Choosing a two-factor authentication solution provider. Part 1 of 2
So, for many it is no secret that simple password authentication will not protect your data from the hands of an attacker. It's not about the length of the password, and not about how often you change it. A simple phishing or virus on your computer will pass your complex twenty-character password to the person waiting for it. About how much you suffered, entering it every time in the login window, because it is not safe to store it in a file or browser cache.
Everyone has already heard about the solution to the problem. Of course, we are talking about the use of multifactor authentication (MFA). Factors can be knowledge, objects or biometric data (I plan to devote a separate article to the shortcomings of biometrics). Most often, two-factor authentication is used, which uses the usual password, as well as another one-time authentication ( OTP) It can be delivered to the user in various ways and is valid for only one authentication session. Also, in modern password generation algorithms TOTP (by time) and OCRA (by request), the one-time password is limited to 30 or 60 seconds, which greatly complicates the task for an attacker. There are various methods of delivery or autonomous generation: from printed lists of passwords on cards or checks from ATMs, SMS messages to the use of special devices for generating OTP tokens.
I am the leader of several development teams. By the nature of my activity, I have to be responsible for making this or that decision; if the decision is up to the customer, then it still relies on my opinion. When designing and developing systems related to financial transactions or the storage and processing of sensitive information, the security issue comes to the fore. At the moment, two-factor authentication systems are a standard tool for its support. At the beginning of my professional career, the choice of such a system was quite a difficult process for me, and now, when the rake has already been “stepped on” and not 1-2 solutions have been tried, I believe that I myself can give advice to those who are faced with this for the first time.
The purpose of this article is to determine the most appropriate 2FA provider according to your needs , in order to save your time and money and not repeat our mistakes. I will try to be objective, but please remember that conclusions will be made based on my experience and my life values.
The following providers are proposed for consideration: VASCO , SafeNet (Aladdin) , RSA (EMC) , Gemalto , Yubico , McAffe , Protectimus , DUO Security , smspasscode , Feitian .
This list can be expanded, taking into account the wishes of readers, but more than 10-12 participants should not do it, because an analysis of existing participants will see the big picture.
As the analysis criteria, I plan to take the following:
Sit back, move on.
In this section, we briefly consider: What place does the company occupy in the market? How long ago? Where does it come from and what is the market share? Finding a true answer to the last question is difficult, because the first 4 companies consider themselves leaders and write that they own 70% of the market each.
To begin with, what standards exist in the world of two-factor authentication. Everything is simple here: the solution is built in accordance with OATH or not. Compliance with standards, and therefore safety, assures the OATH community by subjecting the solution to a variety of test checks. In addition, many companies strive to become members of this community in order to enhance their prestige. There are two types of membership: Coordinating and Contributing. The first view even allows you to make suggestions for the development of the standard.
This section will discuss how quickly you can find out about price offers, get an answer to a technical question of interest, and get started with the system.
As you can see, the article is voluminous. I think that for the first part there is already enough information.
At the moment, we have identified a number of leaders, but in the end they can change, because currently only 4 criteria are considered (and the first paragraph is not taken into account).
See you later…
Everyone has already heard about the solution to the problem. Of course, we are talking about the use of multifactor authentication (MFA). Factors can be knowledge, objects or biometric data (I plan to devote a separate article to the shortcomings of biometrics). Most often, two-factor authentication is used, which uses the usual password, as well as another one-time authentication ( OTP) It can be delivered to the user in various ways and is valid for only one authentication session. Also, in modern password generation algorithms TOTP (by time) and OCRA (by request), the one-time password is limited to 30 or 60 seconds, which greatly complicates the task for an attacker. There are various methods of delivery or autonomous generation: from printed lists of passwords on cards or checks from ATMs, SMS messages to the use of special devices for generating OTP tokens.
I am the leader of several development teams. By the nature of my activity, I have to be responsible for making this or that decision; if the decision is up to the customer, then it still relies on my opinion. When designing and developing systems related to financial transactions or the storage and processing of sensitive information, the security issue comes to the fore. At the moment, two-factor authentication systems are a standard tool for its support. At the beginning of my professional career, the choice of such a system was quite a difficult process for me, and now, when the rake has already been “stepped on” and not 1-2 solutions have been tried, I believe that I myself can give advice to those who are faced with this for the first time.
