Due to numerous exploits that have defeated two-factor authentication, either by social engineering, remote access Trojans or various HTML injection techniques, many IT departments now want more than a second factor to protect their most sensitive logins and assets.
In the three years since we last reviewed two-factor authentication products, the market has responded, evolving toward what is now being called multi-factor authentication or MFA, featuring new types of tokens.
For this review, we looked at nine products, five that were included in our 2013 review, and four newcomers. Our returning vendors are RSA’s Authentication manager, SafeNet’s Authentication Service (which has been acquired by Gemalto), Symantec VIP, Vasco Identikey Authorization Server, and TextPower’s SnapID app. Our first-timers are NokNok Labs S3 Authentication Suite, PistolStar PortalGuard, Yubico’s Yubikey and Voice Biometrics Group Verification Services Platform.
Not all of these products are for the same purpose and a few are more akin to toolkits for application developers rather than turnkey enterprise products. For this reason, we’re not picking a winner or handing out scores. But we think all are worthy of inclusion in this review as representative of where the MFA market is heading. In addition, if you want to stay on top of MFA developments, we recommend you follow our Twitter list here.
How we tested MFA products
We asked vendors to submit a variety of their tokens to access their identity management service. Included in this option were software that made use of the SMS-based phone network, ran as an app on a smartphone, or some other mechanism other than the traditional one-time password hardware token.
+ ALSO ON NETWORK WORLD Multi-factor authentication goes mainstream +
We tested these tokens in a variety of situations, such as logins to a VPN, a Web service such as Google Docs, and Microsoft Windows Active Directory and Internet Information servers. Where we needed to install software, we used a Windows 2008 Server. We logged into these applications via a Windows 7 and 10 desktops and also used several smartphones and tablets including iPhones and a Google Pixel C Android tablet.
As with our prior review, we looked at similar metrics for each product. Sadly, no single product excelled in all areas, but here are some general conclusions.
Enterprise management and value
The administrative interfaces of all of the products were complex to navigate and will require some support and training to understand their workflows and operations. All of the products we tested could use substantial UI makeovers to simplify them, with Vasco being the worst offender.
When it comes to balancing the number of features offered and the price, SafeNet delivered the best value.
How secure apps are built
We were interested in examining the APIs that enable enterprise app developers to incorporate their solution directly, and how to configure and debug these installations.
TextPower, SafeNet and Yubico do a great job of documenting their APIs and posting them online. Many of the older MFA vendors are still stuck in the past where you first have to become a customer to gain access to this documentation, or hunt for it inside a particular PDF manual.
The end user experience
We looked at how the multiple factors come into play during the user login process, and how cumbersome/easy are they to enter. With some products, such as Symantec and Vasco, you can set up multiple token types, and then choose at login time whichever one is more convenient.
+ RELATED: 5 trends shaking up multi-factor authentication +
We also looked at the procedures involved in bypassing the MFA token if it isn't working or if you leave it at home. Most vendors now have some kind of Web-based self-service user portal for this recovery or on-boarding process.
No single product stood out for having a superior user experience, but all were capable enough.
Reporting and monitoring
We examined the various reports available and what happens when something goes wrong and how IT managers are notified. Some products can export or schedule reports as well. Vasco and SafeNet have the best and most useful reports.
MFA product highlights
|Vendor||Price per 100 tokens per year||Server methods||Mobile OS supported||Types of tokens||Published API guide|
|NokNok Labs S3 Authentication Suite||Starts at $50,000||SaaS, Linux server||Android, iOS||Mobile||No|
|PistolStar PortalGuard||$15,000 (one-time) + $5000/yr||SaaS, Windows Server||Android, iOS||Mobile, hardware, voice, SMS, email||No|
|RSA Authentication Manager||Starts at $7500 (one-time)||Appliance, Linux VM||Android, iOS, Blackberry, Windows Mobile||SMS, mobile, email, hardware||No|
|Gemalto/SafeNet Authentication Service||$1,200/yr||SaaS, Windows Server||Android, iOS, Blackberry, Windows Mobile||Mobile, hardware, email, SMS||Yes|
|Symantec VIP||$2000 (setup fee)+ $5500/yr||SaaS||Android, iOS, Blackberry, Windows Phone||Voice, biometrics, mobile, email, SMS||No|
|TextPower SnapID||free||SaaS||Any mobile phone||SMS||No|
|Vasco Identikey Authorization Server + Digipass for Mobile||$6000 + $1000||Windows Server, Linux Server, appliance, SaaS||Android, iOS, Blackberry, Windows Mobile||Mobile, voice, email, hardware, SMS,||Yes|
|Voice Biometrics Group VSP||$500/yr minimum||SaaS||Any mobile phone||Biometrics, voice, SMS||No|
|Yubico Yubikey||$50 (one- time)||SaaS||None||Hardware token||Yes|
Here are the individual reviews (see screenshots of each product):
Nok Nok Labs S3 Authentication Suite v4.0: A FIDO compliant toolkit
One of the first vendors compliant with the FIDO (Fast Identity Online) Alliance standard was Nok Nok Labs. However, their product is more of a toolkit for enterprise developers than a packaged software solution. To date, NTT Docomo and Alipay are two of its reseller/developers, the latter with more than a million users deployed.
PayPal has also incorporated NokNok’s client as part of the enabling fingerprint recognition software in its Android version: you have to swipe your finger 10 times to register it as an authentication method to use the app. But once you register your fingerprint, you can use that to initiate payments from your phone.
The NokNok suite can be integrated with a variety of authentication methods, including biometrics, tokens and mobile phones, and once you join its developer network you have access to sample code for both Android and iOS phones and other API documentation. You’ll need Android KitKat and iOS v8 or better versions to implement it. We tested its sample application and were able to get it working quickly. There are several different authentication methods that are incorporated, including the ability to scan a QR code by your smartphone or tablet, or use a static PIN to provide the additional factor when you are trying to login to a Web service.