Authenticators, a Side-by-Side Comparison

Authenticators, a Side-by-Side Comparison Blog | ProteqsIT

An authenticator is often a device (sometimes referred to as a token) or a mobile phone app, and on occasion one's email account may be used as one. At minimum it fulfills the second factor in multi-factor authentication, specifically "something you have". In most instances its purpose is to augment other authentication credentials by demonstrating user presence: by responding to the second-factor challenge, the user demonstrates possession of, or access to, the authenticator that supplies the response content or message.

AffirmID is an authenticator quite unlike all others. What follows is a comparison of AffirmID alongside a few of the most popular and well-respected brands that I consider representative of the market today.

I have attempted to remove bias from the comparison, however should you believe I failed to do so, send along your comments for inclusion in an update.

Authenticators Comparison Chart (AffirmID image; the chart's rows are explained below, with 'y' and 'Y' denoting partial and full support)

ID Affirmation – indicates those authenticators that actively verify the identity of the person in possession of the authenticator at the time of authentication.

Biometrics – indicates those that directly incorporate biometrics in the authentication process.

Factors – NIST SP 800-63B calls for multi-factor authentication at its higher assurance levels (AAL2 and AAL3 each require two distinct factors); it does not mandate a third factor. Additional factors strengthen the process only when they are independent of one another and come from different categories (something you know, something you have, something you are): a PIN that lives on the same phone as the app adds little once the phone itself is compromised.

  • AffirmID
    • Something you know, Security KEY.
    • Something you have, Mobile phone.
    • Something you are, behavioral biometrics (human behavioral traits).
  • YubiKey Token
    • Something you have, USB/NFC token. (When a relying party requires FIDO2 user verification, a PIN, or the fingerprint on the Bio models, can add a second factor.)
  • MS Authenticator
    • Something you know, PIN.
    • Something you have, Mobile phone.
  • DUO Authenticator
    • Something you have, Mobile phone.
  • RSA Authenticator
    • Something you have, Mobile phone.
  • Authy Authenticator App
    • Something you have, Mobile phone.
  • Google Authenticator App
    • Something you have, Mobile phone.

Note: mobile phone screen locks, though helpful when used, are optional and not enforced by the app, and are therefore not counted as an authenticator-app security factor.

Intent – a NIST recommendation: the user demonstrates intent to authenticate. Such a demonstration does not always indicate a human presence; a malicious app on the device can simulate the human input.

Presence – like intent, but stronger: it ensures that a human is in possession of the authenticator.

Possession – goes hand in hand with presence and by extension ensures that the human in possession is the one interacting with the authenticator.

Active – an authenticator that requires a human to take an active role in the authentication process, normally a gesture such as tapping a button.

Passive – authenticators that take a passive role in the authentication process. Simply displaying an OTP code is not active participation; a malicious app with access to the screen or to the seed can read or compute the code with no human present.

Backup – a data backup facility, considered a critical need by most, allowing account recovery when necessary. (Note that a cloud backup of OTP seeds also widens the set of places from which an attacker can steal them.)

Lock – prevents access and use except by the authorized person. The mobile device lock is optional and for this reason not counted. Device locks are also implemented with short PINs, patterns or passwords, the very class of weak credential an authenticator is meant to supplement.

TOTP/HOTP – indicates those authenticators that support two-factor authentication (2FA) using a standards-compliant one-time passcode (OTP): counter-based HOTP (RFC 4226) or time-based TOTP (RFC 6238). Authenticators using a non-standard OTP scheme are marked 'y'.

FIDO2 – the FIDO Alliance's current authenticator standard, comprising the CTAP2 device protocol (revisions 2.0 and 2.1 have been published) together with the W3C WebAuthn browser API; the earlier generation is U2F (FIDO 1.x).

U2F – the earlier FIDO Alliance protocol (FIDO 1.x), architecturally like FIDO2 and now subsumed by it (CTAP1 is the backward-compatible profile). It is WebAuthn, not U2F, that the World Wide Web Consortium (W3C) publishes. U2F's advantage is its simplicity: registration and authentication are its only two operations, with no PIN or resident-key machinery.

U2F Push – a non-standard protocol unique to AffirmID. It combines the value of a FIDO or U2F authenticator (an assertion signed over a fresh server challenge and bound to the origin) with the out-of-band delivery of push authentication. Binding the signed response to a per-request challenge is what removes the replay and man-in-the-middle relay risk that affects OTP-based authenticators; FIDO2 and U2F already provide that protection against phishing sites, whereas a plain OTP can be relayed in real time by a phishing proxy and reused within its validity window.

Push – like U2F Push and FIDO Push but without registering or using a U2F or FIDO authenticator: the phone receives the request, the human approves or denies it, and the decision is returned over the push channel. Avoiding the heavy hand of standards compliance leaves room to fit the authenticator to the need, and a per-request challenge gives the same protection against replay and relay. The caveat is that a bare approve/deny prompt is exposed to prompt-bombing (an attacker who already holds the password triggers prompts until the user taps approve), so the prompt should show request context and, ideally, require number matching.
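To show what the U2F Push and Push rows above mean by a challenge-bound exchange, here is an added example (not AffirmID's code, nor any vendor's) of a push flow in standard-library Python. The server issues a one-time nonce with request context, the phone app signs the human's decision together with that context using a key set at enrollment, and the server rejects unknown, expired, reused or tampered responses. Number matching is included as the usual defence against prompt-bombing. The symmetric HMAC enrollment key, the `PushServer`/`PhoneApp` names, the field layout and the request context are all this example's own assumptions; a real product would more typically use a per-device asymmetric key.

```python
# Added example, not AffirmID's or any vendor's code: a challenge-bound push exchange in
# standard-library Python. Server issues a one-time nonce plus request context; the phone
# signs the user's decision together with that context using an enrollment key (a
# symmetric HMAC key here, an assumption; real products typically use an asymmetric
# per-device key); the server rejects unknown, expired, reused or tampered responses.
import hashlib
import hmac
import json
import secrets

FIELDS = ("nonce", "device", "issued", "context", "decision", "typed")


def _canon(obj) -> bytes:
    """Canonical JSON so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()


class PushServer:
    def __init__(self, ttl: int = 60):
        self.ttl = ttl
        self.devices = {}  # device_id -> enrollment key
        self.pending = {}  # nonce -> issued challenge, consumed on first use

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.devices[device_id] = key
        return key

    def issue(self, device_id: str, context: dict, now: int):
        """Returns (challenge sent to the phone, match number shown on the login page)."""
        nonce = secrets.token_hex(16)
        match = f"{secrets.randbelow(100):02d}"
        self.pending[nonce] = {"device": device_id, "issued": now, "context": context, "match": match}
        return {"nonce": nonce, "device": device_id, "issued": now, "context": context}, match

    def verify(self, response: dict, now: int) -> bool:
        rec = self.pending.pop(response.get("nonce", ""), None)  # single use: a replay fails here
        if rec is None or now - rec["issued"] > self.ttl:
            return False
        try:
            body = {k: response[k] for k in FIELDS}
        except KeyError:
            return False
        key = self.devices.get(body["device"])
        if key is None or not hmac.compare_digest(_mac(key, body), response.get("mac", "")):
            return False  # decision or context altered in transit, or wrong device key
        if body["device"] != rec["device"] or body["issued"] != rec["issued"] or body["context"] != rec["context"]:
            return False
        # The human must have typed the number shown on the login page; a bombed prompt
        # approved blindly does not know it.
        return body["decision"] == "approve" and hmac.compare_digest(body["typed"], rec["match"])


class PhoneApp:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def respond(self, challenge: dict, decision: str, typed: str) -> dict:
        """Called after the app has shown challenge['context'] to the human and taken a gesture."""
        body = dict(challenge, decision=decision, typed=typed)
        return dict(body, mac=_mac(self.key, body))


def run_scenarios() -> dict:
    """Constructed exchanges (example data) showing which responses the server accepts."""
    srv = PushServer()
    app = PhoneApp("phone-1", srv.enroll("phone-1"))
    ctx = {"app": "vpn", "ip": "203.0.113.7"}  # constructed request context shown to the user
    out = {}
    ch, match = srv.issue("phone-1", ctx, now=1000)
    ok = app.respond(ch, "approve", match)
    out["approve"] = srv.verify(ok, now=1010)
    out["replay"] = srv.verify(ok, now=1011)          # same response again
    ch, match = srv.issue("phone-1", ctx, now=1000)
    wrong = f"{(int(match) + 1) % 100:02d}"           # user approved without the number
    out["wrong_number"] = srv.verify(app.respond(ch, "approve", wrong), now=1010)
    ch, match = srv.issue("phone-1", ctx, now=1000)
    forged = app.respond(ch, "deny", match)
    forged["decision"] = "approve"                    # attacker flips the decision in transit
    out["tampered"] = srv.verify(forged, now=1010)
    ch, match = srv.issue("phone-1", ctx, now=1000)
    out["expired"] = srv.verify(app.respond(ch, "approve", match), now=2000)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario is accepted. The nonce is deleted on first use, so a captured approval cannot be resubmitted; the MAC covers decision, context and the typed number, so neither can be altered after the human saw them; and the match number ties the approval to the login session the user is actually looking at.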

Loss Prevention – authenticators typically have no loss-prevention measures, which is a major risk factor. Those that do ensure that a lost authenticator disables itself, preventing malicious use.

Support Tickets – a built-in facility allowing the authenticator user to open a support ticket directly from the authenticator.

Private Certificates – some authenticator protocols use asymmetric cryptography based on certificates. The value of a certificate tends to fade with increased use, and some recommend that certificates be renewed after 100K uses. This option lets the enterprise address that concern by using its own certificates.

API – the application programming interface often relates to some associated cloud facility, indicated with 'y'. Others, marked 'Y', offer service APIs directly from the authenticator itself.