
Smartphones take center stage in two-factor authentication schemes

SecureAuth IdP wins test of 8 software-based authentication systems that deliver enterprise-level security

By David Strom, Network World
May 20, 2013 06:01 AM ET


Vasco, SafeNet and PhoneFactor were the only vendors we reviewed that can cover all three operational methods.

Two-factor authentication

All of the products we tested use out-of-band conversations to authenticate the second factor. When your phone is registered and you log in to your account, you are sent an SMS message, asked to examine your phone's soft token app, or sent an email with the secret code. The number you see on your phone, or whatever you then type into your browser, is how you authenticate yourself. This makes it difficult, but not completely impossible, to compromise the login process, even if a piece of malware has stolen your user name and password.

Finally, each product comes in at least two different components: First is a server with either a Windows or Web front end or a cloud-based service that runs the identity management, sets up your various security policies, and connects the tokens with the user directory stores.

Next is the Web service that users interact with if they need to add a new factor to their identities (such as a new cell phone number) or to change their passwords. Some of the products also include various agents that reside on different servers, such as those for VPNs, SharePoint, Outlook Web Access, or database servers.

Given the number of moving parts, these products are not install-and-forget kinds of deals, and we were on the phone and exchanging lots of emails with the tech support reps for each vendor. Prepare for a lot of hand-wringing efforts, reading a lot of help files and downloading reams of documentation, and calling in your internal AD or security experts for help when choosing the right configuration parameters.

This is because the products touch a wide swath of your enterprise network, and more effort is required if you connect them to your cloud-based apps too. They also come in several different forms, such as a cloud-based service, appliance or virtual machine.

SecureAuth IdP comes out on top

The products all demonstrated strong two-factor authentication capabilities, so picking a winner was very difficult. However, we felt that SecureAuth's IdP was the easiest to manage and deploy, had the lowest cost, and was the most capable. While its administrative interface can be daunting, it doesn't require installing and integrating multiple software pieces. A smartphone app was not available for our tests but is now shipping.

RSA and Vasco are two old-line token vendors that have very capable, but very costly products. A lower-cost alternative is Microsoft, but for any of these three you will need someone who is well-versed in deploying these solutions because there is a great deal of integration of different software pieces involved.

Here’s a more detailed breakdown of how we tested the products and which vendors excelled in which categories:

1. Enterprise management and value:

We looked at the administrative interface of the product to set up the various functional areas, create security policies, and synchronize with Active Directory. We also examined how a typical enterprise would handle setting up several hundred tokens and matching them to particular users, and how to revoke a token when an employee leaves a company.
