16

Have you used, and would recommend, an alternative to RSA SecurID for two-factor authentication?

Toto
  • I'd be grateful if the answers contained the OS on which the solution was implemented – Martin M. Jun 10 '09 at 12:34
  • To help us provide you better answers can you tell us what problems you have with the RSA solution? Is it price? Features? Security model? – Richard West Jun 10 '09 at 12:52
  • Basic problem: I don't like choosing a product without considering alternatives. – Toto Jun 10 '09 at 13:01
  • Product and service recommendations, including alternatives recon, is off topic per the updated [faq](http://serverfault.com/faq). – sysadmin1138 Mar 22 '12 at 23:12

14 Answers

16

This is a relatively new startup company but I think their product is one of the most interesting out there for 2 factor authorization.

http://www.yubico.com/products/yubikey/

  • It's smaller than the SecurID key fob.
  • Has no batteries.
  • Doesn't rely on a user to read and retype a number.
  • Doesn't require any drivers on the computers.
3dinfluence
5

I have previously worked with CRYPTOCard to perform both Windows and Linux authentication. When looking at it over RSA SecurID it was more the total cost of ownership that was a key factor for consideration. With CRYPTOCard the tokens were manageable by the security administrator directly without having to send it back like with RSA. When the battery died the admin could change the battery and reprogram the token. With RSA when the battery died you would have to send it back and have it replaced which meant having to have extra tokens on hand so that they could be quickly replaced. This is the same situation I've experienced with Secure Computing Safeword tokens.

Jeremy Bouse
5

On a smaller scale you can use Google Authenticator.

There is a pretty straightforward PAM module available for it.

http://code.google.com/p/google-authenticator/

Chris Traweek
3

I have to manage a network where smartcards are in place. They are an OK alternative -- keep in mind, however, that you are now placing pieces of hardware that will fail and have driver issues at every single workstation in your organization. You will also have to license software that will read the smartcard and a machine to create, update, and fix the smartcards. It's a real PITA. I really, really wish the organization I worked for had opted for SecurID instead. Users can lose a smartcard just as easily as a key-chain sized number generator.

In short -- I wouldn't recommend anything else for two-factor authentication. SecurID is solid and it works.

GNUix
2

Check out smart cards.

Users authenticate to the Windows AD. In use by the DOD.

Here is a Microsoft planning guide.

http://go.microsoft.com/fwlink/?LinkId=41314

MathewC
2

If you're not averse to running your own PKI infrastructure then we've had good long-running success with Aladdin's eTokens, which are USB two-factor auth.

We've implemented them in a huge range of scenarios - web applications, VPN auth, SSH auth, AD logins, shared password lists and web SSO password stores.

Dan Carley
2

We went with Entrust, much cheaper than RSA/Vasco etc...

http://www.entrust.com/strong-authentication/identityguard/tokens/index.htm

1

After 4 years of fighting with RSA SecurID we switched to the Gemalto .NET smart card.

Why we don't like RSA SecurID:

  • Every month we have some problems with some user who was unable to log on to his machine. The only solution was to connect to the RSA server software and try to trace the reason by watching logs.
  • Their server software is really hard to use and unintuitive. We had only one guy who barely knew how to use it.
  • You must buy new tokens every two years, then you must switch the active token for each user. Sometimes it works, sometimes not. You never know.
  • You must install their software on the Domain Controller, and you had better not remove it or you will not be able to log on to the DC.
  • You must install their logon window on each machine in the domain.
  • You cannot allow the use of both password and SecurID for a specific user.
  • Their support/documentation is awful.
  • Laptop users were unable to log on at home - and cached credentials never worked on our machines.

Why we chose Gemalto .NET:

  • It's a smart card which is completely supported by Windows. All drivers are on Windows Update.
  • You don't need to buy new tokens every few years, just renew certificates.
  • It can be programmed for special use if you need something else (other than simple logon).
  • Users can log in using their passwords if your CA server fails for some reason, but you can force them to use the smart card if you want.
  • All smart card API/software is rather well documented by Microsoft.
SeeR
1

One SecurID challenger: Vasco / Digipass

Mathieu Chateau
1

We are currently evaluating whether 2 factor authentication over SMS will be an acceptable alternative to SecurID or other access card related solutions. Obviously this is no good if you are using mobile applications (the application is running on the same device on which the SMS message is received).

In my case, this is only for remote access/VPN and we are looking at the Barracuda SSL VPN.

Doug Luxem
1

You might also consider hosted RSA SecurID from a company like Signify, good for if you're only wanting a few devices for people.

SteveBurkett
1

On the all-software side there is

http://www.wikidsystems.com/

They have a free community edition.

Mike
1

You might want to also consider ActivIdentity. When I looked into 2FA, I liked this solution. They support SmartCards, USB Tokens, OTP Tokens, DisplayCard Tokens, Soft Tokens. We looked at this for Active Directory. I'm not sure of any other OS they support.

Kevin Garber
0

I'm a happy user of mobile-otp. A simple Java application for your mobile + some code you can invoke from bash / PHP / practically anything. And even a PAM module [which I have not used].

pQd