BACKGROUND IMAGE: mattjeacock/iStock

Buyer's Handbook:

Multifactor authentication methods, use cases and products

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Explore multifactor authentication products in-depth

Discover some of the best multifactor authentication products currently on the market based on target industry and main features to help you make a final buying decision.

Multifactor authentication requires users to provide multiple methods of identification beyond the simple username and password to confirm their identities to then gain access to corporate networks and applications, as well as to perform online transactions.

Because so many vendors offer multifactor authentication (MFA) products and services, choosing the right one can be overwhelming. Here is a list of multifactor authentication products on the market to help get enterprises started. 

AuthPoint

AuthPoint is a cloud-based MFA tool from WatchGuard Technologies Inc. aimed at small to midsize businesses.

Deploying and managing WatchGuard's AuthPoint is possible from any location, without the need for expensive hardware. The service relies on WatchGuard’s AuthPoint app to simplify user authentication.

The company collaborates with many third parties to develop integrations for stronger security, easier deployments and better interoperability in companies' IT environments, enabling customers to use MFA to protect access to their networks, VPNs and cloud applications.

The features of AuthPoint include:

  • AuthPoint Mobile App: Enables users to view and manage any login attempts using push notifications, one-time passwords or QR code entries for users who are offline. A company press release claims, "The app is equipped to store third-party authenticators such as Google Authenticator, Facebook access and Dropbox."
  • Mobile device DNA: Distinguishes cloned login attempts from legitimate ones. "The AuthPoint app creates personalized 'DNA' signatures for users' devices and adds them to the authentication calculation," the same press release claims. Consequently, AuthPoint will reject authentication messages not originating from a legitimate user's phone.
  • Cloud-based management: Enables companies to save money on deployment and management, as it doesn't require on-premises equipment. Also offers an intuitive interface so businesses can view reports and alerts, as well as configure and manage deployments.
  • Supports the Security Assertion Markup Language (SAML) standard: Allows users to log on once to access a full range of applications and services.

Editor's note

Using extensive research into the MFA market, TechTarget editors focused on the vendors that lead in market share, plus those that offer traditional and advanced functionality. Our research included data from TechTarget surveys, as well as reports from other respected research firms, including Gartner and Forrester.

CA Strong Authentication

CA Strong Authentication, from CA Inc., is a multifactor authentication product that adds support for additional credentials -- including using biometrics and smartphones -- to standard username/password logins for a variety of servers and services, including Active DirectorySalesforce and the Outlook web app. The product helps enterprises deploy and manage a number of authentication methods, including passwords, knowledge-based authentication, as well as two-factor software tokens and hardware credentials.

CA Strong Authentication also provides out-of-band authentication methods, such as SMS, email or voice delivery of one-time passwords. In addition to supporting two-factor authentication with VPNs, CA Strong Authentication can protect access and transactions from PCs, laptops, tablets and mobile phones.

One drawback of using CA Strong Authentication is having to manage and coordinate multiple pieces. That can be a plus for users that don't need multiple components however, because they don't have to pay extra for them.

The capabilities of CA Strong Authentication include the following:

  • it supports a wide variety of credentials, including passwords, knowledge-based authentication methods, two-factor software and hardware tokens;
  • it eliminates the risk of stolen password files because it never stores passwords;
  • it adapts workstations, smartphones or tablets into a second-factor token;
  • it offers a wide variety of integration options, such as integration with SAML, APIs and Remote Authentication Dial-In User Service (RADIUS);
  • it shields users without corrupting an organization's web applications or network performance; and
  • it's available as a cloud service, managed services provider-hosted service or on premises, according to a company brochure.

Interoute MFA

Interoute MFA, a cloud-based service from Interoute Communications Ltd., enables organizations to replace user-generated passwords with one-time codes generated by hardware or software-based tokens. This software offers strong authentication to help enterprises protect assets, validate authorized users and ensure regulatory compliance.

Interoute provides management services via a secure VPN access service that has firewalls at each end, ensuring a separate connection for each client. The company also offers a flexible approach, allowing customers to purchase some or all of the services covered by its multifactor authentication tool.

