Multifactor authentication: A buyer's guide to MFA products
A collection of articles that takes you from defining technology needs to purchasing options
RSA Authentication Manager from RSA Security is a multifactor authentication software tool that adds security measures (via smartphones and biometrics) to standard username and password logins for a number of services and servers. By doing so, it prevents unauthorized logins, even when passwords have been compromised and are shared among many different services.
Like a number of other multifactor authentication (MFA) products, RSA Authentication Manager is especially suitable for those organizations that want to make use of a variety of external software-as-a-service products, such as Google Drive, Salesforce and Outlook Web App.
There are a number of authentication methods available, such as risk-based authentication, two-factor authentication, on-demand text messaging and tokens. SecurID is the token side of RSA Authentication Manager, and it handles the configuration of the individual tokens. RSA provides both SecurID hardware and software tokens. Given the wide range of authentication methods and token types supported, IT managers will want to spend some time with this tool to understand how it works.
RSA Authentication Manager pricing and licensing
RSA offers two different licenses for Authentication Manager: base and enterprise. A base license supports one replica of the primary user data store, while the enterprise license supports up to 15 different replicas for better load balancing and backup purposes.
The retail price is nearly ten times as expensive as the least-pricey MFA products, such as CA's Strong Authentication. This includes a perpetual software license and an annual fee for the software tokens. The quoted price in the table below doesn't include an annual maintenance contract. Additional tokens cost $17 per user, per year. RSA sells Authentication Manager primarily through more than 500 channel partners worldwide, and not directly.
Authentication Manager administration and management
In addition to the various ways the software can be licensed, there are many basic pieces to RSA multifactor authentication:
- Authentication Manager, which is the server side providing the authentication management tasks and the self-service user portal.
- Adaptive Federation Manager, used for Security Assertion Markup Language (SAML) logins.
- Various agents for web servers (including a Microsoft Management Console snap-in).
- SecurID, which handles token management.
RSA SecurID is a widely adopted MFA tool because it has been around the longest, has a large number of supported applications that can be secured with its multiple factors (see table above) and has the largest market share of hardware tokens, with over 25,000 deployments and more than 55 million tokens in service.
Most of these products have web-based management front ends, which is nice, but they also use various user interfaces, which is not. RSA customers can buy these multifactor authentication servers as virtual machines or as hardware-based appliances.
RSA offers SecurID Appliance 130 and Appliance 250, as well as rack-mountable hardware that validates users' identities, along with SecurID authenticators. RSA Authentication Manager is preloaded onto these units.
Authentication Manager also has an administrative dashboard, which provides a consolidated view of a particular user: what tokens they have been assigned, what groups they belong to, what protected resources they can access and what authentication activity they have performed in the last seven days. However, navigating around the admin console is somewhat painful given the numerous configuration options and menu branches. An admin can easily get lost if he or she isn't familiar with the workflows.
RSA Authentication Manager can be set up for some very complex token approval workflows, reflecting its long-standing support for a wide collection of various types of hardware tokens from third-party partners. This can be useful if a company wants lost or additional token requests to be approved by administrators. There is also a self-service web portal that end users can use for common token management tasks, such as the ability to reset PINs or move from hardware to software-based tokens.
Another good feature: Because of Authentication Manager's popularity, there are numerous managed service providers who offer hosted versions of the software. This makes for a very powerful ecosystem to support RSA's multifactor authentication product.
Authentication Manager reporting
Reporting is one of the weak areas in Authentication Manager. While there are more than 30 different types of reports, most are glorified log files. These reports can be scheduled and exported in numerous formats, however, which is a plus.
There are also real-time monitors for authentication and system activities.
Authentication Manager application support
RSA Authentication Manager supports a wide variety of applications and use cases, including VPNs, Outlook Web App, Salesforce, SharePoint, Microsoft Internet Information Services and others. With the RSA Ready Partner Program, users can find more than 400 application partnerships with leading industry vendors, so RSA can support nearly any technology in place today. The RSA Ready Partner Program allows partners to test interoperability between RSA SecurID (and other RSA software) and their applications.
There is also a web agent, which can sit on a web server and direct authentication requests to the RSA Authentication Manager server. This expands an organization's ability to authenticate home-grown applications that aren't explicitly supported via other methods.
RSA's MFA product has been around a long time and offers a wide variety of token types, supported applications and workflow and use methods. This is still a solid, albeit somewhat pricey option for handling multifactor authentication.