
Why wait for FIDO? Multifactor authentication methods you can use now

FIDO-ready tech could take a while, but there are a variety of multifactor authentication methods available now to make your logins secure.

As the first FIDO-ready technology starts to emerge, the specifications the Fast Identity Online (FIDO) Alliance proposes represent just the latest effort to provide stronger authentication mechanisms. Multifactor authentication continues to evolve, and these technologies can offer a layered defense to enterprises that seek better tools to manage passwords and online authentication.

One form of two-factor authentication requires hardware-based security tokens that people carry with them and use as part of the login. These key fobs or smartcard-sized devices display a code that is valid only for a short time (typically 30 to 60 seconds), and that code has to be entered correctly, alongside the password, for the user to log in to network and online systems. RSA's SecurID is one well-known example, although dozens of vendors supply hardware-based tokens.

In recent years, soft tokens have become more popular than the hardware type. Soft tokens supply the one-time code either through an app on a smartphone or through the phone itself, by text message or voice call.

FIDO alternatives

The first public drafts of the FIDO specifications appeared in February. If you don't want to wait for FIDO, one of these multifactor authentication products might be the ticket for more secure logins. The downside is that if you have multiple apps that need the stronger security, you have to add the security to each one individually.

Most two-factor authentication tools use one of three integration methods: securing the identity of a RADIUS or Active Directory user (see Fig. 1); supplying identity information to a Web service through some form of SAML (Security Assertion Markup Language) and trusted certificates; or securing logins to a local Web or application server directly, using JavaScript or some other mechanism. Some vendors support more than one method; Vasco, SafeNet and Microsoft support all three. (This is where FIDO will eventually shine, by the way, because many of these integration issues go away.)
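For the first of those three methods, here is an added example (not code from the article or from any vendor it names) of what the RADIUS leg looks like on the wire, in Python. Many RADIUS-fronted MFA servers accept the one-time code appended to the static password in a single PAP Access-Request when the client cannot do challenge/response; the code follows that convention, which is an assumption about deployment practice rather than a rule of any particular product. The User-Password hiding is the MD5-based scheme from RFC 2865 section 5.2, and the shared secret, Request Authenticator, user name and NAS identifier are constructed values.

```python
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types


def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR block i with MD5(secret || previous block),
    seeded with the 16-byte Request Authenticator. This is obfuscation keyed on the shared
    secret, not encryption: an attacker who learns the secret recovers every password and
    OTP on the path, so run RADIUS over IPsec or RadSec (TLS) on untrusted networks."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it; NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, otp: str,
                         shared_secret: bytes, authenticator: Optional[bytes] = None,
                         nas_id: bytes = b"vpn-gw-01") -> bytes:
    """Access-Request carrying 'password + OTP' as one User-Password attribute
    (assumed convention; the NAS identifier is a constructed value)."""
    authenticator = authenticator or os.urandom(16)
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password((password + otp).encode(), shared_secret, authenticator)),
        (NAS_IDENTIFIER, nas_id),
    ]
    body = b"".join(struct.pack(">BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_access_request(packet: bytes) -> Tuple[int, bytes, Dict[int, bytes]]:
    """Server-side parse with the length checks a RADIUS parser must make before trusting offsets."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return identifier, authenticator, attrs


def split_password_and_otp(value: bytes, otp_digits: int = 6) -> Tuple[bytes, bytes]:
    """The MFA server's view: the trailing otp_digits octets are the code, the rest the password."""
    if len(value) <= otp_digits or not value[-otp_digits:].isdigit():
        raise ValueError("no one-time code appended")
    return value[:-otp_digits], value[-otp_digits:]


if __name__ == "__main__":
    secret = b"s3cr3t"                       # constructed shared secret
    pkt = build_access_request(7, "alice", "hunter2", "287082", secret)
    ident, ra, attrs = parse_access_request(pkt)
    pw, otp = split_password_and_otp(reveal_password(attrs[USER_PASSWORD], secret, ra))
    print(f"id={ident} user={attrs[USER_NAME]!r} password={pw!r} otp={otp!r}")
```

The MFA server hands `pw` to Active Directory or the RADIUS back end and checks `otp` against the user's token; the shared secret should be long and random, because RFC 2865's hiding is only as strong as that secret.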

Let's look at Microsoft's Azure Multi-Factor Authentication, which comes with a cloud-based service and Windows agents and supports a variety of mobile phones, including Windows Phone, Android and iOS. After you log in to a server on which the agent is installed, the service calls your phone and asks you to press the # key to verify your identity. The Microsoft authentication server can also send you a text message or push a notification to a smartphone app.

The simplest process is to add the authentication to your Windows servers; if you have a third-party Web server you'll have to use the supplied SDK.

Figure 1 (PhoneFactor Agent). Microsoft's authenticator main agent dashboard shows the level of granularity and the configuration parameters involved.

You'll need to understand Microsoft servers, the .NET Framework and Active Directory to implement the Microsoft authentication system. Debugging the Windows agent is complicated: there are text configuration files to edit, check boxes to uncheck and dozens of parameters that could trip you up, spread across multiple menu screens. The service costs $24 per user per year.

FIDO-ready technology is coming and should provide good security. But in the meantime it's important to keep your logins secure. Hardware tokens and soft tokens, available right now, are your best options.

About the author:
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of Network Computing magazine.

Next Steps

Learn more about the basics of multifactor authentication in the enterprise

Read this comparison of the latest multifactor authentication methods

Check out David Strom's reviews of CA Strong Authentication, RSA Authentication Manager and SecurID, Dell Defender and Okta Verify.

This was last published in April 2014


Lowering the number of cases of identity theft on the Internet is an extra layer of security known as multifactor authentication, which requires not only a username and password and makes it harder for potential intruders to gain access and steal that person's personal data or identity.
Different companies use different ways of generating secure codes for multifactor authentication. Some companies use SMS to send you a secure code on your mobile. Since only you can have your mobile, it becomes very difficult for hackers to get the secure code.
SMS delivery of secure codes or OTPs is a very poor alternative for MFA. Trojans including Zeus, Zitmo and Citadel all successfully target the theft of OTPs and other information from the open SMS channel on the mobile. One need only look at the Eurograbber attack to see the effects of the vulnerability: over $45m in losses in 30,000 accounts at multiple banks due to an attack vector that compromised both SMS and OTP. That is why the Australian telcos subsequently advised the banks there to stop using SMS to convey OTPs and other sensitive financial data.
It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about "using two factors together". Biometrics can theoretically be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the devices finally locked, they would have to see the device reset. Biometric products like Apple's Touch ID are generally operated by (2), so that users can unlock the devices by password when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x%) and that of a password (y%). The sum (x% + y% - xy%) is necessarily larger than the vulnerability of a password (y%); that is, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password. As for an additional vulnerability unique to biometrics, we could refer to Needless to say, so-called 2-factor systems with a remembered password as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.
The problem is also the vast number of login points that users have to manage somehow. This becomes work delegated back onto customers, which is not good.