Product Group Tests

Two-factor authentication (2006)

by SC Staff September 01, 2006
products

GROUP SUMMARY:

Our Best Buy award goes to RSA SecurID. It may have the potential of getting out of sync with its tokens, but this isn't that likely. It wins because its support is outstanding. Even where RSA doesn't provide direct support, someone else does. With the excellent integration guides on the website, it offers complete protection for your network.

Our first Recommended award goes to Secure Computing's SafeWord Premier Access. Its integration with Active Directory is excellent and it is also really easy to manage. The product is extendable, too, so you can add its support to other servers and applications.

Our second Recommended award goes to Koolspan SecurEdge. This product encrypts remote or local data, letting you add secure, authenticated traffic to your existing systems. It is incredibly simple to install and use.

No matter how safe you think you've made your networks, if the wrong person gets hold of a user password, it's all worthless. David Ludlow tests authentication methods that keep the bad guys out.

You might have the latest security products, firewalls coming out of your ears and a dedicated team of security experts at your disposal, but you can't sit back and relax quite yet. There's probably one weak link left in your armour: user passwords.

Try as you may, users generally have passwords that are easy to guess. Or, if you make them think of something more complicated, you risk having passwords written down on PostIt notes.

Once a password has been cracked, the intruder has free rein to your network. This becomes more of a problem for remote access, where an intruder can't be physically spotted.

Rather than thinking of more and more complex ways to shut down your systems, two-factor authentication can help protect them. These processes work in combination with your existing passwords and rely on unique tokens a user carries around. These generate a single-use password and, as your user is the only person to carry that token, chances are that the person logging on is a valid user. Plus, as the generated password is only valid for one use, it's practically useless if someone steals it. The normal password that's entered next seals the deal. And, best of all, the whole system is no more complex to use.

There are several variations on this theme, and we've tested the whole range. The traditional method, as used by RSA's SecurID, is to have a hardware token that refreshes the code automatically every minute. The server keeps track of the time and knows which code to expect next. This has its problems, though, particularly if the server and token get out of sync. For this reason, some products featured here use tokens that generate unique codes asynchronously on request.

This test shows how the technology has moved on, and we've got a huge range of authentication methods, suitable for different purposes. Smart cards have become a lot more popular, and most of the products we tested support authentication through this method. For financial systems, some of the products even accept bank cards as the smart card, so you can authenticate a financial transaction through the card used to pay for it. Biometrics is also gaining popularity.

Carrying a device around isn't always convenient, so software tokens or single-use passwords sent via SMS are just two other ways offered by some suppliers. A flexible approach is important when it comes to this kind of product, so we paid particular attention to the number of ways that users can be authenticated.

In reviewing these products, management of these tokens was key to our testing, as assigning tokens to all of your users can become a nightmare if you've got to do it manually. Fortunately, a lot of the products allow users to register their own hardware: you just give them their token and a website address and they follow the simple instructions.

For those situations where you don't want to let users register automatically, we were looking for products that make it simple to import and assign tokens to users.

General management was also important during our testing, as two-factor is supposed to add a second layer of authentication, not a second layer of management. For those products that integrate with Active Directory, we were particularly interested to see if they can be managed using your standard AD management tools. Otherwise we were looking for LDAP integration, so that you don't have to recreate your whole list of users.

The range of protection a product offers is very important depending on what you want to protect. For example, if you want to add two-factor authentication to your local workstation access and your web mail accounts, then there's very little point in choosing a product that will only do one of those jobs.

Finally, we've split our products into two groups: hardware and software. The software products require your own hardware to install the authentication server and have to be integrated with your existing systems. The hardware products have a wider range. First, we've got appliances, which come preinstalled with the authentication servers. They're generally easier to configure as you don't have to go through a lengthy installation procedure. Second, we've got some smaller products such as a USB key and a fingerprint reader. Generally designed for individual use, these can be important aids in protecting your enterprise.

The range of products we tested should cover most businesses' needs. Whether you want to add security to remote access, web applications or every company resource, two-factor authentication can give you that added security without additional complexity.

SC Webcasts UK

Sign up to our newsletters

FOLLOW US