I've dealt with Gemalto - can't say we have not had issues but it works fine.

Over the years, I have used RSA, Safeword (now SafeNet/Gemalto), Symantec VIP, Microsoft and Google Authenticator, and have evaluated a bunch of others.  Overall, they all seem to be able to do the job; the differences are in the user and administrator experience.

If you need background, see NIST SP 800-63b.  It is very good.

Here are some of the issues we have encountered:

• At one time, we used physical OTP tokens.  Distribution was a logistical nightmare in a large multi-national company. Even worse was the the physical OTP that self-destructed after N-years. 
• Users like to put soft one-time tokens on the same device they are using. This introduces the risk that an intruder that gains control of the device also has gained control over all parts of the authentication process.
• Out-of-band authenticators are well liked by users, but they tend to only work within one ecosystem.  If you use both Google and Office365, you will find yourself needing two apps on your phones. 
• TOTP tokens (new number every 30 seconds) tend to change while users are typing, causing avoidable authentication failures. HOTP tokens (push a button for a new number) have lost the popularity race.
• Tokens that distribute their "secret key" by QR code or "type in this secret" (ala Google Auth) risk non-repudiation because the user can make multiple copies of their token.  This is not an issue if the goal is to protect the users assets, but it can become a big problem if you are trying to protect corporate assets against less-trustworthy users.
• Nowadays, we use AD username and password as the first factor.  This is much less administratively burdensome than using a stand-alone system.
• You need to consider the border cases.  If somebody does not have mobile data, is there a backup mechanism, such as "type in a tokencode"?  If the token gets out of sync (clock drift or trust issues), how does a user get things straightened out when they are sitting in a hotel room?

In some cases, we decided to accept the risk; in others, it resulted in the product being removed from consideration or being replaced.

Thanks.

Thanks so much. What was your experience with RSA?

---

@bjonahwrote:

Thanks so much. What was your experience with RSA?

---

We ceased using them 4 years ago, so your mileage may vary.

They were one of the first to market (i.e. 30+ years ago) and they are publicly held (part of EMC, which is part of Dell).  At the time, they also had the lions share of the market, so it was a nice conservative choice.  We have had 4 different token solutions over the past 20 years.  Twice we switched away from RSA for price reasons and we went back once for reasons of company-stability.  

Their software worked well, was stable and reliable.  There was a Windows API that could be leveraged for automation (which we did).  

We had always used physical tokens (SD 600 then SID700) This becomes administratively rich in a big global organization, primarily due to customs, international shipping and inventory management.  Compared to their competitors, logistics were worse with RSA, because their tokens need physical replacement when they expire (after 1-5 years), rather than just renewing a license on the server.  

Our current solution (Symantec VIP) uses soft tokens (although physical are available) and I would not go back  to physical.  Although physical offers better integrity, the improved user-acceptance and simplified logistics were the deciding factor.

To be fair, RSA how has soft tokens, "push notifications" and all the other cool toys.