bjonah
Newcomer I

Can anyone recommend a very good MFA software?

Want to purchase one for remote access and critical financial applications.

 

Thanks

10 Replies
dougjaworski
Newcomer I

Duo, and it is easy.

Deyan
Contributor I

I've dealt with Gemalto - can't say we have not had issues but it works fine.

pejacoby
Viewer II

Currently working through an implementation of Gemalto/Safenet. The phone app and push notification token mode make the end-user experience pretty simple.  Provisioning via a QR code is also easy.  Plenty of flexibility for token types (push, OTP, SMS, email, grid, physical) as well.

The company's first foray into MFA, we'll be no doubt learning a lot as we start on our first wave of users who've never done this before....

denbesten
Community Champion

Over the years, I have used RSA, Safeword (now SafeNet/Gemalto), Symantec VIP, Microsoft and Google Authenticator, and have evaluated a bunch of others.  Overall, they all seem to be able to do the job; the differences are in the user and administrator experience.

 

If you need background, see NIST SP 800-63b.  It is very good.

 

Here are some of the issues we have encountered:

 

  • At one time, we used physical OTP tokens.  Distribution was a logistical nightmare in a large multi-national company. Even worse was the physical OTP that self-destructed after N years. 
  • Users like to put soft one-time tokens on the same device they are using. This introduces the risk that an intruder that gains control of the device also has gained control over all parts of the authentication process.
  • Out-of-band authenticators are well liked by users, but they tend to only work within one ecosystem.  If you use both Google and Office365, you will find yourself needing two apps on your phones. 
  • TOTP tokens (new number every 30 seconds) tend to change while users are typing, causing avoidable authentication failures. HOTP tokens (push a button for a new number) have lost the popularity race.
  • Tokens that distribute their "secret key" by QR code or "type in this secret" (à la Google Auth) risk non-repudiation because the user can make multiple copies of their token.  This is not an issue if the goal is to protect the users' assets, but it can become a big problem if you are trying to protect corporate assets against less-trustworthy users.
  • Nowadays, we use AD username and password as the first factor.  This is much less administratively burdensome than using a stand-alone system.
  • You need to consider the border cases.  If somebody does not have mobile data, is there a backup mechanism, such as "type in a tokencode"?  If the token gets out of sync (clock drift or trust issues), how does a user get things straightened out when they are sitting in a hotel room?

In some cases, we decided to accept the risk; in others, it resulted in the product being removed from consideration or being replaced.

bjonah
Newcomer I

Thanks.

bjonah
Newcomer I

Thanks so much. What was your experience with RSA?

denbesten
Community Champion


@bjonah wrote:

Thanks so much. What was your experience with RSA?



We ceased using them 4 years ago, so your mileage may vary.

 

They were one of the first to market (i.e. 30+ years ago) and they are publicly held (part of EMC, which is part of Dell).  At the time, they also had the lion's share of the market, so it was a nice conservative choice.  We have had 4 different token solutions over the past 20 years.  Twice we switched away from RSA for price reasons and we went back once for reasons of company stability.  

 

Their software worked well, was stable and reliable.  There was a Windows API that could be leveraged for automation (which we did).  

 

We had always used physical tokens (SD 600, then SID700). This becomes administratively rich in a big global organization, primarily due to customs, international shipping and inventory management.  Compared to their competitors, logistics were worse with RSA, because their tokens need physical replacement when they expire (after 1-5 years), rather than just renewing a license on the server.  

 

Our current solution (Symantec VIP) uses soft tokens (although physical are available) and I would not go back to physical.  Although physical offers better integrity, the improved user acceptance and simplified logistics were the deciding factor.

 

To be fair, RSA now has soft tokens, "push notifications" and all the other cool toys.

BrianKunick
Newcomer II

Duo and Symantec VIP, as well as Google Authenticator for cost value.


@bjonah wrote:

Want to purchase one for remote access and critical financial applications.

 

Thanks


 

Robert
Newcomer II

 

I had experience deploying an OTP and transaction signing solution for a financial institution using 4TRESS from HID (formerly ActivIdentity).

 

I deployed their software version; they now have an appliance variant. I always found the solution to be very stable, with some nice features such as tamper-evident audit logging. 

 

I see all the standard ones are mentioned on the thread; it's worth taking a look at 4TRESS.