• United States



9-vendor authentication roundup: The good, the bad and the ugly

Jun 06, 201632 mins
Data and Information SecuritySecurity

New ‘smart’ tokens and risk-based factors deliver tighter security, but setups remain complex and user interfaces need a facelift.

Due to numerous exploits that have defeated two-factor authentication, either by social engineering, remote access Trojans or various HTML injection techniques, many IT departments now want more than a second factor to protect their most sensitive logins and assets.

In the three years since we last reviewed two-factor authentication products, the market has responded, evolving toward what is now being called multi-factor authentication or MFA, featuring new types of tokens.

For this review, we looked at nine products, five that were included in our 2013 review, and four newcomers. Our returning vendors are RSA’s Authentication manager, SafeNet’s Authentication Service (which has been acquired by Gemalto), Symantec VIP, Vasco Identikey Authorization Server, and TextPower’s SnapID app. Our first-timers are NokNok Labs S3 Authentication Suite, PistolStar PortalGuard, Yubico’s Yubikey and Voice Biometrics Group Verification Services Platform.

Not all of these products are for the same purpose and a few are more akin to toolkits for application developers rather than turnkey enterprise products. For this reason, we’re not picking a winner or handing out scores. But we think all are worthy of inclusion in this review as representative of where the MFA market is heading. In addition, if you want to stay on top of MFA developments, we recommend you follow our Twitter list here.

How we tested MFA products

We asked vendors to submit a variety of their tokens to access their identity management service. Included in this option were software that made use of the SMS-based phone network, ran as an app on a smartphone, or some other mechanism other than the traditional one-time password hardware token.

+ ALSO ON NETWORK WORLD Multi-factor authentication goes mainstream +

We tested these tokens in a variety of situations, such as logins to a VPN, a Web service such as Google Docs, and Microsoft Windows Active Directory and Internet Information servers. Where we needed to install software, we used a Windows 2008 Server. We logged into these applications via a Windows 7 and 10 desktops and also used several smartphones and tablets including iPhones and a Google Pixel C Android tablet.

As with our prior review, we looked at similar metrics for each product. Sadly, no single product excelled in all areas, but here are some general conclusions.

Enterprise management and value

The administrative interfaces of all of the products were complex to navigate and will require some support and training to understand their workflows and operations. All of the products we tested could use substantial UI makeovers to simplify them, with Vasco being the worst offender.

When it comes to balancing the number of features offered and the price, SafeNet delivered the best value.

How secure apps are built

We were interested in examining the APIs that enable enterprise app developers to incorporate their solution directly, and how to configure and debug these installations.

TextPower, SafeNet and Yubico do a great job of documenting their APIs and posting them online. Many of the older MFA vendors are still stuck in the past where you first have to become a customer to gain access to this documentation, or hunt for it inside a particular PDF manual.

The end user experience

We looked at how the multiple factors come into play during the user login process, and how cumbersome/easy are they to enter. With some products, such as Symantec and Vasco, you can set up multiple token types, and then choose at login time whichever one is more convenient.

+ RELATED: 5 trends shaking up multi-factor authentication +

We also looked at the procedures involved in bypassing the MFA token if it isn’t working or if you leave it at home. Most vendors now have some kind of Web-based self-service user portal for this recovery or on-boarding process.

No single product stood out for having a superior user experience, but all were capable enough.

Reporting and monitoring

We examined the various reports available and what happens when something goes wrong and how IT managers are notified. Some products can export or schedule reports as well. Vasco and SafeNet have the best and most useful reports.

MFA product highlights

VendorPrice per 100 tokens per yearServer methodsMobile OS supportedTypes of tokensPublished API guide
NokNok Labs S3 Authentication SuiteStarts at $50,000SaaS, Linux serverAndroid, iOSMobileNo
PistolStar PortalGuard$15,000 (one-time) + $5000/yrSaaS, Windows ServerAndroid, iOSMobile, hardware, voice, SMS, emailNo
RSA Authentication ManagerStarts at $7500 (one-time)Appliance, Linux VMAndroid, iOS, Blackberry, Windows MobileSMS, mobile, email, hardwareNo
Gemalto/SafeNet Authentication Service$1,200/yrSaaS, Windows ServerAndroid, iOS, Blackberry, Windows MobileMobile, hardware, email, SMSYes
Symantec VIP$2000 (setup fee)+ $5500/yrSaaSAndroid, iOS, Blackberry, Windows PhoneVoice, biometrics, mobile, email, SMSNo
TextPower SnapIDfreeSaaSAny mobile phoneSMSNo
Vasco Identikey Authorization Server + Digipass for Mobile$6000 + $1000Windows Server, Linux Server, appliance, SaaSAndroid, iOS, Blackberry, Windows MobileMobile, voice, email, hardware, SMS,Yes
Voice Biometrics Group VSP$500/yr minimumSaaSAny mobile phoneBiometrics, voice, SMSNo
Yubico Yubikey$50 (one- time)SaaSNoneHardware tokenYes

