Single sign-on solutions: How 9 top tools compare

RSA also has two different mobile MFA apps: RSA SecurID Access Authenticate, which supports push to approve, biometric face and voice authentications. This app will also provide MFA logins for a variety of SaaS apps.  It also has RSA SecurID Mobile OTP, which is its software token solution. RSA SecurID Access supports a wide variety of identity providers. In addition to SAML, Open ID Connect, RADIUS AD and Azure AD, it also integrates with Ping, Okta, OneLogin and others too.

The SecureID Access product is sold both through resellers and directly; pricing varies. RSA quoted me $1,830 a month for a 500-user package that includes user licenses, MFA authentication, biometric and FIDO support. The product has three different overall pricing tiers: basic is the SSO-only version, enterprise adds bulk provisioning and self-enrollment, and premium adds advanced risk analytics. Each plan starts at $1 per user per month and the premium plan can cost up to $5 per user per month.

CSO / IDG

SSO trends 

It’s all about the apps. What makes SSO work is the ability to automatically sign into as many apps as possible. While this seems obvious, the SSO vendors have drastically increased their app support in the past several years. Okta and OneLogin now support thousands in their catalog. Idaptive and NetIQ have a feature to make configuring apps that aren’t in their catalogs a lot easier, too.

Smartphone authentication apps have proliferated. Thanks to weaknesses in SMS MFA, a more secure authentication method is to use one of these apps that generate a one-time password on your phone. The number of these apps continues to grow, with Google Authenticator and Duo having the largest support among cloud and SaaS providers. There are also apps from Authy, OneSpan, HID Approve, Microsoft, SafeNetMobilePass and Sophos, along with the apps from the password manager and SSO vendors themselves.

The table below shows a few typical SaaS and IaaS providers and which MFA methods and smartphone apps they support. If you are planning on supporting more than a single app, you might want to check out this review of the most popular MFA apps on Google Play. 

CSO / IDG

Adaptive MFA is implemented in different ways. Most SSO tools support MFA. The question is how good this support is, especially for using specific MFA smartphone apps. Most tools start with an authentication app on your smartphone that you need to configure with the main SSO web portal management pages.  All the SSO vendors support this with the exceptions of ManageEngine and PerfectCloud. 

FIDO is still a maturing market. With Google and Microsoft now supporting FIDO authentication hardware keys for their G Suite and Windows logins, you would think FIDO would be more prevalent than it actually is. A few vendors support some version of these keys for authentication and are noted in the reviews, but it far from universal.

Mobile device management tools are in remission. A few years ago, it seemed as if SSO vendors were moving toward mobile device management features, with Centrify (now Idaptive) leading the way. Now it seems as if fewer customers care about this issue, and instead are using the mobile smartphone authenticator apps as their main bulwark against account compromises. Idaptive and Duo are the two leaders here.

More on SSO:

• What is single sign-on? How SSO improves security and the user experience
• Best tools for single sign-on (SSO)
• 5 best practices to secure single sign-on systems
• What is SAML? How it works and how it enables single sign on
• The perils of single sign-on
• Turbo-charging your single sign-on solution
• 4 authentication use cases: Which protocol to use?