Currently working through an implementation of Gemalto/Safenet. The phone app and push notification token mode make the end-user experience pretty simple. Provisioning via a QR code is also easy. Plenty of flexibility for token types (push, OTP, SMS, email, grid, physical) as well.
This is the company's first foray into MFA; we'll no doubt be learning a lot as we start on our first wave of users who've never done this before...
Over the years, I have used RSA, Safeword (now SafeNet/Gemalto), Symantec VIP, Microsoft and Google Authenticator, and have evaluated a bunch of others. Overall, they all seem to be able to do the job; the differences are in the user and administrator experience.
If you need background, see NIST SP 800-63b. It is very good.
Here are some of the issues we have encountered:
In some cases, we decided to accept the risk; in others, it resulted in the product being removed from consideration or being replaced.
Thanks so much. What was your experience with RSA?
We ceased using them 4 years ago, so your mileage may vary.
They were one of the first to market (i.e. 30+ years ago) and they are publicly held (part of EMC, which is part of Dell). At the time, they also had the lion's share of the market, so it was a nice conservative choice. We have had 4 different token solutions over the past 20 years. Twice we switched away from RSA for price reasons and we went back once for reasons of company stability.
Their software worked well, was stable and reliable. There was a Windows API that could be leveraged for automation (which we did).
We had always used physical tokens (SD 600 then SID700). This becomes administratively rich in a big global organization, primarily due to customs, international shipping and inventory management. Compared to their competitors, logistics were worse with RSA, because their tokens need physical replacement when they expire (after 1-5 years), rather than just renewing a license on the server.
Our current solution (Symantec VIP) uses soft tokens (although physical are available) and I would not go back to physical. Although physical offers better integrity, the improved user-acceptance and simplified logistics were the deciding factor.
To be fair, RSA now has soft tokens, "push notifications" and all the other cool toys.
Duo and Symantec VIP, as well as Google Authenticator for cost value.
Want to purchase one for remote access and critical financial applications.
I had experience deploying an OTP and transaction signing solution for a financial institution using 4TRESS from HID (formerly ActivIdentity).
I deployed their software version; they now have an appliance variant. I always found the solution to be very stable with some nice features such as tamper-evident audit logging.
I see all the standard ones are mentioned on the thread; it's worth taking a look at 4TRESS.