Eventually, if FIDO does catch on, a universal MFA tool will become more useful with more authentications that can be accomplished from a single token. But we aren’t there yet, and like many IT innovations it is a chicken-and-egg problem. However, the FIDO Alliance has hundreds of members, including some very large corporations, so hopefully we’ll see additional progress.
NokNok doesn’t offer direct downloads: you have to request evaluation copies of its products, SDKs and other tools. To get started, you will need to spend at least $50,000. Given this price point, corporate developers will have to think big if they want to get started with FIDO.
PistolStar PortalGuard: The best of single sign-on and multi-factor authentication
As we mentioned, the convergence of SSO portals with MFA methods is happening with more frequency. A good example is PistolStar’s PortalGuard. They have 600 customers and millions of users, with its largest installation of 55,000 users. They compete with Ping, Okta, SecureAuth and others that started out in the federated identity space, as well as some of the newer authentication vendors that are focused on making SSO more usable, like Auth0.
PortalGuard comes as several Windows Server applications that will require a variety of Microsoft services, including IIS, SQL Server and .Net Framework. There are a lot of parameters to configure and after spending hours managed not to catch a single misplaced parameter that kept our server from running correctly.
PistolStar also setup a cloud-based instance for our testing, but most of their customers will want to run their own local server. This is because the majority of their configuration parameters will require you to access the Windows configuration sheets where you will find a very dense collection of options. While it is great that they are all collected in one place, it would be nicer if you had Web access across the board rather than having to switch between a series of Web-based and Windows-based dialogs, depending on what you need to accomplish.
The properties sheets are where you can set up specific OTP methods, and it supports an interesting array of tokens, including Google Authenticator, its own mobile OTP app for Android and iPhones, RSA SecurID, and Yubico Yubikeys. You can also set a cookie on your browser session that can expire after a specific time period to remember a particular user and device combination. Static password policies can also be set with another series of menus. And there is support for push-OTP, what PistolStar called passive keys, where the workstation software contains the token encryption code. Finally, there is also support for a series of pre-set challenge/response questions.
Like Vasco and Symantec, the product comes with its own brand of risk-based authentication, called Credibility-Based Authentication. It has a separate executable program with its own series of Windows menus to set up risk scores and thresholds. There is extensive documentation on how to configure the appropriate policies and authentication methods.
If users forget their passwords or don’t have their OTP token, they can also make use of a self-service portal to recover their account by one of the methods that an administrator has setup, such as to answer a series of challenge questions or use a temporary OTP. The user self-service portal is a different location from the SSO portal, which can be a bit confusing. PortalGuard can be configured to prevent users from having more than one concurrent login session.
One of the tedious aspects of PortalGuard is that specific actions have their own and separate authentication methods. So, for example, you can setup normal logins one way – say with Yubico tokens – and use another authentication method to unlock a frozen account, such as answering a challenge question. This gets somewhat confusing. There is support for VPNs through Radius servers and SAML authentications via its own SSO portal. This portal has its own configuration editor.
PortalGuard supports SAML, CAS, WS-Fed and Shibboleth-based protocols, and these are setup in a separate series of dialogs under the identity provider configuration editor. There are pre-set templates for a few applications (Office 365, SharePoint and Outlook Web Access), but you’ll have to create your own SAML XML code if you want to add some other application. Other SSO products come with many more templates or supported SAML applications directly.
The product comes with nine pre-set reports, but most of these look like log files and would not be very helpful to managers unless they are further parsed. In order to access them, you will need to either cut and paste into a spreadsheet, or access the XML reports that are stored in its database manually.
A variety of APIs are available, including Java and Javascript, C++ and C# libraries, so you can build into your own apps. These aren’t very well documented and only are available in a published integration guide that isn’t online.
There are several pricing plans. The standard on-premises server starts at $15,000 for the first year with subsequent years at $5,000, including support, up to 10,000 concurrent users and tokens, both soft and some hard. A hundred Yubico tokens are an extra $2,000. If you need more concurrent users, that will require one of the enterprise licenses. You can also access a free trial of the product in the cloud-based version, which gives you limited access and supports just a few features.
RSA Authentication Manager v8.1 SP1: Powerful, complex
When we reviewed RSA’s Authentication Manager in 2013, it had just come out with a Web-based version. Since then it has been through a few minor revisions, added support for QR-code soft tokens, and cleaned up its interfaces.
It still is a formidable product to install and configure: partly because there are still a number of separate pieces. But because the product is one of the most capable MFA tools on the market, it has wide support for a variety of hard and soft token types, application integrations and workflows. Like many of its competitors, users can register multiple token types to authenticate their accounts. There are also multiple token provisioning methods that make use of different security methods.
New to this version is a risk-based authentication engine that keeps track of each user’s device and behavior over time. There’s an initial data collection period where the software operates silently, without challenging any login attempts. Once its engine has gathered enough data, it assigns a risk score to authentication attempts and if riskier than specified, the user is asked for additional authentication factors (such as OTPs delivered via SMS texts) before being allowed access to a particular resource.
You can also set a limit on the number of token types assigned to each user, or the amount of time that each token is registered to a user. While this is very flexible, like other parts of the RSA product, it will take some effort to get configured properly.
The Web-based self-service dashboard can enroll users, set up knowledge-based questions, troubleshoot tokens, reset your static PINs and reset risk-based device history in the case of a lost or stolen token.
New to this version is what RSA calls its Web Tier. This sets up a custom Web interface for handling user self-service requests and managing risk-based authentications. This tier also intercepts all network traffic to make your authentication server, which can remain behind a network DMZ, more secure. The tier can run either on Windows or Linux servers.
RSA has huge installations, befitting its tenure and tenacity in the MFA space. One installation has more than a million users, which is one reason its hardware-based SecurID tokens are so ubiquitous.
It still is installed either as a VM or as a physical hardware appliance, both running its own hardened Linux server. There are VM versions for VMware ESXi and Microsoft Hyper-V.
Once you get the VM installed (which took three hours of intense work and some help from their support staff), you access several different Web-based consoles: one for general security features, one for self-service users and one for daily operations. The reason for the multiple consoles is a good one, to segregate administrative roles. As with earlier product versions, these are very granular and have 13 different pre-set ones available, with two different admin roles installed by default.
Some of the configuration menus could use some cleaning up to make the workflows more obvious, and most are very text-heavy with dozens of configuration choices. The overall documentation set for this product spans nearly a dozen manuals with close to 1,000 pages of very detailed instructions.
The RSA server comes with a series of different authentication policies, including token policies, password complexity policies, lockout and self-service troubleshooting policies, workflow provisioning policies and risk-based authentication policies.