Product Group Tests
Two-factor authentication (2007)
We award our Best Buy award to Entrust's IdentityGuard for its simplicity, practicality and value for money.
We rate MXI Security's Stealth MXP as Recommended for its features and convenience.
Full Group Summary
As network perimeters get harder to define, we require more secure methods of identifying users before giving them access. Two-factor authentication products are a strong solution. By Justin Peltier
Perhaps the greatest vulnerability in today's IT environments is the loosely defined network perimeter. In times past, an organisation's computing took place inside a bricks-and-mortar computer room. This model evolved into distributed computing, where processing took place anywhere inside the physical building. Once the laptop was introduced, the perimeter was extended again to allow processing anywhere the laptop was. Now, with the advent of PDAs, BlackBerrys and other mobile devices, we are extending the network out beyond even the laptop.
This introduces several new security holes:
- Wireless networks: by allowing the network to reach beyond the building, WiFi networks can create a jumping-on point for unauthorised users.
- "Webification": this is a common development where legacy applications that were originally restricted to the physical building are now available over the internet. These applications were never designed to function in this way, but today are a critical part of an organisation's access to its IT infrastructure.
- Remote access and VPNs: laptop users are now accessing the network via remote connections. These are common targets for attackers.
- The network: as networks increase in size and complexity, the network perimeter becomes less determinate. Therefore, it is easier to connect devices to the network that violate the organisation's security policy.
These security holes mean the old standbys of user IDs and passwords are no longer sufficient - particularly under current compliance legislation - to secure a network.
Which brings us to two-factor authentication. Often the best solution to the fuzzy perimeter problem, using two steps to ID your users also brings your organisation into line with current compliance rules.
Two-factor authentication provides greater assurance that the user is authorised, regardless of whether that person is connected via a VPN connection or to a wireless network, a web-enabled application or a critical device such as a router or a firewall.
A common feature of two-factor authentication systems is the "once-only" password - passwords that are used for a single logon. This prevents an unauthorised user capturing the password and using it to break into the system at a later date.
Two-factor authentication generally combines two of the following three elements:
- Something the user is: most often these are either biometric or behaviour-based tags and are unique to the user, for example, fingerprints.
- Something the user knows: a password, passphrase or PIN.
- Something the user has: this could be a hardware device, such as a USB device, a key fob, a card with a single-use password chart, or a biometric device.
The most common approach for two-factor authentication is to provide the user with a token and something that generates a single-use password or PIN.
Most of the products we tested supported all or most of these options. In some cases, the cost of these devices or the requirement to carry the device made it necessary for the manufacturer to also offer a software client that would generate the single-use password.
Most of the test products fell into one of two categories: enterprise two-factor authentication, which allows for large-scale implementation, and stand-alone two-factor authentication, which permits secure access to a laptop by modifying the existing login set-up.
Most implementations used a software component installed on a server (most often Windows Server 2000 or 2003). The notable exception was the RSA offering, which is a hardware appliance.
The standalone devices often included a secure USB flash drive that provides secure storage in addition to the single-use password component. This is an interesting feature, because authentication is required to access the flash-drive storage. This made it an ideal place to store digital certificate files, a password list or other sensitive data.
How we tested
We installed each of the products and, in most cases, activated the two-factor authentication device. Once the device was active, we used the interface for the product to attempt to authenticate.