Product Group Tests
Multi-factor authentication (2008)
Our Best Buy goes to PassGo Defender v5.2. It is a feature-rich, user-friendly product that offers excellent value for organisations of most sizes.
TriCipher's TACS is our Recommended choice for its solid capability, flexibility and ease of use.
Full Group SummaryEmploying several factors to verify users can help take the risk out of passwords. Peter Stephenson looks at a market that has done much to address enrolment concerns and prohibitive costs.
Multi-factor authentication usually combines two factors: something you know and something you possess. There are a few examples of true multi-factor authentication with more than two simultaneous elements, but these are mostly for deployment in very high-security environments and almost always include some form of biometrics. However, the "something you possess" may be a token. For example, we saw products that used X.509 certificates.
This begs the question of whether a token, a password/PIN and a certificate constitute multi-factor authentication. The old definition of "something you have, something you know and something you are" starts to fall apart here. Is an X.509 certificate something you possess in the classical sense? Or is it something the computer possesses? That being the case, we're back to only something you know: the password/PIN to access the computer/certificate.
How, then, is this different from a PIN and a token? The answer is that the token is under your control. If it is not in the physical possession of the user, there is no way to match the known and the possessed. If, on the other hand, the certificate is on a laptop that is stolen, and the password to the computer is easily guessed, the certificate is in jeopardy. The bottom line? Multi-factor may not always be what it seems.
One thing we noticed this year was the variety of authentication methods supported. There were several products for which multi-factor means that you have a choice of several methods of authentication, not necessarily used in combination with each other. This adds lots of flexibility.
Cost has traditionally been a barrier for multi-factor authentication, especially if hardware tokens are involved. Judging from this group, that problem is being addressed. We saw per user costs of less than 50 pence. These low-cost options are also quite innovative: one of the products we tested has a stick-on paper label you can place on your company ID card to turn it into a proximity card.
Tokens now come in all types as well. Key fobs, hard cards and USB tokens are available, and all are competent and easy to use.
One major challenge for multi-factor authentication, regardless of how simple to use the tokens are, is enrolment. Distributing tokens across a geographically disbursed enterprise can be challenging. Somehow those tokens need to match up with their users, get into the system and the user needs to enroll. Questions arise as to how we know that the user enrolling the token is the person for which it is intended.
That, too, is improving. Self-enrolment is becoming the rule rather than the exception. These schemes work well and are secure.
How we tested
We began by installing any specialised software that was needed in our test bed, including things such as LDAP, Active Directory or SQL. Then we set up the server software and clients. Once the required software or hardware was in place we began enrolment. We were concerned about ease of use, especially in the enrolment process. Finally, we attempted to bypass the security for the token or tokenless service.
Generally we found that these products met the challenge of strong authentication well, although not all were as easy to use or administrate as we would have liked. We were unable to bypass security on any of the products and user spoofing was unsuccessful as well.
What to look for
Start by looking for true multi-factor authentication. Are the factors strongly connected through the user, for example? What authentication method is being used? Is it a one-time passcode being generated by the token or something built into the token? The former tend to be more secure - and more expensive - than things built into the token.
Next, look for ease of deployment, especially self-enrolment, and administration. Self-enrolment needs to be robust and secure. How does the process control distribution of the token to the user and the subsequent binding of identity, something the user knows and the token?
The final consideration is cost, which seems to range as widely as do the products themselves. Cost is a bit elusive in some cases. A few of these products do a lot more than authenticate a user to a computer. Some have the basis of single sign-on as part of their functionality. A few include other advanced features. Be sure that you actually need these because they all add to the price you'll pay.
- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/