9-vendor authentication roundup: The good, the bad and the ugly

New ‘smart’ tokens and risk-based factors deliver tighter security, but setups remain complex and user interfaces need a facelift.

Due to numerous exploits that have defeated two-factor authentication, either by social engineering, remote access Trojans or various HTML injection techniques, many IT departments now want more than a second factor to protect their most sensitive logins and assets.

In the three years since we last reviewed two-factor authentication products, the market has responded, evolving toward what is now being called multi-factor authentication or MFA, featuring new types of tokens.

For this review, we looked at nine products: five that were included in our 2013 review, and four newcomers. Our returning vendors are RSA’s Authentication Manager, SafeNet’s Authentication Service (which has been acquired by Gemalto), Symantec VIP, Vasco Identikey Authorization Server, and TextPower’s SnapID app. Our first-timers are NokNok Labs S3 Authentication Suite, PistolStar PortalGuard, Yubico’s Yubikey and Voice Biometrics Group Verification Services Platform.

Not all of these products are for the same purpose and a few are more akin to toolkits for application developers rather than turnkey enterprise products. For this reason, we’re not picking a winner or handing out scores. But we think all are worthy of inclusion in this review as representative of where the MFA market is heading. In addition, if you want to stay on top of MFA developments, we recommend you follow our Twitter list here.

How we tested MFA products

We asked vendors to submit a variety of their tokens to access their identity management service. These included software tokens that made use of the SMS-based phone network, ran as an app on a smartphone, or relied on some mechanism other than the traditional one-time password hardware token.

We tested these tokens in a variety of situations, such as logins to a VPN, a Web service such as Google Docs, and Microsoft Windows Active Directory and Internet Information servers. Where we needed to install software, we used a Windows 2008 Server. We logged into these applications via Windows 7 and 10 desktops and also used several smartphones and tablets, including iPhones and a Google Pixel C Android tablet.

As with our prior review, we looked at similar metrics for each product. Sadly, no single product excelled in all areas, but here are some general conclusions.

Enterprise management and value

The administrative interfaces of all of the products were complex to navigate and will require some support and training to understand their workflows and operations. All of the products we tested could use substantial UI makeovers to simplify them, with Vasco being the worst offender.

When it comes to balancing the number of features offered and the price, SafeNet delivered the best value.

How secure apps are built

We were interested in examining the APIs that enable enterprise app developers to incorporate each vendor's solution directly, and how to configure and debug these installations.

TextPower, SafeNet and Yubico do a great job of documenting their APIs and posting them online. Many of the older MFA vendors are still stuck in the past where you first have to become a customer to gain access to this documentation, or hunt for it inside a particular PDF manual.

The end user experience

We looked at how the multiple factors come into play during the user login process, and how cumbersome or easy they are to enter. With some products, such as Symantec and Vasco, you can set up multiple token types, and then choose at login time whichever one is more convenient.

We also looked at the procedures involved in bypassing the MFA token if it isn't working or if you leave it at home. Most vendors now have some kind of Web-based self-service user portal for this recovery or on-boarding process.

No single product stood out for having a superior user experience, but all were capable enough.

Reporting and monitoring

We examined the various reports available, what happens when something goes wrong, and how IT managers are notified. Some products can export or schedule reports as well. Vasco and SafeNet have the best and most useful reports.

MFA product highlights

| Vendor | Price per 100 tokens per year | Server methods | Mobile OS supported | Types of tokens | Published API guide |
|---|---|---|---|---|---|
| NokNok Labs S3 Authentication Suite | Starts at $50,000 | SaaS, Linux server | Android, iOS | Mobile | No |
| PistolStar PortalGuard | $15,000 (one-time) + $5000/yr | SaaS, Windows Server | Android, iOS | Mobile, hardware, voice, SMS, email | No |
| RSA Authentication Manager | Starts at $7500 (one-time) | Appliance, Linux VM | Android, iOS, Blackberry, Windows Mobile | SMS, mobile, email, hardware | No |
| Gemalto/SafeNet Authentication Service | $1,200/yr | SaaS, Windows Server | Android, iOS, Blackberry, Windows Mobile | Mobile, hardware, email, SMS | Yes |
| Symantec VIP | $2000 (setup fee) + $5500/yr | SaaS | Android, iOS, Blackberry, Windows Phone | Voice, biometrics, mobile, email, SMS | No |
| TextPower SnapID | free | SaaS | Any mobile phone | SMS | No |
| Vasco Identikey Authorization Server + Digipass for Mobile | $6000 + $1000 | Windows Server, Linux Server, appliance, SaaS | Android, iOS, Blackberry, Windows Mobile | Mobile, voice, email, hardware, SMS | Yes |
| Voice Biometrics Group VSP | $500/yr minimum | SaaS | Any mobile phone | Biometrics, voice, SMS | No |
| Yubico Yubikey | $50 (one-time) | SaaS | None | Hardware token | Yes |

Here are the individual reviews (see screenshots of each product):

Nok Nok Labs S3 Authentication Suite v4.0: A FIDO-compliant toolkit

One of the first vendors compliant with the FIDO (Fast Identity Online) Alliance standard was Nok Nok Labs. However, their product is more of a toolkit for enterprise developers than a packaged software solution. To date, NTT Docomo and Alipay are two of its reseller/developers, the latter with more than a million users deployed.

PayPal has also incorporated NokNok’s client as part of the enabling fingerprint recognition software in its Android version: you have to swipe your finger 10 times to register it as an authentication method to use the app. But once you register your fingerprint, you can use that to initiate payments from your phone.

The NokNok suite can be integrated with a variety of authentication methods, including biometrics, tokens and mobile phones, and once you join its developer network you have access to sample code for both Android and iOS phones and other API documentation. You’ll need Android KitKat and iOS v8 or better versions to implement it. We tested its sample application and were able to get it working quickly. Several different authentication methods are incorporated, including the ability to scan a QR code with your smartphone or tablet, or use a static PIN to provide the additional factor when you are trying to log in to a Web service.