Here are the individual reviews (see screenshots of each product):

Nok Nok Labs S3 Authentication Suite v4.0: A FIDO compliant toolkit

One of the first vendors compliant with the FIDO (Fast Identity Online) Alliance standard was Nok Nok Labs. However, their product is more of a toolkit for enterprise developers than a packaged software solution. To date, NTT Docomo and Alipay are two of its reseller/developers, the latter with more than a million users deployed.

PayPal has also incorporated NokNok’s client as part of the enabling fingerprint recognition software in its Android version: you have to swipe your finger 10 times to register it as an authentication method to use the app. But once you register your fingerprint, you can use that to initiate payments from your phone.

The NokNok suite can be integrated with a variety of authentication methods, including biometrics, tokens and mobile phones, and once you join its developer network you have access to sample code for both Android and iOS phones and other API documentation. You’ll need Android KitKat and iOS v8 or better versions to implement it. We tested its sample application and were able to get it working quickly. There are several different authentication methods that are incorporated, including the ability to scan a QR code by your smartphone or tablet, or use a static PIN to provide the additional factor when you are trying to login to a Web service.

Eventually, if FIDO does catch on, a universal MFA tool will become more useful with more authentications that can be accomplished from a single token. But we aren’t there yet, and like many IT innovations it is a chicken-and-egg problem. However, the FIDO Alliance has hundreds of members, including some very large corporations, so hopefully we’ll see additional progress.

NokNok doesn’t offer direct downloads: you have to request evaluation copies of its products, SDKs and other tools. To get started, you will need to spend at least $50,000. Given this price point, corporate developers will have to think big if they want to get started with FIDO.

PistolStar PortalGuard: The best of single sign-on and multi-factor authentication

As we mentioned, the convergence of SSO portals with MFA methods is happening with more frequency. A good example is PistolStar’s PortalGuard. They have 600 customers and millions of users, with its largest installation of 55,000 users. They compete with Ping, Okta, SecureAuth and others that started out in the federated identity space, as well as some of the newer authentication vendors that are focused on making SSO more usable, like Auth0.

PortalGuard comes as several Windows Server applications that will require a variety of Microsoft services, including IIS, SQL Server and .Net Framework. There are a lot of parameters to configure and after spending hours managed not to catch a single misplaced parameter that kept our server from running correctly.

PistolStar also setup a cloud-based instance for our testing, but most of their customers will want to run their own local server. This is because the majority of their configuration parameters will require you to access the Windows configuration sheets where you will find a very dense collection of options. While it is great that they are all collected in one place, it would be nicer if you had Web access across the board rather than having to switch between a series of Web-based and Windows-based dialogs, depending on what you need to accomplish.

The properties sheets are where you can set up specific OTP methods, and it supports an interesting array of tokens, including Google Authenticator, its own mobile OTP app for Android and iPhones, RSA SecurID, and Yubico Yubikeys. You can also set a cookie on your browser session that can expire after a specific time period to remember a particular user and device combination. Static password policies can also be set with another series of menus. And there is support for push-OTP, what PistolStar called passive keys, where the workstation software contains the token encryption code. Finally, there is also support for a series of pre-set challenge/response questions.

Like Vasco and Symantec, the product comes with its own brand of risk-based authentication, called Credibility-Based Authentication. It has a separate executable program with its own series of Windows menus to set up risk scores and thresholds. There is extensive documentation on how to configure the appropriate policies and authentication methods.

If users forget their passwords or don’t have their OTP token, they can also make use of a self-service portal to recover their account by one of the methods that an administrator has setup, such as to answer a series of challenge questions or use a temporary OTP. The user self-service portal is a different location from the SSO portal, which can be a bit confusing. PortalGuard can be configured to prevent users from having more than one concurrent login session.

