Multifactor authentication is an all encompassing grouping for products that provide a second- and/or third-factor method for validating a user’s identity.
These products can include items such as tokens, certificates, biometric devices, one-time passwords, challenge-response solutions, mouse and keystroke pattern matching, and geolocation solutions. There are many sub-offerings in each of the above categories that we will discuss in more detail in our product reviews. The value that this technology can deliver in validating an identity of someone wanting to access systems or applications is clear. With an ever-growing list of government and private sector breaches, adding further levels of validation to confirm the basic credentials we all use in our jobs and personal lives should be a no-brainer. Today’s security risks employ sophisticated techniques that challenge even seasoned security professionals. What is worse is the growing “low-tech” targeting of our user base through simple social engineering and phishing attacks. The latter is what we wish to resolve through the validation of our users’ credentials via an additional source of information.
For this month’s Group Test review, we tested multifactor authentication products. There were definitely some trends and a few surprises in the product sets, prompting us to do some additional research. One surprise in the products we examined was the limited participation of any true biometric offerings and even the lack of support for these devices. We all know simple name and password authentication methods are inherently insecure. Multifactor products offer a huge advantage in added security.
That said, as passwords can be compromised, physical keys can be stolen. There is no such possibility in biometrics. TechNavio’s analysts forecast the global biometrics technology market will reach $9.3 billion by 2014. We find that there is quite a bit of consolidation going on in this space. The standard fingerprint-and-hand geometry solutions are still there. We are seeing more and more work being done in the voice recognition space for the purposes of verifying identities and authenticating people.
Another technology that came out of our research – that we did not have a chance to review, but is still worth mentioning – are the products that play in the continuous authentication space. These offerings attempt to address the risk of having a set of credentials comprised by revalidating the user beyond login.
The tools we reviewed this month all supported multiple forms of second-factor authentication technologies. We did have a few that supported standard fingerprint readers and an authentication method. The solutions provided authentication against a user’s PC or directory, as well as offering additional authentication protection for various application, VPN and web-based services.
One of the knocks against multifactor authentication solutions used to be the overhead involved in deploying in an enterprise environment. It was a pleasure to see that the products we reviewed really eliminated this as an issue.
We were pleased with the availability of deployment capabilities, key management, recovery abilities, and management and alerting options. Most of the offerings provided an easy means of deploying client software. There was also good support for user self-enrollment of tokens and self reset for PIN and password issues, reducing the IT overhead associated with supporting these technologies.
Pricing varied among the solutions, and it is important to understand the licensing as some are yearly renewals while others are one-time fees. Some of the offerings are also available in a SaaS model. As well, some products include token support, while others require separate purchasing. In any case, the price point of the solutions we reviewed really delivered a lot of protection for a very reasonable expense.