Multifactor authentication products can provide significant benefits to an enterprise, but the technology is complex, and the tools themselves can vary greatly from vendor to vendor.
It’s helpful to examine sample use cases for specific tools to show how a vendor’s product can meet the multifactor authentication (MFA) needs and requirements of an enterprise.
Here are four of the leading products in the MFA space: RSA Authentication Manager, Symantec VIP, CA Strong Authentication and OneSpan Authentication Server.
All four are well-established multifactor authentication tools that can handle a wide variety of situations, token types and applications.
RSA Authentication Manager Server can be deployed in AWS, enabling organizations to move their RSA Authentication Manager infrastructure to the cloud. VMware and Microsoft virtual environments, as well as hardware appliances with preloaded software, support RSA Authentication Manager.
Symantec VIP is a cloud-based service with multiple software agents that delivers strong authentication without requiring a dedicated on-premises hardware server.
CA offers two separate MFA products with different names — the cloud service is called Secure Cloud and the Windows version is called Strong Authentication.
OneSpan Authentication Server supports all Vasco authentication technologies, including multifactor authentication software tools and Digipass tokens.
None of the four major multifactor authentication products delivers the top three authentication applications — Active Directory, web services verification and web server augmentation — together in a single product. Rather, each requires add-on modules for either Security Assertion Markup Language (SAML) or Active Directory support.
For example, RSA’s Authentication Manager collaborates with its Adaptive Federation product to provide SAML web services integration, and Symantec VIP requires the company’s VIP Enterprise Gateway to integrate with Active Directory.
This is typical of the MFA product space, and it’s why it’s so important to understand which applications — and under which circumstances — an organization may want to deploy for additional factors.
Speaking of add-ons, before selecting an MFA product based on its application support, it’s important to understand how each product delivers that support. All four of the top multifactor authentication vendors’ products contain multiple server software components or agents that need installation to strengthen logins for programs such as Outlook or SharePoint servers.
While this helps widen a company’s reach, it also increases the level of complexity of installation and operation, as multiple pieces need to be configured and tracked. Some multifactor authentication vendors’ products have both cloud and on-premises pieces that need to work together to authenticate users to both kinds of servers and services.
Enterprises may want to consider a single sign-on (SSO) product instead of an MFA product for certain circumstances. However, you can also coordinate MFA with SSO tools — see sidebar on SSO versus MFA for more on how to make this decision.
Part of the evaluation process with MFA tools is observing how normal, day-to-day activities function with these systems, such as registering new tokens and new users, setting up protection for a new application, modifying security policies, and figuring out why a user can’t log into corporate applications.
Some of the products offer a lot more flexibility when it comes to token workflow processes. This reflects — in part — how long they have been in the multifactor business. For example, some products enable enterprises to add additional factor authentication steps at various places in the login dialogs. Others have more limitations, such as programs that place users in a self-service portal where they can set up their multifactor authentication particulars.
All four of these products include different reports and various format export options.
CA Strong Authentication includes reports to track administration, user authentication and transactional — including login — risk assessment. The product works with most major applications, including VPNs, the Outlook web app, Salesforce and SharePoint.
OneSpan Authentication Server provides extensive XML or HTML-formatted reporting for help desk troubleshooting, system and security auditing, as well as for accounting purposes.
Reporting is one of the weak areas in RSA’s Authentication Manager. While it has more than 30 different types of reports, most are glorified log files. Users can schedule and export these reports in numerous formats, however, which is a plus.
While Symantec VIP offers fewer customizable reports than its competitors, it does provide exporting capabilities, which is the minimum its competitors offer.
All of the leading MFA products, however, offer the ability to schedule specific reports and have real-time monitoring for alerts and other activities.
As more workers use their mobile devices for their computing needs, MFA vendors have to support logins from mobile devices and web-based applications. Enterprises may also want a way to store multiple factors on users’ phones and tablets so they don’t have to carry — and the company doesn’t have to deploy and support — traditional, hardware-based key fob tokens.
Each of these four products still supports the four mobile operating systems most commonly found in enterprises: Apple iOS, Android, Windows Phone and BlackBerry. This is true for most multifactor authentication vendors these days, so it shouldn’t be an issue except in the case of aging phone OSes or the odd Android handset in the mobile fleet that a chosen vendor does not cover.
Be sure to check the fine print for the supported OS versions when investigating multifactor authentication tools.
Multiple token support
RSA, Symantec and OneSpan are top choices when it comes to tokens. Each product has a wide collection of hardware and software tokens that can be deployed as additional authentication factors when needed. This gives them the most flexibility in securing particular logins and services, enough to cover just about any situation.
Meanwhile, some of the products, such as Symantec’s VIP, offer desktop software in addition to their mobile apps to run the one-time password generators. While this can be a useful feature, unless most of a business’ users are exclusive to their desktops, it’s probably not a reason to choose one product over other MFA products.
Many vendors — and other organizations — with an interest in MFA are members of the FIDO Alliance, including RSA, CA Technologies, SafeNet and OneSpan.
FIDO’s goal is to consolidate authentication across a wide swath of web-based resources and remove the need to store the digital identity on any particular site. Only two of these four major multifactor authentication vendors, RSA and OneSpan, offer FIDO-certified products, however.
Any of these four MFA products would do a solid job providing multifactor authentication protection. All of them support mobile token methods, have somewhat flexible authentication methods and have moved into risk-based methods.
The differences are more a matter of packaging, pricing and whether an organization’s staff can understand and act upon the various reports the products produce. These four products should be in the starting lineup for any requests for proposals or pilot projects.
Linda Rosencrance contributed to this report.