Comparison of authentication solutions

From HandWiki

Authentication is the act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. Among the different types of authentication, two-factor authentication is a method that identifies users by means of a combination of two different components. There are a number of two-factor authentication and multi-factor authentication methods. Multi-factor authentication products can provide significant benefits to an enterprise, but the methods are complex and the tools themselves can vary greatly from provider to provider.[1]

Legend

The term phishing refers to an attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.

Password guessing refers to cracking a password, which is the process of recovering passwords illegally from data that have been stored in or transmitted by a computer system.

A man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM attack or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

Server-side data breaking refers to an incident in which sensitive, protected or confidential data has potentially been viewed, stolen from servers or used by an individual unauthorized to do so.

Shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data.

One-time password (OTP) interception refers to the case where a service provider sends a one-time password to the user's contact channel (SMS, e-mail, etc.) for authentication purposes, but the password does not reach the user and may have been intercepted by a fraudulent person.

Side channel vulnerabilities allow attackers to infer potentially sensitive information just by observing normal behavior of a software system. The attacker is a passive observer.[2]

A hardware token is an authenticator in the form of a physical object, where the user's interaction with a login system proves that the user physically possesses the object. Proving possession of the token may involve one of several techniques.[3]

A software token is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. This is in contrast to hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated (absent physical invasion of the device).

TOTP - Time-based one-time password

EOTP - Event-based one-time password

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time, being a default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).

Biometric authentication is a type of system that relies on the unique biological characteristics of individuals to verify identity for secure access to electronic systems.

Scalability is the capability of a system, network, or process to handle a growing amount of work, or its potential to be enlarged in order to accommodate that growth.

Transaction signing is a term used in internet banking that requires customers to digitally "sign" transactions in order to preserve the authenticity and integrity of the online transaction.

Threat coverage

| Provider | Phishing | Malware | Password guessing | Man in the middle | Re-used password attacks | Server-side Database Break-in | Shoulder Surfing | Theft of Authenticator | OTP Interception | Channel vulnerabilities |
|---|---|---|---|---|---|---|---|---|---|---|
| Authenticator Plus | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Authentify Inc | Yes | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| AuthPoint | Yes | N/A | N/A | Yes | N/A | N/A | N/A | Yes | Yes | N/A |
| Authy | Yes[4] | Yes[4] | Yes[5] | Yes[5] | N/A | N/A | N/A | N/A | N/A | N/A |
| Azure Multi-Factor Authentication | Yes[6] | Yes[7] | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Clef | Yes[8] | N/A | Yes[8] | N/A | N/A | Yes[8] | N/A | Yes | N/A | N/A |
| Cognalys Inc | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| CryptoPhoto | Yes[9] | Yes[9] | Yes[10] | Yes[10] | Yes[10] | Yes[10] | Yes[9] | Yes[10] | Yes[10] | Yes[10] |
| Duo Security | Yes | N/A | N/A | Yes[11] | N/A | N/A | N/A | N/A | N/A | N/A |
| Entersekt | Yes[12] | Yes[12] | Yes[12] | Yes[12] | N/A | N/A | N/A | N/A | N/A | N/A |
| FreeOTP | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| Google Authenticator | No | N/A | N/A | N/A | N/A | No[13] | N/A | N/A | N/A | N/A |
| Latch | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| LaunchKey | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| LoginTC | Yes | N/A | Yes | Yes | Yes | Yes[14] | Yes[14] | Yes[14] | Yes[14] | Yes[14] |
| MePIN | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Mi-Token | Yes | Yes | N/A | Yes | N/A | N/A | N/A | Yes | N/A | N/A |
| Nexmo | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Nexus Smart ID[15] | Yes | N/A | Yes | Yes | N/A | N/A | Yes | N/A | Yes | N/A |
| OASIS OASIS2FAM[16] | Yes | N/A | Yes | Yes | Yes | Yes | Yes | Yes | Yes | N/A |
| OpenOTP Token | Yes | Yes | Yes | Yes | Yes | N/A | N/A | Yes | Yes | N/A |
| Ping Identity | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| PortalGuard | Yes[17] | N/A | N/A | Yes[17] | N/A | N/A | N/A | N/A | N/A | N/A |
| privacyIDEA | Yes[18] | N/A | Yes | N/A | Yes | Yes[19] | N/A | N/A | N/A | N/A |
| Protectimus | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Rublon | N/A | Yes[20] | Yes[20] | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SAASPASS | Yes | Yes | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| SAT Mobile ID | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SecSign | Yes[21] | Yes[21] | Yes[21] | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SecureAuth[22] | Yes[22] | Yes[22] | Yes | N/A | Yes | Yes | Yes | Yes | Yes[23] | N/A |
| SecurePass | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SmartSign | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Solidpass[24] | Yes | Yes | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| SyferLock GridGuard[25] | Yes | Yes | Yes | Yes | Yes | N/A | Yes | N/A | Yes | Yes |
| Symantec/Verisign VIP | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| TeleSign | Yes[26] | N/A | Yes[26] | N/A | Yes[26] | N/A | N/A | N/A | N/A | N/A |
| TextPower | N/A | Yes[27] | N/A | Yes[28] | N/A | N/A | N/A | N/A | N/A | N/A |
| Token2 | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Toopher | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Totp.Me | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| VASCO Data Security | Yes | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| WWPass | Yes | Yes | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| WiKID Systems | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Yubico | Yes | Yes | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A |
| RSA Security[29] | Yes | Yes | Yes | Yes | Yes | N/A | Yes | Yes | Yes | N/A |

Transport methods

| Provider | SMS[30] | Phone Call | Email[31] | Hardware token | Software implementation | Recovery method[31] |
|---|---|---|---|---|---|---|
| Authenticator Plus[32] | No | No | No | No | Yes | Email |
| Authentify Inc[33] | Yes | Yes | No | Yes | Yes | Email |
| RSA Security | Yes | Yes | Yes | Yes | Yes | Email / helpdesk |
| Authy[34] | Yes | Yes | No | Yes | Yes | Email[35] |
| Azure Multi-Factor Authentication[36] | Yes | Yes | No | No | Yes | Email |
| Clef[37] | No | No | No | No | Yes | Email |
| Cognalys Inc | No | Yes | No | No | Yes | Email |
| CryptoPhoto | No | No | No | No | Yes | Paper TAN |
| RCDevs OpenOTP | Yes | No | Yes | Yes | Yes | SMS/Email |
| Duo Security | Yes | Yes | No | Yes | Yes | Email[35] |
| Entersekt | No | No | No | No | Yes | Email |
| FreeOTP | No | No | No | No | Yes | Email |
| Google Authenticator | Yes | Yes | No | No | Yes | Paper TAN[35] |
| Latch | No | No | No | No | Yes | Email |
| LaunchKey | No | No | No | No | Yes | Email |
| LoginTC | No | No | No | Yes[38] | Yes | Email |
| MePIN | Yes | No | No | Yes | Yes | Email |
| Mi-Token | Yes | Yes | Yes | Yes | Yes | Email |
| Nexmo | Yes | Yes | No | No | No | Email |
| Nexus Smart ID[15] | Yes | No | Yes | Yes | Yes | SMS/Email |
| OASIS2FA[16] | No | No | No | Yes | Yes | Email/Recovery Codes/Helpdesk |
| Ping Identity | Yes | Yes | No | No | Yes | Email |
| PortalGuard | No | Yes | Yes | No | Yes | Email |
| privacyIDEA | Yes | No | Yes | Yes | Yes | Email / helpdesk |
| Protectimus | Yes | No | Yes | Yes | Yes | Email |
| Rublon | No | No | Yes | No | Yes | Email |
| SAASPASS | No | No | No | No | Yes | Email |
| SAT Mobile ID | Yes | Yes | No | Yes | Yes | Email |
| SecSign | No | No | No | No | Yes | Email |
| SecureAuth | Yes | Yes | Yes | Yes | Yes | Email |
| SecurePass | No | No | No | Yes | Yes | Email |
| SmartSign | No | No | Yes | No | Yes | Email |
| Solidpass[24] | Yes | No | No | Yes | Yes | Email |
| SyferLock GridGuard | Yes | No | Yes | No | Yes | Email |
| Symantec/Verisign VIP | Yes | Yes | Yes | Yes | Yes | Email |
| TeleSign | Yes | Yes | No | No | Yes | Email |
| TextPower | Yes | No | No | No | No | Email |
| Token2 | Yes | No | No | Yes | Yes | Email |
| Toopher | Yes | No | No | No | Yes | Email |
| Totp.Me | No | No | No | No | Yes | Email |
| VASCO Data Security | Yes | Yes | Yes | Yes | Yes | Email |
| WWPass | No | No | No | Yes | Yes | Email |
| WiKID Systems | No | No | No | No | Yes | Email |
| Yubico | No | No | No | Yes | Yes | Email |

Feature support

| Provider | TOTP | HOTP | Mutual authentication | PIN protection | Biometrics | Separate Channel | Scalability | Transaction Signing | Coverage | Revocation |
|---|---|---|---|---|---|---|---|---|---|---|
| Authenticator Plus | Yes | N/A | N/A | Yes | Yes | N/A | N/A | N/A | N/A | N/A |
| Authentify Inc | N/A | N/A | N/A | N/A | N/A | Yes | N/A | Yes | N/A | N/A |
| Authy | Yes | N/A | N/A | N/A | Yes[39] | N/A | N/A | Yes[40] | N/A | N/A |
| Azure Multi-Factor Authentication | N/A | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| Clef | N/A | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| Cognalys Inc | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| CryptoPhoto | N/A | N/A | N/A | Yes[41] | Yes[41] | N/A | N/A | N/A | N/A | Yes[41] |
| OpenOTP Token | Yes | Yes | Yes | Yes | Yes | N/A | Yes | Yes | N/A | Yes |
| Duo Security | Yes | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| Entersekt | Yes[12] | N/A | Yes | N/A | Yes[12] | Yes[12] | Yes | Yes[12] | N/A | Yes |
| FreeOTP | Yes[42] | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Google Authenticator | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Latch | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| LaunchKey | N/A | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| LoginTC | Yes[38] | N/A | N/A | Yes[43] | N/A | Yes[14] | Yes[44] | N/A | Yes[44] | Yes[38] |
| MePIN | Yes | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| Mi-Token | Yes | Yes | N/A | N/A | N/A | N/A | Yes | N/A | N/A | N/A |
| Nexmo | N/A | N/A | N/A | N/A | N/A | N/A | Yes[45] | N/A | N/A | N/A |
| Nexus Smart ID[15] | Yes[46] | Yes[46] | N/A | Yes[46] | Yes[46] | Yes[46] | Yes[46] | Yes[46] | N/A | Yes[46] |
| OASIS2FA[16] | Yes | N/A | N/A | N/A | N/A | Yes | Yes | Yes | Yes | Yes |
| Ping Identity | N/A | N/A | N/A | N/A | Yes[47] | N/A | N/A | N/A | N/A | N/A |
| PortalGuard | Yes[17] | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| privacyIDEA | Yes | Yes | N/A | N/A | N/A | N/A | N/A | Yes | N/A | N/A |
| Protectimus | Yes | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| RSA Security | Yes | N/A | N/A | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Rublon | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SAASPASS | Yes | N/A | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SAT Mobile ID | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SecSign | N/A | N/A | N/A | Yes[21] | N/A | N/A | N/A | N/A | N/A | N/A |
| SecureAuth[22] | Yes | N/A | Yes | Yes | Yes[48] | Yes | Yes | N/A | N/A | Yes |
| SecurePass | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| SmartSign | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Solidpass[24] | Yes | Yes | Yes | N/A | Yes | N/A | N/A | Yes | N/A | N/A |
| SwivelSecure | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SyferLock GridGuard | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Symantec/Verisign VIP | N/A | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| TeleSign | Yes[26] | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| TextPower | N/A | N/A | N/A | N/A | Yes[49] | N/A | N/A | N/A | N/A | N/A |
| Token2 | Yes[50] | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Toopher | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Totp.Me | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| VASCO Data Security | Yes | N/A | N/A | N/A | Yes | N/A | N/A | N/A | N/A | N/A |
| WiKID Systems | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| WWPass | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Yubico | Yes | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A |

References

  1. "Comparing the top multifactor authentication vendors". November 2014. http://searchsecurity.techtarget.com/feature/The-fundamentals-of-MFA-Comparing-the-top-multifactor-authentication-products. 
  2. "Side Channel Vulnerabilities on the Web - Detection and Prevention". https://www.owasp.org/images/c/cd/Side_Channel_Vulnerabilities.pdf. 
  3. "Definition of Hardware Token". http://hitachi-id.com/concepts/hardware_token.html. 
  4. "INTRODUCING AUTHY FOR YOUR PERSONAL COMPUTER". https://www.authy.com/blog/introducing-authy-for-your-personal-computer.
  5. "SECURITY NOTICE: OPENSSH PASSWORDS VULNERABLE". https://www.authy.com/blog/openssh-passwords-vulnerable.
  6. "Microsoft Azure is phishing-friendly". 30 April 2014. http://www.zdnet.com/article/microsoft-azure-is-phishing-friendly/. Retrieved 27 April 2016. 
  7. "Microsoft Antimalware for Azure Cloud Services and Virtual Machines". 22 March 2016. https://azure.microsoft.com/en-in/documentation/articles/azure-security-antimalware/. Retrieved 27 April 2016. 
  8. "Clef". https://getclef.com/security/.
  9. "CryptoPhoto Features". https://cryptophoto.com/features. Retrieved 18 April 2016.
  10. "CryptoPhoto for Banking". https://cryptophoto.com/doc/CryptoPhoto_for_Banking.pdf. Retrieved 11 November 2017.
  11. "Duo Patches for the Latest OpenSSL Vulnerabilities". 6 June 2014. https://duo.com/blog/duo-patches-for-the-latest-openssl-vulnerabilities. Retrieved 18 April 2016. 
  12. "Build in trust with the Transakt SDK". http://cdn2.hubspot.net/hubfs/315236/Build_in_trust_with_the_Transakt_SDK.pdf?t=1431427665953.
  13. "The secret keys are stored in the clear in the database". https://github.com/google/google-authenticator/issues/253. 
  14. "The Use of Secure Remote Password in LoginTC". 6 December 2013. https://www.logintc.com/blog/2013-12-06-secure-remote-password.html.
  15. "Nexus Smart ID for physical and digital access". https://www.nexusgroup.com/solutions/nexus-smart-id-solution/. Retrieved 7 June 2018.
  16. "Olive Innovations - OASIS". http://www.oliveinnovations.com/Products/OASIS. Retrieved 7 June 2018.
  17. "Two factor Authentication:Flexible Options". http://www.portalguard.com/tb/flexible-2FA-tech-brief.pdf?submission=1065243.
  18. "privacyIDEA:Features". http://privacyidea.org/about/features. 
  19. "HSM Support in privacyIDEA". https://www.privacyidea.org/privacyidea-2-12-hardware-security-module-support/. 
  20. "Rublon". http://wordpress.rublon.com/.
  21. "SecSign". https://www.secsign.com/security-id/.
  22. "SecureAuth Adaptive Authentication". https://www.secureauth.com/products/secureauth-idp/.
  23. "SecureAuth Multi-Factor Authentication". https://www.secureauth.com/products/secureauth-idp/multi-factor-authentication. 
  24. "Solid Pass". http://www.solidpass.com/#.
  25. "GridGuard Overview". http://www.syferlock.com/?q=basic-page/solutions&qt-gridguard=5#qt-gridguard. 
  26. "TeleSign_US_Datasheet_Push_Verify_20161". 2016. https://www.telesign.com/wp-content/uploads/2015/04/TeleSign_US_Datasheet_Push_Verify_20161.pdf. Retrieved 27 April 2016.
  27. ""Hack-Proof" TextKey Turns SMS Authentication on Its Head". 20 May 2014. http://in.pcmag.com/opinion/54043/hack-proof-textkey-turns-sms-authentication-on-its. Retrieved 1 May 2016. 
  28. "TextKey Scores Well in Network World Review of Authentication Solutions". http://www.marketwired.com/press-release/textkey-scores-well-in-network-world-review-of-authentication-solutions-1796747.htm. 
  29. "Multi-Factor Authentication | Identity Assurance | RSA". https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access.html. 
  30. "NIST explains proposed ban on SMS for 2FA". https://www.pindrop.com/blog/nist-explains-proposed-ban-on-sms-for-2fa/. 
  31. "Two-Factor authentication is a mess". https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess.
  32. "Authenticator plus". https://authenticatorplus.freshdesk.com/support/solutions. 
  33. "Authentify Two-Factor Authentication". http://authentify.com/solutions/authentication-concepts/two-factor-authentication/. 
  34. "Authy: Two-Factor Authentication Made Easy". http://www.howtogeek.com/199262/authy-two-factor-authentication-made-easy. 
  35. "Choosing a Two-Factor Authentication System". 28 November 2012. https://blog.cloudflare.com/choosing-a-two-factor-authentication-system. Retrieved 16 April 2016.
  36. "What is Azure Multi-Factor Authentication?". https://azure.microsoft.com/en-in/documentation/articles/multi-factor-authentication/. 
  37. "Clef Two-Factor Authentication". https://wordpress.org/plugins/wpclef/. 
  38. "LoginTC Two Factor Authentication". https://www.logintc.com/docs/guides.
  39. "AUTHY two factor authentication". https://www.twilio.com/authy. Retrieved 27 April 2016. 
  40. "AUTHY ONETOUCH: SIMPLY STRONG SECURITY". https://www.authy.com/blog/authy-onetouch-simply-strong-security. Retrieved 18 April 2016. 
  41. "Two Factor and Multifactor Authentication by CryptoPhoto". https://applications.cpanel.com/listings/view/Two-Factor-and-Multifactor-Authentication-by-CryptoPhoto. Retrieved 18 April 2016.
  42. "FreeOTP". https://fedorahosted.org/freeotp. 
  43. "LoginTC Multi-Factor Flow". 13 December 2013. https://www.logintc.com/docs/platform/multi-factor-flow.html. 
  44. "Two-Factor Authentication Worldwide using LoginTC". 2 April 2014. https://www.logintc.com/blog/2014-04-01-two-factor-authentication-with-logintc-worldwide.html.
  45. "Nexmo". https://www.nexmo.com/why-nexmo/. 
  46. "Nexus Smart ID Authentication Methods". https://doc.nexusgroup.com/display/PUB/Authentication+methods.
  47. "PingID Multi-factor Authentication". https://www.pingidentity.com/en/products/pingid.html. 
  48. "SecureAuth Behavioral Biometrics". https://www.secureauth.com/products/secureauth-idp/behavioral-biometrics. 
  49. "GET AN INDUSTRY LEADING MULTI-FACTOR AUTHENTICATION SOLUTION". http://www.textpower.com/public/solutions/security-authentication/. 
  50. "TOKEN2". https://token2.com/.