Smartphones take center stage in two-factor authentication schemes

SecureAuth IdP wins test of 8 software-based authentication systems that deliver enterprise-level security


RSA is the market leader with hardware tokens, and with this latest version of its Authentication Manager, it has caught up in the soft token space as well. The problem is the large collection of software components that are required: besides the Authentication Manager, there is also the Adaptive Federation Manager used for SAML logins, agents for Web servers (including a Microsoft Management Console snap-in), and the self-service user portal. Most have Web-based front ends. They can be installed as VMs (which is how we tested them) or run on an appliance. Authentication Manager has a very wide collection of supported applications that can be protected with a variety of soft and hard tokens for desktops and phones.

New to this version is its dashboard, which provides a consolidated view of a particular user, what tokens they have assigned, what groups they belong to, what protected resources they can access and what authentication activity they have performed in the last seven days. Navigating around the admin console is still somewhat painful, given the numerous configuration options.

Authentication Manager can be set up for some very complex token approval workflows, reflecting its hardware heritage where third-party partners supplied tokens. This can be useful if you want lost or additional token requests to be approved by administrators.

Reports are one of the weak areas of the product: while numerous, most are glorified log files, but they can be scheduled and exported in numerous formats. There are also real-time monitors of authentication and system activities.

The cost for a 100-token configuration is $15,325, and that assumes a mixture of hardware and software tokens. The base price starts at $8,500, and tokens cost $17 per year and up, depending on what form they take. This was the highest price in the review, and given the number of capable alternatives that cost a lot less, you might want to shop around if price is an issue.

SafeNet Authentication Service

SafeNet is one of the most flexible products we saw: it comes as a cloud-based service (which is what we tested), an appliance or as a collection of software for Windows Server 2008. Along with the server piece, there are numerous software agents that need to be set up for particular servers. It supports both SAML and RADIUS identity stores, including Microsoft AD, Novell eDirectory and SunOne. It works with a wide and diverse token collection, including hard tokens and soft tokens for Windows and Mac desktops and smartphones, as well as SMS messages.

SafeNet has the most extensive policies, role assignments and user groups of any of the products we tested, so you can set up different authentication levels for different individuals and groups.

As with the others that have user portals, you can automatically provision and revoke tokens for particular users without getting IT resources tied up. You can set up enrollment to happen automatically, or for users to receive activation codes via email or SMS for particular kinds of tokens.

SafeNet's reporting module is one of its strengths, providing dozens of built-in pre-formatted auditing, billing, and usage reports that can be customized and scheduled to run and export their results via email.

The cost for a 100-token configuration for just soft token licenses is $2.10 per token per month, and this increases to $2.40 per token per month for both software and hardware tokens. This is on the lower end of the scale and represents good value for the money.

SecureAuth IdP

We think SecureAuth’s two-factor solution, called IdP, is the best of the breed that we tested. You can run it as an appliance or (what we tested) as a cloud service. It has a plethora of menus and choices. IdP features some odd true/false dialog boxes that can be a bit daunting, but underneath it all it is a very capable product.

IdP supports a wide variety of tokens, hard and soft. Indeed, IdP has an interesting workflow option where you can add third, fourth and fifth factors to your logins, if your users will bear with the additional authentications. You can mix and match authentication methods too, and also have a "silent" two-factor validation check happen in the background once a user has been identified. All of this is accomplished with IdP's Web-based management console.

Users have a self-service Web-based portal where they can update their second-factor connections or even reset their Active Directory password without any IT involvement. You can set up a separate help desk Web app where you or the user can easily revoke certificates or disable tokens that have gone awry. There is no additional software to download or any agents to install, unlike some of the other products.

One thing IdP doesn't do is two-way synchronization with any of its identity stores. Although it does support a wide collection of them, including Active Directory, Novell eDirectory, SunOne and other LDAP providers, it just uses these directories to validate the user ID and pull the relevant information for the second factor process. Others in this review can do two-way updates of their directories.

Given SecureAuth's expertise with SSO and SAML, it isn't surprising that we could easily set up two-factor logins to various Web services such as Google Apps and Salesforce. What is lacking is the ability to add Web code to a server as PhoneFactor and others do. SecureAuth works around this by providing a special agent that adds SAML federation to IIS, JBoss or Tomcat servers and translates the Web login into a SAML request that IdP understands.

Reports aren't as simple to set up as some competitors' and will require some customization and configuration in the Web management console. Once created, they can be exported as well.

The cost for a 100-token configuration is $1,950 per year, the lowest-cost product reviewed. This includes all the software and support, and the per-token cost could be lower still at higher quantities. We applaud their simple pricing model. Given the price and extensive feature set, IdP should be on anyone's short list.

Symantec Validation and ID Protection Service

Symantec has been in the two-factor authentication space for quite some time, and it shows in the number of different ways that you can deploy and integrate its service. VIP has a wide selection of tokens, including desktop and smartphone apps for the majority of phones, SMS and voice-call delivery, and various hardware tokens. VIP has more than 30 integration methods for common apps, such as SharePoint and Cisco, Juniper and SonicWall VPNs, among others.

VIP is cloud-based with various software agents, which is both convenient and frustrating, as there is a lot of software to download, install and configure. You sign on to the cloud-based service and start reading multiple manuals for each component. The first stop is the VIP Enterprise Gateway, which acts as a bridge between the cloud service and your on-premises network and AD user store. It requires the 64-bit version of Windows Server 2008 R2, and you'll also need Active Directory Federation Services v2, Visual C++ 2010 SP1, and IIS v7 to make the connection between VIP and AD. While that may seem like a lot of underlying software, you probably have most of it already in-house. Once this is working, you can synchronize your users in AD with the VIP service.

VIP supports multiple access methods: you can use the AD/RADIUS connectors for applications such as VPNs, or install SOAP or JavaScript code on particular Web services. It doesn't support SAML services directly, although Symantec plans to add this later this year. Once you set up all your connectors, you run the Web-based VIP Manager console to add or remove tokens from user accounts, run reports, and see what is going on across your entire token collection.

VIP has two weaknesses: First is its reports, which are fewer than its competitors and not very customizable, although they can be exported. Second is the lack of policies for granular or group access: each user has to be set up with particular token credentials.

Three years of VIP service for 100 users is $9,500. Additional years are $1,500 per year, and volume discounts are available. These prices include an initial setup fee and some support and they are just for soft tokens: hardware tokens are extra. One downside is that Symantec charges 7 cents apiece for SMS messages and 25 cents for voice calls.

TextPower

Even though it is more of a tool kit than a product, we wanted to include TextPower in this review because of its very innovative method of handling the second-factor authentication. Most phone-based systems send a code to your phone, and you acknowledge it by copying the code into your browser.

But TextPower does this in reverse: It displays a one-time password code in the browser and asks that you text the code back to its servers from your phone. This serves two functions: first, you completely avoid any man-in-the-middle attacks because there is literally nothing in between you and the login server. Second, the system captures the originating phone number. If a hacker has somehow gotten hold of your phone and attempts an intrusion, TextPower records the text message that is received. It then analyzes the text to make sure it is coming from the phone associated with that particular user ID before access is granted.
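The reverse-direction check described above, written out as an added example (this is not TextPower's code; the enrollment table, the six-digit code format, the two-minute lifetime and the inbound-SMS callback shape are all assumptions). The server-side verifier binds each displayed code to one user, then grants access only when the carrier-reported sender number matches the phone on file for that user, and it burns the code after any single use or mismatch.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed enrollment table (assumption): user ID -> phone number on file, E.164 form.
ENROLLED = {"alice": "+15555550101", "bob": "+15555550102"}

CODE_TTL_SECONDS = 120  # assumed lifetime of a displayed code


@dataclass
class PendingLogin:
    user: str
    issued: float
    used: bool = False


class ReverseSmsVerifier:
    """Server side of the reverse-SMS second factor: issue a code, then check the text that comes back."""

    def __init__(self, enrolled, now=time.time):
        self.enrolled = enrolled
        self.now = now          # injectable clock so the flow can be tested deterministically
        self.pending = {}       # displayed code -> PendingLogin

    def start_login(self, user):
        """After the first factor succeeds, issue the code the browser will display."""
        if user not in self.enrolled:
            raise KeyError(f"unknown user {user!r}")
        while True:                                  # avoid binding two users to one live code
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in self.pending:
                break
        self.pending[code] = PendingLogin(user=user, issued=self.now())
        return code

    def receive_sms(self, sender, body):
        """Carrier-delivered inbound text. Returns (granted, reason)."""
        entry = self.pending.get(body.strip())
        if entry is None:
            return False, "unknown code"
        if entry.used:
            return False, "code already used"
        if self.now() - entry.issued > CODE_TTL_SECONDS:
            del self.pending[body.strip()]
            return False, "code expired"
        entry.used = True                            # single use: burn on success and on mismatch
        if not hmac.compare_digest(sender, self.enrolled[entry.user]):
            return False, "sender does not match enrolled phone"
        return True, f"grant {entry.user}"
```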

The first time you use the system, you might forget that you have to text the code back from your phone. Once you get over this, it is very simple and easy to use.

TextPower can be used with Web servers and we had them create some sample PHP code that we added to our IIS server. It took a few minutes to install and get the second factor working.

The bad news is that while it does offer some Web protection, it can't be used for making SAML connections to Web services such as Google Docs or Salesforce.com that don't give you access to their inner workings. Also, unlike other products that have thousands of users and tokens out in the real world, TextPower is still mostly a demonstration project with no commercial installations. Its rudimentary reports are also still very much a work in progress.

For low-end installations that want ironclad protection on a budget, TextPower is worth looking into: the cost for a 100-token configuration is $2 per token per month or $2,400 per year, which is on the low end of our scale.

Vasco Identikey Authentication Server

In addition to RSA, Vasco is the other large player in the hardware token market. They have expanded into the soft token space and also into the federated authentication space. Unfortunately, to get all of this working will take some effort at installing and configuring a series of different pieces of software.

The basic authentication service is called the Identikey Authentication Server, and it handles RADIUS/Active Directory authentication of Vasco's hardware tokens. It runs either on Linux or, as we tested it, on Windows servers. It installs a number of different services, including an Apache Tomcat Web application server and a SQL database.

If you want SAML authentication, you will need to purchase the Identikey Federation Services and the enterprise grade version of the Authentication Server. This version includes a bunch of different application agents or connectors that go under the Digipass brand, including the ability to secure Web servers running Microsoft's IIS. If you want soft tokens, you will have to purchase at least one Digipass module for the particular form factor, such as mobile smartphone tokens.

You will also need to review separate manuals for each of these components, and sadly some of this doesn't quite match the menus displayed onscreen. Getting tokens activated is somewhat convoluted, and we needed help from Vasco's tech support.

Vasco supports a wide collection of tokens, including smartphone apps, SMS and email messages, and of course hardware tokens. Downloading the right smartphone app can be vexing, as several Digipass versions are listed in the iTunes Store but function in different ways. Once you have your smartphone app (and if you are using the latest v4 server software), you can capture a QR code picture with your phone to activate your token, as some of the other vendors' apps do.

There are more than 30 report templates that can be customized in a variety of ways and downloaded once they are complete. And there are numerous pre-set policies that can be customized with menus that are just as complex as SecureAuth's choices.

In addition to the complex software collection, there is an equally complex pricing scheme. You have three grades of server software: the standard level (which doesn't include any agents), the gold level (which has a few of them along with high availability support) and the enterprise level (which includes all connectors).

The cost for a 100-token configuration, which includes a 100-user license for the enterprise version of Identikey plus maintenance, is $14,944, making it the most expensive product in the test set.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.

How we tested two-factor authentication products

We asked vendors to submit a soft-token-based identity management service that made use of the SMS-based phone network, a smartphone app, or some other mechanism other than the traditional hardware token. We tested these tokens in a variety of situations, such as logins to a VPN, a Web service, and Microsoft Windows Active Directory and Internet Information servers. Where we needed to install software, we used either a Windows XP or Windows 2008 Server machine, as well as a Windows Server 2008 instance running in Cloudshare.com's cloud-based service. We also used two AT&T cell phones, an iPhone 4S and an Android LG Optimus G, to run the various apps from each vendor.

Copyright © 2013 IDG Communications, Inc.
