Multifactor authentication: A buyer's guide to MFA products
A collection of articles that takes you from defining technology needs to purchasing options
Multifactor authentication products can provide significant benefits to an enterprise, but the technology is complex and the tools themselves can vary greatly from vendor to vendor.
It's helpful to examine sample use cases for specific tools to show how a vendor's product can meet the multifactor authentication needs and requirements of an enterprise. Here is a comparison of four of the leading products in the MFA space: EMC RSA Authentication Manager, which is part of its SecurID technology; Symantec Verisign VIP; CA Strong Authentication; and Vasco Identikey Digipass (NOTE: The author has a consulting relationship with VASCO).
All four are solid MFA tools that have been around for years and can handle a wide variety of situations, token types and applications; and all come in both cloud and on-premises versions, although there are some differences in labeling and packaging.
CA has two separate MFA products with different names (the cloud service is called Secure Cloud, the Windows version Strong Authentication); RSA is just for on-premises purposes, although several of their partners have virtual machine-managed hosted versions; and Symantec is sold only as a cloud-based service, although it has add-on agents that must be installed on-premises for connecting to particular local resources.
None of the four major MFA products delivers all three authentication uses -- Active Directory, Web services verification and Web server augmentation -- together in a single product; instead, each requires add-on modules for either its SAML or its Active Directory support (see table below). For example, RSA's Authentication Manager works with its Adaptive Federation Manager product to provide SAML Web services integration, and Symantec VIP requires the company's VIP Enterprise Gateway to integrate with Active Directory.
This is typical of the MFA product space, and is why it's so important to understand which applications -- and under which circumstances -- an organization may want to deploy additional factors.
Speaking of add-ons, before selecting an MFA solution based on its application support, it's important to understand how that support is delivered. All four of the top multifactor authentication vendors' products contain multiple server software components or agents that need to be installed to strengthen logins of such things as Outlook or SharePoint servers, for example (see the third column in the table below).
SSO or MFA: Which authentication method is better?
By David Strom
As you decide on an MFA product, you should also consider whether or not to look at single sign-on (SSO) tools instead. SSO isn't a new concept: products have been around for more than a decade and, as with MFA, there are dozens of vendors in that space, too.
What is happening, though, is that SSO vendors are becoming more cloud-oriented and branching out into the MFA space with support for a variety of tokens and access methods. SecureAuth and Ping Identity are products typical of this genre. Why would an enterprise use SSO rather than a pure-play MFA tool? Here are a few reasons:
First, if a company uses a lot of cloud-based services, it may want a better mechanism for users to connect to them. If provisioned correctly, an SSO tool can sign on to these services automatically, all without users having to remember their passwords (and with very strong passwords to boot).
Many of the more popular cloud services support SAML v2.0 standards, which is what most SSO tools use to create their connection. If an enterprise's set of services doesn't yet support SAML, then the organization probably won't be happy with either SSO or MFA tools.
However, if most of a company's apps are inside its data center, then it will probably want to make use of multifactor authentication tools that offer dedicated hardware or software appliances that can be deployed to protect these resources.
Second, if companies are less concerned about the additional authentication factors than about overall identity preservation and integrity, then SSO may be a better option. However, if an organization has one or two internal apps that it must protect with the multiple factors, then it will probably be better off going the MFA route.
While this agent-based, modular approach helps widen the products' reach, it also increases the complexity of installation and operation, since there are multiple pieces to configure and keep track of. And, like Symantec VIP, some of the other multifactor authentication vendors' products have both cloud and on-premises pieces that need to work together to authenticate users to both kinds of servers and services. In addition, enterprises may want to consider a single sign-on product instead of an MFA product in certain circumstances (see sidebar on SSO versus MFA for more on how to make this decision).
Part of the evaluation process with MFA products is observing what happens as you go about the normal day-to-day activities of these tools: registering new tokens and new users, setting up protection for a new application, modifying security policies, and figuring out why a user is in distress and can't log in to corporate applications.
For example, enterprises can add additional authentication factor steps at various places in the login dialogs with both products. With the others, there are more limitations, or users are taken to a self-service portal where they can set up their multifactor authentication particulars.
All four of these products include lots of different reports and various format export options.
RSA's and CA's reporting is probably the weakest, with both on the level of glorified log files compared to the others' more robust reporting tools. This could be an issue for occasional users who might not have the time to search through the log files.
MFA tools and the rise of risk-based authentication
By David Strom
The top multifactor vendors are adding the ability to strengthen their authentication methods with a relatively new mechanism that is variously called risk-based authentication (RBA), context-aware or adaptive access controls. This mechanism allows their customers to screen login requests and score them based on particular behavioral circumstances before a customer enters the corporate network.
How does RBA work?
Access to a particular business application goes through a series of trust hurdles, with riskier situations requiring more security, though users don't necessarily know their logins are being vetted more carefully. Moreover, this all happens in real time, just like the typical multifactor methods. This is similar to how many of the next-generation firewalls operate, with their own risk scoring of internal network packet behavior.
Risk-based authentication uses elements such as:
• Role-based: Is the user a member of a privileged class, such as network administrators or account supervisors? If so, they need to pass a more stringent authentication dialog.
• Location-based: Either by detecting the physical endpoint or specific geographic location. For example, if the user logged in ten minutes ago from Canada, and is now trying to log in from China, it's definitely considered a higher-risk transaction. Other attributes can figure into the overall risk score, too.
• Activity-based: For example, large-value account transfers have a higher risk associated than just a balance inquiry.
• Changes in usual transaction patterns: If a user is doing something that doesn't match his or her purchase history, then that becomes a riskier transaction, and authentication requests and logins are challenged with additional authentication measures. Challenging unusual spending patterns creates a barrier that a hacker or fraudster can't easily circumvent, without doing the customer the disservice of demanding such authentication in a blanket manner.
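As an added example, not code from the article or from any of the vendors it reviews, here is a small Python scorer that combines the four signal types listed above (role, location, activity and transaction pattern) into a risk score and decides when to demand a second factor; the weights, threshold, role names and sample login history are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

PRIVILEGED_ROLES = {"network-admin", "account-supervisor"}  # assumed role names
STEP_UP_THRESHOLD = 50  # a score at or above this demands an extra factor (assumed)

@dataclass
class LoginAttempt:
    user: str
    roles: Set[str]
    country: str
    when: datetime
    action: str            # e.g. "balance-inquiry" or "transfer"
    amount: float = 0.0

@dataclass
class UserHistory:
    last_country: Optional[str] = None
    last_login: Optional[datetime] = None
    usual_max_amount: float = 0.0   # largest amount seen in this user's normal activity

def score_login(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Weights are illustrative, not any vendor's."""
    hits: List[Tuple[int, str]] = []
    # Role-based: privileged users always get the more stringent dialog.
    if attempt.roles & PRIVILEGED_ROLES:
        hits.append((50, "privileged role"))
    # Location-based: new country since the last login; impossible travel if too soon.
    if history.last_country and attempt.country != history.last_country:
        hits.append((20, "new country"))
        if history.last_login and attempt.when - history.last_login < timedelta(hours=2):
            hits.append((40, "impossible travel"))
    # Activity-based: a large transfer carries more risk than a balance inquiry.
    if attempt.action == "transfer" and attempt.amount >= 10_000:
        hits.append((30, "large transfer"))
    # Pattern-based: an amount far outside what this user normally does.
    if attempt.amount > 3 * history.usual_max_amount > 0:
        hits.append((25, "unusual amount"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def requires_step_up(attempt: LoginAttempt, history: UserHistory) -> bool:
    return score_login(attempt, history)[0] >= STEP_UP_THRESHOLD

# Constructed sample: logged in from Canada, then a login from China ten minutes later.
HISTORY = UserHistory("CA", datetime(2015, 6, 1, 9, 0), usual_max_amount=500.0)
CHINA_LOGIN = LoginAttempt("alice", set(), "CN", datetime(2015, 6, 1, 9, 10), "balance-inquiry")

if __name__ == "__main__":
    print(score_login(CHINA_LOGIN, HISTORY), requires_step_up(CHINA_LOGIN, HISTORY))
```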
Pricing can get complicated when RBA mechanisms are added to the MFA equation, however. As an example, with Symantec's VIP multifactor authentication product, RBA adds an extra charge of $3 per user per month to the price tag. This makes calculating the ultimate price tag that much more complex.
Symantec VIP, on the other hand, offers a variety of reports -- including user, credential and audit reports -- and interactive graphics on its home page dashboard. VASCO, for its part, has more than 35 different reports across a wide variety of topics.
All of the leading MFA products, however, offer the ability to schedule particular reports and have real-time monitoring of alerts and other activities.
As more users make use of their mobile devices for more of their computing needs, the MFA vendors have to support logins from mobiles and Web-based applications. Enterprises may also want a way to store multiple factors on users' phones and tablets so they don't have to carry around (and the company doesn't have to deploy and support) traditional hardware-based key fob tokens.
Each of these four products supports the basic four mobile operating systems: Windows Phone, Apple iOS, Android and BlackBerry. This is true for most of the multifactor authentication vendors these days, so it shouldn't be an issue unless there are some aging phone OS versions or an odd Android handset in the mobile fleet that isn't covered by the chosen vendor.
Be sure to check the fine print for the particular OS versions supported when investigating MFA products.
Multiple token support
RSA, Symantec and VASCO are tops when it comes to tokens: Each product has a wide collection of hardware and software tokens that can be deployed as additional authentication factors. This gives them the most flexibility in terms of securing particular logins and services that can meet just about any situation.
Meanwhile, some of the products, such as VASCO's and Symantec's, offer desktop software in addition to their mobile apps to run the one-time password generators. While this is a nice-to-have feature, unless most of a business' users work exclusively on their desktops, this is probably not a reason to choose either of those products over other MFA products.
One nice feature of Symantec VIP, when compared to other products, is its ability to push one-time passwords to mobile devices.
Lastly, before selecting tokens, read the sidebar on risk-based authentication (see above) to see if that relatively new -- and complementary -- authentication mechanism is something that could be included in the MFA package.
RSA, CA, Ping Identity, Dell, SafeNet and VASCO are all MFA vendors that are members of the FIDO Alliance. That's great, but in this particular case, membership doesn't mean all that much, at least not yet.
The promise of FIDO is to consolidate authentications across a wide swath of Web-based resources, and remove the need to store the digital identity on any one particular site. It is still more of a promise than a reality, however.
So, for example, none of the four major multifactor authentication vendors actually deliver support for FIDO in their products yet, while other authentication vendors, such as Nok Nok Labs, have released FIDO-ready products.
If this is of interest, then start with them or one of the other FIDO-ready vendors already out there.
Any of these four products would do a solid job in providing MFA protection. All of them support mobile token methods, have somewhat flexible authentication methods, and some are even rising to the challenge with moving into risk-based methods, too.
Their differences are more a matter of packaging, pricing and whether an organization's staff can understand and act on the various reports that each produces, which is more a matter of style than substance. Certainly, these four should be in the starting lineup for any request for proposals or pilot projects.
Read David Strom’s reviews of the latest multifactor authentication methods:
Symantec’s Validation and ID Protection (VIP) Service
Vasco’s IDENTIKEY Server v3.6
SecureAuth IdP v8.0
CA Strong Authentication
SafeNet Authentication Service
EMC RSA Authentication Manager and SecurID