
Smartphones take center stage in two-factor authentication schemes

SecureAuth IdP wins test of 8 software-based authentication systems that deliver enterprise-level security

By David Strom, Network World
May 20, 2013 06:01 AM ET


The first time you use their system, you might forget that you have to text the code back from your phone. Once you get over this, it is very simple and easy to use.

TextPower can be used with Web servers and we had them create some sample PHP code that we added to our IIS server. It took a few minutes to install and get the second factor working.

The bad news is that while it does offer some Web protection, it can't be used for making SAML connections to Web services apps like Google Docs or Salesforce.com that don't allow you access to their inner workings. Also, unlike other products that have thousands of users and tokens out in the real world, TextPower is still mostly a demonstration project with no commercial installations. They also have some rudimentary reports that are still very much a work-in-progress.

For low-end installations that want ironclad protection on a budget, TextPower is worth looking into: the cost for a 100-token configuration is $2 per token per month or $2,400 per year, which is on the low end of our scale.

Vasco Identikey Authentication Server

Alongside RSA, Vasco is the other large player in the hardware token market. They have expanded into the soft token space and also into the federated authentication space. Unfortunately, getting all of this working takes some effort, because you have to install and configure a series of different pieces of software.

The basic authentication service is called the Identikey Authentication Server, and this handles RADIUS/Active Directory authentication of their hardware tokens. It runs on either Linux or, as we tested it, Windows servers. It installs a bunch of different services, including an Apache Tomcat Web apps server and a SQL database.

If you want SAML authentication, you will need to purchase the Identikey Federation Services and the enterprise-grade version of the Authentication Server. This version includes a bunch of different application agents or connectors that go under the Digipass brand, including the ability to secure Web servers running Microsoft's IIS. If you want soft tokens, you will have to purchase at least one Digipass module for the particular form factor, such as mobile smartphone tokens.

You will also need to review separate manuals for each of these components, and sadly some of this doesn't quite match the menus displayed onscreen. Getting tokens activated is somewhat convoluted, and we needed help from Vasco's tech support.

Vasco supports a wide collection of tokens, including smartphone apps, SMS and email messages, and of course hardware tokens. Downloading the right smartphone app will also be vexing, as they have several Digipass versions that are listed in the iTunes Store but function in different ways. Once you have your smartphone app (and if you are using the latest v4 server software), you can capture a QR code picture from your phone to authenticate your token like some of the other vendors' apps.  

There are more than 30 report templates that can be customized in a variety of ways and downloaded once they are complete. And there are numerous pre-set policies that can be customized with menus that are just as complex as SecureAuth's choices.  
