Smartphones take center stage in two-factor authentication schemes
SecureAuth IdP wins test of 8 software-based authentication systems that deliver enterprise-level security
We all know that relying on a simple user ID and password combination is fraught with peril. One alternative is to use one of the single sign-on solutions we reviewed last year, but there are less expensive options that could also be easier to install.
That’s where two-factor authentication services come into play. Years ago, vendors came out with hardware-based two-factor authentication: combining a password with a token that generates a one-time code. But toting around tokens means that they can get taken, and in a large enterprise, hard tokens are a pain to manage, provision and track.
Enter the soft token, which could mean using a smartphone app, SMS text message, or telephony to provide the extra authentication step. We reviewed eight services that support up to five kinds of soft tokens: Celestix's HOTPin, Microsoft's PhoneFactor, RSA's Authentication Manager, SafeNet Authentication Service, SecureAuth's IdP, Symantec Validation and ID Protection Service (VIP), TextPower's TextKey, and Vasco's Identikey Authentication Server.
Other vendors, such as Authentify, BehavioSec, eSet, PortalGuard, TeleSign, Trustwave, and Yubico either declined to participate or didn't quite fit into the review set.
All of the products in our review offer some form of centralized management, and the ability to integrate an additional authentication step into a series of application servers, VPNs and Windows Active Directory logins.
The two-factor methods we tested harden your logins in one of three basic operational ways:
1. Those that augment traditional RADIUS or Active Directory identities to validate the user. In this scenario, the identity request is passed from AD or a VPN to the two-factor server for the additional authentication step before the user is allowed to log in to AD. In some cases, the two-factor product can synchronize its directory information back to the AD store as well.
2. Those that work as the identity provider to a Web service, such as Google Docs or Salesforce cloud apps. In this case, the request uses Security Assertion Markup Language (SAML) and trusted certificates between the app and the two-factor server for the additional authentication step. This is how Gmail and iTunes have added second-factor features to their services.
The advantage is that you don't have to touch the apps that are sitting in the cloud, and once your user completes the second factor, they are logged into the Web service directly. The downside is that not every Web service provider supports SAML, and some of the vendors we reviewed don't support it either. RSA and Vasco require separate products to provide SAML authentication.
3. Logins to a Web server itself, using additional code in the login pages, such as SOAP calls, Perl or JavaScript. This code makes the connection between the server and the two-factor vendor's services. This could be relatively simple, especially for on-premises Web apps where you can adjust the pages quickly.
Vasco, SafeNet and PhoneFactor were the only vendors we reviewed that can cover all three operational methods.
All of the products we tested use out-of-band conversations to authenticate the second factor. When your phone is registered and you log in to your account, you are sent an SMS message, asked to examine your phone's soft token app, or sent an email with the secret code. The number you see on your phone, or whatever you then type into your browser, is how you authenticate yourself. This makes it difficult, but not completely impossible, to compromise the login process, even if a piece of malware has stolen your user name and password.
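The server-side half of that out-of-band step, as an added Python example that is not code from any of the reviewed products: a short-lived, single-use code is handed to a delivery channel (the `deliver` callable stands in for an SMS gateway, mail server or app push, and is an assumption of this example), then checked with a constant-time compare, an expiry and an attempt limit so a stolen password alone is not enough.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # what a user can comfortably retype from a phone
CODE_TTL_SECONDS = 120   # code dies quickly if the SMS/email is intercepted later
MAX_ATTEMPTS = 3         # stops online guessing of a 6-digit code


class OutOfBandOTP:
    """Issue a one-time code over a second channel and verify it once."""

    def __init__(self, deliver, clock=time.time):
        # deliver(user, code): hypothetical hook for SMS, email or app push.
        self._deliver = deliver
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        """Generate a fresh code with a CSPRNG and send it out of band."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._deliver(user, code)    # the code never goes back over the login channel

    def verify(self, user, submitted):
        """True only for the live, unexpired code; every outcome is single-shot."""
        entry = self._pending.get(user)
        if entry is None:
            return False             # nothing issued, or already consumed
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]  # expired: user must request a new code
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[user]  # single use: replaying the SMS fails
            return True
        entry[2] -= 1                # wrong guess burns an attempt
        if entry[2] <= 0:
            del self._pending[user]  # locked out until a new code is issued
        return False
```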
Finally, each product consists of at least two different components. First is a server with either a Windows or Web front end, or a cloud-based service, that runs the identity management, sets up your various security policies, and connects the tokens with the user directory stores.
Next is the Web service that users interact with if they need to add a new factor to their identities (such as a new cell phone number) or to change their passwords. Some of the products also include various agents that reside on different servers such as for VPNs, Sharepoint, Outlook Web Access, or database servers.
Given the number of moving parts, these products are not install-and-forget kinds of deals, and we were on the phone and exchanging lots of emails with the tech support reps for each vendor. Prepare to spend a lot of effort reading help files and downloading reams of documentation, and to call in your internal AD or security experts for help when choosing the right configuration parameters.
This is because the products touch a wide swath of your enterprise network, and more effort is required if you connect them to your cloud-based apps too. They also come in several different forms, such as a cloud-based service, appliance or virtual machine.
SecureAuth IdP comes out on top
The products all demonstrated strong two-factor authentication capabilities, so picking a winner was very difficult. However, we felt that SecureAuth's IdP was the easiest to manage and deploy, had the lowest cost, and was the most capable. While its administrative interface can be daunting, it doesn't require installing and integrating multiple software pieces. A smartphone app was not available for our tests but is now shipping.
RSA and Vasco are two old-line token vendors that have very capable, but very costly products. A lower-cost alternative is Microsoft, but for any of these three you will need someone who is well-versed in deploying these solutions because there is a great deal of integration of different software pieces involved.
Here’s a more detailed breakdown of how we tested the products and which vendors excelled in which categories:
1. Enterprise management and value:
We looked at the administrative interface of the product to set up the various functional areas, create security policies, and synchronize with Active Directory. We also examined how a typical enterprise would handle setting up several hundred tokens and matching them to particular users, and how to revoke a token when an employee leaves a company.
SecureAuth, SafeNet and Microsoft had the best value for the number of features offered.
2. How apps are secured:
We tested each product to harden a sample Web app running on a Microsoft IIS server along with connecting to SaaS-based services such as Google Docs and Salesforce.com. We also looked at how many specific apps can be connected to the two-factor product and what kind of documentation is available to configure and debug these installations.
RSA, SecureAuth and Symantec were the most capable here.
3. What is the end user experience?
We looked at how the second factor comes into play during the user login process, and how cumbersome or easy it is to enter. With some products, such as Symantec and SecureAuth, you can set up multiple token types and then choose at login time whichever one is most convenient. We also looked at the procedures involved in bypassing the token if it isn't working. Finally, we wanted to know if the product could scale. With the exception of TextPower, most were quite scalable.
4. Reporting and monitoring:
We examined the various reports available and what happens when something goes wrong and how IT managers are notified. Some products can export or schedule reports as well.
Microsoft, Vasco and Celestix had the best reports.
5. Pricing and free trials:
RSA and then Vasco were the most expensive and SecureAuth the least. While most vendors only charge a couple of bucks per month per token, with a large installation this can add up. There are quantity discounts, multi-year price breaks, and 24x7 support fees. Each vendor has different ways to calculate prices: some charge on a per-token basis, some on a per-user or per-server basis, and some have prices for added components.
Celestix, PhoneFactor, SafeNet and Symantec all make it very easy to start a free trial of their services with sign-up forms on their respective websites.
Here are the individual reviews:
If you are looking to protect your Microsoft infrastructure, Celestix HOTPin supports Microsoft Forefront Unified Access Gateway for Microsoft's VPN, Web, and Outlook/Exchange technologies.
HOTPin comes as a pre-installed hardware appliance or it can be installed on Windows Server 2008 R2, which is how we tested it. The first time we installed the software it didn't finish and had to be re-installed. We also had some trouble connecting it to our Active Directory store, but once we did it automatically synchronized our users between AD and itself. There is a separate Web interface to handle the configuration, reporting and management tasks, in addition to the Windows-based server and Web-based self-service user portal components.
HOTPin supports a wide variety of soft tokens, including smartphone apps, email and SMS messages, plus hardware tokens. It is primarily a RADIUS-based device, meaning that if you are using it as a second factor for your VPN login, it shouldn't take too long to get it set up, and there are documents on how to set up the leading VPNs and firewalls from Cisco, SonicWall, and several others.
However, it doesn't currently support any non-Microsoft Web or SAML apps, which is a big drawback if you are trying to use a second factor for that purpose. It also comes with a nifty QR code generator, so you can point your phone at the screen to capture the code and quickly install the app on your phone.
There are numerous reports including authentication events and error events that can be customized and exported, too.
The cost for a 100-token configuration is $5,995, with 24x7 support extra. One nice feature is that this price includes an unlimited supply of tokens for each user. Celestix also offers two evaluation licenses: one for 100 users for 30 days, and one for 25 users valid for the entire year.
PhoneFactor was one of the first to provide ordinary outbound voice calls as the second authentication factor: after you log in to a server that has been enabled with the software, it calls your phone number and asks you to press the # key to verify who you are. You can also have the server send an SMS text message or a notification to a smartphone app.
The company was purchased last year by Microsoft, and the product requires deep knowledge of various Microsoft services and applications to set up. It comes with a Windows agent along with Web-based management service and user portal pieces. The agent runs on any Windows client or server from XP onwards; we tested it on a variety of machines. Other than the requirement that the machine run .NET Framework v2 or v3, it installed quickly.
But to really exploit its features, you will want to connect it to Active Directory, Microsoft's IIS and Terminal Services, and the Web services that you want to add extra authentication protection to. While there are wizards to help you set things up, you will still need to spend some time with dozens of configuration parameters that span the agent's menus along with entering parameters on the management Web portal.
PhoneFactor has an Active Directory synchronization service that will cross-pollinate its users with what is on AD, but chances are you don't have your users' mobile phone numbers entered into your AD store: you will need to have each of them self-register on the Web-based user portal to set this up. To set up a SAML link to a Web service, you use the Windows agent and swap site certificates to enable the trust relationship, or add code to your Web pages, making this one of the few products that can handle all three operational methods.
Debugging the Windows agent is excruciating: there are text configuration files to edit, check boxes to uncheck, and dozens of parameters that could trip you up spread across multiple menu screens. We came across one error in our configuration that took some help from PhoneFactor tech support: we would have never figured it out on our own.
To delete users you need to use the Web-based management portal. This is also where you will find the various built-in reports. These can be downloaded or you can set up more than a dozen different usage reports to run automatically and be delivered on a schedule via email, a nice touch. Adding users can be done with the self-service user portal. Both of these portals are easy to use.
Overall, we think this is fine for Windows-only shops, and the variety of second factor methods is impressive. But for other purposes, this might not be your first choice. The cost for a 100-token configuration ranges from $15 to $25 per token per year, depending on the length of the total contract. This includes daytime business support hours.