Since it is no longer prudent for an organization protecting sensitive information to rely solely on a simple username and password as its secured form of protection, then these multifactor authentication solutions must deliver a reliable, cost-effective and easily managed offering for organizations of all shapes and sizes. That became the focus of our test this year. Many of the technologies we reviewed were part of the Group Test review last year. Most of the products are obviously mature in their lifecycle, so we shifted our focus slightly to examine how these solutions could address the next level of challenges facing organizations today.
As always, we are interested in the product's ability to deploy easily, be centrally managed and provide good reporting and logging for forensic and auditing purposes. There will always be challenges in the deployment and integration of software across a large enterprise. There are logistical and support challenges with distributing, enrolling and supporting token technologies. In reviewing the solutions for this product set, we looked for tools that used true multifactor authentication while creatively solving the integration, deployment and management issues plaguing this technology.
For this review, we defined multifactor authentication products as those which provide enhanced security of a supplicant providing credentials for access to an authenticator or authentication server. Supplicants may be users or devices.
We had 12 products in our review this month representing a good cross-section of the offerings available. Most of the solutions were software based. We had one appliance-based tool and one hosted-based VPN-style solution. Some of the tools reviewed provided a full-featured offering covering enterprise applications with numerous authentication options, including PKI-based token devices, one-time password (OTP) offerings and soft token options. Some of the solutions took a more focused approach and either provided application-specific-type offerings, such as Outlook Web Access (OWA) and SharePoint authentication, or delivered a specific authentication-style solution, like an OTP using a cell phone. All the solutions we reviewed performed very well and would add positively to enterprise security defenses.
The focused offerings did deploy much easier, especially some of the OTP products. The full-featured tools took some time and integration to get up and running, but after they were configured, provided many options and good reporting and logging details. It's important to note that a fully integrated multifactor authentication solution for corporate applications and websites will require time and expertise to properly integrate. Another important factor to consider when reviewing options for the organization is the ability to have multiple authentication options available.
At the end of the day, our Group Test review turned up some very good solutions for enhancing the security posture of the enterprise. Some were more cumbersome to deploy and manage, while others delivered the technology to the end-user very easily and economically, but with additional reliability risk. In the end, you will need to balance the security needs of your organization with the level of risk you and your company are willing to assume when choosing the best solution.