One of the tedious aspects of PortalGuard is that specific actions have their own and separate authentication methods. So, for example, you can setup normal logins one way – say with Yubico tokens – and use another authentication method to unlock a frozen account, such as answering a challenge question. This gets somewhat confusing. There is support for VPNs through Radius servers and SAML authentications via its own SSO portal. This portal has its own configuration editor.

PortalGuard supports SAML, CAS, WS-Fed and Shibboleth-based protocols, and these are setup in a separate series of dialogs under the identity provider configuration editor. There are pre-set templates for a few applications (Office 365, SharePoint and Outlook Web Access), but you’ll have to create your own SAML XML code if you want to add some other application. Other SSO products come with many more templates or supported SAML applications directly.

The product comes with nine pre-set reports, but most of these look like log files and would not be very helpful to managers unless they are further parsed. In order to access them, you will need to either cut and paste into a spreadsheet, or access the XML reports that are stored in its database manually.

A variety of APIs are available, including Java and Javascript, C++ and C# libraries, so you can build into your own apps. These aren’t very well documented and only are available in a published integration guide that isn’t online.

There are several pricing plans. The standard on-premises server starts at $15,000 for the first year with subsequent years at $5,000, including support, up to 10,000 concurrent users and tokens, both soft and some hard. A hundred Yubico tokens are an extra $2,000. If you need more concurrent users, that will require one of the enterprise licenses. You can also access a free trial of the product in the cloud-based version, which gives you limited access and supports just a few features.

RSA Authentication Manager v8.1 SP1: Powerful, complex

When we reviewed RSA’s Authentication Manager in 2013, it had just come out with a Web-based version. Since then it has been through a few minor revisions, added support for QR-code soft tokens, and cleaned up its interfaces.

It still is a formidable product to install and configure: partly because there are still a number of separate pieces. But because the product is one of the most capable MFA tools on the market, it has wide support for a variety of hard and soft token types, application integrations and workflows. Like many of its competitors, users can register multiple token types to authenticate their accounts. There are also multiple token provisioning methods that make use of different security methods.

New to this version is a risk-based authentication engine that keeps track of each user’s device and behavior over time. There’s an initial data collection period where the software operates silently, without challenging any login attempts. Once its engine has gathered enough data, it assigns a risk score to authentication attempts and if riskier than specified, the user is asked for additional authentication factors (such as OTPs delivered via SMS texts) before being allowed access to a particular resource.

You can also set a limit on the number of token types assigned to each user, or the amount of time that each token is registered to a user. While this is very flexible, like other parts of the RSA product, it will take some effort to get configured properly.

The Web-based self-service dashboard can enroll users, set up knowledge-based questions, troubleshoot tokens, reset your static PINs and reset risk-based device history in the case of a lost or stolen token.

New to this version is what RSA calls its Web Tier. This sets up a custom Web interface for handling user self-service requests and managing risk-based authentications. This tier also intercepts all network traffic to make your authentication server, which can remain behind a network DMZ, more secure. The tier can run either on Windows or Linux servers.

RSA has huge installations, befitting its tenure and tenacity in the MFA space. One installation has more than a million users, which is one reason its hardware-based SecurID tokens are so ubiquitous.

It still is installed either as a VM or as a physical hardware appliance, both running its own hardened Linux server. There are VM versions for VMware ESXi and Microsoft Hyper-V.

Once you get the VM installed (which took three hours of intense work and some help from their support staff), you access several different Web-based consoles: one for general security features, one for self-service users and one for daily operations. The reason for the multiple consoles is a good one, to segregate administrative roles. As with earlier product versions, these are very granular and have 13 different pre-set ones available, with two different admin roles installed by default.

Some of the configuration menus could use some cleaning up to make the workflows more obvious, and most are very text-heavy with dozens of configuration choices. The overall documentation set for this product spans nearly a dozen manuals with close to 1,000 pages of very detailed instructions.

The RSA server comes with a series of different authentication policies, including token policies, password complexity policies, lockout and self-service troubleshooting policies, workflow provisioning policies and risk-based authentication policies.

This is an incredibly complex but flexible and powerful collection, and will take some careful study and experimentation to implement your intentions, understand what defaults need adjusting, and how they relate to each other to form a coherent MFA deployment.

