Strengths: Exceedingly simple to deploy and use, product design philosophy allows for easy fraud detection.
Weaknesses: Hosted solution, no workstation authentication.
Verdict: If one is comfortable with a hosted solution and needs multifactor authentication now, PhoneFactor is a no-brainer.
Companies looking for a turn-key, out-of-band authentication solution need look no further than PhoneFactor. It is, quite simply, one of the easiest to implement multifactor authentication solutions we've ever seen. It is a hosted solution, however, which may be a turn-off to some administrators.
Deployment of the product was incredibly simple. After creating an account on PhoneFactor's website and providing a phone number to associate with that account, we downloaded the agent application. The agent needed to be installed on each application server we wanted to augment with the product. Using our Outlook Web Access server as a test bed, we ran the installation package. After the files were copied, we were prompted to login with the user credentials we provided when setting up our account on the website.
Once we entered our login credentials, the PhoneFactor service placed a call to the phone we provided when initially setting up our account - all we had to do to authenticate was answer the call and press "#". Out of the box, the product supported a number of applications, including Outlook Web Access (OWA). All we had to do was check the appropriate box, provide the base URL and add a user. We were able to import our users from Active Directory and assign phone numbers to each. From that point on, any time one of those users attempted to log into OWA, they received a phone call from PhoneFactor and needed to authenticate just as we did when setting up the agent software. That was it - configuration complete.
PhoneFactor serves as an additional authentication layer for applications. It does not allow for multifactor workstation authentication (i.e., local Windows login), but does support Windows Terminal Services. Additionally, IIS applications, Citrix Web Interface, websites that use forms-based authentication, and applications that authenticate using RADIUS, including VPNs, are all supported out of the box. The available software development kit (SDK) allow that support to be extended further, with SDKs for Perl, Ruby, PHP, .NET and Java applications all downloadable from PhoneFactor's website.
By default, the product places a call to a specified cell phone number. However, SMS messaging and PINs are also available as authentication methods, as well as OATH tokens and a mobile phone app, which can push authentication challenges to the user. The product's user portal account management tool also can be set up as an end-user self-service website, allowing users to register their own phone numbers, activate the mobile app and set up security questions that can be later used to authenticate in case of a forgotten password or lost or stolen phone.
The documentation was decent. The text was detailed enough, with plenty of screen shots, but the formatting was no-frills with no bookmarking or indexing.
PhoneFactor offers two support tiers: its gold level provides 10/5 phone, email and web-based support. The platinum level extends those hours to 24/7. Unfortunately the company offers no real knowledge base or technical FAQs, but then again the product is so simple that there's no real need.
PhoneFactor retails between $10 and $25 per user, and that includes upgrades and gold level support. The platinum support package can be purchased for an additional 10 percent of the total expenditure.