
Selection of a two-factor authentication solution provider. Part 1 of 2

It is no secret to most people that simple password authentication will not keep your data out of an intruder's hands. The length of the password or how often you change it is not the point. A plain phishing page or a piece of malware on your computer will hand your elaborate twenty-character password to whoever is waiting for it. And that is before we count how much effort it costs you to type it into the login window every time, because keeping it in a file or in the browser's saved passwords is not safe either.


Everyone has heard plenty about the solution to this problem: multi-factor authentication (MFA). A factor can be something you know, something you have, or something you are (biometrics; I plan to devote a separate article to its drawbacks). The most common form is two-factor authentication, which combines the familiar password with a one-time password (OTP). The OTP can be delivered to the user in various ways and is valid for only one authentication session. In addition, with the modern generation algorithms TOTP (time-based) and OCRA (challenge-response, optionally bound to a timestamp as well) the validity of a one-time password is limited to a single time step, typically 30 or 60 seconds, which makes the attacker's job considerably harder. Delivery and stand-alone generation come in many forms: from printed password lists on cards or ATM receipts and SMS messages to dedicated hardware tokens that generate the OTP.

I lead several development teams. By the nature of my work I have to take responsibility for decisions, and when the decision is up to the customer, it is still based on my opinion. When designing and developing systems that handle financial transactions or store and process sensitive information, security comes to the fore. At the moment the standard tool for ensuring it is a two-factor authentication system. At the beginning of my career choosing such a system was a rather difficult process for me, and now that I have already stepped on the rakes and tried more than one or two solutions, I believe I can give advice to those facing the choice for the first time.

The purpose of this article is to determine the 2FA provider most appropriate to your needs, to save you time and money and to keep you from repeating our mistakes. I will try to be objective, but please remember that the conclusions are based on my experience and my own values.
The following providers are offered for consideration: VASCO, SafeNet (Aladdin), RSA (EMC), Gemalto, Yubico, McAfee, Protectimus, DUO Security, smspasscode, Feitian.



This list can be expanded to take readers' wishes into account, but it should not grow beyond 10-12 participants: analyzing the existing ones is enough to see the overall picture.

As the analysis criteria I plan to take the following:
  1. General information about the company. Specialization
  2. OATH or other certification. Is the company a member of OATH?
  3. No unnecessary bureaucracy (registration, support service, access to materials)
  4. Type of service: SaaS or platform
  5. Is there a wide range of tokens? Supported one-time password (OTP) generation algorithms
  6. Cross-platform and cross-browser support. Convenience of the interface
  7. Additional useful functionality
  8. Ease of integration via API, that is, how quickly you can start using it in your own system (on your own resource)
  9. Availability of plug-ins for quick connection to popular services and applications
  10. Cost




Make yourselves comfortable, here we go.

1. General information about the company. Specialization


In this section we briefly consider: what is the company's place in the market? How long has it been around? Where is it from and what is its market share? Finding a true answer to the last question is difficult, because each of the first four companies considers itself the leader and writes that it owns 70% of the market.

Detailed analysis
VASCO

A major player in the two-factor authentication market. Please do not confuse it with the Vietnam Air Services Company (VASCO). The company has offices in the USA and Switzerland (it used to describe itself as Belgian in origin, but I could not find any mention of this now); it does two-factor authentication and electronic digital signatures. Tokens are made in China. As practice shows, it has all the traits of a large bureaucratic enterprise: it is reluctant to deal with small clients (1000 users or fewer) and leaves them to resellers, who multiply the base price several times.

SafeNet (Aladdin)

An American company specializing in the development of information security systems and one of the world's largest suppliers of encryption technology and hardware protection. Its two-factor solution is one of many products it offers. Its history is a long chain of mergers and acquisitions, and now it is its own turn to be acquired.

RSA (EMC)
Another American giant in the market for products, services and solutions for storing and managing information, with a long history of acquisitions.

Gemalto
A large international company with European roots and headquarters in Amsterdam, specializing in software, personal security devices such as smart cards and tokens, and the systems that manage them.

Yubico
The company started in 2007 as a Swedish firm and now positions itself as an international company headquartered in the United States. Tokens are manufactured in Sweden and in the USA. The company specializes in two-factor authentication.

McAfee
Another American company, but famous for its antivirus rather than for two-factor authentication.

Protectimus
An innovative company fully specialized in integrated two-factor authentication solutions, registered in the UK, with production facilities in Hong Kong. It is pleasant that its sales and technical support staff also speak Russian.

DUO Security
Another young American company on its way from startup to success. Over the past four years it has raised $19 million in investment. It is worth noting that it champions an innovative approach to authentication.

smspasscode
Danish company with offices in several countries. Its service offers simple functionality with an innovative approach. Its main specialization is delivery of one-time passwords by SMS.

