Blog Feed

Securing VPN with Two-Factor Authentication

Posted by on 19:36 in Protectimus Products, R&D | 2 comments

VPN, or virtual private network, is a popular and proven security tool used by companies across the globe to protect remote access to their corporate networks, especially today, when almost every company has switched to remote work, at least in part. A VPN creates an encrypted link between a user and the company's private network. While this shields the corporate infrastructure from direct attack, the VPN gateway itself is still exposed: anyone who holds a valid username and password can connect. This is where VPN two-factor authentication comes into play. Multi-factor authentication, or MFA, mitigates several VPN security risks by protecting the VPN from unauthorized access even when user credentials have been stolen. Let's take a closer look at how MFA helps you establish the best VPN security, how you can set up VPN two-factor authentication, and which VPN authentication methods to choose.

Why You Should Add 2FA to VPN Connections

Let's consider four main reasons you need to secure your VPN connection with two-factor authentication.

1. VPN Two-Factor Authentication Protects Against Phishing Attacks

Among the main reasons you should add VPN security is the trend of phishing attacks, which criminals carry out successfully in up to 17% of cases, according to the Duo report. Phishing is a social engineering technique: the attacker contacts a person via email, SMS, or a phone call, pretends to be a representative of a reputable organization, and persuades the victim to hand over their credentials. The phishing email or message often contains a malware attachment or a link to a fake website, but in every case the attacker's main goal is the user's credentials. If the phishing attack succeeds, the attacker obtains the login and password required to connect to the corporate network through the VPN. They can then act as that user, install malware, or steal sensitive data from the servers.

An extra authentication factor makes the network far harder to breach with stolen credentials alone. VPN two-factor authentication verifies the user's identity not only with a password but also with a time-based one-time password (TOTP). Such a one-time password is much harder to steal and reuse because it is valid for only 30 seconds, which guards against phishing and other threats such as brute force, keyloggers, and man-in-the-middle attacks. One caveat: a real-time phishing proxy that relays the freshly typed OTP to the VPN within that 30-second window can still get in, so user training and login monitoring remain important alongside 2FA.

Tweet by Chief Security Protector of Legal Things (@christiantoon), February 14, 2021: "If this shows how your relationship is with your employees then you're doing it wrong. #phishing #employeesstrongestlink" pic.twitter.com/sWswvxaeya

2. Two-Factor Authentication Is Required to Meet Compliance Requirements

While two-factor authentication is helpful for every company that uses a VPN for security, some need it more than others. Security regulations require companies to ensure a certain security level. For instance, PCI DSS (Payment Card Industry Data Security Standard) requires multi-factor authentication for all remote network access originating from outside the entity's network. Two-factor authentication is also advised for HIPAA (Health Insurance Portability and Accountability Act) compliance. If you are in the finance or healthcare sector dealing with sensitive data, VPN 2-factor authentication will help you keep your clients' data private and make sure it does not fall into the wrong hands.

3. VPN 2FA...

Remote Work: Dream or a Threat?

Posted by on 14:58 in R&D, Setup Guides | 4 comments

Remote work is a blessing for some people and a real curse for others. In this article, we have collected the tips that will help you organize remote work in your company: task trackers, modern communication tools, and secure remote access to corporate servers. We have used all our experience to make this difficult task easier for you. Importantly, when setting up a home office for your employees, you should think about cybersecurity. We are ready to help you with risk management to avoid potential hacker attacks and protect all remote network connections from third-party interference. In this article, you'll find the answers you need to feel safe during COVID-19 remote work (if you're wearing your mask properly, of course).

2020 changed the usual routine for many companies. IT giant Microsoft sent over 80% of its employees to work from home. Amazon, Facebook, Google, Uber, Twitter, and Apple are no exception. Part of our team is working remotely as well. Some business owners see this trend as a real challenge that forces difficult decisions. We propose treating it as an opportunity. What if you are already optimizing your resources and learning about new remote workstation software? It's time to use absolutely all resources so that the inevitable economic crisis does not become a blow to your company.

Table of contents

- Tools you need for remote work
  - Software for remote access
  - Cloud services
  - Messaging apps
  - Task managers and Customer Relationship Management systems
  - Software for video calls, presentations, and conference calls
- IT security threats you should be aware of to work remotely
  - Leakage of confidential information
  - Malware
  - Unauthorized access
- Cybersecurity: Where do you start?
  - Remote connection protection
  - Two-factor authentication
  - How to set up two-factor authentication for RDP
  - How to choose OTP tokens for work from home
  - Security Policies

Tools you need for remote work

When organizing work from home, you should provide your employees with all the necessary tools:

- the software they will use to access their workplaces remotely, such as RDP and VPN clients;
- the tools they will use to work with documents remotely, such as cloud services;
- the services they will use for communication, such as messaging apps, video conferencing software, task managers, and CRM.

Let's delve deeper into this topic and work out exactly what you need.

Software for remote access

The first thing to think about is what your employees will use while working from home. If your team uses corporate laptops, they can simply take them home for the quarantine period. But what if they are used to working on desktops? Don't panic, it's 2020: remote access is not rocket science these days. Before you get your feet wet, remember that each OS has its own characteristics:

- Windows. All you need is Microsoft Remote Desktop, which opens access to the computer remotely over RDP (Remote Desktop Protocol). The client is already part of the operating system; if it is missing, install the Microsoft Remote Desktop app from Microsoft. Keep in mind that only the Pro, Enterprise, and Server editions of Windows can accept incoming RDP connections, and that RDP should never be exposed directly to the Internet: put it behind a VPN or a Remote Desktop Gateway. We explain how to set up an RDP connection securely here.
- macOS. Apple users can use the built-in Screen Sharing app, Chrome Remote Desktop, or third-party programs.
- Linux. TeamViewer, AnyDesk, and similar software work well on this operating system.

Note that large companies can go even further. Citrix, VMWare, and Cisco offer...

New Programmable TOTP token Protectimus Flex

Posted by on 17:24 in Protectimus Products | 2 comments

You asked, and we delivered: the new programmable TOTP token Protectimus Flex in a key fob format is already here! Unlike our other popular programmable hardware token, Protectimus Slim NFC, the new Protectimus Flex TOTP token comes in the form of a key fob. This makes our latest two-factor authentication hardware token more comfortable to use and more durable. The security token can easily be fastened to your keys, so you won't forget it or lose it. There is a bonus feature in the new gadget: a battery indicator, which makes it easier to tell when it is time to order a replacement.

Like Protectimus Slim NFC, the new hardware token requires an Android phone with NFC to burn the secret key (seed) into the device. Protectimus Flex supports secret keys of up to 32 Base32 characters, which is 160 bits, the full HMAC-SHA-1 key size. And the new TOTP authenticator can generate OTP codes for any website that supports MFA apps, so you don't have to use the Protectimus MFA platform with it.

How the new TOTP hardware token Protectimus Flex works

A hardware security token is typically a small device with a display. These gadgets fall roughly into two types:

- classic tokens, delivered with the seed hardcoded; the user cannot change it;
- programmable tokens, designed so that a seed can be written into them multiple times.

Simply put, a programmable physical token functions just like the software token in any MFA app (but note that, unlike an MFA app, one programmable hardware token stores only one secret key at a time). These devices are safer than an app because the one-time password is generated not on a smartphone but on a device with no network connection, so malware on the phone cannot read the seed or the codes. That is why programmable hardware tokens often replace such apps where better-safeguarded OTP authentication is needed.

Besides, the programmable TOTP token Protectimus Flex supports time synchronization. When you add the secret key to the token, the Protectimus TOTP Burner application automatically sets the exact current time on the token. This avoids the time drift problem that is common with TOTP hardware tokens, whose internal clocks slowly diverge from the server's clock until the codes they generate fall outside the server's validation window.

Physical programmable tokens are our specialty. And while Slim NFC is in high demand, its card form factor is slightly uncomfortable for some customers. Form is the main difference between Slim and Flex; both devices work in the same way. We have already written about the TOTP algorithm the programmable tokens run; if you want to know every detail behind TOTP, you can read it here. And for a better understanding of the distinctions between classic and programmable physical tokens, as well as a detailed description of a programmable device, we refer you to this article.

Which sites can the Protectimus Flex hardware 2FA token be linked to?

A seed of up to 32 Base32 characters can be loaded into the programmable OTP hardware token Flex. The gadget can be used for TOTP MFA on one website, app, or service at a time. So, if the website meets these criteria, this TOTP hardware authenticator can be used with it....

Tesla App Two-Factor Authentication Coming Soon According to Elon Musk

Posted by on 17:57 in Industry News | 0 comments

Without a doubt, Tesla's electric cars are the best vehicles on the market right now. They attract people with modern design, high efficiency, and low cost of maintenance and operation. These vehicles are generally considered fairly theft-proof thanks to always-on GPS, which lets owners track their cars. But their numerous smart features also give attackers a large surface to work with. That is why two-factor authentication has become one of the most awaited features among Tesla users. The good news is that Tesla CEO Elon Musk recently tweeted that 2FA is now on the way. He did not provide a timeline, but admitted that it is "embarrassingly late".

Why Tesla users are looking forward to 2FA

Firstly, what is two-factor authentication? It requires evidence of two different kinds, which is what makes it reliable protection against account hijacking. Usually, a person must enter a username and password (something they know), and then confirm the login with a confirmation code (something they have) delivered to their phone by email, SMS, or a chatbot in a messaging app, or generated by a 2FA app or hardware authentication token. In some cases, biometric data (retina scan, fingerprint, voice recognition) can be requested: something they are.

At the moment, you only need a username and password to log in and unlock your car with the Tesla app. Imagine someone learns them. Fraudsters can simply install the application on their phone and get access to many of the functions of your electric car. Two-factor authentication minimizes this risk and provides strong protection for your account.

Tesla app two-factor authentication options to choose

If Elon Musk is to be believed, two MFA methods will be available to Tesla app users: SMS and 2FA applications. This means that the programmable hardware tokens Protectimus Slim NFC and Protectimus Flex will most probably also fit, as they are designed to replace 2FA apps.

SMS authentication

SMS authentication is one of the most popular solutions. It is convenient and saves the time needed to install additional applications or buy individual hardware tokens. It cannot be denied that SMS authentication is safer than a username and password alone. But it also has several disadvantages:

- SIM swapping, where an attacker takes over the victim's phone number;
- cellular network vulnerabilities;
- smartphone malware.

We described all these issues with SMS authentication in detail here. Of course, hacking your account won't be as easy as it is now, when the Tesla app works without two-factor authentication at all, but it is better to choose any other 2-factor authentication method.

2FA apps

The second popular solution is MFA applications that generate one-time passwords on your smartphone. In this case, OTP codes are not transmitted over any network, which eliminates half of the risks. This type of two-factor authentication is much more reliable than SMS. But it also has its drawbacks. Every time you connect to the network, you make your smartphone vulnerable, and any downloaded application may carry malware.

Programmable hardware token

As a rule, if an application supports two-factor authentication with an in-app authenticator, you can also connect the Protectimus Slim NFC or Protectimus Flex hardware token for Tesla app two-factor authentication. Protectimus...

6 MFA Myths You Still Believe

Posted by on 18:12 in Engineering, Protectimus Products, R&D | 0 comments

MFA, or multi-factor authentication, is by definition a technology that limits access to a user account unless the user presents two or more pieces of evidence proving that they are who they claim to be; moreover, the evidence must be of different kinds: something they know, something they have, or something they are. Overall, the approach is regarded as helpful, as it addresses many security threats, including phishing, brute force, keyloggers, some cases of social engineering, and MITM attacks. However, some persistent MFA myths make companies hesitant to use it, and we are ready to debunk the most common ones.

1. Only large companies benefit from using MFA

This misconception doesn't make sense if you think about it. The size of the company should have nothing to do with the security measures it employs. Even small companies handle sensitive information that should be subject to comprehensive control and security. Furthermore, a company doesn't need a huge staff to implement multi-factor authentication. There are two-factor authentication options that are easy and cheap to roll out, monitor, and maintain. And the downside of not using MFA can be even more devastating for a small company: a security breach can result in a massive loss of reputation and trust.

2. MFA should only be required from privileged users

The idea behind this myth is that only privileged users have access to sensitive data, so they are the only ones who should have to go through multi-factor authentication. This assumption is usually wrong: practically every company employee has access to some confidential data. The harmful side of this myth is that cybercriminals use it to their advantage. They target non-privileged users with phishing or other techniques, then use the access gained to move laterally through the corporate network and reach private or valuable data with ease.

3. It is expensive to enable 2FA

This myth stems from the early days of 2-step verification, when each hardware token cost around $100, so while it was secure, it wasn't cheap. Furthermore, tokens could be lost, making the process harder and even more expensive. Nowadays, the price of the Protectimus Two hardware token starts at $11.99 and drops for orders of 50 pieces or more. Moreover, there are much easier and cheaper ways of distributing one-time passwords: for example, for free through a dedicated authentication app or a chatbot in Telegram, Viber, or Facebook Messenger. Another thing to consider when calculating the price of MFA is how much you would lose without it in the case of a data breach.

4. Two-factor authentication ruins the user experience

Most companies work hard and spend a lot of money to make the user experience as smooth as possible. This is why it might seem annoying that, just for the sake of implementing multi-factor authentication, users would need to perform an extra step: entering a one-time password. While this is true, two-step authentication is becoming more and more common, and users often expect to perform this extra step. Furthermore, you should remember that technology...

How to Add Two-Factor Authentication to Outlook Web App (OWA)

Posted by on 18:38 in Protectimus Products, R&D, Setup Guides | 4 comments

If you are reading this article, you probably know the answer to the "what is OWA" question. But just in case: Outlook Web App (OWA) is the browser-based email client that gives Exchange 2010 and Exchange 2013 users access to their Microsoft Outlook mailbox without any local installation. With Exchange 2016 it was rebranded as "Outlook on the web". OWA provides access not only to email but also to other personal information such as calendar, contacts, and tasks, and is widely used by businesses all over the world. With such sensitive data involved, OWA two-factor authentication becomes imperative.

We developed two products for Outlook OWA 2FA. The first is Protectimus OWA, developed specifically for OWA integration. The second is Protectimus DSPA, which adds 2FA directly at the directory level (Active Directory, LDAP, databases) and thus adds MFA to everything linked to the corporate AD, LDAP, etc. Today we will give you an in-depth look at both methods: how they work, how to implement each solution, and which tokens support them.

Method 1. Use the Protectimus OWA 2FA Plugin

Our Exchange OWA plugin is designed to add Outlook 2-factor authentication to mail on Microsoft Exchange 2013, 2016, and 2019. The Protectimus installation wizard finishes the Microsoft MFA setup in 15 minutes at most.

How it works

With the Protectimus plugin, OWA multi-factor authentication is integrated with the OWA app only, nothing else. This method requires registering with the Protectimus cloud service or downloading our on-premise MFA platform (contact us), setting it up, and running the installation wizard. That is it. This product for OWA two-factor authentication runs either in the cloud or locally. The customer gets all the advanced features such as geo and time filters, IP filters, analysis of the user environment, etc. Every Protectimus token works with this plugin, and it supports third-party tokens as well.

Supported tokens

All MFA tokens are divided into software and hardware kinds; the divide comes from where the secret key (seed) is stored. Since we are focused solely on Microsoft Exchange login here, we won't go into the details of how 2FA works, but you can always read other articles on our blog for more on various MFA specifics. For now, let's just list the tokens Protectimus OWA two-factor authentication supports:

- Protectimus Slim NFC: hardware device that looks like a credit card. Programmable secret key, which means the token can be reprogrammed. 3-5 years battery life. Waterproof. $29.99/token.
- Protectimus TWO: hardware token, slightly bulkier than Slim NFC. Secret key is hardcoded, which means the token can be used for one app/website only. 3-5 years battery life. Waterproof. Shockproof. $11.99/item.
- Protectimus SMART OTP: software token, a 2FA app for iOS and Android. Protected with a PIN. Can be used on multiple apps/websites simultaneously. Free.
- Protectimus BOT: software token. OWA auth OTPs are delivered via chatbots in Telegram, Facebook Messenger, Viber. Free.
- Protectimus MAIL: software token. OTPs for OWA login are delivered via email (the passwords have to be sent to a different mailbox, not the OWA mailbox being protected). Free.
- Protectimus SMS: software token. OWA webmail login one-time passwords are sent via SMS. With the on-premise option, any SMS service can be employed. $2 per user...

OATH Initiative – the Main Goals, Tasks, Ins & Outs

Posted by on 16:26 in R&D | 0 comments

In providing our services, we often highlight that Protectimus is a coordinating partner of the OATH Initiative and that all our tokens and two-factor authentication software are OATH-certified. Not everybody is aware, however, of what the Initiative for Open Authentication (OATH) is and what its major goals are. That's why we decided to clarify the details: its tasks, its algorithms, and its overall contribution to open authentication, which is so important and useful today.

Table of contents:

- What is OATH?
- The Major Goals of the OATH Initiative
- OATH Authentication Algorithms
  - HOTP
  - TOTP
  - OCRA
- The Efficiency & Importance of OATH Open Authentication

What is OATH?

In a nutshell, OATH, the Initiative for Open Authentication, promotes industry-wide implementation of strong authentication based on a single reference architecture developed jointly by industry leaders using open standards. This allows strong authentication to be established as a widely available standard supported by any device on any network. In the long run, the Initiative can help significantly reinforce the security of users and service providers worldwide.

What is OATH-certified? OATH certification basically means supporting the Initiative's standards and building cybersecurity solutions on their basis. Protectimus, for instance, offers a two-factor authentication solution that is fundamentally based on the principles of open authentication and uses the OATH authentication algorithms HOTP, TOTP, and OCRA. Now that we have the basic OATH meaning figured out, let's discuss its major goals.

The Major Goals of the OATH Initiative

Being essentially a collaborative effort to advance modern authentication principles and make them more secure and reliable, the Initiative for Open Authentication makes the whole process more cost-efficient and transparent. It makes two-factor authentication an open standard: any company can build its own 2-factor authentication system on a single, highly reliable standard backed by the leading companies in the industry. The major goals of the Initiative can be listed as follows:

- making online transactions safer and more secure for both users and service providers through two-factor authentication;
- enhancing common security standards with a collaborative, open strong authentication standard;
- lowering the costs and effort required to integrate strong authentication into user systems;
- making authentication devices such as OATH tokens, smart cards, etc. more common and accessible;
- turning existing mobile devices such as tablets, laptops, and smartphones into OATH software tokens;
- promoting the use of OATH two-factor authentication algorithms and software across numerous network endpoints, such as Wi-Fi hotspots, servers, connected hardware, network switches, etc.

OATH Authentication Algorithms

Based on its universal goal of standardizing strong authentication, which includes establishing the protocols, algorithms, and data/input formats of a single standard, OATH needed concrete specifications to push the work forward. The collaborative effort thus produced three fundamental RFCs (Requests for Comments) describing the respective one-time password algorithms:

- RFC 4226 for the event-based HOTP algorithm;
- RFC 6238 for the time-based TOTP algorithm;
- RFC 6287 for the challenge-response OCRA algorithm.

OATH HOTP

HOTP (HMAC-based one-time password algorithm) generates one-time passwords from a secret key (a shared value) and a counter (the variable). The secret key is a string of bytes that the authenticating server shares...

TOTP Algorithm Explained

Posted by on 11:04 in Engineering, Protectimus Products, R&D | 2 comments

Time-based one-time password algorithm (TOTP) is the focus of this post. But before we delve deeper into the TOTP meaning, we'd like to mention the organization that is instrumental in the existence of the one-time password algorithms: OATH, the Initiative for Open Authentication. OATH is a collaboration of all sorts of specialists who made it their mission to create a truly secure and universal authentication standard for all to use. We at Protectimus are proud to be part of this collaborative effort. In this article, we will learn what OATH TOTP is, take a closer look at TOTP algorithm implementation and the way the TOTP mode works, and finally provide a full list of Protectimus TOTP tokens designed for time-based token authentication, to help you choose the one that suits you best.

Table of contents:

- What is TOTP
- TOTP background: HOTP
- TOTP vs HOTP
- TOTP synchronization problem
- Protectimus TOTP tokens

What is the TOTP algorithm

We've already answered the "what does TOTP mean?" question above. But what is TOTP authentication? The short answer is: a 2-factor verification method that uses time as the variable. Let's expand on this a bit and unravel how TOTP authentication actually operates.

The TOTP algorithm (RFC 6238) derives each OTP from two parameters: a constant value, the shared secret key or seed, and a variable, the current time step. Nothing is encrypted; the time step is fed as the message to an HMAC keyed with the seed (HMAC-SHA-1 by default), and the result is truncated to a short decimal code. Here is a TOTP algorithm example to illustrate:

- A user wants to log in to a TOTP 2FA-protected application or website. For OTP authentication to work, the user and the TOTP server must first share a static parameter (the secret key).
- When the client logs in to the protected website, they have to prove they possess the secret key. Their TOTP token combines the seed and the current time step and computes an HMAC value with the predetermined hash function.
- This value, truncated to a few digits, is the OTP code the user sees on the token.
- Since the secret key, the hash function, and the time step are the same for both parties, the server performs the same computation as the user's OTP generator.
- The user enters the OTP, and if it matches the server's value, access is granted. If the results of the calculations differ, access is naturally denied.

To explain the above example a bit: the seed is a string of random characters, usually 16–32 characters long (Base32-encoded, i.e. 80–160 bits). "Sharing" the key usually means scanning, with the client's TOTP app, a QR code that carries the seed generated by the server. Alternatively, the key is already programmed into their TOTP device. The time step is calculated from UNIX time, which starts on January 1, 1970, UTC. Time steps are 30 or 60 seconds, so the time value used for TOTP is the number of seconds elapsed since 00:00 January 1, 1970, divided by 30 or 60 and rounded down. Finally, the hash function is a cryptographic function (HMAC-SHA-1, or SHA-256/SHA-512 in newer deployments) that turns the seed and time step into a fixed-length digest; dynamic truncation then reduces that digest to a 6–8 digit code. This code is what we called the hash value above. All of this is specified in the TOTP RFC.

TOTP algorithm background: HOTP...
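The computation described above, as an added example that is not part of the original post or Protectimus's own code: a minimal RFC 4226 (HOTP) and RFC 6238 (TOTP) generator plus a server-side verifier that tolerates a step of clock drift in either direction (the time-drift problem the Flex post mentions). The Base32 seed string, the window size, and the function names are assumptions for illustration; the 20-byte seed and the expected codes are the reference test vectors from the two RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example (not from the original article): HOTP/TOTP per RFC 4226/6238.


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP: HMAC(secret, counter) followed by dynamic truncation.

    The seed is the HMAC *key* and the 8-byte big-endian counter is the
    *message*; nothing is encrypted, and the digest cannot be inverted.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP: HOTP with the counter replaced by floor(unix_time / step)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating `window` steps of clock drift each way.

    hmac.compare_digest keeps each comparison constant-time, so a client
    cannot learn matching digits from response timing.
    """
    now = int(time.time()) if at is None else at
    for delta in range(-window, window + 1):
        candidate = totp(secret, now + delta * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def seed_from_base32(seed_b32: str) -> bytes:
    """Decode the Base32 seed shown in a QR code or burned into a hardware token.

    32 Base32 characters carry 160 bits, the full HMAC-SHA-1 key size.
    """
    cleaned = seed_b32.strip().upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)                      # restore padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC reference seed, ASCII "12345678901234567890", written as the
    # 32-character Base32 string a hardware token would accept (constructed).
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(hotp(seed, 0))                # 755224   (RFC 4226 vector, counter 0)
    print(totp(seed, at=59))            # 287082   (RFC 6238 vector, 6 digits)
    print(totp(seed, at=59, digits=8))  # 94287082 (RFC 6238 vector, 8 digits)
    # A code from t=59 is still accepted one step later, but not two steps later.
    print(verify_totp(seed, "287082", at=89), verify_totp(seed, "287082", at=120))
```

The `window` parameter is the server-side answer to token clock drift: a wider window accepts codes from tokens whose clocks have wandered further, at the cost of letting a captured code live longer, so keep it at one step unless you have a resynchronization mechanism.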

OCRA Algorithm Explained

Posted by on 11:02 in Engineering, Protectimus Products, R&D | 0 comments

OCRA, or OATH Challenge-Response Algorithm, is the strongest of the OATH multi-factor authentication algorithms, because it allows a challenge input to be used for one-time passcode generation alongside the secret key (seed) and, optionally, a counter or time. The key difference between the challenge-response algorithm and the older OATH algorithms HOTP and TOTP is its mutual authentication mode, in which the server must answer the client's challenge as well. The end user can thus be assured of the server's authenticity, which significantly adds to the security. An OCRA token is usually a keypad-style device or an app. As the OCRA name suggests, the algorithm uses a challenge and a response to it. A notional challenge-response exchange looks like this:

- the website or app the client is trying to log in to provides a code (the challenge);
- the client enters this code into the token;
- the token returns another code (the response);
- the client enters this response code to log in.

In this article, we will take a closer look at OCRA and its background, see in detail how it works, and find out how Protectimus implements it.

OCRA Background: HOTP & TOTP

The challenge-response algorithm can be seen as an advanced HOTP, the logical next stage of its evolution. Here, instead of employing only a counter as HOTP does, we can feed any data (including the time, as in TOTP) into the computation as an authentication challenge.

HOTP

OATH has been working on OTP algorithms since 2004. The initial outcome of those efforts was the HMAC-based One-Time Password algorithm, HOTP, published by the IETF (Internet Engineering Task Force) as RFC 4226 in 2005. The HOTP algorithm generates one-time passwords from a secret key and a counter. The token's counter increments each time the button on the device is pressed; the server's counter increments with each validated OTP. We've already published an article on HOTP, so we won't go into details here. Suffice it to say that the algorithm had a few drawbacks, and since technology evolves fast, new security challenges arise fast as well. So OATH continued its work in pursuit of the most trustworthy verification method.

TOTP

The next extension was drafted in 2008 and published as RFC 6238 in 2011. Unlike HOTP, the new method, named Time-based One-Time Password or TOTP for short, does not use a counter for server-user synchronization but generates a password based on the current time. The advantage of a TOTP password is its limited lifetime, usually 30-60 seconds. The end user's TOTP token holds a secret key and the current time value; these two go through a keyed hash (HMAC with SHA-1, SHA-256, or SHA-512), and the result is truncated, which is how we get the one-time password sent to the server. The server in turn has the same secret key as the user's token and, naturally, the same time value, so it performs the same calculation and compares the results.

OCRA

Finally, OCRA authentication was published in 2011 as IETF RFC 6287. The OCRA algorithm extended TOTP further by introducing the challenge-response mode for calculating OTP values. The key difference of challenge-response authentication from the older...
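The challenge-response exchange described above, as an added example that is not part of the original post or of Protectimus's implementation: a small RFC 6287 OCRA client/server for suites of the form OCRA-1:HOTP-<hash>-<digits>:[C-]Q<format><len>, including the section 6.2 mutual mode in which the server must answer the client's challenge before the client answers the server's. Session data, PIN hashes and timestamps are deliberately left out; the function names and the "CLI"/"SRV" challenge prefixes are assumptions for illustration, and the expected codes are RFC 6287 reference vectors for the 20-byte test key.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Added example (not from the original article): minimal OCRA per RFC 6287.


def _truncate(mac: bytes, digits: int) -> str:
    """HOTP dynamic truncation (RFC 4226 section 5.3), reused by OCRA."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _encode_question(fmt: str, question: str) -> bytes:
    """Encode the challenge as the fixed 128-byte Q field, right-padded with zeros.

    A numeric challenge is converted to its hexadecimal representation first,
    as the RFC's reference implementation does.
    """
    if fmt == "N":
        return bytes.fromhex(format(int(question, 10), "x").ljust(256, "0"))
    if fmt == "A":
        return question.encode("ascii").ljust(128, b"\x00")
    if fmt == "H":
        return bytes.fromhex(question.ljust(256, "0"))
    raise ValueError(f"unknown question format {fmt!r}")


def ocra(key: bytes, suite: str, question: str, counter: Optional[int] = None) -> str:
    """OCRA response: truncate(HMAC(key, suite || 0x00 || [C] || Q))."""
    _, crypto, data_in = suite.split(":")
    _, algo, digits = crypto.split("-")                 # e.g. "HOTP-SHA1-6"
    msg = suite.encode("ascii") + b"\x00"
    for field in data_in.split("-"):
        if field == "C":
            if counter is None:
                raise ValueError("suite requires a counter")
            msg += struct.pack(">Q", counter)           # 8-byte big-endian counter
        elif field.startswith("Q"):
            msg += _encode_question(field[1], question)
        else:
            raise ValueError(f"data input {field!r} not supported in this example")
    mac = hmac.new(key, msg, getattr(hashlib, algo.lower())).digest()
    return _truncate(mac, int(digits))


def new_numeric_challenge(length: int = 8) -> str:
    """Server side: an unpredictable challenge, so a captured response cannot be replayed."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def verify(key: bytes, suite: str, question: str, response: str,
           counter: Optional[int] = None) -> bool:
    """Constant-time comparison of the submitted response with the expected one."""
    return hmac.compare_digest(ocra(key, suite, question, counter), response)


def mutual_exchange(key: bytes, suite: str = "OCRA-1:HOTP-SHA256-8:QA08") -> bool:
    """RFC 6287 section 6.2 mutual mode, both roles simulated in one process.

    1. client sends Qc;  2. server replies with Qs and Rs = OCRA(Qc||Qs);
    3. client checks Rs (server proven) and answers Rc = OCRA(Qs||Qc);
    4. server checks Rc (client proven).
    """
    qc = "CLI" + new_numeric_challenge(5)               # client challenge (assumed format)
    qs = "SRV" + new_numeric_challenge(5)               # server challenge (assumed format)
    rs = ocra(key, suite, qc + qs)
    if not verify(key, suite, qc + qs, rs):
        return False
    rc = ocra(key, suite, qs + qc)
    return verify(key, suite, qs + qc, rc)


if __name__ == "__main__":
    key = b"12345678901234567890"                        # RFC 6287 20-byte test key
    suite = "OCRA-1:HOTP-SHA1-6:QN08"
    print(ocra(key, suite, "00000000"))                 # 237653 (RFC 6287 vector)
    challenge = new_numeric_challenge()
    print(challenge, verify(key, suite, challenge, ocra(key, suite, challenge)))
    print(mutual_exchange(key))                         # True
```

Because the response is bound to a fresh challenge chosen by the verifier, a phished response is useless against a later login; in mutual mode the client gets the same guarantee about the server, which plain HOTP and TOTP cannot offer.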


Two-Factor Authentication Solutions Comparison: Google Authenticator vs. Protectimus

Posted by on 14:23 in Engineering, Protectimus Products | 0 comments

People often ask us to compare the Protectimus two-factor authentication solutions with Google Authenticator and explain how we're better. In this article, we'll try to answer these questions.

Firstly, keep in mind that Google Authenticator is only a one-time password generator app. One of our tokens, Protectimus Smart OTP, works similarly to this app. However, in any authentication system, what really matters is not the OTP token that generates one-time passwords but the server component that verifies them.

Unlike Google Authenticator, Protectimus is a comprehensive, complete two-factor authentication solution. After integrating it with your system, your employees' and users' accounts are protected by a second factor against unauthorized access. When we get questions asking us to compare the two-factor authentication solutions by Protectimus and Google Authenticator, we understand that the client is planning to develop a server component on their own but still isn't sure. That's why in this article we'll also discuss the advantages of developing a 2FA server component independently, as well as the difficulties it inevitably leads to.

Table of contents:
1. How the two-factor authentication solutions are built
2. What is Google Authenticator
3. What is Protectimus
4. The server component: SaaS or On-Premise
5. OTP tokens: hardware or software
6. Additional features of the Protectimus MFA solution
7. Advantages and risks of developing your own server component
8. In summary

How the two-factor authentication solutions are built

The foundation of every 2-factor authentication solution is the MFA server. The server component is the part of the two-factor authentication system that verifies the one-time passwords submitted by users in order to grant or deny access to a resource. Besides verifying OTPs, the server component may enforce additional access policies.
For example, the Protectimus two-factor authentication service can restrict access based on the user's geographical location, the time of the login attempt, and the user's IP address.

The second component any two-factor authentication solution needs is the MFA tokens (authenticators): the devices or apps that generate one-time passwords. Users keep them on hand to generate or receive codes when they log into their accounts. Authenticators come in many forms (hardware, software, SMS, email, messaging-service chatbots); the Google Authenticator app is one option. You can find out more about how HOTP, TOTP, and OCRA one-time passwords are generated and verified in this article.

What is Google Authenticator

Google Authenticator is one kind of MFA token: an app that generates one-time passwords using the TOTP and HOTP algorithms. It is available for free on Android and iOS. It is one of the components required for a two-factor authentication system, but it is not a complete system. Our own OTP tokens are likewise one-time code generators and only one part of a 2FA solution: a server that can verify the generated codes is also required. By the way, we do support Google Authenticator, so you can use it with our 2FA service instead of physical tokens. We also have our own, more advanced counterpart, the Protectimus Smart OTP software authenticator. To give you the whole picture: we also support other companies' OTP tokens that adhere to the OATH standards, and we can send one-time codes via...
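To make concrete what the server component does beyond matching a code, here is an added example (not Protectimus code, and not how its service is implemented) of a TOTP verifier in Python: it tolerates one time step of clock drift, refuses a replayed code by remembering the last consumed time step, locks the account after repeated failures, and applies the kind of source-IP and login-time policy the paragraph above mentions. `UserRecord`, `TotpVerifier` and the `allowed_ips` / `login_hours` fields are this example's own inventions; the sample secret is the RFC 6238 test key and the login attempts in the demo are constructed.

```python
"""Server-side TOTP verification: drift window, replay guard, lockout and access policy."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Tuple

STEP = 30  # RFC 6238 default time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Compact RFC 6238 generator: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class UserRecord:
    """Per-user state the verifier must persist (fields invented for this example)."""
    secret: bytes                        # shared seed; encrypt at rest in a real deployment
    last_step: int = -1                  # highest time step already consumed (replay guard)
    failures: int = 0                    # consecutive failed attempts (brute-force guard)
    allowed_ips: set = field(default_factory=set)   # empty set means any source IP
    login_hours: Tuple[int, int] = (0, 24)          # [start, end) in UTC hours


class TotpVerifier:
    def __init__(self, window: int = 1, max_failures: int = 5):
        self.window = window             # accept +/- this many steps of clock drift
        self.max_failures = max_failures

    def verify(self, user: UserRecord, code: str, now: int, source_ip: str) -> Tuple[bool, str]:
        """Returns (accepted, reason). Policy checks run before any OTP is computed."""
        if user.failures >= self.max_failures:
            return False, "locked"
        if user.allowed_ips and source_ip not in user.allowed_ips:
            return False, "ip_denied"
        start, end = user.login_hours
        if not start <= (now // 3600) % 24 < end:
            return False, "outside_hours"
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= user.last_step:       # this step, or an older one, was already used
                continue
            if hmac.compare_digest(totp(user.secret, step * STEP), code):
                user.last_step = step        # consume the step so the code cannot be replayed
                user.failures = 0
                return True, "ok"
        user.failures += 1
        return False, "bad_code"


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test key
    user = UserRecord(secret=secret, allowed_ips={"10.0.0.1"})
    verifier = TotpVerifier()
    now = 1111111109                      # one of the RFC 6238 sample times
    good = totp(secret, now)
    print("first use:   ", verifier.verify(user, good, now, "10.0.0.1"))       # (True, 'ok')
    print("replay:      ", verifier.verify(user, good, now, "10.0.0.1"))       # (False, 'bad_code')
    print("wrong source:", verifier.verify(user, good, now, "203.0.113.5"))    # (False, 'ip_denied')
```

`last_step` has to live in shared, durable storage: a verifier that keeps it only in memory will accept the same code again on the next node or after a restart, which is exactly the replay RFC 6238 tells verifiers to refuse. The window of one step is also the point where a home-grown server usually goes wrong in the other direction, by widening it to paper over drifting clocks and thereby multiplying the number of codes a brute-force attempt can hit.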
