RSA Security, a unit of EMC Corp. of Hopkinton, Mass., has acquired the Fort Lauderdale, Fla., security firm Verid Inc. to improve its authentication capabilities.
EMC announced Monday that the purchase had closed Friday, but it did disclose the price.
In September, RSA said it would integrate Verid's software into its own technology. EMC said its unit will start offering Verid's technology next quarter.
Verid's software provides knowledge-based authentication, a method that requires people to answer questions drawn from public information, such as utility and driving records. The questions typically are multiple-choice ones that can be generated without any enrollment by the consumer.
RSA has said some banks may prefer this approach to the traditional security question format, which requires people to enroll by providing personal information, and then later uses this data to ask fill-in-the-blank challenge questions. Since Verid's questions come from public databases, they can be presented even to new customers.
Marc Gaffan, marketing director for RSA's consumer solutions group, said the unit found that Verid's information could be used for a variety of security techniques.
"The technology is far superior to what we ever thought," because "it's really not about the data itself," he said. "It's about the analytics of using data."
Most notably, Verid can judge the difficulty of questions and use this judgment to present questions it knows customers can answer. "You don't want to ask [customers] questions that are too hard to answer," Mr. Gaffan said. However, "if something is considered high-risk, let's ask something that is hard to answer."
RSA uses its eFraudNetwork, which pools observations from all its customers, to help banks spot potential fraudsters.
For example, the network can observe whether someone is trying to access accounts at several banks at once. In such a case, where the user might have obtained passwords and basic identity information, an RSA bank might present a question that even a legitimate customer would have difficulty answering, he said.
This method would be invoked only when other factors have indicated the bank is dealing with a fraudster, since difficult questions could drive a customer to use more expensive channels, he said.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said the acquisition could improve Verid's software.
Verid clients already say that some of its questions are too hard for some consumers to answer — as many as 15% of customers either fail to get into a bank's Web site or are intimidated into not trying, she said. (RSA would say only that Verid's "pass rates" are the highest in the industry, though they could be improved.)
"People are already failing on the easy questions," Ms. Litan said. A connection to the eFraudNetwork should help Verid choose better questions.
Another issue is that the databases Verid uses do not have much data on some people, so it cannot find questions to ask them. In some cases, "it's a legitimate person, but they're an immigrant or they don't have a lot of data on them."
Nevertheless, Verid's system is sometimes preferable to the fill-in-the-blank questions RSA uses today, Ms. Litan said.
She predicted that Verid's system would be used most often for new customers, because it does not require enrollment and the bank may not have a lot of information about the customer.
The acquisition also is EMC's first in consumer authentication since it acquired RSA last year.
Jacob Jegher, a senior analyst for the Boston market research firm Celent LLC, said that EMC may build RSA further without buying more technology.
"The market for authentication solutions is absolutely enormous," he said. "There's still a lot of potential out there."
The Verid buy is "a good opportunity for RSA," but in the future it may need to expand geographically, Mr. Jegher said.
For example, it could turn its attention to Canada, where banks have not been facing the same regulatory pressure to strengthen online authentication but still recognize the need for such technology, he said.
