Skip Links

Smartphones take center stage in two-factor authentication schemes

SecureAuth IdP wins test of 8 software-based authentication systems that deliver enterprise-level security

By David Strom, Network World
May 20, 2013 06:01 AM ET

Network World - We all know that relying on a simple user ID and password combination is fraught with peril. One alternative is to use one of the single sign-on solutions we reviewed last year, but there are less expensive options that could also be easier to install.

That’s where two-factor authentication services come into play. Years ago, vendors came out with hardware-based two-factor authentication: combining a password with a token that generates a one-time code. But toting around tokens means that they can get taken, and in a large enterprise, hard tokens are a pain to manage, provision and track.

Enter the soft token, which could mean using a smartphone app, SMS text message, or telephony to provide the extra authentication step. We reviewed eight services that support up to five kinds of soft tokens: Celestix's HOTPin, Microsoft's PhoneFactor, RSA's Authentication Manager, SafeNet Authentication Service, SecureAuth's IdP, Symantec Validation and ID Protection Service (VIP), TextPower's TextKey, and Vasco's Identikey Authentication Server.  

Other vendors, such as Authentify, BehavioSec, eSet, PortalGuard, TeleSign, Trustwave, and Yubico either declined to participate or didn't quite fit into the review set. Here’s a link to a more complete list of vendors.

All of the products in our review offer some form of centralized management, and the ability to integrate additional authentication step into a series of application servers, VPNs and Windows Active Directory logins. (Watch a slideshow version of this story.)

[FOLLOWING BREACHES: Experts call for two-factor authentication]

The two-factor methods we tested harden your logins in one of three basic operational ways:

 Those that augment traditional Radius or Active Directory identities to validate the user. In this scenario, the identity request is passed from AD or a VPN to the two-factor server for the additional authentication step before being allowed to login to AD. In some cases, the two-factor product can synchronize its directory information back to the AD store as well

 Those that work as the identity provider to a Web service, such as with Google Docs or Salesforce cloud apps. In this case, the request uses Security Assertion Markup Language (SAML) and trusted certificates between the app and the two-factor server for the additional authentication step. This is how Gmail and iTunes have added second factor features to their services.

The advantage is that you don't have to touch the apps that are sitting in the cloud, and once your user completes the second factor, they are logged into the Web service directly. The downside is that not every Web service provider supports SAML, and some of the vendors we reviewed don't support it either. RSA and Vasco require separate products to provide SAML authentications.

 Logins to a Web server itself, using additional HTML code, such as SOAP, Perl or JavaScript. This code makes the connection between the server and the two-factor vendor's services. This could be relatively simple, especially for on-premises Web apps where you can adjust the pages quickly.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News