{"id":23929,"date":"2018-08-22T21:01:52","date_gmt":"2018-08-22T17:01:52","guid":{"rendered":"http:\/\/www.msp360.com\/blog\/?p=23929"},"modified":"2021-01-25T17:18:32","modified_gmt":"2021-01-25T13:18:32","slug":"two-factor-authentication-solutions","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/two-factor-authentication-solutions\/","title":{"rendered":"Two-Factor Authentication: Solutions, Methods, Best Practices"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">With new data breaches being uncovered daily, many companies are desperate to improve security for their clients. The old standard of user login and password is no longer considered very safe. 2FA is a security by-word nowadays. So, why are you still using old log-on techniques?<\/span><\/p>\n<h2><b>Two-Factor Authentication<\/b><b> Standards<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Major manufacturers of hardware and software have established standards such as the Fast Identity Online (FIDO) system. It lets a user authenticate with touch after entering their name and password. Participants include Microsoft, Intel, PayPal, Google, Samsung, and Lenovo, among others. The system can use authentication hardware built into a phone or laptop, or run over an external device like a USB dongle. <\/span><\/p>\n<h2><b>How to Implement Two-Factor Authentication<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Whatever the hardware or protocol, there are some essential components to a <\/span><span style=\"font-weight: 400;\">two-tier authentication<\/span><span style=\"font-weight: 400;\"> system \u2013 the directory service, whether Active Directory, eDirectory, RADIUS or some other system, and the add-on <\/span><span style=\"font-weight: 400;\">two-factor authentication software<\/span><span style=\"font-weight: 400;\"> that enables the additional functions. 
There are also <\/span><span style=\"font-weight: 400;\">cloud-based two-factor authentication<\/span><span style=\"font-weight: 400;\"> systems available from Google, Microsoft, and others, which are already integrated with their directory services login systems. <\/span><\/p>\n<h2><b>Two-Factor Authentication Vendors<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">In addition to the members of the FIDO Alliance, and the directory services vendors mentioned above, who include <\/span><span style=\"font-weight: 400;\">two-factor authentication<\/span><span style=\"font-weight: 400;\"> functionality as part of their solutions, there are third-party vendors who offer two-factor solutions, including RSA, Symantec, VASCO Data Security, Quest Software, Okta, CA, and others. In addition to software vendors who add <\/span><span style=\"font-weight: 400;\">two-factor authentication <\/span><span style=\"font-weight: 400;\">to server products, there are a variety of vendors offering hardware tokens, fingerprint readers, FIDO keys, and other devices.<\/span><\/p>\n<h2><a name=\"2\"><\/a><b>Choosing the Second Authentication Factor<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">The first decision in setting up a <\/span><span style=\"font-weight: 400;\">two-factor authentication<\/span><span style=\"font-weight: 400;\"> system is not which software to use, unless that choice is made for you. For instance, if you use Google for your office suite or Microsoft Office Online, then you will need a two-factor product that works with your chosen system. For anything else, your first choice should be the type of second factor you will be using. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is typically a trade-off between security on one side and cost and complexity on the other. For instance, using a text message code as the second factor is inexpensive and easy to set up. It is also the most likely to be circumvented by a determined hacker. 
Hardware tokens are much harder to circumvent but are also harder to set up and support, and typically add anywhere from $10-$100 per client in hardware costs. <\/span><\/p>\n<h3><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-23935 size-full\" style=\"font-size: 14px; font-weight: normal;\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/08\/Common-types-of-2FA-2.png\" alt=\"Two-factor authentication types\" width=\"825\" height=\"315\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/08\/Common-types-of-2FA-2.png 825w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/08\/Common-types-of-2FA-2-300x115.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/08\/Common-types-of-2FA-2-768x293.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/08\/Common-types-of-2FA-2-624x238.png 624w\" sizes=\"auto, (max-width: 825px) 100vw, 825px\" \/><\/h3>\n<h3><b>Common types of 2FA:<\/b><\/h3>\n<ul>\n<li><b>Hardware tokens<\/b><span style=\"font-weight: 400;\"> - the oldest form of two-factor authentication: physical devices that act like electronic keys and generate a time-limited numeric code used to access user accounts. This category also includes wireless keycards, smart cards, and USB sticks.<\/span><\/li>\n<li><b>SMS text-message and voice-based 2FA<\/b><span style=\"font-weight: 400;\"> - this type of two-tier authentication interacts directly with a user\u2019s phone. After a user enters a username and password, the site sends the user a unique one-time passcode (OTP) via text message. The user must then enter the OTP back into the application to gain access. In the case of voice-based 2FA, the system dials the user and reads out the 2FA code.<\/span><\/li>\n<li><b>Software tokens <span style=\"font-weight: 400;\">- one of the most popular 2FA forms. 
It uses a software-generated, time-based one-time passcode (also called TOTP, or \u201csoft token\u201d). A user needs a free 2FA app on their phone or desktop. At sign-in, the user first enters a username and password and then, when prompted, enters the code shown in the app.<\/span><\/b><\/li>\n<li><b style=\"font-size: 1rem;\">Push notifications - <span style=\"font-weight: 400;\">websites and apps can now send the user a push notification when there is an authentication attempt. It\u2019s passwordless authentication with no codes to enter, and no additional interaction required.<\/span><\/b><\/li>\n<li><strong>Biometric 2FA<\/strong> - <span style=\"font-weight: 400;\">this technique verifies a person\u2019s identity via fingerprints, retina patterns, facial recognition, ambient noise, pulse, typing patterns, or voice prints.<\/span><\/li>\n<\/ul>\n<h2><b>A <\/b><b>Two-Factor Authentication Solutions Overview<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">All of the systems have the same basic functionality. 