The features of Interoute MFA include:

  • Software-based tokens: Installed on users' computers or mobile devices. Hardware tokens are available if required.
  • Universal usage: Supports a wide range of operating systems and users can run it on PCs, laptops, tablets or phones.
  • Self-service portal: Organizations retain control over user admin account to take actions such as token re-synchronization and PIN changes.
  • Easy integration: Integrates with a wide range of integration products, including RADIUS, SAML, APIs and agents.
  • Reporting: Makes token usage logs and any authentication events available via companies' web portals.
  • Comprehensive security options: According to the website, "Complements access via IPsec or SSL [Secure Sockets Layer] and also offers standalone services for enterprises' specific needs, such as web servers or access to cloud services."

Okta Adaptive Multi-Factor Authentication

Okta Inc. Adaptive Multi-Factor Authentication enables organizations to provide employees and customers with a secure way to access the tools they need.

Okta Adaptive MFA features risk-based authentication that uses contextual access policies. Based on a user's location, IP address or device, Okta Adaptive multifactor authentication products can provide the right step-up authentication factor to provide the user with secure access. Administrators can define the types of factors users need for access based on their role in the company.

The Okta Adaptive MFA product supports push-based and soft token authentication. Through a partnership with Yubico, users also have the option of hard token authentication with YubiKeys. Some users say it can be relatively pricey when adding features.

The features of Okta Adaptive Multi-Factor Authentication include:

  • Secure authentication for all environments: Protects identity and access to data wherever users go and wherever the data lives. Supports on-premises need for VPN, Remote Desktop Protocol (RDP) and Secure Socket Shell. Okta also covers hybrid environments and mobile users, which ensures access to apps and data is always secure.
  • Authenticate without a password: Enables user authentication using factors other than a password.
  • Seamless enrollment: Self-service multifactor authentication enrollment during initial login.
  • Flexible authentication: Choose from a variety of end-user experiences, including one-click authentication.
  • Simple reporting and auditing: Provides detailed authentication logs that include information such as login attempts and with preset reports for audits.
  • One-time passwords: Supports Okta Verify and Okta Verify with Push, as well as third-party tools, such as Google Authenticator and Duo.
  • Integration: Integrates with thousands of web apps via standards-based protocols and centrally enforces MFA across them. Okta's RADIUS Server Agent extends MFA to even more devices.

OneSpan Authentication Server -- formerly Vasco Identikey Authentication Server

OneSpan Inc. Authentication Server is a comprehensive, centralized and flexible authentication platform that aims to deliver complete authentication lifecycle management in a single integrated system.

OpenSpan's multifactor authentication products enable users to securely access corporate resources and applications, including SSL VPNs and cloud-based apps. OneSpan Authentication Server supports all of a company's authentication and signature tools and simplifies authentication management for users and administrators.

Any organization can utilize OneSpan Authentication Server, including its banking and financial services, if the company wants to centralize and simplify the way it manages its authentication processes for employees, partners and customers.

The features of OneSpan Authentication Server include:

  • Strong two-factor authentication: Combines OneSpan Authentication Server and the Digipass software authenticator to provide strong user authentication, enabling better security compared to reusable static passwords.
  • Authenticates transaction signatures: Meets the need for e-signatures in commercial and banking applications by offering strong authentication and validation of transaction signatures.
  • Remote and local access to employee applications: Offers secure authentication for remote access and to web-based application login.
  • Auditing and reporting: The audit console monitors incoming and outgoing events on the OneSpan Authentication Server. The audit console also gathers statistics that provide key details necessary to manage a remote access environment effectively. XML or HTML-formatted reporting is provided for help desk troubleshooting, system and security auditing, and accounting purposes.
  • Wide range of supported databases: Supports a wide range of open database, connectivity-compliant databases for data storage and ships standard with PostgreSQL. The Digipass-related data can be stored with the user's info in the Active Directory.

PingID

PingID is a multifactor authentication tool from Ping Identity Corp. delivered through the PingOne platform. PingID provides multifactor authentication for cloud-based applications, on-premises applications, VPNs, Windows Server, and RDP and Secure Shell. PingOne also hosts an admin console that manages the software via the PingID service.