The purpose of this article is to determine the most appropriate 2FA provider according to your needs , in order to save your time and money and not repeat our mistakes. I will try to be objective, but please remember that conclusions will be made based on my experience and my life values.
The following providers are proposed for consideration: VASCO , SafeNet (Aladdin) , RSA (EMC) , Gemalto , Yubico , McAffe , Protectimus , DUO Security , smspasscode , Feitian .
This list can be expanded, taking into account the wishes of readers, but more than 10-12 participants should not do it, because an analysis of existing participants will see the big picture.
As the analysis criteria, I plan to take the following:
- General information about the company. Specialization
- OATH or other certification. Is a member of OATH?
- Lack of excessive bureaucracy (registration, support service, access to materials)
- Type of service: SaaS or platform
- Is there a wide range of tokens? Supported One-Time Password (OTP) Algorithms
- Cross-platform and cross-browser. UI Convenience
- Additional useful functionality
- Easy integration through API. In other words, how quickly you can start using it in your system (on your resource)
- Availability of plugins for quick connection to popular services and applications
- Cost
Sit back, move on.
1. General information about the company. Specialization
In this section, we briefly consider: What place does the company occupy in the market? How long ago? Where does it come from and what is the market share? Finding a true answer to the last question is difficult, because the first 4 companies consider themselves leaders and write that they own 70% of the market each.
Detailed analysis
A major player in the two-factor authentication market. Please do not confuse with Vietnam Air Services Company (VASCO). The company has offices in the USA and Switzerland (they used to write about Belgian origin, but now I haven’t found any mention of it), it is engaged in two-factor authentication and digital signature . Tokens are produced in China. As practice shows, all the characteristics of a large bureaucratic enterprise are inherent in them, they are reluctant to engage in small clients (1000 or fewer users), trust this to resellers, and they increase the base cost significantly.
An American company specializing in the development of information security systems. One of the world's largest suppliers of encryption technology and hardware security. Their two-factor solution is one of many solutions that they offer on the market. Their history consists of many acquisitions and mergers , and now their turn has come .
RSA (EMC)
Another American monster in the market of products, services and solutions for storing and managing information with a long history of acquisitions .
Gemalto
A large international company with European roots and head office in Amsterdam, specializing in software, personal security devices such as smart cards and tokens, as well as in their management systems.
Yubico
The company began operations in 2007 as a Swedish company, and is now positioned as an international company with headquarters in the United States. Token production is carried out in Sweden and in the USA. The company specializes in two-factor authentication.
McAffe
Another American company, but it is famous not for two-factor authentication, but for its antivirus program.
Protectimus
UK-based innovative company, fully specialized in integrated two-factor authentication solutions. Production facilities are located in Hong Kong. It's nice that the sales and technical support service also speaks Russian.
DUO Security
Another young American company that is moving from startup to success. Over the past four years, they have received $ 19 million in investment . It is worth noting that they profess an innovative approach in the field of authentication.
smspasscode A
German company with offices in several countries around the world. Their service offers simple functionality, but with an innovative approach. The main specialization is SMS delivery of one-time passwords.
Feitian
This is a Chinese hardware manufacturer (tokens, readers, etc.). Other companies use their tokens in their solutions, and companies such as FortiNet have released a white-label solution based on this brand.
Vasco
A major player in the two-factor authentication market. Please do not confuse with Vietnam Air Services Company (VASCO). The company has offices in the USA and Switzerland (they used to write about Belgian origin, but now I haven’t found any mention of it), it is engaged in two-factor authentication and digital signature . Tokens are produced in China. As practice shows, all the characteristics of a large bureaucratic enterprise are inherent in them, they are reluctant to engage in small clients (1000 or fewer users), trust this to resellers, and they increase the base cost significantly.
SafeNet (Aladdin)
An American company specializing in the development of information security systems. One of the world's largest suppliers of encryption technology and hardware security. Their two-factor solution is one of many solutions that they offer on the market. Their history consists of many acquisitions and mergers , and now their turn has come .
RSA (EMC)
Another American monster in the market of products, services and solutions for storing and managing information with a long history of acquisitions .
Gemalto
A large international company with European roots and head office in Amsterdam, specializing in software, personal security devices such as smart cards and tokens, as well as in their management systems.
