The Aite 2021 Passwordless Report: Who is “Best in Class”?

Raz Rafaeli | June 2, 2021

The passwordless authentication market is fast-growing, and identity and access management solutions that do away with passwords are becoming increasingly affordable and easy to deploy. But with so many providers and technologies, how do you make sure you choose the right solution for your enterprise?

Recently, Aite Group, a business and technology advisory with offices in the U.S. and the UK, selected Secret Double Octopus as the most enterprise-ready provider of passwordless MFA technology. The selection was made after Aite Group’s analysts conducted a thorough analysis of the market and spoke to a wide range of organizations about their experience with different solution providers.

Aite Group’s analysis of Secret Double Octopus’s technology sheds light on what a robust and reliable passwordless authentication solution should look like.

Addressing a fragmented landscape

Many enterprises—especially those that have been around for more than a decade—face a vexing technical challenge when they want to integrate new solutions into their technology stack. Their environments are composed of a hodgepodge of different operating systems (Windows, macOS, Linux), directory services (Active Directory, OpenLDAP), devices (desktop/laptop computers, mobile devices, specialized terminals), authentication protocols (SAML, SSO, OAuth), and cloud and on-premise services.

Not all passwordless solutions support all technology stacks and protocols, which makes it extremely frustrating to integrate them across an organization. In most cases, a newly introduced technology ends up becoming partially deployed across the organization, leaving some users and devices with password-based authentication. As a result, the company remains vulnerable to password-based attacks.

Secret Double Octopus has gone to great lengths to make sure its solution is compatible with all kinds of infrastructure found in enterprises of all sizes. According to Aite Group’s analysis: “Customers can deploy SDO in stages to support hundreds of off-the-shelf and home-grown applications. Companies can integrate SDO with all existing identity and access management, single sign-on, OTP, and password management solutions. It works with Active Directory on-premises or in Azure, on Windows, Mac, Linux machines, with and without the use of phones.”

What makes Secret Double Octopus a leading passwordless authentication provider?

Some operating systems don’t natively support passwordless authentication. macOS and LDAP require a password and only support passwordless technology as an additional factor in multi-factor authentication. Secret Double Octopus rotates passwords in the backend of password-based systems, so that the user is never asked for one, providing a passwordless login to all operating systems and enterprise use cases.
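To make the backend-rotation idea concrete, here is an added illustration (not Secret Double Octopus code, and not a description of its internal design): a broker generates a long random password for each user, stores it in a directory that still demands one, binds with it only after the passwordless factor has been approved, and immediately rotates it. The `FakeDirectory` class is a constructed stand-in for Active Directory or LDAP that keeps only salted PBKDF2 hashes; the names `RotationBroker`, `enroll`, `rotate` and `login` are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import string

# Character set for generated passwords; length 32 gives far more entropy than a human would type.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


class FakeDirectory:
    """Constructed stand-in for an AD/LDAP directory that still requires a password.
    It stores only a salt and a PBKDF2-HMAC-SHA256 digest per user."""

    def __init__(self):
        self._creds = {}

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds[user] = (salt, digest)

    def bind(self, user, password):
        """Simulates an LDAP simple bind: True only if the password matches."""
        if user not in self._creds:
            return False
        salt, digest = self._creds[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


def generate_password(length=32):
    """Machine-generated secret; no human ever sees or types it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class RotationBroker:
    """Hypothetical broker that owns the directory password on the user's behalf.
    The user authenticates with a passwordless factor; the broker performs the bind."""

    def __init__(self, directory):
        self._directory = directory
        self._current = {}  # user -> password currently set in the directory

    def enroll(self, user):
        return self.rotate(user)

    def rotate(self, user):
        """Replace the stored password with a fresh random one and remember it."""
        password = generate_password()
        self._directory.set_password(user, password)
        self._current[user] = password
        return password

    def login(self, user, factor_approved):
        """Called after the passwordless factor (e.g. a push approval) has completed.
        Binds with the current password, then rotates so the value is single-use."""
        if not factor_approved or user not in self._current:
            return False
        ok = self._directory.bind(user, self._current[user])
        self.rotate(user)
        return ok


def demo():
    """Walk through enroll, approved login, and a check that the old password is dead."""
    directory = FakeDirectory()
    broker = RotationBroker(directory)
    old = broker.enroll("alice")
    approved = broker.login("alice", factor_approved=True)
    return {"approved_login": approved, "old_password_still_valid": directory.bind("alice", old)}


if __name__ == "__main__":
    print(demo())
```

The security property worth noticing is that the directory still holds a password, but it is random, long, unknown to the user, and replaced after every bind, so a credential phished or guessed from the human has no value and a leaked hash is stale almost immediately.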

Flexibility and scalability

Secret Double Octopus also supports all authentication protocols, including RADIUS and SAML, can be deployed on VPNs and SSH terminals, and can be installed on a wide range of enterprise servers and applications such as MSSQL, Oracle, PostgreSQL, Azure, and AWS.

But enterprises have other requirements as well when it comes to adopting new security technologies. A good authentication solution should support various modes of management and deployment. These requirements range from management interfaces to the granularity of permissions and compatibility with other authenticators. Enterprises also expect their authentication solutions to be scalable.

Secret Double Octopus provides flexibility at different levels in terms of the management console, database, auditing with Elasticsearch, authentication server, and DMZ servers. Therefore, based on its needs, an organization can deploy the different pieces of the solution together or separately and tailor each component to its current IT infrastructure.

The solution should also adapt to the enterprise’s policies in terms of user permissions and roles. Octopus supports integration with existing Active Directory/LDAP rules as well as customized settings.

Security

Finally, the most important aspect of any authentication solution is its security. A login technology that has security holes is itself an attack vector that can cause security incidents.

The mobile servers of Secret Double Octopus are stateless and are only used to locate the enrolled device and send a push notification to the user’s device. The server deletes the data within two minutes. Octopus uses end-to-end encryption between the server and the mobile device, which makes it resilient against man-in-the-middle attacks. The solution also uses extra measures to harden the security of the enrollment process, including key reconstruction prevention and single-use AES-256 encryption keys.
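The properties described above (a relay that only locates the device, holds nothing for more than two minutes, and cannot read what it forwards because the ends share a single-use key) are easy to simulate. The following is an added example, not Secret Double Octopus code and not a description of its actual protocol: `PushRelay`, `MobileDevice`, `AuthServer`, the 120-second TTL and the injectable clock are all assumptions made for illustration, and the one-time pad stands in for the article’s single-use AES-256 keys so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os
import time

TTL_SECONDS = 120  # assumed expiry, mirroring "deletes the data within two minutes"


def xor_bytes(key, data):
    """One-time-pad stand-in for a single-use symmetric key: the key is random, as long
    as the message and never reused, so the relay sees only ciphertext."""
    if len(key) != len(data):
        raise ValueError("one-time key must match message length")
    return bytes(k ^ d for k, d in zip(key, data))


def make_session_key():
    """Single-use 32-byte key shared between server and device (enrolled out of band here)."""
    return os.urandom(32)


class PushRelay:
    """Hypothetical relay: its only durable state is which device belongs to which user.
    Pending pushes are opaque ciphertext, delivered once, and evicted after TTL_SECONDS."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._devices = {}   # user -> device_id
        self._pending = {}   # device_id -> (ciphertext, expires_at)

    def register(self, user, device_id):
        self._devices[user] = device_id

    def push(self, user, ciphertext):
        device_id = self._devices[user]
        self._pending[device_id] = (ciphertext, self._clock() + TTL_SECONDS)
        return device_id

    def fetch(self, device_id):
        """Deliver the pending ciphertext once; None if nothing pending or it expired."""
        self._evict_expired()
        entry = self._pending.pop(device_id, None)
        return entry[0] if entry else None

    def pending_count(self):
        self._evict_expired()
        return len(self._pending)

    def _evict_expired(self):
        now = self._clock()
        for device_id, (_, expires_at) in list(self._pending.items()):
            if expires_at <= now:
                del self._pending[device_id]


class MobileDevice:
    """Holds the session key; the relay never does."""

    def __init__(self, device_id, session_key):
        self.device_id = device_id
        self._key = session_key

    def respond(self, relay):
        ciphertext = relay.fetch(self.device_id)
        if ciphertext is None:
            return None
        challenge = xor_bytes(self._key, ciphertext)
        # Approval is an HMAC over the decrypted challenge; only a key holder can produce it.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Encrypts a fresh challenge end-to-end for the device and verifies the approval."""

    def __init__(self, relay):
        self._relay = relay
        self._sessions = {}  # user -> (session_key, challenge)

    def start_login(self, user, session_key):
        challenge = os.urandom(32)
        self._sessions[user] = (session_key, challenge)
        self._relay.push(user, xor_bytes(session_key, challenge))

    def verify(self, user, response):
        session = self._sessions.pop(user, None)  # single use: the session is consumed
        if session is None or response is None:
            return False
        key, challenge = session
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

Two things to test against such a design: the relay’s `_pending` table must be empty once the TTL passes even if the device never answers, and a fetch after expiry must yield nothing, so a late or replayed push can never complete a login.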

Octopus admins can also enforce device-level policies, such as setting the minimum acceptable versions of mobile operating systems. The mobile app also protects against rootkits, jailbreaks, malware, and other device-level attacks.

Here’s Aite Group’s final take on Secret Double Octopus: “SDO is unique in the passwordless field by not attempting to recreate authentication, rather simply to take user error out of the equation. It is intuitive and adaptable to all familiar daily scenarios of modern – and not-so-modern enterprises. Companies want to take passwords out of the day-to-day user experience and off the shoulders of administrators. SDO makes that happen.”