9-vendor authentication roundup: The good, the bad and the ugly

New ‘smart’ tokens and risk-based factors deliver tighter security, but setups remain complex and user interfaces need a facelift.

1 2 3 4 5 Page 4
Page 4 of 5

For example, you can assign a higher risk to those end users who switch between different devices or operating systems that aren’t consistent with their established patterns, or if a user logs in from a new location in another country. When risk scores exceed a particular threshold, the user login can be blocked. This software has setup options in both the VIP Manager and in the Enterprise Gateway.

You also can enable risk-based authentication in SaaS applications if you can insert special JavaScript code from Symantec. The user interface and instructions could be made simpler for this process, but it is nice that it part of the product should this be a consideration in your evaluation. Other vendors, such as Vasco, sell their risk-based authentication as separate products.

The product has a credential software development kit which makes embedding VIP credentials into mobile apps easier. However, this is not available to any customer but only those that Symantec deems worthy because it isn’t very turnkey and requires a great deal of support services to create any useful applications.

Otherwise, VIP supports more than 100 apps already via SAML and SOAP.

One of the big advantages of VIP is that it supports a wide array of hardware tokens, mobile-based soft tokens, SMS and voice-based verification, push OTP, fingerprint authentication (available on both iPhones and iPads), and there is an app for the Apple Watch as well. More than 700 devices can run various forms of VIP authentication software, showing how long Symantec has been in this market. Soft tokens can be directly downloaded from a webpage. Supported versions include at least iOS v7, Android v4 and Windows Phone v8.

Online help is fairly sketchy, with just the basic instructions to get started and minimal context-sensitive help. You’ll find that you will need to download several manuals to get the entire setup process completed. Less than a dozen reports are available, including transaction history and login security challenges. Again, the user interface for this section of the management console could use some work.

Pricing is relatively straightforward. To start with, there is a $2,000 account setup fee. For a three-year subscription (that includes gold-level 24/7 support, both MFA and risk-based authentication, SAML support, Enterprise Gateway, unlimited mobile or desktop credentials), the cost is $55 per user per year. There is a 60-day free trial that doesn’t include any SMS or voice credentials (which are extra-cost options based on usage), but these can be activated once you convert to a paid account. Volume discounts are available. Overall system requirements for the various services and mobile versions can be found here.

TextPower SnapID v1.1: Innovative approach

TextPower works in the reverse of most MFA tools: at login time, you are presented with an OTP code and a SMS destination number on your web browser screen. You text that code to that destination and that allows your computer access. We reviewed its first product three years ago under the product name TextKey, but since then they have added a tool for Wordpress blog logins that can be added to any website. Sadly, they haven’t caught fire yet but we still think this is an important technology.

SnapID is better than using standard SMS OTP’s because it can’t be as easily intercepted with man-in-the-middle attacks. Since the OTP originates from the Web app, there really isn’t any “middle” where you can insert something to intercept the password dialog. Instead, SnapID leverages the cellphone’s internal hardware ID information. When you send your text message to its servers, SnapID will verify that you are who you say you are and it isn’t a spoofed number or device. As long as you have your web browser and your cellphone, you are good to go.

The description of SnapID is very similar to what the company produced with TextKey, its original product. However, there is one important distinction: with SnapID, you don’t enter your username and static password, just the OTP code that you get from its Web app. This makes logins, well, a snap. It also means that if someone tries to compromise your servers, there is literally nothing for them to steal, since there aren’t any usernames created. Of course, this means that you have to trust their service to deliver when one of your users wants to login.

There are two versions: one is similar to TextKey and takes the form of a piece of code that you add to your website login routines. The other is a Wordpress plug-in.

Speaking of TextKey, they have an excellent online API reference here. However, the company has not yet had time to rewrite its documentation for the SnapID product, although they claim the two will share the majority of interfaces.

The Wordpress plug-in will take a few minutes to install and setup. Basically, you register your user ID with their service by texting back to their SMS destination number with an OTP. Thereafter, you can sign-in to your blog account without having to remember your static password, which adds an extra layer of security.

While we were testing SnapID they upgraded their SaaS servers and we had to re-authenticate ourselves to continue using SnapID. While understandable, that speaks to the stability of their software system. It still is an interesting idea and we hope that they develop other plug-ins to extend their services to common SaaS platforms. There is a solid amount of online documentation on their website on how to implement the system.

SnapID is currently free.

Vasco DIGIPASS for Mobile v4.9 and IDENTIKEY Authentication Server v3.9: Complex setup, excellent features

Vasco is a study in contrasts: it is complex to install but with a very capable feature set. There are more than a dozen different software tools before you can have a working solution. On the other hand, there is a seemingly endless list of supported token types. To implement its MFA solution, you’ll need two different lines of software tools: First is its Identikey Authentication Server, which handles device assignment, policy rules, and management dashboards. This line includes a separate Identikey Risk Manager that can be used to add risk-based authentication methods. Next is the Digipass line of tools that sets up different authentication factors and token activation methods.

There are other servers, such as to support federated identity for authentications across your app portfolio, a directory service connector (that supports multiple directory providers include Active Directory, Radius, eDirectory and IBM/Tivoli’s directory), and a message delivery service that allows OTPs generated by email, SMS texts, and voice response systems to be incorporated into its framework.

By the time you are done you will have installed several executable files. While complex, the combination is very feature-rich and as a result, Vasco is still a leader in the MFA world. Once you get this all setup, you access the various features via a Web-based management console, where there are numerous tabbed and very dense menu collections to set up users, security policies, and bulk token provisioning. These menus aren’t very attractive, and sadly haven’t changed much since we last looked three years ago. Like SafeNet they have more than 30 reports that cover a wide collection of information, and with a few new additions, mostly this hasn’t changed much since we reviewed them three years ago. Context-aware help files are easily available with the click of a button on every screen.

Vasco continues to innovate with new token types and stronger authentication methods, which is one reason that it has multiple customers with over a million users, including one deployment with 8 million users. They specialize in banking and medical vertical markets. Two of its latest tokens include the Digipass 760 and 780, both have cameras and screens that can capture full-color QR-type codes that they claim are more secure than some of their competitors’ one-time password applications, since you need to enter two different codes during the authentication process. These two are about the size of the iPod Nanos. They also have two Bluetooth tokens and a new Runtime Application Self-Protection feature that offers new protection for mobile apps, even if the device has been compromised with any malware.

Since we last looked at Vasco, it has beefed up its Web-based self-service user portal. You can now provision and deprovision multiple token types for a single user through this portal, along with manage your static PINs and other common tasks.

Vasco’s biggest limitation is its SAML support: it has specific documentation only for Office 365, Salesforce, and Google Docs. You can add others but unlike SafeNet you don’t have specific instructions. You have to follow a published API guide that comes as part of the software documentation. There is also an OpenID connector that you can use. They could take things a step further and like Yubico and others document their interface online and make it easier for developers to access this information.

Another downside is its price list. It is exceedingly complex and if printed out could dwarf a phone book for a small city. Purchasing its software almost guarantees buying a professional services contract to install and integrate its numerous options and modules. We had help from their engineers to debug a relatively modest installation in our test lab. Nevertheless, we calculate that a 100-token “starter” kit would end up costing about $7,000 for the first year, including a support contract. There are two support levels: one for five day by 10-hour support and one for full-time 24x7 support. The former is roughly 7% of the total purchase price while the latter adds an additional 20%.

1 2 3 4 5 Page 4
Page 4 of 5
SUBSCRIBE! Get the best of CSO delivered to your email inbox.