Strengths: Integrates well for Microsoft users
Weaknesses: Tokens can get out of sync with the server
Verdict: Excellent protection for a Microsoft environment, but the tokens could work better with the server
Two-factor authentication is particularly useful for strengthening remote access to your corporate network and Gemalto's GemEvidence is designed to do just that in relation to VPN accounts.
It's a Microsoft-only product that requires Windows Server 2003 Enterprise Edition, SQL Server 2003, IIS Server 6, IAS server, Active Directory and RRAS. The device is pretty easy to install and is managed through a web portal that runs on IIS.
Keeping things simple, GemEvidence only works with GemEvidence Easy Tokens, which generate single-use passwords at the touch of a button. The server and keys have a counter to keep track of which password is due next. Pressing the Easy Token's button moves the counter on one, so they can get out of sync with the server quite easily. Fortunately, the server software lets you resynchronise them.
To prevent access should one of the keys be stolen, each user account can also have a separate static PIN associated with it.
The management interface is one of the easiest to use we've seen, providing layered access. First, there's the user portal, where users can register their tokens, change their PINs and unlock blocked PINs.
Then there's the helpdesk view, which allows support staff to resynchronise tokens, report a token as lost and, in that event, generate up to five single-use passwords to keep the user going while they're waiting for their new token to be sent out.
Finally, there is the administration portal, where you can do all of the above, plus create the LDAP query to link GemEvidence with your Active Directory, run reports and control new tokens.
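To make the counter-based scheme, the static PIN and the helpdesk functions (resync, lost-token reporting and bridging passwords) concrete, here is an added Python model that is not Gemalto's code and not taken from the product. It assumes the Easy Tokens behave like an RFC 4226 HOTP token (the review does not say which algorithm GemEvidence actually uses); the look-ahead window of three, the resync window of 200, the SHA-256 PIN storage and the eight-digit emergency passwords are all illustrative choices, not product details.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


class EasyTokenSim:
    """Stand-in for the button token (assumed HOTP): every press emits one
    password and advances the token's own counter, used or not."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Server-side record for one user: shared secret, expected counter,
    hashed static PIN and any helpdesk-issued emergency passwords."""

    def __init__(self, secret: bytes, pin: str, look_ahead: int = 3,
                 resync_window: int = 200) -> None:
        self.secret = secret
        self.counter = 0                    # next counter value we expect
        self.look_ahead = look_ahead        # stray presses tolerated at login (assumed)
        self.resync_window = resync_window  # how far a helpdesk resync searches (assumed)
        self.token_active = True
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.emergency: set[str] = set()

    def _pin_ok(self, pin: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)

    def login(self, pin: str, code: str) -> bool:
        """PIN must match, then the OTP must be one of the next few counter
        values (or an unused emergency password). A used counter is consumed,
        so the same code cannot be replayed."""
        if not self._pin_ok(pin):
            return False
        for e in list(self.emergency):      # lost-token bridge passwords, single use
            if hmac.compare_digest(e, code):
                self.emergency.discard(e)
                return True
        if not self.token_active:
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1        # jump past the value just used
                return True
        return False

    def resync(self, code1: str, code2: str) -> bool:
        """Helpdesk resync: two consecutive passwords from the token locate its
        counter inside a much larger window than login tolerates."""
        for c in range(self.counter, self.counter + self.resync_window):
            if (hmac.compare_digest(hotp(self.secret, c), code1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), code2)):
                self.counter = c + 2
                return True
        return False

    def report_lost(self, count: int = 5) -> list[str]:
        """Token reported lost: stop accepting it and issue a few single-use
        passwords (8 digits here, so they never look like a 6-digit OTP)."""
        self.token_active = False
        while len(self.emergency) < count:
            self.emergency.add(f"{secrets.randbelow(10 ** 8):08d}")
        return sorted(self.emergency)


def demo(secret: bytes = b"12345678901234567890") -> dict:
    """Walk through the lifecycle the review describes with a constructed
    secret; returns the outcome of each step."""
    token, server = EasyTokenSim(secret), OtpServer(secret, pin="4321")
    out = {}
    out["wrong_pin"] = server.login("0000", token.press())          # PIN wrong
    first = token.press()
    out["login"] = server.login("4321", first)                      # in sync
    out["replay"] = server.login("4321", first)                     # counter already consumed
    for _ in range(20):                                             # user fidgets with the button
        token.press()
    out["drifted"] = server.login("4321", token.press())            # beyond look-ahead
    out["resync"] = server.resync(token.press(), token.press())     # helpdesk resynchronises
    out["after_resync"] = server.login("4321", token.press())
    codes = server.report_lost()
    out["lost_token_rejected"] = server.login("4321", token.press())
    out["emergency_once"] = server.login("4321", codes[0])
    out["emergency_twice"] = server.login("4321", codes[0])         # single use only
    return out


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:>20}: {'accepted' if ok else 'rejected'}")
```

The split between a small look-ahead window at login and a larger window for the helpdesk resync is what makes the review's observation workable: a handful of idle button presses still let the user in, while a badly drifted token is only accepted once a support person has seen two consecutive codes from it, and a token reported lost is refused outright regardless of counter state.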
The reports let you get a quick view of your system, showing who's got tokens, which ones are active and which users currently have access rights. Adding and activating a fresh token for a new user is easy too, as all you have to do is provide the username, their token's ID and two single-use passwords from each token.
However, there is no way to pull up a list of valid usernames from Active Directory, so you'll probably have to sit there with your user directory open so that you can get this right. An import option for multiple users and keys would also have been nice.
That said, for Microsoft VPN environments, GemEvidence is a simple, easy-to-manage two-factor authentication platform that offers excellent granular management controls.