been a bit of a maverick relative to working with other folks.

What VeriSign does have is the network and a trusted brand driven by their SSL business. So they've got a chance, and given the true need for the "Identity Service Provider," that is progress.