As a cloud service, PingID reduces the hardware burden on administrators and users and integrates with a number of strong third-party authentication providers.

Ping ID balances secure access to applications with ease of use for the end user. It helps customers define and enforce authentication policies specifically for the needs of the business. With PingID, enterprises can apply multifactor authentication to specific applications or based on the group membership of certain users.

Some features of PingID include:

  • Numerous authentication methods and devices on the go: Mobile push authentication methods, such as tap, swipe, fingerprint and facial recognition, as well as SMS one-time passcodes (OTPs), are available on corporate-owned or personal mobile devices. If users don't have their mobile devices, they can still sign on securely using other alternative second factors, including voice and email OTPs, PIN-protected desktop applications, YubiKeys, Apple Watches and Nymi Bands.
  • Seamless security: PingID integrates with Azure Activity Directory and Active Directory Federation Services to provide seamless security for a wide range of Microsoft- and non-Microsoft-based applications and services.
  • Advanced MFA functionality: The PingID mobile software development kit enables customers to embed advanced MFA functionality directly into their iOS or Android mobile apps. With push notifications from a company's app, customers can approve high-value transactions and web authentication.

RSA Authentication Manager

RSA Authentication Manager, from RSA Security LLC, is the platform behind the RSA SecurID security token product. RSA Authentication Manager offers multifactor authentication as a virtual or hardware appliance. An enterprise can also mix and match within the same implementation.

The software enables RSA SecurID administrators to centrally manage authentication methods, user profiles, applications and agents across multiple physical sites. RSA Authentication Manager also verifies authentication requests and centrally administers enterprises' authentication policies for their end users.

The self-service console aims to address the most time-consuming and expensive tasks associated with managing an enterprise authentication tool -- i.e., users can change their own PIN codes, request replacement tokens, request emergency access and troubleshoot issues without directly contacting the help desk.

Reporting is one of the weak areas in RSA Authentication Manger. While there are more than 30 different types of reports, most are glorified log files. Users can schedule or export these reports in numerous formats, however, which is a plus.

The features of RSA Authentication Manager include:

  • Real-time risk engine: The RSA Risk Engine, which is built into RSA Authentication Manager, enables risk-based authentication by calculating risk level in real time based on information about users' devices and their usual login patterns.
  • Interoperability: Organizations can take advantage of over 400 fully supported technology integrations free of charge. RSA and over 200 certified technology partners jointly test these integrations.
  • Deployment options: RSA Authentication Manager Server can be deployed in Amazon Web Services, so organizations can move their RSA Authentication Manager infrastructures to the cloud. The most common operating platforms also support RSA Authentication Manager, as well as VMware, Microsoft virtual environments and hardware appliances with preloaded software.
  • Flexibility: RSA Authentication Manager is available as a virtual appliance or a hardware appliance.

SecureAuth IdP

SecureAuth IdP from SecureAuth offers more than 25 authentication methods, including SMS, phone, email one-time passcodes, push notifications, USB keys and push to accept. The tool only forces a multifactor authentication step if it identifies risk.

SecureAuth IdP is available for single sign-on, as well as for multifactor authentication. A cloud-based tool, SecureAuth IdP is appropriate for medium and large enterprises that use a range of SaaS-based services.

SecureAuth IdP adds additional security measures to standard username/password logins to a variety of servers and services. This prevents unauthorized logins, even when many different services can compromise or share user passwords.

One drawback to SecureAuth IdP is that the reports are harder to set up than those of its competitors, necessitating some customization on its web portal. However, once the company creates the reports, they can be exported into a CSV format.

The features of SecureAuth IdP include:

  • Customize authentication workflows: Enables users to develop different workflows in-house for a particular user, group of users or specific applications. Organizations can also customize the authentication workflow to specific risks.
  • Eliminate passwords from authentication: Enables authentication without passwords using fingerprints, layered risk checks and a convenient push-to-accept MFA method.
  • Reduce IT workload with user self-service: Enables users to securely reset their own passwords and unlock their own accounts at any time without assistance from the help desk. Users can also self-enroll for initial multifactor authentication.
  • Directory integrations: Integrates with various types of directories. including Lightweight Directory Access Protocol, SQL, Oracle, ASP.NET and other data stores.

