Two-factor authentication (2FA), also known as dual-factor authentication, is a security system through which a user trying to access a system or application is verified in two distinct ways instead of just a password. This article details the key features of a 2FA solution and the top ten vendors in 2021.
Table of Contents
- Key Must-Have Features for a Two-Factor Authentication Software
- Top 10 Two Factor Authentication Vendors in 2021
Key Must-Have Features for a Two-Factor Authentication Software
Verizon’s 2021 data breach report revealed that 61% of data breaches involve stolen credentials. A single data breach can cost a company up to 3 million dollars.
This is where two-factor authentication comes in handy. 2FA is a subset of multi-factor authentication (MFA). It mandates the need for more than one layer of authentication, such as biometrics. In today’s business climate, it is imperative that all organizations, no matter how big or small, consider implementing 2FA for added security. Here are some of the key features to look for while deciding on a two-factor authentication vendor:
1. Remote work support
With the increase in remote work and perimeter-less networks, industry-standard strong authentication such as FIDO and WebAuthn is necessary. All devices accessing the network must be monitored for security hygiene, such as whether all security patches have been applied and whether an IP address is suspicious.
2. Adaptive policies and controls
Two-factor authentication must kick in with varying factors based on security requirements. This requirement can be based on behavioral, location, or time-based context. For example, a user trying to log in at an unusually late hour is most likely a bad actor, and adaptive authentication can respond with a stronger factor.
3. Provision of analytics
A solid 2FA solution should give insights into users, devices, applications, and services accessed. A dashboard must provide zoomed and filtered granular information. It must also provide visibility into authentication attempts, particularly failed ones. The security profile of all devices registered to the environment would be a plus.
4. Robust logging and reporting system
All solutions must create detailed logs of users, devices, admins, and authentication methods. These logs not only help create custom reports but can also be exported to third-party security information and event management (SIEM) systems.
5. Compliance-friendly reports
All generated reports need to be audit-friendly, with up-to-date proof of compliance reports. Most regulations such as HIPAA and PCI DSS mandate two-factor authentication as part of their guidelines.
6. Flexible solution
The solution needs to be flexible in terms of the types of devices and systems supported and integration with existing applications. A user’s or device’s location must be irrelevant to 2FA operations. The solution should be able to scale up to new users and also new types of devices. Flexibility is also measured in terms of how many authentication factors the users can choose from.
7. Empowered users
Users must be able to reset passwords or recover locked accounts using their own self-service portal. Waiting for an admin to respond may waste precious time.
Factors such as high availability must also be considered, just like with all other services consumed. The chosen vendor must commit to an uptime of 99.99% in the service level agreement (SLA) and be independent of the existing system. This is usually achieved by distribution across geographic regions, power grids, and providers. If a two-factor authentication system goes down, employee productivity would be affected, and consumers can be deprived of accessing the services.
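As an added illustration of features 1, 2, and 4 above (not code from any vendor covered in this article), the following Python example shows how an adaptive policy can turn device hygiene, IP reputation, location, and time-of-day context into a factor requirement and emit each decision as a JSON event that a SIEM can ingest. The thresholds, field names, and factor labels are assumptions made for the example.

```python
import json
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical policy values (assumptions for this example only).
WORK_START, WORK_END = time(7, 0), time(20, 0)
USUAL_COUNTRIES = {"US"}
LOCKOUT_FAILURES = 5


@dataclass
class LoginAttempt:
    user: str
    when: datetime
    country: str
    device_patched: bool   # device hygiene: all security patches applied
    ip_suspicious: bool    # verdict from an IP reputation source
    recent_failures: int   # failed attempts for this user in the lookback window


def risk_signals(attempt):
    """Collect the behavioral, location, time, and device signals for one attempt."""
    signals = []
    if not (WORK_START <= attempt.when.time() <= WORK_END):
        signals.append("off_hours")
    if attempt.country not in USUAL_COUNTRIES:
        signals.append("unusual_location")
    if not attempt.device_patched:
        signals.append("device_unpatched")
    if attempt.ip_suspicious:
        signals.append("suspicious_ip")
    return signals


def decide(attempt):
    """Map signals to an action. A second factor is always required;
    risk only changes which factor, or blocks the attempt outright."""
    signals = risk_signals(attempt)
    if attempt.recent_failures >= LOCKOUT_FAILURES:
        signals.append("too_many_failures")
        action, factor = "deny", None
    elif "suspicious_ip" in signals and "device_unpatched" in signals:
        action, factor = "deny", None
    elif signals:
        action, factor = "step_up", "webauthn"   # stronger, phishing-resistant factor
    else:
        action, factor = "allow", "push"         # baseline second factor
    return {
        "user": attempt.user,
        "timestamp": attempt.when.isoformat(),
        "action": action,
        "required_factor": factor,
        "signals": signals,
    }


def to_siem_line(event):
    """Serialize one decision as a single JSON line for export to a SIEM."""
    return json.dumps(event, sort_keys=True)


# Constructed sample attempts, not real log data.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", datetime(2021, 6, 1, 10, 0), "US", True, False, 0),
    LoginAttempt("bob", datetime(2021, 6, 1, 2, 30), "US", True, False, 1),
    LoginAttempt("carol", datetime(2021, 6, 1, 11, 0), "US", False, True, 0),
    LoginAttempt("dave", datetime(2021, 6, 1, 12, 0), "US", True, False, 5),
]

if __name__ == "__main__":
    for sample in SAMPLE_ATTEMPTS:
        print(to_siem_line(decide(sample)))
```

Logging the signals alongside the decision is what makes failed or blocked attempts explainable in later reports and audits.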
Top 10 Two Factor Authentication Vendors in 2021
Now that we’ve determined the key features that a two-factor authentication solution needs to have, here is a list of the top vendors in the market today. All of these solutions also provide single sign-on (SSO) support. Vendors that provide MFA capabilities also provide 2FA as an extension.
Disclaimer: This alphabetically-arranged list is based on publicly available information and includes vendor websites that sell to mid-to-large enterprises. Readers are advised to conduct their own final research to ensure the best fit for their unique organizational needs.
1. Auth0
Auth0 is an adaptive authorization and authentication platform that aims to make the login page as flexible as possible.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: It uses WebAuthn to integrate with FIDO security keys and biometric devices.
  - Device state check: Auth0 does not consider device health.
- Adaptive authentication: It allows the configuration of adaptive policies for suspicious access requests.
- Analytics:
  - Dashboard: Auth0 provides a basic portal to set up users, policies, rules, and logs.
  - Device security profiles: It does not look into device health and trusts all registered devices and apps.
  - Visibility into auth attempts: All authentication attempts are logged.
- Reporting and logging: Successful and failed login events, including information related to adaptive MFA risk assessment scores, are logged.
- Integration: Auth0 SDKs enable integration and customization with the existing setup.
- Self-service and account recovery: It does not have a self-service portal for users. Users are given a recovery code to regain access. Alternatively, admins can reset auth details as well.
Authentication factors supported: It supports security keys, biometric devices, OTP using Google Authenticator, push notifications via Auth0 Guardian, and voice/email.
Supported devices: It supports all leading operating systems and browsers.
Compliance: Auth0 complies with GDPR, HIPAA, HITECH, CSA STAR, ISO, and PCI DSS.
Pricing: Auth0 is free of cost with up to 7,000 active users and an unlimited number of logins. Pricing varies based on the use case and the number of active users. The B2C Essentials package costs $23/month for up to 10,000 users with just user role management capabilities. The B2C Professional package costs $240/month for up to 10,000 users with pro MFA, user role management and admin capabilities, and consolidated user stores.
Editorial comments: Auth0 is an MFA platform built for developers with an API-first approach. It has great documentation, but the adaptive MFA may be tricky to implement. Moreover, it does not support disaster data recovery.
2. CyberArk Identity
CyberArk provides an end-to-end identity and access management solution that takes care of everything from access privilege to DevOps security.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: CyberArk leverages the WebAuthn API to facilitate passwordless authentication to CyberArk Identity, either by using external or on-device authenticators.
  - Device state check: It enrolls devices and checks to see if they are active.
- Adaptive authentication: It supports adaptive, context-based authentication.
- Analytics:
  - Dashboard: It has multiple dashboards, including one that provides a snapshot of active users, apps, login locations, devices, and users.
  - Device security profiles: It does not consider device security profiles, choosing to trust registered devices.
  - Visibility into auth attempts: It documents failed login and account unlock requests.
- Reporting and logging: CyberArk Identity produces entitlement reports and activity logs for compliance audits.
- Integration: Its reports can be exported to third-party SIEM solutions.
- Self-service and account recovery: Admins can set up a customized self-service portal for users. Users can recover forgotten usernames and passwords if admins permit them.
Authentication factors supported: CyberArk supports FIDO2 keys, virtual and hardware tokens, OATH-based mobile authenticators, push notifications, SMS messages, emails, interactive phone calls, security messages, and derived credentials.
Supported devices: It supports Windows, macOS, iOS, and Android.
Compliance: It complies with GDPR, NERC CIP, MASTRM, Sarbanes Oxley, and PCI DSS.
Pricing: CyberArk’s Centrify Application Services and Centrify Endpoint Services are priced at $5/user/month. The more comprehensive ‘Infrastructure Services’ is priced at $22/user/month, while its add-on ‘Analytics Service’ costs $2/user/month.
Editorial comments: CyberArk is best for SMEs and has excellent integration with HR platforms such as WorkDay. Customers report that the pricing structure is complicated and can quickly inflate if not considered carefully. It also requires better documentation.
3. Duo
Cisco’s Duo provides a comprehensive 2FA solution that focuses on mobile-based authentication factors.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: It plugs in with WebAuthn/FIDO2 security keys.
  - Device state check: Duo enforces access control and monitors the health of managed and unmanaged devices. It enforces health checks at every login attempt, which is particularly helpful for organizations following a BYOD model.
- Adaptive authentication: Duo responds to changing user context. It can be tuned to protect specific apps and networks and allows fully customized security policies.
- Analytics:
  - Dashboard: It provides an admin-friendly dashboard. It also provides a Trust Monitor for analyzing and modeling authentication data.
  - Device security profiles: Duo analyzes user devices, including current device, OS, browser, Flash, and Java versions. It also shows admins the latest patches and updates for outdated devices.
  - Visibility into auth attempts: It provides detailed information about each corporate and unmanaged device across the system.
- Reporting and logging: The system provides deployment progress reports, admin actions reports, and policy impact reports, among others. It also provides detailed logs, including authentication logs, admin logs, and telephony logs.
- Integration: Duo Authentication Proxy logs SIEM-consumable authentication events.
- Self-service and account recovery: The Duo Mobile App allows users to update their devices as per security policies. Duo Restore can be used to recover Duo-protected accounts.
Authentication factors supported: Duo supports Duo Push for push-based 2FA, U2F, biometrics, tokens, and passcodes via mobile devices.
Supported devices: It supports Android, Windows, macOS, iOS, and Linux. It can also be integrated with various VPNs.
Compliance: Duo is compliant with SOC 2, EPCS, NIST, ISO, and FIPS.
Pricing: Duo MFA is priced at $3/user/month.
Editorial comments: Duo is ideal for small enterprises and companies looking for customer-facing 2FA solutions. The platform, however, seems to rely heavily on network connections, and, as such, Duo might not be an ideal option for low-connectivity areas.
4. Entrust Datacard
Entrust’s Digital Security boasts multiple identity-based solutions, such as Identity as a Service, Identity Enterprise, and Identity Essentials. They also focus on payment-related identity solutions.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: It supports WebAuthn.
  - Device state check: The system does not check for device health.
- Adaptive authentication: It provides adaptive authentication by considering geolocation, geofencing, and login behavior.
- Analytics:
  - Dashboard: It has a dashboard with built-in provisioning tools.
  - Device security profiles: It does not maintain the security profiles of registered devices.
  - Visibility into auth attempts: It logs all authentication details.
- Reporting and logging: It generates basic reports.
- Integration: It works with the Microsoft environment, including Active Directory (AD) and Active Directory Federation Service (ADFS) for user synchronization. It also integrates with Splunk.
- Self-service and account recovery: It has a self-service portal. Users can reset passwords.
Authentication factors supported: It supports OTPs, display cards (such as credit cards), grid authentication, biometrics, digital certificates, device authentication, mobile smart cards, and SMS soft tokens.
Supported devices: It supports Windows, macOS, iOS, Android, Blackberry, and Windows Mobile.
Compliance: It complies with GDPR and is certified for ISO, PCI DSS, California Consumer Privacy Act, FDA/DEA, FedRAMP, HIPAA, and Mexico Data Protection Law.
Pricing: Entrust offers a free trial of its services. It urges users to reach out for pricing details.
Editorial comments: Entrust Datacard has three solutions: Identity as a Service, Identity Essentials, and Identity Enterprise. Depending on the size and existing platform, one of these solutions can be chosen. Identity as a Service is a complete IAM solution that includes MFA. It is a less expensive option as compared to other players’ offerings in the market. Users do report that the installation process is complicated, but customer support is great.
5. Okta
Okta is an established player in the identity field, with its solutions spanning from API access management to MFA.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: Okta supports WebAuthn.
  - Device state check: Okta has released Okta Device Trust to work alongside its identity management solutions.
- Adaptive authentication: It allows the creation of contextual access policies that consider device, network, location, travel, IP, and others.
- Analytics:
  - Dashboard: Okta Administrator Dashboard summarizes org usage and activity. It uses big data-enabled analytics.
  - Device security profiles: It allows only end-users and partners with managed devices to access Okta-integrated applications.
  - Visibility into auth attempts: Risk scoring uses a data-driven risk engine to determine whether each sign-in event is likely to represent unusual activity.
- Reporting and logging: Okta’s analytics and reporting provide a clear picture of the access and authentication patterns of users. It logs information related to how the risk level was determined during each authentication attempt.
- Integration: Okta integrates with Symantec, Duo Security, Google Authenticator, and YubiKey.
- Self-service and account recovery: It provides a self-service portal for end-users and allows users to recover accounts from their portals.
Authentication factors supported: Okta supports passwords, security questions, SMS/voice/email, push verification, YubiKey OTP, U2F, and WebAuthn.
Supported devices: Okta provides cloud and on-prem MFA solutions. It can run on Windows, macOS, iOS, Android, and VMware.
Compliance: Okta is ISO-, SOC 2-, CSA STAR Level 2-, FedRAMP ATO-, APEC PRP-, and FIPS-certified. It complies with HIPAA, PCI DSS, SOX, GDPR, and NYDFS.
Pricing: Okta’s MFA costs $3/user/month, while the adaptive MFA comes to $6/user/month. Single sign-on is available as an add-on at $2/user/month.
Editorial comments: Okta is a good option for companies with a large volume of users. Users report it to be an intuitive, easy-to-implement solution. Small companies, however, would need to keep an eye on rising costs, especially with add-ons.
6. OneLogin
OneLogin provides an entire suite of workforce and customer identity services as a part of its IAM solution.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: OneLogin supports WebAuthn for biometric integrations.
  - Device state check: OneLogin requires devices to be registered and does not provide device health details.
- Adaptive authentication: It supports policy-based adaptive MFA.
- Analytics:
  - Dashboard: Its admin portal supports policy management, deployment tools, and device management.
  - Device security profiles: OneLogin’s SmartFactor Authentication incorporates machine learning to evaluate the risk and context of each login and thereby adapts accordingly.
  - Visibility into auth attempts: It creates a centralized audit trail that records all user changes and activity.
- Reporting and logging: Its reports give instant insights into login activity, application utilization, weak passwords, and more.
- Integration: It integrates with other SIEM solutions by sending event data in JSON format.
- Self-service and account recovery: It has self-service portals for users. Passwords can be reset in the portal.
Authentication factors supported: It supports a one-time-password (OTP) app for push notifications, email, SMS, voice, and WebAuthn for biometric factors.
Supported devices: It runs on Windows, macOS, iOS, Android, and all popular web browsers.
Compliance: OneLogin complies with GDPR and PCI DSS, and is certified for SOC, ISO, and CSA STAR. It is also part of the FFIEC/GLBA and NIST Cybersecurity initiatives.
Pricing: OneLogin’s multi-factor authentication costs $2/user/month, while its SmartFactor authentication costs $5/user/month. SSO is available as an add-on for $2/user/month.
Editorial comments: OneLogin is ideal for a business that is looking to integrate 2FA into multiple applications. Users say that the reports and user behavior analytics lack detail. They also report jerky session management, with users being logged out without warning.
7. OneSpan
OneSpan is one of the leading providers of digital security and anti-fraud solutions.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: OneSpan Cloud Authentication supports a set of WebAuthn extensions for FIDO2-based authentication.
  - Device state check: It checks for device state in real time during every authentication request.
- Adaptive authentication: It supports adaptive authentication by calculating the risk of each request in real time.
- Analytics:
  - Dashboard: OneSpan Risk Analytics is a comprehensive, real-time fraud detection solution that can be implemented along with its authentication solution.
  - Device security profiles: It maintains the security profiles of all devices along with historical data to enable fraud detection.
  - Visibility into auth attempts: It provides insights into all authentication attempts.
- Reporting and logging: OneSpan provides basic logs and reports that can be used for compliance audits.
- Integration: It provides APIs and SDKs to integrate with other solutions. It also has integrators that are triggered by events.
- Self-service and account recovery: OneSpan provides a self-service portal. It allows password resets by users.
Authentication factors supported: It supports FIDO U2F-, UAF-, and FIDO2-based authenticators such as Digipass hardware authenticators, key tokens, and display cards. It also supports mobile push notifications, TOTP using a mobile authenticator app, and biometrics.
Supported devices: It supports Windows, macOS, iOS, and Android.
Compliance: It complies with SD2, NYDFS, GDPR, MOBILE Act, and PCI DSS, among others.
Pricing: OneSpan needs to be contacted for authentication pricing.
Editorial comments: OneSpan’s encrypted offerings and compliance-ready solutions make it an ideal solution to be used by finance-based and banking organizations. It also makes perfect sense for those apps that require banking transactions. However, while opting for OneSpan’s products, maintenance costs would need to be considered beforehand.
8. Ping Identity
Established as early as 2002, Ping provides federated identity management and self-hosted IAM solutions to web identities and single sign-on solutions.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: Ping Identity uses WebAuthn to integrate with biometrics and security keys.
  - Device state check: PingOne Risk uses analytics to check device risk levels before authentication.
- Adaptive authentication: It supports risk-based adaptive authentication.
- Analytics:
  - Dashboard: Ping Identity’s dashboards provide real-time data on enrollment, user status, and authentication types.
  - Device security profiles: PingOne Risk evaluates risk signals with in-depth user behavior insights to make better authentication decisions.
  - Visibility into auth attempts: PingFederate logs authentication events to enable security audits.
- Reporting and logging: It provides basic reports about admin activity, user behavior, SSO summary, policies, and user provisioning.
- Integration: It provides MFA for web apps, VPN, SSH, Windows login, Mac login, RDP, AD FS, and Azure AD.
- Self-service and account recovery: PingFederate is the self-service portal for end users. It allows users to reset passwords and enable accounts.
Authentication factors supported: PingID supports FIDO2 biometrics, security key, desktop soft token, authentication app for push notifications, OATH token, and YubiKey’s Yubico OTP hard token. It also provides email, SMS, and voice OTP.
Supported devices: It supports macOS, Windows, Android, and iOS.
Compliance: It is certified for ISO, SOC, ISSA, CSA STAR, FBI InfraGard, and OWASP. It also complies with privacy regulations such as CCPA and GDPR, as well as PCI DSS.
Pricing: Ping Identity’s pricing starts at $5/user/month.
Editorial comments: PingID is ideal for large enterprises that primarily run on the cloud. Users complain about the lack of a comprehensive dashboard to help admins with monitoring and maintenance. Reports are also very basic as compared to other solutions available in the market.
9. Secret Double Octopus
Secret Double Octopus specializes in passwordless authentication for enterprise environments.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: Authentication to web-based applications is performed using native browser support for WebAuthn.
  - Device state check: It supports remote authentication for devices already registered.
- Adaptive authentication: It provides adaptive, passwordless authentication.
- Analytics:
  - Dashboard: It has a centralized management dashboard.
  - Device security profiles: It does not give admins device security profiles.
  - Visibility into auth attempts: The management dashboard provides details of user login activity and new signups.
- Reporting and logging: Double Octopus provides basic reports.
- Integration: It extends the existing on-premise directory service. It also orchestrates multiple third-party authentication solutions, gradually helping to phase them out.
- Self-service and account recovery: It supports a self-service portal. In the case of a lost or forgotten authenticator, Octopus Authenticator generates a temporary credential to prevent employee downtime.
Authentication factors supported: Double Octopus uses authenticator apps for push notification-based authentication, biometrics, hard keys such as YubiKeys, and voice-based authentication.
Supported devices: It supports iOS, Android, VPN, and leading web browsers.
Compliance: It complies with GDPR and CCPA.
Pricing: Double Octopus has four packages: Octopus Lite, Starter, Pro, and Enterprise. Pricing is available on request.
Editorial comments: Secret Double Octopus is ideal for organizations looking to move into a passwordless architecture. While it may not be a regular 2FA solution, we’ve added it to the list as a strong passwordless contender. Users of Double Octopus report that onboarding with the solution has a learning curve, after which it gets easier. It also boasts a fail-proof offline authentication mode.
10. Yubico
Yubico’s hardware YubiKeys are the most used security keys for authentication across all major industries.
Key features:
- Remote work support:
  - FIDO-based/WebAuthn support: YubiKey supports multiple protocols such as FIDO2/WebAuthn, U2F, Smart card, OpenPGP, and OTP.
  - Device state check: Yubico does not check for device health.
- Adaptive authentication: It is largely hardware-key based and is mostly used in tandem with another adaptive 2FA solution.
- Analytics:
  - Dashboard: YubiKey Manager helps with the setup.
  - Device security profiles: It does not maintain a list of device security profiles.
  - Visibility into auth attempts: It maintains the information of all authentication attempts.
- Reporting and logging: Yubico provides basic analytics and reporting.
- Integration: YubiKey is usually used in tandem with other 2FA solutions. It integrates with Windows’ and Mac’s various login options.
- Self-service and account recovery: Users can self-enroll through a web portal. The Yubico Authenticator app helps back up security codes. Yubico allows a second YubiKey or an alternate 2FA method for recovery.
Authentication factors supported: YubiKey is primarily a hardware-based key. Yubico is also coming up with YubiKey Bio, which uses fingerprints.
Supported devices: YubiKey works with Windows, macOS, Linux, iOS, and Android devices. It does not require any extra software to be downloaded. It supports USB-A, USB-C, Lightning, and NFC. It secures both computers and mobiles.
Compliance: Yubico is FIPS-certified and complies with DoD regulations. It also complies with GDPR and HIPAA.
Pricing: YubiKeys are priced based on hardware capabilities. It starts at $45 per key and goes up to $75.
Editorial comments: Yubico is a good option for large enterprises looking to step up security with their existing 2FA setup. It is more expensive than other software-only solutions but is undoubtedly more secure. Users report that it needs more intuitive interfaces and documentation.
Let’s look at the feature comparison of the above solutions.
Solution/Parameter | Auth Factors | Supported Systems | Pricing |
---|---|---|---|
Auth0 | Security keys, biometric devices, OTP using Google Authenticator, etc., Push notifications via Auth0 Guardian, and voice/email | Windows, macOS, iOS, Android, Chrome | Free up to 7000 users, B2C Essentials: $23/month/10000 users, B2C Professional: $240/month/10000 users |
CyberArk Identity | FIDO2 keys, virtual and hardware tokens, OATH-based mobile authenticators, push notifications, SMS messages, emails, interactive phone calls, security messages, and derived credentials | Windows, macOS, iOS, and Android | Centrify Application Services and Centrify Endpoint Services: $5/user/month, Infrastructure Services: $22/user/month, Analytics: $2/user/month |
Duo | Duo Push for push-based 2FA, U2F, biometrics, tokens, and passcodes via mobile device | Android, Windows, macOS, iOS, Linux and various VPNs. | Duo MFA: $3/user/month |
Entrust Datacard | OTPs, display cards, grid authentication, biometrics, digital certificates, device authentication, mobile smart cards, and SMS soft tokens | Windows, macOS, iOS, Android, Blackberry, and Windows Mobile | Contact company for pricing |
Okta | Passwords, security questions, SMS/voice/email, push verification, YubiKey OTP, U2F, and WebAuthn | Windows, macOS, iOS, Android, and VMware | MFA: $3/user/month, Adaptive MFA: $6/user/month, SSO: $2/user/month |
OneLogin | OTP, push notifications, email, SMS, voice, and WebAuthn for biometric factors | Windows, macOS, iOS, Android, and all popular web browsers. | MFA: $2/user/month, SmartFactor Authentication: $5/user/month. SSO: $2/user/month |
OneSpan | FIDO U2F, UAF, and FIDO2 based authenticators such as Digipass hardware authenticators, key tokens and display cards, push notifications, TOTP using a mobile authenticator app, and biometrics | Windows, macOS, iOS, and Android | Contact company for pricing |
Ping Identity | FIDO2 biometrics, security key, desktop soft token, app for push notifications, OATH token, YubiKey’s Yubico OTP hard token, and email, SMS, and voice OTP | macOS, Windows, Android, and iOS | Ping Identity: starts at $5/user/month |
Secret Double Octopus | Push notification, biometrics, hard keys like YubiKeys, and voice-based | iOS, Android, VPN, and leading web browsers | Contact company for pricing |
Yubico | Hardware keys and fingerprinting | Windows, macOS, Linux, iOS, and Android devices; USB-A, USB-C, Lightning, NFC | YubiKey: starts at $45 |
Takeaway
Every organization must choose a two-factor authentication solution based on its infrastructure and operational requirements. A solid 2FA solution needs to scale and diversify with the organization. There is no one-size-fits-all 2FA solution in the market. Finding the right two-factor authentication solution for an organization depends on its business policies, customer services, existing infrastructure, and available resources. The chosen solution must be able to scale and adapt to newer technologies as the company grows.