by Tim Ferrill

8 top multi-factor authentication products and how to choose an MFA solution

Feature
Oct 19, 2022 | 11 mins
Authentication | Enterprise Buyer’s Guides | Identity and Access Management

Learn the key considerations when choosing an MFA solution and why these top picks are worth a look.

Multi-factor authentication (MFA) / two-factor authentication (2FA) / one-time security code

Today’s credential-based attacks are much more sophisticated. Whether it’s advanced phishing techniques, credential stuffing, or even credentials compromised through social engineering or breaches of a third-party service, credentials are easily the most vulnerable point in defending corporate systems. All these attacks key on traditional credentials, usernames and passwords, which are past their expiration date as a legitimate security measure. The most effective way forward in enhancing access security is implementing multi-factor authentication (MFA).

Security professionals need control. In physical security this is often accomplished by limiting the points of entry, which allows security personnel to check IDs or have individuals walk through metal detectors. Before the explosion of the internet and web-based apps, the single digital point of entry was the corporate directory. Employees used a single set of credentials to authenticate and receive authorization to corporate resources and access business apps.

Modern infrastructure and web-based business applications make maintaining this single point of entry much more difficult without specialized tools to maintain security posture. MFA offers significant enhancements to the authentication process, the first of which is the additional factor itself: a smartphone, hardware MFA token, or an SMS or email-based authentication code. The authentication process no longer relies exclusively on knowledge-based elements like a username and password, which can be compromised through phishing or other malicious techniques (like simply asking for credentials). Authentication attempts leveraging additional MFA factors require either interaction from a user with a registered device or a physical hardware token, minimizing the impact of a compromised username and password.

Since we’re talking about MFA we should cover a couple of the major buzzwords: passwordless and zero trust. Passwordless is a straightforward concept. If you can authenticate users with more secure factors —biometric or software tokens—passwords become extraneous. Many of the MFA platforms we’ll discuss here can be used to facilitate passwordless authentication if your business case is a candidate; just note that there may be a maturation process for your MFA deployment.

The other popular term, zero trust, is more of a broad model for securing your infrastructure. Traditionally network security started with maintaining a secure perimeter, meaning users or devices connected to the corporate network often had some minimal level of access to corporate resources by default. The zero-trust model assumes nothing about your network perimeter, and accounts for all variations of cloud or on-prem infrastructure. MFA solutions play into zero trust in a variety of ways. First, it helps establish trust prior to authenticating the user by leveraging more secure factors and even ensuring a managed device is being used if necessary. MFA solutions can also evaluate and apply policies dynamically, another key tenet of zero trust, by evaluating various components of the authentication attempt, comparing it to existing threat data, scoring the risk level, and applying additional authentication requirements in an effort to bolster trust. Finally, a big part of those dynamic policies is having enough data for the algorithms and machine learning to chew on, and this is another area where MFA can help progress you into a zero-trust model by funneling all your disparate authentication processes into a centralized solution where you can track attempts and establish a baseline for what trusted activity looks like.

Choosing an MFA solution

The tricky part with any security measure is keeping it convenient, or at least efficient, for end users. The worst thing you can do is ratchet up security requirements so much that users either can’t (or won’t) access corporate resources, or they find ways to bypass and compromise the security measures you’ve put in place.

MFA factors are a key feature when selecting an authentication provider. SMS and email-based security codes are the bare minimum and are better than nothing, but consider whether these factors provide the level of security you need. Both email and SMS are potentially vulnerable to compromise. MFA standards such as time-based one-time passwords (TOTP) are commonly supported by authentication apps like Google Authenticator and others, but ultimately hinge on a single shared secret that is known to both the authentication service and the user’s authentication device. Many MFA providers offer mobile apps as a second authentication factor which rely on proprietary protocols offering both strong security and a convenient authentication flow, up to and including push notifications. There are a few standards out there for MFA: FIDO (Fast IDentity Online) from the FIDO Alliance and WebAuthn (Web Authentication) from the W3C are two popular options. The FIDO2 standard combines WebAuthn and FIDO’s Client to Authenticator Protocol 2 (CTAP2) and is an available factor for several enterprise MFA platforms. FIDO2 is a popular choice due to convenience as it can leverage either hardware tokens like Yubico’s YubiKey or device-based authentication capabilities like Apple Touch ID or Windows Hello.

Enterprise MFA providers offer additional tools and capabilities to enhance authentication security. Properly implemented, MFA services can help you achieve a single focal point for authentication across a variety of applications and corporate resources. Having this central point for authentication traffic allows you to implement additional capabilities such as improved logging and analysis, authentication policies, and even artificial intelligence (AI) and risk-based conditional access. Businesses should also consider the initial setup process for the platform as a whole and in particular the level of difficulty for users to enroll with the MFA solution.

Another aspect to consider when selecting an MFA solution involves the sort of corporate resources you’re looking to secure. Cloud apps like Office 365, Google Workspace, or Salesforce are obvious targets and an easy win for MFA. Corporate VPN is another common use case for MFA, and why not? Your VPN is essentially the gateway to your network and should be protected at least as well as physical access to corporate facilities. Likewise, VDI (virtual desktop infrastructure) implementations should have your focus for MFA authentication, as they frequently open access to corporate resources once users have authenticated. Leveraging MFA with internal or custom business apps is a bit of a tougher win and depends largely on the maturity of the app you’re looking to secure. Finally, there are solid reasons to implement MFA for authentication to corporate desktops and servers, particularly in an era where more and more users are working remotely.