SecurAccess MFA

SecurAccess MFA from SecurEnvoy Ltd. offers token-free multifactor authentication for VPN, SSL, Remote Desktop, Wi-Fi, web portal and laptop encryption. SecurAccess is available for implementation for on-premises, as part of a managed service or in the cloud. Small, medium and enterprise organizations across every vertical can utilize the software.

SecurAccess offers users a range of authentication options, including biometric fingerprint login, push notifications, SMS, smartphone apps, tablet apps, laptop apps and even QR codes. SecurAccess offers support for YubiKey when users can't use soft token authentication methods via their PCs, Macs or mobile devices.

SecurAccess multifactor authentication products integrate with Microsoft's Active Directory and enable an enterprise to reuse its existing authentication database infrastructure, avoiding the need to redesign, deploy, back up and manage a secondary user database.

The features of SecurAccess MFA include:

  • Sharing passcodes sharing via secure email.
  • Soft token apps for every device.
  • Real-time SMS passcodes for on-demand and session lock.
  • Preloaded, one-time passcodes.
  • Reusable passcodes that can change every day or every few days;
  • All security methods available for online or offline authentication.
  • Native support for wearables.
  • Offers simple-to-follow integration guides for VPNs, cloud apps and on-premise apps so organizations can quickly set up their security platforms.

Symantec VIP (Validation and ID Protection)

Symantec VIP is a cloud-based, strong authentication service that provides secure access to sensitive data and applications.

Symantec VIP multifactor authentication tools helps enterprises prevent unauthorized access to sensitive networks and applications, comply with data protection laws and enforce security best practices.

Symantec VIP enables organizations to secure all their users -- i.e., their employees, remote workers, partners, contractors, vendors and customers. However, some users have said that it's a hassle to add new tokens.

The features of Symantec VIP include:

  • Cloud-based infrastructure: Delivers authentication without the need for a dedicated on-premises hardware server.
  • Integration with single sign-on: The VIP Access Manager single sign-on creates one access point to secure cloud and on-premises apps.
  • Risk-based intelligent authentication: Uses behavior and device profiling to prevent risky login attempts but doesn't change a legitimate user's login experience.
  • Biometric fingerprint, proximity login and push notification: Eliminates the need for passwords through the use of biometric fingerprints, hands-free proximity login, as well as one-tap or one-swipe push verification.
  • Wide range of OTP options: Organizations can deploy hardware tokens and free software or mobile OTP credentials, as well as email, out-of-band support via SMS text messages and phone calls.
  • Embedded two-factor authentication: Allows enterprises to add strong authentication using the VIP web services APIs for their web applications or by embedding VIP into their mobile apps with the VIP Credential Development Kit.

Dig Deeper on Two-factor and multifactor authentication strategies

Join the conversation

5 comments

Send me notifications when other members comment.

Please create a username to comment.

How do you decide which multifactor authentication tool suits your company's needs?
Cancel
What is the method of access your clients or employees use?  What is the risk you are addressing?  How many different devices may a user use to access your systems?

Cancel
I would suggest the decision starts with understanding what the various factors of a Multi-Factor Authentication solution could be.  What You Have - a key a card a phone or a device.  What you Know - a password, a PIN or a secret.  What You Are - a fingerprint, your voice a behavior or your location.

The key is to make sure what you decide also respects the idea of the False Accept Rate and False Reject Rate of these factors.  We know PINs and Passwords can be compromised.  We appreciate that there are issues with Biometrics being accepted every-time and people have figured out how to copy yours.

The Secure thing is what we should think first and foremost about.  
Cancel
You forgot to include Route1's MobiKEY - used by the Department of Defense, Navy, Marines, Army www.route1.com
Cancel
Multi-Factor Authentication Made Simple

1.  What You Have a thing your computer, Phone, Card or FOB with a Secure Element, Trusted Execution Environment or Trusted processing Module inside
2. What You Are a biometric like a behavior, Finger, Face, Location linked to the thing you  have to prove you are in possession.  This factor is impossible to guarantee 100% reliable.
3. What You Know the secret that you do not share cannot be guessed or otherwise exposed.  PIN or Password.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close