January 21, 2013
Between £6 and £16 per user per year, including gold-level support
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Exceedingly simple to deploy and use, product design philosophy allows for easy fraud detection
- Weaknesses: Hosted solution, no workstation authentication
- Verdict: If you’re comfortable with a hosted solution and need multi-factor authentication now, PhoneFactor is a must
Companies looking for a turnkey out-of-band authentication solution need look no further than PhoneFactor. It is, quite simply, one of the easiest to implement multi-factor authentication solutions we've ever seen. It is a hosted solution, however, which may be a turn-off to some administrators.
Deployment of the product was incredibly simple. After creating an account on PhoneFactor's website and providing a phone number to associate with that account, we downloaded the agent application. The agent needed to be installed on each application server we wanted to augment with the product. Using our Outlook Web Access server as a test bed, we ran the installation package, and after the files were copied we were prompted to log in with the user credentials we provided when setting up our account on the website.
Once we entered our login credentials, the PhoneFactor service placed a call to the phone we provided when initially setting up our account - all we had to do to authenticate was answer the call and press '#'. Out-of-the-box, the product supported a number of applications, including Outlook Web Access. All we had to do was check the appropriate box, provide the base URL, and add a user. We were able to import our users from Active Directory and assign phone numbers to each of them. From that point on, any time one of those users attempted to log into OWA, they received a phone call from PhoneFactor and needed to authenticate just as we did when setting up the agent software. That was it - configuration complete.
PhoneFactor serves as an additional authentication layer for applications. It does not allow for multi-factor workstation authentication (i.e. local Windows login), but does support Windows Terminal Services. Additionally, IIS applications, Citrix Web Interface, websites that use forms-based authentication and applications that authenticate using Radius, including VPNs, are all supported out-of-the-box. The available SDKs allow that support to be extended further, with SDKs for Perl, Ruby, PHP, .NET and Java applications all downloadable from PhoneFactor's website.
By default, the product places a call to a specified mobile phone number, however SMS messaging and PINs are also available as authentication methods, as well as Oath tokens and a mobile phone app that can push authentication challenges to the user. The product's user portal account management tool can be set up as an end-user self-service website, allowing users to register their own phone numbers, activate the mobile app and set up security questions that can later be used to authenticate the user in case of a forgotten password or lost or stolen phone. The hosted online management portal allows administrators to assign new phone numbers to users, change PINs, or provide a one-time bypass of the PhoneFactor authentication process in case of emergencies. Reports based on usage, agent status, system changes and other items can be generated and viewed on the site, exported to CSVs, or scheduled and automatically emailed to administrators in an encrypted format. Client-based logging is also available; the system can be configured to use flat files or transmit log data to a syslog server.
The product's documentation was decent. The text was detailed enough, with plenty of screenshots, but the formatting was no-frills, no bookmarking or indexing.
PhoneFactor offers two support tiers: gold level is ten-hours-a-day/five-days-a-week, providing phone, email and web-based support; and platinum level extends those hours to 24/7. Unfortunately it offers no real knowledgebase or technical FAQs, but then again the product is so simple that there's no real need.
PhoneFactor retails between £6 and £16 per user per year, including gold level support. The platinum support package can be purchased for an additional ten per cent of the total expenditure.
SC Webcasts UK
Information Security Manager
Infosec People - Hammersmith, West London
Security Architect, Cardiff - to £70k Basic
Infosec People - Cardiff, Wales
Interim CISO (Chief Information Security Officer) - Cyber Security Director
CYBER EXECS - London (Central), London (Greater)
Junior Penetration Tester, Hertfordshire, to £35k + benefits
Infosec People - England, Hertfordshire
Cyber Security Architect
CYBER EXECS - London (Greater)
Sign up to our newsletters
SC Magazine UK Articles
- Tesco Bank allegedly ignored warnings of hack from Visa
- Investigatory Powers and Digital Economy Bills could threaten economy
- Updated: A million German routers knocked offline by failed Mirai botnet attack
- Gooligan ad fraud malware infects 1.3M Android users, installs over 2M unwanted apps
- Microsoft update left Azure Linux virtual machines open to hacking
- SC Awards Europe 2016 winners announcements!
- ISIS radicalises 'lone wolves' through strong social media presence
- Updated: How will Brexit affect the cyber-security industry in UK and Europe?
- 9.2 million medical records for sale on darkweb
- Microsoft Office 365 hit with massive Cerber ransomware attack, report