Tightly intertwined with the resources you’re securing with MFA is the infrastructure needed to tie those resources together with your existing identity repository. Frequently this will involve integrating with an on-premises Lightweight Directory Access Protocol (LDAP) directory. Many MFA providers do this using either a software agent installed on your local network or through LDAPS (LDAP over SSL). If your enterprise scale warrants multiple directories things get a little more complicated, and you’ll want to ensure your MFA solution of choice is mature enough to handle that complexity by defining things like which repository contains the master data for certain attributes and how attributes between different repositories match up.

In terms of use-case specific infrastructure, cloud apps are often going to be an easy win as many integrate seamlessly using standards like Security Assertion Markup Language (SAML). Most VPN solutions support integration with Remote Authentication Dial-In User Service (RADIUS), which can either be used to funnel authentication to an existing RADIUS server and then to your MFA provider, or in some cases can communicate directly with your MFA provider using standard RADIUS protocols. Custom or internally hosted business apps may require interaction with the MFA provider via its API, or SAML can potentially be leveraged. MFA for desktops and servers will require software installed on each endpoint to insert itself into the authentication workflow.

8 top multi-factor authentication products

The MFA segment is a buyer’s market. There are several very solid options, each with a comprehensive feature set and quite a bit of flexibility. This list of services below is not all-inclusive, and inclusion does not constitute an endorsement.

  • Cisco Secure Access by Duo
  • IBM Security Verify
  • LastPass MFA
  • Microsoft Azure AD MFA
  • Okta Adaptive MFA
  • PingOne MFA
  • RSA SecurID
  • Yubico YubiKey

Cisco Secure Access by Duo

Duo has one of the bigger footprints of any of the MFA services. There are a couple of major selling points for Duo. Implementing Duo MFA authentication for various applications, services, and even servers is a straightforward process, with many apps integrating out of the box. Additionally, Duo’s MFA app supports an easy, secure enrollment process and push authentication that is both convenient and secure.

IBM Security Verify

IBM Security Verify is IBM’s entry into the Identity Management and MFA space. IBM Security Verify offers MFA options for cloud or on-prem apps, VPN, and even desktops. One of the biggest features with Verify is the amount of flexibility you have between MFA factors, integrations with other identity providers, and perhaps most importantly the broad capabilities in adaptive access and risk-based authentication. Bottom line, IBM Security Verify offers all the features you need to protect access to your corporate resources.

LastPass MFA

LastPass is best known for their password managers, but their MFA offering is robust enough to warrant mention here. LastPass MFA is an add-on for LastPass Business, though Business users get basic MFA functionality. The MFA add-on brings contextual authentication policies, support for both workstations and VPNs, as well as the option to integrate with other identity providers (IdPs) like many of the other solutions on this list.

Microsoft Azure AD MFA

Almost everyone is familiar with Azure AD at this point, and it’s no secret that Microsoft offers a solid baseline for MFA and conditional access. Some features (notably conditional access and risk-based authentication) do require premium accounts, but basic MFA functionality is included with a free Azure AD instance. It’s also worth noting that some Office 365 accounts include Azure AD Premium, making it an easy choice for a growing number of businesses.

Okta Adaptive MFA

In terms of modern identity management and adaptive MFA policies, Okta is one of the premier solutions on the market and should really be on everyone’s short list of potential options. Okta offers a variety of tools and services surrounding identity and authentication, allowing corporate IT to pick and choose the elements that best fit their needs.

PingOne MFA

Ping Identity has been offering solutions for securing identities for quite some time and has a robust set of services geared toward managing and securing corporate identities. PingOne MFA focuses on the various aspects of MFA including the mechanics of push-based MFA, one-time passwords, biometrics, and other key components of the customer-facing authentication process. PingOne also offers dynamic policies to optimize the authentication process for users and allows you to apply custom branding or even integrate the service in your own business applications.

RSA SecurID

RSA has been in the MFA game since before cloud-based MFA services really took off and remains a leader for a number of reasons. RSA’s MFA mobile app is on par with any other solution out there in terms of features, and RSA still offers hardware tokens that generate rotating one-time passwords (OTP) for use with VPNs, web applications, or other corporate resources.

Yubico YubiKey

If you’ve done any previous research on MFA, you’ve likely come across the YubiKey: a small hardware token that integrates with many of the MFA services listed here (and many others). For business scenarios Yubico offers a few services primarily centered around helping manage the supply chain aspect of issuing tokens to employees. The YubiEnterprise subscription offers a cost-effective way to maintain a buffer stock of YubiKeys as well as handle periodic upgrades. YubiEnterprise Delivery similarly helps manage issuance of YubiKeys, but through direct-ship rather than the IT shop maintaining inventory. Yubico’s other service, YubiCloud, is a set of APIs you can use to leverage YubiKey authentication from your business applications.