Feitian
A Chinese hardware manufacturer (tokens, readers, etc.). Other companies use its tokens in their own solutions, and companies such as Fortinet have released white-label products based on this brand.


2. OATH or other certification. Is a member of OATH?


To begin with, what standards exist in the world of two-factor authentication. It is simple: a solution either follows the OATH (Initiative for Open Authentication) algorithms HOTP, TOTP and OCRA or it does not. OATH runs a certification program that puts a product through a set of conformance tests; a certificate means the implementation computes the algorithms correctly and interoperates with other OATH-compliant products. It does not by itself guarantee that the product as a whole is secure: the token seeds still have to be generated, distributed and stored properly, and that is outside the scope of the algorithm tests. Many companies also join the community to raise their prestige. Membership is of two kinds: Coordinating and Contributing; only the first allows you to propose changes to the standards.

Detailed analysis
VASCO
Contributing Members, their solution is certified.

SafeNet (Aladdin)
Contributing Members, their solution is certified.

RSA (EMC)
Not an OATH member: its SecurID tokens use RSA's own proprietary algorithm rather than the open OATH ones. Is that good or bad? Type "rsa token hacking" into a search engine and read why RSA had to replace millions of tokens after its token seed records were stolen in 2011. And yet tokens from that period can still be bought online.

Gemalto
Coordinating Member, the highest degree of participation; their solution is certified.

Yubico
Contributing Members, their solution is certified.

McAfee
Not a member of OATH and their solution is not certified, but a phrase about support for standard tokens does appear on their website: "any OATH-based token".

Protectimus
Coordinating Member, the highest degree of participation; their solution is certified.

DUO Security
Not a member of OATH, but supports standard OATH tokens.

smspasscode
Not a member of OATH.

Feitian
Contributing Members, their solution is certified.


3. No unnecessary bureaucracy (registration, support service, access to materials, price list)


In this section we look at how quickly you can find out the prices, get an answer to a technical question, and start working with the system.

Detailed analysis
VASCO
A very large company, with the inconveniences that brings for end users. Its website has a great many links and a lot of information that is often of no use. A reply to a request by e-mail (I am not counting the template letter saying they are glad about my interest in the company) can take more than six months. This is a real fact.

SafeNet (Aladdin)
I have sad personal experience of implementing this solution and dealing with their technical support. To this day my Skype is full of their support contacts. After three months of trying to resolve my issue with a local representative I had to contact their head office. The company suffers from the problems inherent in large organizations: to find out prices and/or get the SDK you have to make inquiries and wait.

RSA (EMC)
Another giant with billions in turnover. Only IBM is bigger (joke).
For any question you need to contact their representatives, because it is difficult to find useful information on the site.

Gemalto
Another company with 10,000 employees and billions in revenue. If you manage to find something on their website with its search, consider yourself lucky.

Yubico
Everything is simple: you buy a token with one click and download a server that is publicly available. They promise free authentication of their tokens in their cloud service for life.

McAfee
After filling in a dozen fields you get access to their system in demo mode. As with some of the previous companies, the site carries a lot of marketing material (use cases, the advantages of their solutions, etc.) that is not very informative.

Protectimus
The simplest registration (e-mail and password). You immediately get a working production account, with 25 dollars of credit to test the system. Integration through the API is well described. All materials are available without registration, in both Russian and English. Questions are answered quickly.

DUO Security
Simple registration (6 fields). Integration through plug-ins is well described. All materials are available after registration.

smspasscode
Only a demo mode is available. The registration form has 8 fields, including your phone number, which they call back. I could not find documentation on integration through an API on the site. The trial period has to be ordered.

Feitian
On the site it is easy to find information about the tokens and the software, but not a word about how to buy them or what they cost. So you have to write, call, and wait for an answer...


4. Type of service: SaaS or platform



Detailed analysis
VASCO
Service and platform.

SafeNet (Aladdin)
Service and platform.

RSA (EMC)
Platform.

Gemalto
Platform (I did not find information about the service).

Yubico
Service (YubiCloud) and platform (Validation Server). They even sell an appliance with the platform preinstalled. All of it is open source, with minimal functionality.

McAfee
The platform comes from the company NordicEdge, which is now part of McAfee; the trail is hard to follow.

Protectimus
Both service and platform, each a complete solution.

DUO Security
Full SaaS solution.

smspasscode
Service and platform.

Feitian
Platform (FEITIAN OATH Authentication System) and service (Cloudentify).


As you can see, the article is voluminous; I think there is already enough information for the first part.
At the moment a group of leaders has emerged, but the final ranking may change, because only four criteria have been considered so far (and the first item is not scored).

Scoring Scheme


You can find out the current result here.

See you later…

Source: https://habr.com/ru/post/238589/
