Multifactor authentication products can provide significant benefits to an enterprise, but the technology is complex, and the tools themselves can vary greatly from vendor to vendor.
It's helpful to examine sample use cases for specific tools to show how a vendor's product can meet the multifactor authentication (MFA) needs and requirements of an enterprise.
Here are four of the leading products in the MFA space:
- RSA Authentication Manager, the platform behind its SecurID technology;
- Symantec VIP -- Validation and ID Protection;
- CA Strong Authentication; and
- OneSpan Authentication Server -- formerly Vasco Identikey Authentication Server.
All four are well-established multifactor authentication tools that can handle a wide variety of situations, token types and applications.
RSA Authentication Manager Server can be deployed in AWS, enabling organizations to move their RSA Authentication Manager infrastructure to the cloud. It also runs in VMware and Microsoft virtual environments and on hardware appliances with preloaded software.
Symantec VIP is a cloud-based service with multiple software agents that delivers strong authentication without requiring a dedicated on-premises hardware server.
CA offers two separate MFA products with different names -- the cloud service is called Secure Cloud and the Windows version is called Strong Authentication.
OneSpan Authentication Server supports all Vasco authentication technologies, including multifactor authentication software tools and Digipass tokens.
None of the four major multifactor authentication products delivers the top three authentication applications -- Active Directory, web services verification and web server augmentation -- together in a single product. Rather, each requires add-on modules for either Security Assertion Markup Language (SAML) or Active Directory support.
For example, RSA's Authentication Manager collaborates with its Adaptive Federation product to provide SAML web services integration, and Symantec VIP requires the company's VIP Enterprise Gateway to integrate with Active Directory.
This is typical of the MFA product space, and it's why it's so important to understand which applications -- and under which circumstances -- an organization may want to deploy for additional factors.
Speaking of add-ons, before selecting an MFA product based on its application support, it's important to understand how each product delivers that support. All four of the top multifactor authentication vendors' products contain multiple server software components or agents that need installation to strengthen logins for programs such as Outlook or SharePoint servers.
While this helps widen a company's reach, it also increases the level of complexity of installation and operation, as multiple pieces need to be configured and tracked. Some multifactor authentication vendors' products have both cloud and on-premises pieces that need to work together to authenticate users to both kinds of servers and services.
Enterprises may want to consider a single sign-on (SSO) product instead of an MFA product for certain circumstances. However, you can also coordinate MFA with SSO tools -- see sidebar on SSO versus MFA for more on how to make this decision.
SSO or MFA: Which authentication method is better?
As you consider MFA products, you should also consider how to coordinate them with SSO tools. Integrating MFA with SSO enables you to define stronger security policies for accessing systems that are very sensitive.
What is happening, though, is SSO vendors are branching out into the MFA space with support for a variety of tokens and access methods. SecureAuth and Ping Identity are products typical of this genre. Why would an enterprise use SSO rather than a pure-play MFA tool? There are a few reasons.
First, if a company uses a lot of cloud-based services, it may want a better mechanism for users to connect to them. If provisioned correctly, an SSO tool can sign onto these services automatically, all without users having to remember their passwords -- and with very strong passwords to boot.
Many of the more popular cloud services support the SAML 2.0 standard, which is what most SSO tools use to create their connection. If an enterprise's set of services doesn't yet support SAML, then the organization probably won't be happy with either SSO or MFA tools. However, if most of a company's apps are inside its data center, then it will probably want to make use of multifactor authentication tools that offer dedicated hardware or software appliances to protect these resources.
Second, if companies are less concerned about the additional authentication factors than about overall identity preservation and integrity, then SSO may be a better option. However, if an organization has one or two internal apps that it must protect with multiple factors, then it will probably be better off going the MFA route.
There is also the option of integrating SSO and MFA together, which the vendors usually offer as well.
Part of the evaluation process with MFA tools is observing how normal, day-to-day activities function with these systems, such as registering new tokens and new users, setting up protection for a new application, modifying security policies, and figuring out why a user can't log into corporate applications.
Some of the products offer a lot more flexibility when it comes to token workflow processes. This reflects -- in part -- how long they have been in the multifactor business. For example, some products enable enterprises to add additional factor authentication steps at various places in the login dialogs. Others have more limitations, such as programs that place users in a self-service portal where they can set up their multifactor authentication particulars.
All four of these products include different reports and various format export options.
CA Strong Authentication includes reports to track administration, user authentication and transactional -- including login -- risk assessment. The product works with most major applications, including VPNs, the Outlook web app, Salesforce and SharePoint.
OneSpan Authentication Server provides extensive XML or HTML-formatted reporting for help desk troubleshooting, system and security auditing, as well as for accounting purposes.
Reporting is one of the weak areas in RSA's Authentication Manager. While it has more than 30 different types of reports, most are glorified log files. Users can schedule and export these reports in numerous formats, however, which is a plus.
While Symantec VIP offers fewer customizable reports than its competitors, it does provide exporting capabilities, which is the minimum its competitors offer.
All of the leading MFA products, however, offer the ability to schedule specific reports and have real-time monitoring for alerts and other activities.
MFA tools and the rise of risk-based authentication
The top multifactor vendors are adding the ability to strengthen their authentication methods with a relatively new mechanism that is variously called risk-based authentication (RBA) or adaptive authentication. This mechanism allows their customers to screen login requests and score them against the behavioral patterns observed on the corporate network.
How does RBA work?
Access to a particular business application goes through a series of trust hurdles, with riskier situations requiring more security, so users don't necessarily know their logins are being vetted more carefully. Moreover, this all happens in real time, just like the typical multifactor methods. This is similar to how many next-generation firewalls operate with their own risk scoring tools of internal network packet behavior.
Risk-based authentication uses elements such as the following:
- Role-based authentication: Is the user a member of a privileged class, such as network administrators or account supervisors? If so, they need to pass a more stringent authentication dialog.
- Location-based authentication: Either by detecting a user's physical endpoint or a specific geographic location. For example, if the user logged in ten minutes ago from Canada and is now trying to log in from China, that is definitely considered a higher-risk transaction. Other attributes can figure into the overall risk score, too.
- Activity-based authentication: For example, large-value account transfers have a higher risk associated with them than a balance inquiry.
- Changes in usual transaction patterns: If a user is doing something that doesn't match his or her purchase history, then that is a riskier transaction, and authentication requests and logins will be challenged with additional authentication measures. Challenging only unusual spending patterns creates a barrier that a hacker or fraudster can't easily circumvent, without doing customers the disservice of demanding such authentication in a blanket manner.
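As an added illustration of how the four RBA elements above can be combined into a score that decides whether a login is stepped up (example code written for this article, not any vendor's implementation), the following scorer weighs role, travel speed between the last and current location, transaction value and deviation from the user's usual amounts. The city coordinates, role names, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample coordinates (lat, lon); a real deployment would geolocate the client IP.
CITIES = {"Toronto": (43.65, -79.38), "Ottawa": (45.42, -75.70), "Shanghai": (31.23, 121.47)}
PRIVILEGED_ROLES = {"network_admin", "account_supervisor"}
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner speed; faster means "impossible travel"

@dataclass
class LoginEvent:
    role: str
    city: str
    when: datetime
    action: str            # "balance_inquiry" or "transfer"
    amount: float = 0.0

@dataclass
class UserHistory:
    last_city: str
    last_when: datetime
    typical_max_amount: float  # largest transfer seen in the user's history

def _km_between(a: str, b: str) -> float:
    """Great-circle (haversine) distance between two known cities."""
    (lat1, lon1), (lat2, lon2) = CITIES[a], CITIES[b]
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(ev: LoginEvent, hist: UserHistory) -> int:
    """Combine the four signals into a 0-100 risk score."""
    score = 0
    if ev.role in PRIVILEGED_ROLES:
        score += 30  # role-based: privileged users face a stricter dialog
    if ev.city != hist.last_city:
        hours = (ev.when - hist.last_when).total_seconds() / 3600
        # A non-positive interval (clock skew, replayed timestamp) is treated as impossible travel.
        too_fast = hours <= 0 or _km_between(hist.last_city, ev.city) / hours > MAX_PLAUSIBLE_SPEED_KMH
        score += 50 if too_fast else 10  # location-based: new place, or an impossible trip
    if ev.action == "transfer":
        score += 20 if ev.amount >= 10_000 else 5  # activity-based: high-value moves cost more
        if ev.amount > 2 * hist.typical_max_amount:
            score += 20  # change in the user's usual transaction pattern
    return min(score, 100)

def required_step(score: int) -> str:
    """Map the score onto the dialog the user must pass; low-risk logins see no step-up."""
    return "block_and_alert" if score >= 60 else "otp_token" if score >= 30 else "password_only"
```

Because the step-up is only triggered above a threshold, an ordinary user logging in from the usual place sees the plain password dialog, while the Canada-then-China case from the list above lands in the OTP tier.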
Pricing can get complicated when RBA mechanisms are added to the MFA equation, however. As an example, with Symantec's VIP multifactor authentication product, RBA adds an extra charge of $3 per user per month to the price tag. This makes calculating the ultimate price tag that much more complex.
As more workers use their mobile devices for their computing needs, MFA vendors have to support logins from mobile devices and web-based applications. Enterprises may also want a way to store multiple factors on users' phones and tablets so they don't have to carry -- and the company doesn't have to deploy and support -- traditional, hardware-based key fob tokens.
Each of these four products still supports the four mobile operating systems most commonly found in enterprises: Apple iOS, Android, Windows Phone and BlackBerry. This is true for most multifactor authentication vendors these days, so it shouldn't be an issue except in the case of aging phone OSes or the odd Android handset in the mobile fleet that a chosen vendor does not cover.
Be sure to check the fine print for the supported OS versions when investigating multifactor authentication tools.
Multiple token support
RSA, Symantec and OneSpan are top choices when it comes to tokens. Each product has a wide collection of hardware and software tokens that deploy as additional authentication factors if necessary. This gives them the most flexibility in terms of securing particular logins and services that can meet just about any situation.
Meanwhile, some of the products, such as Symantec's VIP, offer desktop software in addition to their mobile apps to run the one-time password generators. While this can be a useful feature, unless most of a business's users work exclusively at their desktops, it's probably not a reason to choose one product over other MFA products.
Many vendors -- and other organizations -- with an interest in MFA are members of the FIDO Alliance, including RSA, CA Technologies, SafeNet and OneSpan.
FIDO's goal is to consolidate authentication across a wide swath of web-based resources and remove the need to store the digital identity on any particular site. Only two of these four major multifactor authentication vendors, RSA and OneSpan, offer FIDO-certified products, however.
Any of these four MFA products would do a solid job providing multifactor authentication protection. All of them support mobile token methods, have somewhat flexible authentication methods and have moved into risk-based methods.
The differences are more a matter of packaging, pricing and whether an organization's staff can understand and act upon the various reports the products produce. These four products should be in the starting lineup for any requests for proposals or pilot projects.
Linda Rosencrance contributed to this report.