Strengths: Support for multiple LDAP servers, swift, wizard-aided deployment, SMS codes better than tokens, preloading avoids SMS network delays, good value
Weaknesses: Nothing - it works perfectly
Verdict: This latest version of SecurAccess offers a range of unique features, making it a top two-factor authentication choice for businesses large and small
Two-factor authentication has long been the preferred alternative to simple username-and-password combinations, as it provides much stronger security. There are many solutions on the market with varying degrees of cost and complexity and SecurEnvoy's SecurAccess aims to be one of the easiest and most cost-effective.
SecurAccess offers a number of advantages as it supports any GSM mobile, allowing passcodes to be issued via simple SMS texts. Passcodes can also be sent via email, but SMS has always been its primary focus and SecurEnvoy is something of a pioneer in this area.
This latest version delivers new and welcome features, with support for any LDAP directory server at the top of the list. Along with AD and eDirectory, it can integrate with a wide range of other servers, including Microsoft's ADAM, Sun Directory Server, Fedora and many more.
SecurAccess also now supports multiple LDAP domains. This makes it very useful to ISPs and service providers, helping them offer a variety of authentication services. It means they only need one instance of SecurAccess, which brings immediate cost benefits.
It's worth noting that many competing solutions use proprietary services and databases that require additional hardware and software platforms. RSA, for example, uses Oracle databases, so additional costs may need to be factored in. SecurAccess supports RADIUS authentication and you can either employ your own server or use the built-in version provided.
SecurEnvoy provides new sets of migration tools, with tokens as a primary focus. SecurAccess supports their continued use as it simply forwards these requests on to the token server until you choose to revoke them or the token has expired. This allows businesses to maximise their investment in hardware tokens before they phase them out and hand them back for recycling.
It can also provide a controlled migration away from single-factor authentication such as standard username/password schemes. After installation, it will allow users to authenticate normally until they have been made members of SecurAccess. There's yet more in v5.3: the Windows Logon Agent extends SecurAccess to Windows Server 2003 Terminal Services as well as domain logins, and it now supports syslog servers for more detailed auditing.
We found installation simple enough and loaded SecurAccess on a Windows Server 2003 R2 system in minutes. During this process, you select an LDAP directory server, provide its address and enter details of a nominated administrative account. In this phase, you can enter details of other LDAP servers and it's worth noting that SecurEnvoy claims no known limits to the number it can support.
SecurAccess can use GSM modems to send SMS messages, but for testing we opted for the more popular web SMS gateway service. It supports all the main providers: aql, HSL, T-Mobile and Vfirst. For trial purposes, it provides an SMS gateway service plus 100 free messages.
SecurEnvoy's preloading feature is unique in that it sends users their first passcode as soon as they have been registered with the SecurAccess server. When they've authenticated, they will be sent the next one ready for use. As each SMS text is sent out, it overwrites the previous one, thus keeping your inbox more manageable.
The new on-demand service is for users who authenticate infrequently, where a passcode is requested during the portal login phase. Once a normal password has been entered, SecurAccess sends a flash SMS to their mobile with a PIN. After it has been read, it is deleted and administrators can set the period for which it is valid.
The ICE (In Case of Emergency) feature made SecurAccess unique when it was first launched and has since been emulated by much of the competition. ICE comes into action where access to premises may be denied in a disaster. Simply check one tick box to activate ICE and all users and groups with this privilege will be sent passcodes allowing them to securely access business resources remotely.
SecurEnvoy scores highly with its User Deployment Wizard, a good choice for large-scale deployments. The simple four-step process takes you through selecting a default passcode type, deciding on ICE membership and selecting a domain.
The list of undeclared users can be searched for those with mobile numbers or email addresses in their user profile. SecurAccess is then deployed using either of these two messaging methods. SecurEnvoy advised us that it has seen rates in excess of 300 users per minute. It can also collect mobile numbers from users: it emails the first PIN, requests the mobile number when they log on and automatically adds it to their profile.
Day-codes avoid having to hand out new codes each time a user authenticates. These are issued at a set time, remain valid for a few days and can only be sent out if the old ones have been used up. Multiple one-time passcodes in SMS texts can also be useful for users who can't get a signal but still need to access the network.
When we last looked at this software we weren't impressed with amateurish documentation and sloppy online help files. SecurEnvoy has since addressed these issues, leaving us with no complaints at all, making SecurAccess one of the most impressive and cost-effective two-factor authentication solutions on the market.