Finally, any setup will require opening up more than two dozen ports to the RSA server for different purposes. These are documented in the configuration guide.

RSA’s server supports a variety of Microsoft Active Directory versions for identity stores along with Sun and Oracle directories. There are also integrations with Windows logins, Citrix Storefront, IIS and Apache Web servers, along with what the company claims are more than 400 applications. There is no support in this product for SAML or other SSO-type integration; however, you’ll need to purchase a separate Via Access product for this purpose.

Pricing is fairly straightforward. A 100-user VM will cost $7,500, while the hardware appliance will cost $10,500. This includes 100 user licenses and hardware tokens, 25 software tokens and a year of maintenance. There is also a 90-day free trial for up to 25 users.

Gemalto’s SafeNet Authentication Service: Solid product, good value

Earlier this year, Gemalto acquired SafeNet, but still calls its offering SafeNet Authentication Service. It offers the product as either a hosted service or for running on a Windows Server. If you choose the local server option, you’ll have to open up more than a dozen ports for its various services, such as directory services, databases, logging agents and email servers. Like some of the other vendors, it has been around long enough to have customers with more than a million users.

The product continues its leadership in its support for token types, application integration and authentication methods. Token types include both hardware tokens and mobile software apps, SMS texts, push OTP, email and a special grid-style pattern-based soft token called GridSure. SafeNet also supports RSA SecurID hardware tokens. There are two mobile apps available for iOS and Android devices: the newer ones are called MobilePass+ and support the push OTP method mentioned in the introduction.

While the configuration is somewhat complex, once these tokens are assigned, they can make authentications easier because users just have to acknowledge the request rather than key in the actual OTP numbers. Unfortunately, only a subset of applications (such as Cisco and Sonicwall VPNs and Microsoft Office 365) supports the SafeNet push OTP methods currently.

It has published dozens of integration guides covering how to incorporate Google Docs, Cisco VPNs and numerous other products using SAML and SOAP protocols, and these documents are available to anyone online. Sadly that situation is more the exception than the rule for other MFA vendors.

Setting up the hosted service was very simple and took a matter of minutes, although we still needed some guidance to get started provisioning tokens by their tech support. You authenticate the first administrator with their own mobile OTP app and a Web browser by clicking on hot links in a special email message that automatically enrolls the token.

Once you are connected you can set up users, policies, tokens, and other details fairly quickly. The menu tree is simple to understand with just a few main levels and screens that expand as you add options. Unlike some of the other MFA vendors, SafeNet has made a nice balance between usability and displaying dozens of options on the screen.

There is also a Web-based user self-service portal which can handle lost tokens or to activate new ones. The portal is extremely customizable in its own series of configuration menus.

SafeNet has some of the best reports of any MFA vendor with more than 40 built-in reports covering an extensive range of usage, compliance and inventory management and billing areas. It also has one of the most flexible and granular administrative roles around: you set up each role with a custom collection of access rights and features by checking and unchecking the dozens of attributes that you wish for a particular class of users. Lots of other things are configurable too, from the text sent in SMS and email authentication messages to custom encryption keys for its authentication tokens.

SafeNet has the beginnings of risk-based authentication in what it calls “pre-authentication rules” that are set in the administrative console. For example, you can set particular time-of-day restrictions, limit logins to a particular IP address range, a particular authentication agent such as a Windows or IIS login, and a few other properties. This isn’t quite as capable as some of its competitors, but at least a beginning attempt at recognizing that some customers will want more restrictive policies.

Pricing is straightforward. SafeNet is one of the least expensive solutions on the market, and includes everything in a monthly subscription such as software tokens, support and maintenance. The typical cost is $1 per user per month for enterprise volume purchases. Given the combination of price and functionality, this product should be on anyone’s short list of MFA products.

Symantec Validation and ID Protection Service: Strong, SaaS-based offering

Symantec has also been in the authentication business for several years, and its Validation and ID Protection (VIP) Service now has customers with more than 70,000 credentials and the product has more than 7 million users in total. They have moved to a SaaS-based model completely with a somewhat tired Web-based console. This is where you can add users manually, setup their tokens, and keep track of any successful and unsuccessful login attempts across your enterprise.

