Vasco DigiPass 780, DigiPass for Mobile, and Identikey Authentication Server
Depends on product and quantity.
Strengths: Excellent targeting of a serious problem, ease of use and superior customer service.
Verdict: This one is, beyond doubt, a keeper. It is especially well-suited to larger environments and the company's pricing model supports that. For topnotch features, customer service and ease of use, we make Vasco's tool set our Recommended product this month.
This is another rather specialised product but, as with many such niche products, it fills a very important need. Vasco has been around quite a while and the company has a strong portfolio of security products. This particular suite - it consists of a mobile device application or a hardware token (your choice) and a backend server - addresses malicious code injection through the judicious application of strong authentication and some additional neat techniques.
The problem this suite addresses is that malicious actors can intercept and decode online banking transactions. By providing strong authentication coupled with some additional tools to prevent malicious repackaging/tampering, keystroke monitoring and screen scraping, DigiPass and Identikey interdict and prevent these attacks from succeeding. While in many cases strong authentication by itself has become a staple of online banking, the unique addition of Vasco's tools adds a significant measure of protection to strong authentication by itself.
The DigiPass 780 and the DigiPass for Mobile behave identically. The 780 is a small token about the size of a pack of cigarettes and about a third of an inch thick. It is mostly screen. The Identikey server can be on-premise as a physical or virtual appliance or may be provided as a cloud-based SaaS. The process of using the DigiPass is deployed as a self-provisioning portal. The user first registers an account, then activates the DigiPass for Mobile or enables the DigiPass 780. From that point forward, the user can manage their account simply by authenticating to the portal.
To activate the service, the user logs into the portal where they complete an activation form with three steps: sign up on the portal, provide a password and scan the user licence. Then the user is presented with a graphic containing a pattern of colored dots. The user points their phone or DigiPass 780 at the graphic. And activation is automatic. From that point on, logging into the portal and authenticating with the graphic is all that the user needs to do. There are some alternative or, if you prefer, add-ons, such as facial recognition, a standard QR scan code or push notification.
However, there is a lot going on under the hood. For example, there is Vasco's risk management that helps detect fraud. The Vacant Controller supports just about any operating environment you can imagine and has wrappers for all popular languages, such as C#, etc. It doesn't care what database you use for the backend and it is highly scalable.
Pricing is a bit complicated because there are lots of possible combinations of products and services. The website is exactly what one would expect from a mature company such as Vasco. Everything is there: product literature, knowledge base, consulting, support, etc. Documentation is complete and there is a lot of additional supporting literature. There are training opportunities and something we rarely see on a support site: an end of life policy.
Something else we rarely see is an incident response mechanism for security flaws in Vasco products. We think that speaks volumes about professional responsibility and concern for customers. From a purely practical perspective, it also makes Vasco one of the "good guys" who are open about flaws and work hard to prevent or, if necessary, correct them.
We like this suite of products for its completeness and its focus on using well-supported strong authentication to address - in a creative manner - a serious problem. The experience of Vasco shows.