Yubico
The company began operations in 2007 as a Swedish company, and is now positioned as an international company with headquarters in the United States. Token production is carried out in Sweden and in the USA. The company specializes in two-factor authentication.
McAffe
Another American company, but it is famous not for two-factor authentication, but for its antivirus program.
Protectimus
UK-based innovative company, fully specialized in integrated two-factor authentication solutions. Production facilities are located in Hong Kong. It's nice that the sales and technical support service also speaks Russian.
DUO Security
Another young American company that is moving from startup to success. Over the past four years, they have received $ 19 million in investment . It is worth noting that they profess an innovative approach in the field of authentication.
smspasscode A
German company with offices in several countries around the world. Their service offers simple functionality, but with an innovative approach. The main specialization is SMS delivery of one-time passwords.
Feitian
This is a Chinese hardware manufacturer (tokens, readers, etc.). Other companies use their tokens in their solutions, and companies such as FortiNet have released a white-label solution based on this brand.
2. OATH or other certification. Is a member of OATH?
To begin with, what standards exist in the world of two-factor authentication. Everything is simple here: the solution is built in accordance with OATH or not. Compliance with standards, and therefore safety, assures the OATH community by subjecting the solution to a variety of test checks. In addition, many companies strive to become members of this community in order to enhance their prestige. There are two types of membership: Coordinating and Contributing. The first view even allows you to make suggestions for the development of the standard.
Detailed analysis
VASCO
Contributing Members, their solution is certified.
SafeNet (Aladdin)
Contributing Members, their solution is certified.
RSA (EMC)
Cannot be a member of OATH because it uses its proprietary algorithm. Is this good or bad? Enter in the search engine “rsa token hack” and find out why RSA has replaced millions of tokens. However, tokens with vulnerabilities can still be purchased on the Internet.
Gemalto
Coordinating Members - the highest degree of participation, their solution is certified.
Yubico
Contributing Members, their solution is certified.
McAffe is
not a member of OATH, their solution is not certified, but the phrase about supporting standard tokens: “any OATH-based token” slipped on their website.
Protectimus
Coordinating Members - the highest degree of participation, their solution is certified.
DUO Security
Not a member of OATH, but supports standard OATH tokens.
smspasscode is
not a member of OATH.
Feitian
Contributing Members, their solution is certified.
Contributing Members, their solution is certified.
SafeNet (Aladdin)
Contributing Members, their solution is certified.
RSA (EMC)
Cannot be a member of OATH because it uses its proprietary algorithm. Is this good or bad? Enter in the search engine “rsa token hack” and find out why RSA has replaced millions of tokens. However, tokens with vulnerabilities can still be purchased on the Internet.
Gemalto
Coordinating Members - the highest degree of participation, their solution is certified.
Yubico
Contributing Members, their solution is certified.
McAffe is
not a member of OATH, their solution is not certified, but the phrase about supporting standard tokens: “any OATH-based token” slipped on their website.
Protectimus
Coordinating Members - the highest degree of participation, their solution is certified.
DUO Security
Not a member of OATH, but supports standard OATH tokens.
smspasscode is
not a member of OATH.
Feitian
Contributing Members, their solution is certified.
3. Lack of unnecessary bureaucracy (registration, support service, access to materials, price list)
This section will discuss how quickly you can find out about price offers, get an answer to a technical question of interest, and get started with the system.
Detailed analysis
VASCO
A very large company and there are certain inconveniences for end users. On their site there are a lot of links and information, which, often, is not useful. An answer to a request by mail (I’m not talking about a template letter in which they write that they are glad of my interest in their company) may take more than six months. This is a fact.
SafeNet (Aladdin)
I have personal sad experience implementing this solution and communicating with their technical support team. There are still a bunch of contacts on Skype for their tech support. After 3 months of trying to resolve my issue with a local representative, I had to contact their main office. The company suffers from the problems inherent in large organizations: to find out the prices and / or get the SDK, you need to make requests and wait.
RSA (EMC)
Another monster with billions of revolutions. Larger than them only IBM (joke).
For any questions you need to contact their representatives, because it is difficult to find useful information on the site.
Gemalto
Another company with 10,000 employees and billions in revenue. If you find something on their website using the search, then consider that you are lucky.
Yubico
Everything is simple for them: I bought a token with one click and downloaded the server, which is in the public domain. They promise for their tokens free authentication in their cloud service for life.
