Buyer’s Guide to 9 multi-factor authentication products

Since we last reviewed two-factor authentication products, the market has moved beyond two-factor authentication toward what is now being called multi-factor authentication. One of the key features is new types of hardware-based tokens. Here are individual reviews of nine MFA products. See the full review.

Nok Nok Labs: A FIDO-compliant toolkit

This product is more of a FIDO-compliant toolkit for enterprise developers than a packaged software solution. For example, PayPal has incorporated Nok Nok’s client as part of the fingerprint recognition software in its Android version. The Nok Nok suite can be integrated with a variety of authentication methods, including biometrics, tokens and mobile phones. Eventually, if the FIDO standard does catch on, a universal MFA tool will become more useful, with more authentications that can be accomplished from a single token. But we aren’t there yet. To get started with Nok Nok, you will need to spend at least $50,000. Given this price point, corporate developers will have to think big if they want to get started with FIDO.

PistolStar Inc. PortalGuard: SSO meets MFA

The convergence of single sign-on portals with multifactor authentication is happening with more frequency. A good example is PistolStar’s PortalGuard, which comes as several Windows Server applications that will require a variety of Microsoft services, including IIS, SQL Server and .Net Framework. PortalGuard supports an array of tokens, including Google Authenticator, its own mobile OTP app for Android and iPhones, RSA SecurID, and Yubico Yubikeys. The product comes with its own brand of risk-based authentication. A variety of APIs are available, so you can build it into your own apps. The standard on-premises server starts at $15,000 for the first year with subsequent years at $5,000, including support, up to 10,000 concurrent users and tokens, both soft and some hard.

RSA Authentication Manager: Powerful, complex

RSA’s Authentication Manager is a formidable product to install and configure, partly because there are so many separate pieces. It is installed as a VM or as a physical hardware appliance, both running its own hardened Linux server. There are versions for VMware ESXi and Microsoft Hyper-V. Because the product is one of the most capable MFA tools on the market, it has wide support for a variety of hard and soft token types, application integrations and workflows. New to this version is a risk-based authentication engine that keeps track of each user’s device and behavior over time. Also new to this version is what RSA calls its Web Tier, which sets up a custom Web interface for handling user self-service requests and managing risk-based authentications. A 100-user VM costs $7,500, while the hardware appliance is $10,500, including 100 user licenses and hardware tokens, 25 software tokens and a year of maintenance.

Gemalto’s SafeNet: Solid product, good value

Gemalto recently acquired SafeNet, but still calls its offering SafeNet Authentication Service. It offers the product as a hosted service or for running on a Windows Server.

The product continues its leadership in its support for token types, application integration and authentication methods. Setting up the hosted service took a matter of minutes. SafeNet has some of the best reports of any MFA vendor. It also has some of the most flexible and granular administrative roles around. SafeNet has the beginnings of risk-based authentication in what it calls “pre-authentication rules” that are set in the administrative console. SafeNet is one of the least expensive solutions on the market, with a typical cost of $1/user/month for enterprise volume purchases. Given the combination of price and functionality, this product should be on anyone’s short list.

Symantec Validation and ID Protection Service: Strong, SaaS-based offering

While VIP has been around a long time, Symantec has continued to keep up with the market by offering a number of important innovations and extensions. One of the big advantages of VIP is that it supports a wide array of hardware tokens, mobile-based soft tokens, SMS and voice-based verification, push OTP, and fingerprint authentication (available on both iPhones and iPads), and there is an app for the Apple Watch as well. Once Symantec’s Enterprise Gateway is operational, VIP supports risk-based authentication, using device IDs and geolocation as mechanisms to step up additional factors for logins. The product has a credential software development kit, which makes embedding VIP credentials into mobile apps easier. For a three-year subscription, the cost is $55/user/year.

TextPower SnapID v1.1: Innovative approach

TextPower works in the reverse of most MFA tools: at login time, you are presented with an OTP code and an SMS destination number on your web browser screen. You text that code to that destination, and that allows your computer access. This product hasn’t caught fire, but we still think this is an important technology. SnapID is better than using standard SMS OTPs because it can’t be as easily intercepted with man-in-the-middle attacks. Since the OTP originates from the Web app, there really isn’t any “middle” where you can insert something to intercept the password dialog. Instead, SnapID leverages the cellphone’s internal hardware ID information. When you send your text message to its servers, SnapID will verify that you are who you say you are and that it isn’t a spoofed number or device. As long as you have your web browser and your cellphone, you are good to go. SnapID is currently free.

Vasco DIGIPASS for Mobile and IDENTIKEY Authentication Server: Complex setup, excellent features

Vasco is complex to install but has a very capable feature set. There are more than a dozen different software tools to install. On the other hand, there is a seemingly endless list of supported token types. Vasco continues to innovate with new token types and stronger authentication methods. Its latest tokens have cameras and screens that can capture full-color QR-type codes. Since we last looked at Vasco, it has beefed up its Web-based self-service user portal. You can now provision and deprovision multiple token types for a single user through this portal, along with managing your static PINs and other common tasks. Vasco’s biggest limitation is its SAML support: it has specific documentation only for Office 365, Salesforce, and Google Docs. Another downside is its pricelist, which is exceedingly complex.

Voice Biometrics Group: Voiceprint-based authentication

Voice Biometrics Group (VBG) has been involved in voiceprint security since 2009. Voice as an additional authentication factor is tricky. Your system needs to collect enough information to match the user’s voiceprint. Also, having a database of voiceprints ups the ante on its security: once a voiceprint has been stolen, you can’t assign another voice to one of your employees. This is why voice should be just one of several authentication factors. VBG has put together a series of demonstrations of its system that can be accessed via a Web portal. It also has a series of HTML5 applications that can be used to start your own development effort. VBG is a subscription-based managed service with pricing based either on transactions or individual voiceprints stored on its system.

Yubico Yubikey 4: USB-based keys

Yubico has been a leader in USB-based keys for many years, with tokens that fit into the USB slot on your computer. Yubico tokens can be found in hundreds of different applications, and the company was an early supporter of FIDO’s U2F standards. You can easily set up the keys to act as a second factor, using the security settings screens for each application or plug-in. Once you do so, you press a small gold button on one side of the key to send the key sequence to your application as part of the login process. Yubico also supports sending keys via near-field communications. Yubico has a long list of API libraries that support its keys, including code in C, Java and PHP.

Tokens can be purchased for $50 or less in quantities of 100.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom.