This is an incredibly complex but flexible and powerful collection of settings, and it will take careful study and experimentation to implement what you intend, to understand which defaults need adjusting, and to see how the settings relate to each other to form a coherent MFA deployment.
Finally, any setup will require opening up more than two dozen ports to the RSA server for different purposes. These are documented in the configuration guide.
RSA’s server supports a variety of Microsoft Active Directory versions as identity stores, along with Sun and Oracle directories. There are also integrations with Windows logins, Citrix StoreFront, IIS and Apache Web servers, along with what the company claims are more than 400 applications. There is no support in this product for SAML or other SSO-type integration; for that you’ll need to purchase the separate Via Access product.
Pricing is fairly straightforward. A 100-user VM will cost $7,500, while the hardware appliance will cost $10,500. This includes 100 user licenses and hardware tokens, 25 software tokens and a year of maintenance. There is also a 90-day free trial for up to 25 users.
Gemalto’s SafeNet Authentication Service: Solid product, good value
Earlier this year, Gemalto acquired SafeNet, but still calls its offering SafeNet Authentication Service. It offers the product as either a hosted service or for running on a Windows Server. If you choose the local server option, you’ll have to open up more than a dozen ports for its various services, such as directory services, databases, logging agents and email servers. Like some of the other vendors, it has been around long enough to have customers with more than a million users.
The product continues to lead the field in its support for token types, application integration and authentication methods. Token types include hardware tokens and mobile software apps, SMS texts, push OTP, email and a special grid-style pattern-based soft token called GridSure. SafeNet also supports RSA SecurID hardware tokens. There are two mobile apps available for iOS and Android devices; the newer one, MobilePASS+, supports the push OTP method mentioned in the introduction.
While the configuration is somewhat complex, once these tokens are assigned they make authentication easier, because users only have to acknowledge the request rather than key in the actual OTP digits. Unfortunately, only a subset of applications (such as Cisco and SonicWall VPNs and Microsoft Office 365) currently supports SafeNet’s push OTP method.
It has published dozens of integration guides covering how to incorporate Google Docs, Cisco VPNs and numerous other products using SAML and SOAP protocols, and these documents are available to anyone online. Sadly that situation is more the exception than the rule for other MFA vendors.
Setting up the hosted service was very simple and took a matter of minutes, although we still needed some guidance from its tech support to get started provisioning tokens. You authenticate the first administrator with the vendor’s own mobile OTP app and a Web browser by clicking links in a special email message that automatically enrolls the token.
Once you are connected you can set up users, policies, tokens, and other details fairly quickly. The menu tree is simple to understand with just a few main levels and screens that expand as you add options. Unlike some of the other MFA vendors, SafeNet has made a nice balance between usability and displaying dozens of options on the screen.
There is also a Web-based user self-service portal where users can report lost tokens or activate new ones. The portal is extremely customizable through its own series of configuration menus.
SafeNet has some of the best reports of any MFA vendor, with more than 40 built-in reports covering usage, compliance, inventory management and billing. It also has one of the most flexible and granular administrative role models around: you build each role from a custom collection of access rights and features by checking and unchecking the dozens of attributes you want for a particular class of administrators. Lots of other things are configurable too, from the text sent in SMS and email authentication messages to custom encryption keys for its authentication tokens.
SafeNet has the beginnings of risk-based authentication in what it calls “pre-authentication rules,” which are set in the administrative console. For example, you can set time-of-day restrictions, limit logins to a particular IP address range or to a particular authentication agent (such as a Windows or IIS login), and a few other properties. This isn’t as capable as some of its competitors, but it is at least a first step toward recognizing that some customers will want more restrictive policies.
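To make concrete what a rule set like this does before any OTP is even checked, here is an added example (not SafeNet’s code or console settings) of a small pre-authentication rule evaluator. The rule attributes, the deny-on-first-failure ordering, the sample policies and the login attempts are all this example’s own assumptions; it also handles the two edge cases a practitioner usually trips over, a time window that crosses midnight and an unparsable source address, which it fails closed.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Hypothetical model of a pre-authentication rule set. The attribute names,
# the deny-first ordering and the sample data below are this example's own
# assumptions, not SafeNet's console settings.
@dataclass
class PreAuthRules:
    allowed_networks: List[str] = field(default_factory=list)  # CIDR strings
    allowed_agents: Set[str] = field(default_factory=set)      # e.g. {"windows", "iis"}
    window_start: Optional[time] = None                        # time-of-day window
    window_end: Optional[time] = None

    def _in_window(self, t: time) -> bool:
        if self.window_start is None or self.window_end is None:
            return True                       # no time restriction configured
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        # Window crosses midnight (e.g. 22:00 to 06:00): allowed if after
        # the start OR before the end.
        return t >= self.window_start or t <= self.window_end

    def _from_allowed_network(self, src: str) -> bool:
        if not self.allowed_networks:
            return True                       # no address restriction configured
        try:
            addr = ip_address(src)
        except ValueError:
            return False                      # unparsable address: fail closed
        return any(addr in ip_network(n, strict=False) for n in self.allowed_networks)

    def evaluate(self, attempt: dict) -> Tuple[bool, str]:
        """Return (allowed, reason); the first failing restriction denies."""
        if not self._from_allowed_network(attempt["src_ip"]):
            return False, "source address outside allowed ranges"
        if self.allowed_agents and attempt["agent"] not in self.allowed_agents:
            return False, "authentication agent not permitted"
        if not self._in_window(attempt["time"]):
            return False, "outside permitted time-of-day window"
        return True, "pre-authentication rules passed"


# Office-hours policy: corporate ranges only, Windows or IIS agents, 07:00-19:00.
OFFICE_RULES = PreAuthRules(
    allowed_networks=["10.0.0.0/8", "192.168.1.0/24"],
    allowed_agents={"windows", "iis"},
    window_start=time(7, 0),
    window_end=time(19, 0),
)

# Night-shift policy with a window that crosses midnight and no agent limit.
NIGHT_RULES = PreAuthRules(
    allowed_networks=["10.0.0.0/8"],
    window_start=time(22, 0),
    window_end=time(6, 0),
)

# Constructed login attempts (not captured data).
ATTEMPTS = [
    {"name": "office-ok",   "src_ip": "10.1.2.3",    "agent": "windows", "time": time(9, 30)},
    {"name": "bad-network", "src_ip": "203.0.113.5", "agent": "windows", "time": time(9, 30)},
    {"name": "bad-agent",   "src_ip": "10.1.2.3",    "agent": "vpn",     "time": time(9, 30)},
    {"name": "after-hours", "src_ip": "10.1.2.3",    "agent": "iis",     "time": time(23, 0)},
    {"name": "garbage-ip",  "src_ip": "not-an-ip",   "agent": "iis",     "time": time(9, 30)},
]


def run_all(rules: PreAuthRules, attempts: list) -> List[Tuple[str, bool, str]]:
    """Evaluate every attempt and return (name, allowed, reason) triples."""
    return [(a["name"],) + rules.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for name, ok, why in run_all(OFFICE_RULES, ATTEMPTS):
        print(f"office/{name:12s} {'ALLOW' if ok else 'DENY':5s} {why}")
    for name, ok, why in run_all(NIGHT_RULES, ATTEMPTS):
        print(f"night/{name:12s}  {'ALLOW' if ok else 'DENY':5s} {why}")
```

Note that the same "after-hours" attempt is denied by the office policy and allowed by the night-shift policy: the rules are deterministic, so which policy is bound to which agent or user group is the whole decision, and a mistake there silently locks out or lets in an entire population.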
Pricing is straightforward. SafeNet is one of the least expensive solutions on the market, and includes everything in a monthly subscription such as software tokens, support and maintenance. The typical cost is $1 per user per month for enterprise volume purchases. Given the combination of price and functionality, this product should be on anyone’s short list of MFA products.
Symantec Validation and ID Protection Service: Strong, SaaS-based offering
Symantec has also been in the authentication business for several years, and its Validation and ID Protection (VIP) Service now has individual customers with more than 70,000 credentials and more than 7 million users in total. It has moved completely to a SaaS-based model, with a somewhat tired Web-based console. This is where you add users manually, set up their tokens, and keep track of successful and unsuccessful login attempts across your enterprise.
While VIP has been around a long time, Symantec has continued to keep up with the market by offering a number of important innovations and extensions. To make effective use of VIP, you’ll also need to install its Enterprise Gateway, which sets up an identity provider backed by your own Active Directory or another LDAP or RADIUS-based directory. This software runs on either a Windows or a Linux server. Getting both products up and running didn’t take very long, although we still needed some guidance and had to follow a long series of steps spread across several documents.
One example is getting SAML-based logins (such as to Salesforce) working: you have to go through the usual metadata and certificate exchange before you can start using VIP tokens to authenticate to SaaS-based resources. Once the Enterprise Gateway is connected, you can also set up a self-service Web-based portal where users add their own tokens to their accounts. You can limit the number of authentication tokens each user may add in the management console.
After you get the Enterprise Gateway operational, another option supports risk-based authentication, using device IDs and geolocation as triggers to step up to additional factors at login. Symantec calls this VIP Intelligent Authentication, and it computes risk scores from signals such as end-user behavior, device reputation, and browser and device attributes.
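As an added illustration of the step-up mechanics described above (this is not VIP’s code; the factor names, weights, thresholds, the blocked-device list and the sample profile and logins are all this example’s own assumptions), here is a small risk scorer that sums the weights of whichever signals are present, lets a device-reputation block override the score, and learns the device and location once a stepped-up login succeeds, so the same phone is scored lower the next time.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical risk-scoring model. Factor names, weights, thresholds and the
# sample profile/logins are this example's assumptions, not VIP's internals.

@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)    # device IDs seen on successful logins
    usual_countries: Set[str] = field(default_factory=set)  # from prior geolocations
    usual_browsers: Set[str] = field(default_factory=set)   # browser family strings

@dataclass(frozen=True)
class LoginContext:
    device_id: str      # "" if the client presented no device identifier
    country: str        # geolocated from the source IP
    browser: str
    hour: int           # local hour, 0-23

# Device identifiers with bad reputation (constructed value for the example).
BLOCKED_DEVICES: Set[str] = {"dev-blacklisted-7f3a"}

WEIGHTS: Dict[str, int] = {
    "unknown_device": 40,
    "no_device_id": 20,
    "new_country": 30,
    "unusual_browser": 15,
    "off_hours": 10,
}
STEP_UP_AT = 40   # score at or above this requires a second factor
DENY_AT = 80      # score at or above this is refused outright

def risk_score(profile: UserProfile, ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum the weights of every risk signal present; return (score, signals)."""
    signals: List[str] = []
    if not ctx.device_id:
        signals.append("no_device_id")
    elif ctx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if profile.usual_countries and ctx.country not in profile.usual_countries:
        signals.append("new_country")
    if profile.usual_browsers and ctx.browser not in profile.usual_browsers:
        signals.append("unusual_browser")
    if ctx.hour < 6 or ctx.hour >= 22:
        signals.append("off_hours")
    return sum(WEIGHTS[s] for s in signals), signals

def decide(profile: UserProfile, ctx: LoginContext) -> str:
    """Return 'deny', 'step_up' or 'allow' for this login attempt."""
    if ctx.device_id in BLOCKED_DEVICES:
        return "deny"                         # device reputation overrides the score
    score, _ = risk_score(profile, ctx)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"

def record_success(profile: UserProfile, ctx: LoginContext) -> None:
    """After a successful (stepped-up) login, trust this device/location/browser next time."""
    if ctx.device_id:
        profile.known_devices.add(ctx.device_id)
    profile.usual_countries.add(ctx.country)
    profile.usual_browsers.add(ctx.browser)

# Constructed profile and logins (not real user data).
ALICE = UserProfile(known_devices={"dev-laptop-01"}, usual_countries={"US"}, usual_browsers={"Chrome"})

LOGINS = {
    "usual":        LoginContext("dev-laptop-01", "US", "Chrome", 10),        # score 0  -> allow
    "new_phone":    LoginContext("dev-phone-02",  "US", "Safari", 10),        # score 55 -> step_up
    "abroad_night": LoginContext("dev-phone-02",  "DE", "Chrome", 23),        # score 80 -> deny
    "blocked":      LoginContext("dev-blacklisted-7f3a", "US", "Chrome", 10), # reputation -> deny
}

def demo() -> Dict[str, str]:
    """Decisions before and after the new phone completes a stepped-up login."""
    profile = UserProfile(set(ALICE.known_devices), set(ALICE.usual_countries), set(ALICE.usual_browsers))
    out = {name: decide(profile, ctx) for name, ctx in LOGINS.items()}
    record_success(profile, LOGINS["new_phone"])        # the phone passed its second factor
    out["new_phone_after"] = decide(profile, LOGINS["new_phone"])
    out["abroad_night_after"] = decide(profile, LOGINS["abroad_night"])
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Once the phone is known, the "abroad at night" login drops from an outright deny to a step-up, because only the country and hour signals remain. That is the practical point of the learning step, and also its risk: whatever `record_success` trusts is exactly what an attacker who passes one step-up challenge inherits, so the enrollment path deserves the same scrutiny as the login path.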