UX

| Criterion | What it measures | Password-free solution | OTP tokens (RSA SecurID, Vasco DigiPass, Google Authenticator) | Smart cards (Gemalto USB Smartcard, Yubikey Smart Card) | Mobile push authenticators (Duo, Symantec VIP, Okta Verify) | SMS / email OTP | Biometrics |
|---|---|---|---|---|---|---|---|
| Password-less | Providing uniform, password-free authentication to the enterprise network, remote access, SSO, and web/cloud services. | No passwords means delighted and productive users; standards-based solution that supports enterprise network logon, remote access, SSO, and access to web/cloud services | Typically used as a second factor together with vulnerable passwords; solutions generally support only remote access and access to web applications | Typically used as a second factor together with vulnerable passwords; no support for access to web/cloud services | No support for enterprise network logon | Typically used as a second factor with vulnerable passwords; no support for enterprise network logon | No support for enterprise network logon when using mobile device-based biometrics |
| Hardware free | No need to carry around (and occasionally misplace) a separate hardware authenticator. | Authenticator runs on the user's mobile device | Hardware: need to carry around a separate hardware token. Software: authenticator runs on the user's mobile device | Need to carry around a separate hardware token; access is enabled only from hosts running device interface software | Authenticator runs on the user's mobile device | No additional hardware required | No additional hardware required when using mobile device-based biometrics; dedicated hardware required otherwise |
| No OTP typing | No need to enter one-time code strings, which leads to errors and delays when logging in. | Authenticator communicates transparently with the service backend; users don't type in anything | User needs to enter OTP codes | Token middleware communicates with the service backend | Authenticator communicates transparently with the service backend | User needs to enter OTP codes; frustrating user experience when code arrival is delayed | Sensor middleware communicates with the service backend |

Security

| Criterion | What it measures | Password-free solution | OTP tokens | Smart cards | Mobile push authenticators | SMS / email OTP | Biometrics |
|---|---|---|---|---|---|---|---|
| Resilient to key theft, MITM and phishing | Tightly securing secrets and authentication tokens against theft and/or interception. | Replaces vulnerable passwords with high-assurance, password-free authentication; provably-secure authentication scheme protects against key/seed theft, phishing and man-in-the-middle attacks | Typically used as a second factor with vulnerable passwords; OTP codes are susceptible to phishing and man-in-the-middle attacks | Highly secure when properly implemented | Security tokens can be intercepted | Codes are susceptible to phishing and man-in-the-middle attacks; mobile carrier and/or email accounts used for authentication can be easily compromised | A lost biometric credential can never be recovered; compromised mobile devices and colluding hardware manufacturers can undermine biometric data |
| Windows domain / network asset protection | Securing access to the Windows domain and to networked resources from within the domain, to prevent lateral movement. | Support for enterprise network logon; replaces static passwords used for lateral movement once in the network | Typically no support for enterprise network access; static passwords remain a vulnerability once inside the network | PKI credential used to access the network; static passwords remain a vulnerability once inside the network | Typically no support for enterprise network access; static passwords remain a vulnerability once inside the network | Typically no support for enterprise network access; static passwords remain a vulnerability once inside the network | Typically no support for enterprise network access when using mobile device-based biometrics; static passwords remain a vulnerability once inside the network |
| Password phishing, cracking, and pass-the-hash prevention | So long as passwords remain an authentication credential, alone or in conjunction with another factor of authentication, they can be phished, cracked, or stolen after being hashed (i.e. pass-the-hash). | Replaces vulnerable passwords with high-assurance, password-free authentication; replaces static passwords used for lateral movement once in the network | Typically used as a second factor with vulnerable passwords; static passwords and password hashes remain a vulnerability once inside the network | Typically used as a second factor with vulnerable passwords; static passwords and password hashes remain a vulnerability once inside the network | Typically used as a second factor with vulnerable passwords; static passwords and password hashes remain a vulnerability once inside the network | Typically used as a second factor with vulnerable passwords; static passwords and password hashes remain a vulnerability once inside the network | Typically used as a second factor with vulnerable passwords; static passwords and password hashes remain a vulnerability once inside the network |

TCO

| Criterion | What it measures | Password-free solution | OTP tokens | Smart cards | Mobile push authenticators | SMS / email OTP | Biometrics |
|---|---|---|---|---|---|---|---|
| No password-related support calls | So long as passwords continue to be used, password management costs continue to be incurred by the customer, irrespective of any additional factors of authentication deployed. | No passwords means no costly resets and renewals | Used with passwords, which means customers will continue to incur all associated costs | Used with passwords, which means customers will continue to incur all associated costs | Typically used with passwords, which means customers will continue to incur all associated costs | Typically used with passwords, which means customers will continue to incur all associated costs | Typically used with passwords, which means customers will continue to incur all associated costs |
| Easy integration and maintenance | Standards-based (e.g. LDAP, RADIUS) integration with other systems and relying parties. | Standards-based solution that works well with 3rd-party identity management/access management solutions, remote access and web/cloud access | Supports broadly adopted standards. Software: if part of an access management solution, it will likely not support 3rd parties | Requires client software which is hard to install and maintain | Supports broadly adopted standards; if part of an access management solution, it will likely not support 3rd parties | Supports broadly adopted standards | Varies by solution architecture and supported standards |
| Simple user enrollment | Straightforward, software-based user onboarding that requires no onerous logistics. | No hardware enrollment and logistics costs; no password enrollment | Hardware: requires physical logistics to get the token to the user. Requires provisioning a password | Requires physical logistics to get the token to the user; requires provisioning a password | No hardware enrollment and logistics costs; typically requires provisioning a password | No hardware enrollment and logistics costs; typically requires provisioning a password | Biometric enrollment is notoriously difficult and support-intensive; typically requires provisioning a password |