Gartner Blog Network

Will Symantec discover Internet Identity with VeriSign acquisition?

by Avivah Litan  |  May 19, 2010  |  Comments Off on Will Symantec discover Internet Identity with VeriSign acquisition?

Symantec finally confirmed its rumored purchase of VeriSign’s security business for a whopping $1.28 billion. (Kudos to Verisign for getting such a high price from Symantec!).

Presumably, Symantec is excited to get into the identity business that it just acquired by buying VeriSign’s VIP business. After all there’s been a lot of talk about identity on the Internet lately. Facebook thinks they own it (and they come the closest actually), Howard Schmidt, the new national Cybersecurity czar, endorsed a federated identity system (but didn’t specify the government’s involvement) in his recent keynote at a FDIC conference last week, PayPal has been making noises about flexing its muscle and becoming an identity provider to others on the Internet, and OpenID is tightening it’s infrastructure so that it can work with higher assurance federated identity applications. Cloud computing is getting everyone to think about cloud identity services, and vendors are salivating at the thought of getting rich off of them.

But so far, no one in the United States  – VeriSign included – has figured out how to be the custodians of shared electronic identities. VeriSign’s VIP service has very few real users – it’s an authentication service in the cloud but it doesn’t provide any assurance for the identities it authenticates (and never did try to get into the business of assurance). And it has failed to get any real traction in getting authentication (token) customers to participate in a federated authentication environment where tokens issued by one company can be used at a second one by a consumer who is a customer at both, thereby reducing the token and maintenance costs for both companies.

This type of federated business is achievable however, as proven in Scandinavia. There, the banks have successfully rolled out such an infrastructure, where they issue and back electronic identities for their customers, and issue and distribute EMV CAP authentication cards and readers that can be then used at all the participating banks as well as government agencies who pay the banks for this service.

But here in the U.S., we don’t see this type of success on the near horizon until a courageous and non-contentious entity steps up to the plate and says “Yes I will take responsibility for this identity and issue a credential/authentication token for him/her that you all can rely on for a fee.”

Facebook and PayPal obviously have millions and millions of users that they would like to make more money off of by becoming such an identity provider. But there are lots of privacy hurdles and issues they will have to overcome before they can leverage their customer data for an identity business.

In the meantime, technology providers like Symantec won’t solve the problems with empty shell technology. In the end, the problem of Internet Identity won’t be solved with technology. It’s a business problem – it always has been and it always will be.

(Please refer to Gartner’s upcoming First Take on this acquisition for more information).


Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.