+ ALSO: If I were the next CEO of Symantec – Redux +

While VIP has been around a long time, Symantec has continued to keep up with the market by offering a number of important innovations and extensions. To truly make effective use of VIP, you’ll need to also install its Enterprise Gateway, which sets up an identity provider with either your own Active Directory or another LDAP and Radius-based directory. This software runs on either a Windows or Linux server. Getting both products up and running didn’t take very long, although we still needed some guidance and to review a long series of steps in various different documents.

One example of this is how to get SAML-based identities (such as with Salesforce) working: you have to go through a typical metadata and certificate exchange before you can start using VIP tokens to authenticate SaaS-based resources. Once you connect the enterprise gateway, you can also setup a self-service Web-based portal, where users can add their own tokens to their accounts. You can set a limit on the number of different authentication tokens that each user can add in the management console.

After you get the enterprise gateway operational, another option supports risk-based authentication using device IDs and geolocation as mechanisms to step-up additional factors for logins. Symantec calls this VIP Intelligent Authentication, and it can set risk scores for activities such as end-user behavior, device reputation, and browser and device attributes.

For example, you can assign a higher risk to those end users who switch between different devices or operating systems that aren’t consistent with their established patterns, or if a user logs in from a new location in another country. When risk scores exceed a particular threshold, the user login can be blocked. This software has setup options in both the VIP Manager and in the Enterprise Gateway.

You also can enable risk-based authentication in SaaS applications if you can insert special JavaScript code from Symantec. The user interface and instructions could be made simpler for this process, but it is nice that it part of the product should this be a consideration in your evaluation. Other vendors, such as Vasco, sell their risk-based authentication as separate products.

The product has a credential software development kit which makes embedding VIP credentials into mobile apps easier. However, this is not available to any customer but only those that Symantec deems worthy because it isn’t very turnkey and requires a great deal of support services to create any useful applications.

Otherwise, VIP supports more than 100 apps already via SAML and SOAP.

One of the big advantages of VIP is that it supports a wide array of hardware tokens, mobile-based soft tokens, SMS and voice-based verification, push OTP, fingerprint authentication (available on both iPhones and iPads), and there is an app for the Apple Watch as well. More than 700 devices can run various forms of VIP authentication software, showing how long Symantec has been in this market. Soft tokens can be directly downloaded from a webpage. Supported versions include at least iOS v7, Android v4 and Windows Phone v8.

Online help is fairly sketchy, with just the basic instructions to get started and minimal context-sensitive help. You’ll find that you will need to download several manuals to get the entire setup process completed. Less than a dozen reports are available, including transaction history and login security challenges. Again, the user interface for this section of the management console could use some work.

Pricing is relatively straightforward. To start with, there is a $2,000 account setup fee. For a three-year subscription (that includes gold-level 24/7 support, both MFA and risk-based authentication, SAML support, Enterprise Gateway, unlimited mobile or desktop credentials), the cost is $55 per user per year. There is a 60-day free trial that doesn’t include any SMS or voice credentials (which are extra-cost options based on usage), but these can be activated once you convert to a paid account. Volume discounts are available. Overall system requirements for the various services and mobile versions can be found here.

TextPower SnapID v1.1: Innovative approach

TextPower works in the reverse of most MFA tools: at login time, you are presented with an OTP code and a SMS destination number on your web browser screen. You text that code to that destination and that allows your computer access. We reviewed its first product three years ago under the product name TextKey, but since then they have added a tool for WordPress blog logins that can be added to any website. Sadly, they haven’t caught fire yet but we still think this is an important technology.

SnapID is better than using standard SMS OTP’s because it can’t be as easily intercepted with man-in-the-middle attacks. Since the OTP originates from the Web app, there really isn’t any “middle” where you can insert something to intercept the password dialog. Instead, SnapID leverages the cellphone’s internal hardware ID information. When you send your text message to its servers, SnapID will verify that you are who you say you are and it isn’t a spoofed number or device. As long as you have your web browser and your cellphone, you are good to go.

The description of SnapID is very similar to what the company produced with TextKey, its original product. However, there is one important distinction: with SnapID, you don’t enter your username and static password, just the OTP code that you get from its Web app. This makes logins, well, a snap. It also means that if someone tries to compromise your servers, there is literally nothing for them to steal, since there aren’t any usernames created. Of course, this means that you have to trust their service to deliver when one of your users wants to login.

There are two versions: one is similar to TextKey and takes the form of a piece of code that you add to your website login routines. The other is a WordPress plug-in.

Speaking of TextKey, they have an excellent online API reference here. However, the company has not yet had time to rewrite its documentation for the SnapID product, although they claim the two will share the majority of interfaces.

The WordPress plug-in will take a few minutes to install and setup. Basically, you register your user ID with their service by texting back to their SMS destination number with an OTP. Thereafter, you can sign-in to your blog account without having to remember your static password, which adds an extra layer of security.

While we were testing SnapID they upgraded their SaaS servers and we had to re-authenticate ourselves to continue using SnapID. While understandable, that speaks to the stability of their software system. It still is an interesting idea and we hope that they develop other plug-ins to extend their services to common SaaS platforms. There is a solid amount of online documentation on their website on how to implement the system.

SnapID is currently free.

Vasco DIGIPASS for Mobile v4.9 and IDENTIKEY Authentication Server v3.9: Complex setup, excellent features

Vasco is a study in contrasts: it is complex to install but with a very capable feature set. There are more than a dozen different software tools before you can have a working solution. On the other hand, there is a seemingly endless list of supported token types. To implement its MFA solution, you’ll need two different lines of software tools: First is its Identikey Authentication Server, which handles device assignment, policy rules, and management dashboards. This line includes a separate Identikey Risk Manager that can be used to add risk-based authentication methods. Next is the Digipass line of tools that sets up different authentication factors and token activation methods.

There are other servers, such as to support federated identity for authentications across your app portfolio, a directory service connector (that supports multiple directory providers include Active Directory, Radius, eDirectory and IBM/Tivoli’s directory), and a message delivery service that allows OTPs generated by email, SMS texts, and voice response systems to be incorporated into its framework.

By the time you are done you will have installed several executable files. While complex, the combination is very feature-rich and as a result, Vasco is still a leader in the MFA world. Once you get this all setup, you access the various features via a Web-based management console, where there are numerous tabbed and very dense menu collections to set up users, security policies, and bulk token provisioning. These menus aren’t very attractive, and sadly haven’t changed much since we last looked three years ago. Like SafeNet they have more than 30 reports that cover a wide collection of information, and with a few new additions, mostly this hasn’t changed much since we reviewed them three years ago. Context-aware help files are easily available with the click of a button on every screen.

Vasco continues to innovate with new token types and stronger authentication methods, which is one reason that it has multiple customers with over a million users, including one deployment with 8 million users. They specialize in banking and medical vertical markets. Two of its latest tokens include the Digipass 760 and 780, both have cameras and screens that can capture full-color QR-type codes that they claim are more secure than some of their competitors’ one-time password applications, since you need to enter two different codes during the authentication process. These two are about the size of the iPod Nanos. They also have two Bluetooth tokens and a new Runtime Application Self-Protection feature that offers new protection for mobile apps, even if the device has been compromised with any malware.

Since we last looked at Vasco, it has beefed up its Web-based self-service user portal. You can now provision and deprovision multiple token types for a single user through this portal, along with manage your static PINs and other common tasks.

Vasco’s biggest limitation is its SAML support: it has specific documentation only for Office 365, Salesforce, and Google Docs. You can add others but unlike SafeNet you don’t have specific instructions. You have to follow a published API guide that comes as part of the software documentation. There is also an OpenID connector that you can use. They could take things a step further and like Yubico and others document their interface online and make it easier for developers to access this information.

Another downside is its price list. It is exceedingly complex and if printed out could dwarf a phone book for a small city. Purchasing its software almost guarantees buying a professional services contract to install and integrate its numerous options and modules. We had help from their engineers to debug a relatively modest installation in our test lab. Nevertheless, we calculate that a 100-token “starter” kit would end up costing about $7,000 for the first year, including a support contract. There are two support levels: one for five day by 10-hour support and one for full-time 24×7 support. The former is roughly 7% of the total purchase price while the latter adds an additional 20%.

Voice Biometrics Group Verification Services Platform: Voiceprint-based authentication

Voice Biometrics Group (VBG) has been involved in the voiceprint security field since 2009, and has some of the largest voice-related installations, some of which comprise more than a million individual voiceprints. The company has been involved in some interesting applications, such as being used in double-blind clinical medical trials, where the clinician doesn’t know the subjects yet needs to validate their identity through their voiceprints.

Voice as an additional authentication factor has a lot of subtleties and will require some careful implementations. Unlike an OTP, verifying a voice is a matter of statistics and not a yes/no decision: your system needs to collect enough information to match the recorded voiceprint attached to a particular speaker. How the audio is recorded – whether the speaker is in a quiet or noisy room, using a cell phone or land line, and speaking a particular language – are all key elements of whether the match will be made by a voiceprint system.

Also, having a database of voiceprints ups the ante on its security: imagine if such a database were hacked or compromised. Once a voiceprint has been stolen, you can’t assign another voice to one of your employees. This is an overall issue with any biometric factor and one of the reasons why this hasn’t become as popular as the other authentication methods used in this review. This is why voice should be just one of several other authentication factors and needs to be supplemented with SMS or phone calls to be more secure. No one uses a voiceprint system as the sole authentication factor, mainly because voices can be recorded and played back to defeat such simple use cases.

However, everyone has a unique voice, so that has appeal if you are trying to deploy a system around the world where sending a hardware token could be an issue.

VBG has put together a series of demonstrations of its system that can be accessed via a Web portal. This can be used to set up and record the voiceprints and show how they can be used as part of a typical interactive voice response phone application. There is a second Web-based portal that is its main administrative and management console. This has menu options to download a transactions report, show the status of voice records, and is used to classify voices as either male or female speakers.

VBG also has a series of HTMLv5 applications that can be used to start your own development effort that are included as part of the resources. Their systems are based on a RESTful API that is fairly simple, with less than a dozen different commands.

The dashboard and reports are very simplistic, although the company is working on improving their UI in the near future.

What isn’t included is any support for SAML or OAuth or other typical authentication protocols. This is more intended for custom-built applications that typically would be combined with a voice-response system in a call center.

VBG is a subscription-based managed service with a minimum fee of $500 per month. Pricing is based either on transactions or individual voiceprints stored on their system, and typical engagements will make use of their professional services organization, with minimum fees there starting at $10,000. A 60-day free trial is available, provided you sign a non-disclosure agreement.

Yubico Yubikey 4: USB-based keys

Yubico has been a leader in USB-based keys for many years; its tokens have a very interesting form factor: it fits into the USB slot on your computer and has a variety of keys to support dozens of applications and identity providers. The fourth generation of their keys came out last November. These keys don’t require any additional driver to work with most Windows, Mac and Linux systems.

One example is that the YubiKey 4 can be used to digitally sign GitHub and Docker code during initial development and through subsequent updates to ensure the integrity of the developed applications. This “touch-to-sign” feature has many different applications besides signing code: you could implement it for testing for “proof of life” situations too.

Yubico tokens can be found in hundreds of applications and the company was an early supporter of FIDO’s U2F standards. This means that the same Yubikey can be used to authenticate yourself with several applications: currently these include Google Docs, Dropbox, password managers like Dashlane single sign-on tools such as Centrify and several other systems via plug-ins to WordPress and Django content management systems. One indication of their popularity is that every Google and Facebook employee makes use of their keys to secure their logins.

Regardless of U2F support or not, their keys don’t store any cryptographic information: instead, they contain a long string of alphanumeric sequences that are used as complex passwords.

You easily can setup the keys to act as a second factor for all of these accounts, using the security settings screens for each application or plug-in. Once you do so, you have to press a small gold button on one side of the key to send the key sequence to your application as part of the login process. It certainly beats typing in a complex password sequence. Note that this isn’t a OTP application: the same numeric sequence is used repeatedly.

In addition to the USB-based keys, Yubico has also a newer YubiKey NEO device that supports sending keys via near-field communications protocols. These can be used with smartphones and other devices supporting this method.

Yubico has a long list of API libraries that support its keys, including code in C, Java and PHP. There is extensive documentation that can be used by corporate developers to build their own Yubikey-based authentication system, numerous code snippets, and detailed instructions on how to put everything together. The documentation is freely available at their developer portal and there is no charge to become part of its program. The amount and quality of this documentation and code samples and breadth of programming language support should be a model for the other MFA vendors.

Enterprise developers make use of their Management and Personalization Software utility, which runs on Windows, Mac OS X and several Linux operating systems to assign and revoke keys to users.

Tokens can be purchased for $50 or less in quantities of 100.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at and you can follow him on Twitter @dstrom. He lives in St. Louis.