Quick steps to improved ID and security management
Relying on a simple user ID and password is fraught with peril. That’s where two-factor authentication services come into play. We tested 8 two-factor schemes that use soft tokens, which could mean using a smartphone app, SMS text message, or telephony to provide the extra authentication step. The vendors are: Celestix, Microsoft, RSA, SafeNet, SecureAuth, Symantec, TextPower, and Vasco.
1. Celestix Hotpin
Celestix Hotpin is a Microsoft-centric solution that supports a wide variety of soft tokens, including smartphone apps, email and SMS messages, plus hardware tokens. It is primarily a RADIUS-based device, meaning that if you are using it as a second factor for your VPN login, it shouldn't take too long to get it setup. However, it doesn't currently support any non-Microsoft Web or SAML apps. It also comes with a nifty QR code generator. The cost for a 100-token configuration is $5,995, with 24x7 support extra.
2. Microsoft PhoneFactor
PhoneFactor provides outbound voice calls as the second authentication factor: after you login, it calls your phone number and asks you to press the # key to verify who you are. You can also have the server send an SMS text message or a notification to a smartphone app. The company was purchased last year by Microsoft. To really exploit its features, you will want to connect it to Active Directory, Microsoft's IIS and Terminal Services, and the Web services that you want to add extra authentication protection to. The cost for a 100-token configuration ranges from $15 to $25 per token per year, depending on contract length.
3. RSA Authentication Manager v8
RSA is the market leader with hardware tokens, and with this latest version of its Authentication Manager, it has caught up with the soft token space as well. However, setup requires a large collection of software components. Authentication Manager has a very wide collection of supported applications that can be protected with a variety of soft and hard tokens for desktops and phones. New to this version is its dashboard, which provides a consolidated view of a particular user. The cost for a 100-token configuration is $15,325, and that assumes a mixture of hard and software tokens.
4. SafeNet Authentication Service
SafeNet comes as a cloud-based service, an appliance or as a collection of Windows Server 2008 software. Along with the server piece, there are numerous software agents that need to be set up. And it supports both SAML and Radius identity stores. It works hard tokens and soft tokens for Windows and Mac desktops and smartphones, as well as SMS messages. SafeNet has the most extensive policies, role assignments and user groups of any of the products we tested. The cost for a 100-token configuration for just soft token licenses is $2.10 per token per month.
5. Secure Auth IdP
We think Secure Auth’s two-factor solution, called IdP, is the best of the breed that we tested. You can run it as an appliance or as a cloud service. While Secure Auth recently added smartphone apps, they are currently just for their own VPN gateway. Otherwise, they support a wide variety of tokens, hard and soft. You can mix and match authentication methods too, and also have a "silent" two-factor validation check happen in the background. All of this is accomplished with IdP's Web-based management console. The cost for a 100-token configuration is $1,950 per year.
6. Symantec Validation and ID Protection Service
Symantec has been in the two-factor authentication market for quite some time and it shows by the number of ways that you can deploy and integrate their service. VIP has a wide selection of tokens, plus more than 30 integration methods for common apps. VIP is cloud-based with various software agents, which is both convenient and frustrating, as there is a lot of software to download, install and configure. VIP has two weaknesses: reports and lack of policies for granular or group access: each user has to be set up with particular token credentials. Three years of VIP service for 100 users is $9,500.
TextPower features a very innovative method of handling the second factor authentication. Most phone-based systems call your phone and you copy the information into your browser. But TextPower does this in reverse: They display a one-time password code on the browser and you text the code back to their servers from your phone. This eliminates man-in-the-middle attacks. However, TextPower is still mostly a demonstration project. They also have some rudimentary reports that are still very much a work-in-progress. The cost for a 100-token configuration is $2 per token per month or $2,400 per year.
8. Vasco Identikey Authentication Server
Vasco is the other large player in the hardware token market. They have expanded into the soft token space, but it takes quite a bit of effort to get all of the required pieces of software working. The basic authentication service is called the Identikey Authentication Server, and this handles Radius/Active Directory authentication of their hardware tokens. If you want soft tokens, you will have to purchase at least one Digipass module for the particular form factor, such as mobile smartphone tokens. Vasco supports a wide collection of tokens and there are more than 30 report templates that can be customized in a variety of ways. The cost for a 100 token configuration totals $15,393.