Mcaffe
By filling in a dozen fields, you can access their system in demo mode. Like some previous companies, the site has a lot of marketing information (description of application cases, advantages of their solutions, etc.), which is of a weak informative nature.
Protectimus
The easiest registration (mail and password). As a result, you immediately get a working account on the production. They put $ 25 on the account to test the system. The integration process through the API is well described. All materials are available without registration in both Russian and English. The questions are answered quickly.
DUO Security
Simple registration (6 fields). The integration process through plugins is well described. All materials are available after registration.
smspasscode
Only demo mode is available. The registration form contains 8 fields. You must also indicate your phone number on which they will call back. I didn’t find documentation on integration through the API on the site. The trial period must be ordered.
Feitian
On the site it is easy to find information about tokens and the software part, but how to buy it and how much it costs is not a word. So - you need to write, call, wait for an answer ...
A very large company and there are certain inconveniences for end users. On their site there are a lot of links and information, which, often, is not useful. An answer to a request by mail (I’m not talking about a template letter in which they write that they are glad of my interest in their company) may take more than six months. This is a fact.
SafeNet (Aladdin)
I have personal sad experience implementing this solution and communicating with their technical support team. There are still a bunch of contacts on Skype for their tech support. After 3 months of trying to resolve my issue with a local representative, I had to contact their main office. The company suffers from the problems inherent in large organizations: to find out the prices and / or get the SDK, you need to make requests and wait.
RSA (EMC)
Another monster with billions of revolutions. Larger than them only IBM (joke).
For any questions you need to contact their representatives, because it is difficult to find useful information on the site.
Gemalto
Another company with 10,000 employees and billions in revenue. If you find something on their website using the search, then consider that you are lucky.
Yubico
Everything is simple for them: I bought a token with one click and downloaded the server, which is in the public domain. They promise for their tokens free authentication in their cloud service for life.
Mcaffe
By filling in a dozen fields, you can access their system in demo mode. Like some previous companies, the site has a lot of marketing information (description of application cases, advantages of their solutions, etc.), which is of a weak informative nature.
Protectimus
The easiest registration (mail and password). As a result, you immediately get a working account on the production. They put $ 25 on the account to test the system. The integration process through the API is well described. All materials are available without registration in both Russian and English. The questions are answered quickly.
DUO Security
Simple registration (6 fields). The integration process through plugins is well described. All materials are available after registration.
smspasscode
Only demo mode is available. The registration form contains 8 fields. You must also indicate your phone number on which they will call back. I didn’t find documentation on integration through the API on the site. The trial period must be ordered.
Feitian
On the site it is easy to find information about tokens and the software part, but how to buy it and how much it costs is not a word. So - you need to write, call, wait for an answer ...
4. Type of service: SaaS or platform
Detailed analysis
VASCO
Service and Platform.
SafeNet (Aladdin)
Service and platform.
RSA (EMC)
Platform.
Gemalto
Platform (service information not found).
Yubico
Service (YubiCloud) and platform (Validation Server). They even supply a hardware-software complex - a server in which the platform is installed. All this is open-source with a minimum of functionality.
McAffe
Platform from nordicedge, which is now part of McAffe - the ends will be difficult to find.
Protectimus
Service and platform are complete, complete solutions.
DUO Security
Complete SaaS solution.
smspasscode
Service and platform.
Feitian
Platform (FEITIAN OATH Authentication System) and service (Cloudentify).
Service and Platform.
SafeNet (Aladdin)
Service and platform.
RSA (EMC)
Platform.
Gemalto
Platform (service information not found).
Yubico
Service (YubiCloud) and platform (Validation Server). They even supply a hardware-software complex - a server in which the platform is installed. All this is open-source with a minimum of functionality.
McAffe
Platform from nordicedge, which is now part of McAffe - the ends will be difficult to find.
Protectimus
Service and platform are complete, complete solutions.
DUO Security
Complete SaaS solution.
smspasscode
Service and platform.
Feitian
Platform (FEITIAN OATH Authentication System) and service (Cloudentify).
As you can see, the article is voluminous. I think that for the first part there is already enough information.
At the moment, we have identified a number of leaders, but in the end they can change, because currently only 4 criteria are considered (and the first paragraph is not taken into account).
Results calculation chart
Find out the current result here.
See you later…