The directory services system that holds the username and password information has<\/span><span style=\"font-weight: 400;\">\u00a0two-factor authentication<\/span><span style=\"font-weight: 400;\"> functionality added to it, which might enable it to send text messages to a user\u2019s phone or retrieve a code when a user presses the button on a hardware token inserted into a USB port. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">The hard part is ensuring that the connection between the system that authenticates the user and the device or messaging system used to add the second factor is supported and secure. This is why picking the second factor should be an early decision: the difficulty lies in getting any particular second-factor system to work with a given directory service. Many of the second-factor hardware devices will support Active Directory or Windows 10, but if you are using Linux, or a specific brand of phone, for instance, this may limit your choices.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We compiled a list of the most popular two-factor authentication software and reviewed each solution:<\/span><\/p>\n<ul>\n<li><strong>Duo Security\u00a0<\/strong>- one of the market leaders in 2FA. A lot of our customers use it and love it. If you just need a 2FA that works, go with them. If they don't fit your needs, check out the rest of our list.<\/li>\n<li><strong>RSA SecurID Access<\/strong><span style=\"font-weight: 400;\"> is an enterprise-grade <\/span><span style=\"font-weight: 400;\">two-factor authentication software<\/span><span style=\"font-weight: 400;\"> that offers many <a href=\"https:\/\/www.msp360.com\/resources\/blog\/mfa-for-msps\/\">multi-factor authentication<\/a> methods, including mobile multi-factor authentication (push notification, one-time password, SMS, and biometrics) and traditional hardware and software tokens. 
Identity assurance is performed by examining a range of contextual factors about the user and correlating them in hundreds of ways. RSA SecurID Access authentication features also include biometric and out-of-band authentication, <a href=\"https:\/\/www.msp360.com\/resources\/blog\/single-sign-on-for-msps\/\">single sign-on<\/a>, and policy management.<\/span><\/li>\n<li style=\"font-weight: 400;\"><strong>Symantec VIP<\/strong><span style=\"font-weight: 400;\"><strong> (Validation and ID Protection Service)<\/strong> is a cloud-based <\/span><span style=\"font-weight: 400;\">two-tier authentication<\/span><span style=\"font-weight: 400;\"> service that enables businesses to secure access to networks and applications. Its most significant authentication features are proximity unlock, two-factor authentication, a credential wallet (security-code generation for your favorite websites' passwords), and more. As for the cons, the cost of this solution is rather high compared to other competitors on the market, and the enrollment process is sometimes long and confusing. <\/span><\/li>\n<li style=\"font-weight: 400;\"><strong>Okta<\/strong><span style=\"font-weight: 400;\"> is a two-factor identity management solution that covers multi-factor authentication, single sign-on, lifecycle management, universal directory, API access management, and other identity management basics. Okta's Adaptive Multi-Factor Authentication solution has a 30-day free trial and a freeware version.<\/span><\/li>\n<li style=\"font-weight: 400;\"><strong>ADSelfService Plus<\/strong><span style=\"font-weight: 400;\"> offers password self-service reset\/unlock, password expiration reminders, a self-service directory updater, a multiplatform password synchronizer, and single sign-on for cloud applications. There are also Android and iPhone mobile apps available to facilitate self-service for end users anywhere at any time. 
ADSelfService Plus supports the IT help desk by reducing password reset tickets and spares end users the frustration caused by computer downtime.<\/span><\/li>\n<li style=\"font-weight: 400;\"><strong>VASCO Data Security<\/strong><span style=\"font-weight: 400;\"><strong> by OneSpan<\/strong> is a mobile, two-factor authentication app that enables users to securely log in to applications, via their mobile device, with a fingerprint or PIN along with a one-time password. Users can be notified via push or generate offline passcodes. It is also called the DIGIPASS app. It comes with a free trial and has a user provisioning feature besides multi-factor authentication and password management. <\/span><\/li>\n<li style=\"font-weight: 400;\"><strong>CA Identity Suite<\/strong><span style=\"font-weight: 400;\"> software is designed to provide its users with control over their organization's privileged users to reduce the risk of compliance failures or security breaches. It comes with many access request management features as well as compliance management, role management, and user provisioning.<\/span><\/li>\n<\/ul>\n<h2><b>Is Two-Factor Authentication Secure<\/b><b>?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">All administrators wish they could buy a security system, install it, and count on it stopping attackers for the foreseeable future. Unfortunately, hackers continue to create new attacks as fast as (and sometimes faster than) security vendors come up with solutions. 
It is feasible for a hacker who has the login and password for an account to log into the self-service portal for the system, change the mobile phone number that verification messages are sent to, and then enter the code sent to the new phone number into the system.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Hardware tokens and biometric verification are currently harder to hack, but a Trojan on the real user\u2019s PC could theoretically intercept the function call and transmit the verification code to another system. This is much more difficult than spoofing a text message and is probably beyond individual criminals, if not national espionage agencies. However, security will always be a moving target.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>With new data breaches being uncovered daily, many companies are desperate to improve security for their clients. The old standard of user login and password is no longer considered very safe. 2FA is a security by-word nowadays. 
So, why are you still using old log-on techniques?<\/p>\n","protected":false},"author":63,"featured_media":24624,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,885,1],"tags":[],"class_list":["post-23929","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-other","category-uncategorized"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/23929","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/63"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=23929"}],"version-history":[{"count":0,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/23929\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/24624"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=23929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=23929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=23929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}