Driven by a need to secure far-flung employees' access to its computer systems, First Union Corp. has ordered 22,000 network security devices from Security Dynamics Technologies Inc.
The Charlotte, N.C., banking company said that 20,000 of these SecurID authenticator cards are already in use and that it would double the number over the next two years.
Peter S. Browne, First Union senior vice president in charge of information security, said the banking company needs a higher level of security because more employees have been working away from the office. The SecurID devices deliver that in the form of "two-factor authentication," the combination of a conventional password and a randomly generated number unique to a given transaction.
"Telecommuting is growing exponentially," Mr. Browne said. "We have a whole preponderance of people who are working at home," including data base and system administrators and technology specialists. The banking company is encouraging the practice, making all employees eligible for discounts on Dell personal computers.
First Union employees also use the SecurID when checking their e-mail from a remote site, he said.
"The people needing this kind of security number in the thousands -- I envision a day when 90% of our employees will use it," he said. First Union has more than 71,000 employees.
First Union, which has $230 billion of assets, requires all employee data transfers to and from the company's network to be protected by two-factor authentication.
"This product provides the requisite strong authentication capability for anyone accessing the in-house computer systems through an insecure medium, like the Internet, or when dialing in," Mr. Browne said.
Security Dynamics, a Bedford, Mass., company that has sold 5 million authenticators to 4,500 companies, regards the purchase decision by a banking company of First Union's stature as "quite significant," said Bill McQuaide, director of product marketing. "First Union is obviously a very valued customer."
First Union also relies on two-factor authentication devices in dealings with corporate customers that connect to the bank via personal computers. However, these tokens are supplied by Vasco Data Security Inc., a direct competitor of Security Dynamics.
Vasco, which is based in Oakbrook Terrace, Ill., said in January that First Union would distribute 20,000 of its Digipass 300 tokens to corporate customers. The internal move toward Security Dynamics was announced in June.
Mr. Browne said that the company uses both SecurID and Digipass because First Union's internal systems administrators and the corporate banking unit "separately standardized with each of the two firms' products."
Mr. McQuaide of Security Dynamics suggested that SecurID could fill Vasco's role. Reaching banks' corporate customers "would be our next step," he said. "Our direction is to make it ubiquitous in the marketplace."
But Vasco, which recently settled a patent infringement lawsuit brought by the larger Security Dynamics, has set its sights on being the No. 1 security provider for banking customers, said spokesman Mike Lange.
Vasco is "happy to concede the classic remote access market to Security Dynamics -- they had a head start and make that a core part of their business," Mr. Lange said. "But the profit centers, the business units, and the customers who need this technology have been going with us over Security Dynamics."
Mr. Browne, who has become influential in industrywide security discussions through his co-chairmanship of a steering committee of the Financial Services Roundtable's Banking Industry Technology Secretariat, said First Union is not necessarily intent on making a single-vendor decision because authentication methods are in a state of flux.
"We expect this technology will change in two to four years," Mr. Browne said. "These kinds of security tokens will change into a digital certificate-based structure."
Digital certificates, roughly equivalent to driver's licenses for assuring that parties to an on-line transaction are who they claim to be, are only gradually making their way into the banking industry. In October 1998, First Union made an open-ended announcement with Verisign Inc., saying the bank would use Verisign's OnSite service for a potentially large-scale digital certificate program.
Mr. Browne said that if the digital credential approach becomes widespread in the not-too-distant future, the Digipass-versus-SecurID question could become moot.
"When the digital certificate structure becomes ubiquitous, we will join forces with our corporate cash management department and put a request for bids out," Mr. Browne said. "I'm sure both Security Dynamics and Vasco will bid on that, as well as plenty of others."
