Duo Security vs Protectimus: Authentication Methods

You can find a general comparison of the Duo Security and Protectimus two-factor authentication solutions in the article “Duo Security vs Protectimus“. In it, we explore the features and technologies used by Duo and Protectimus, the availability of these solutions in cloud-based and on-premise forms, integration options and prices, and the authentication methods offered by each company.

Here, we describe the authentication methods available to Duo and Protectimus clients in greater detail, as well as examining each option’s pros and cons.

You can use this table to navigate the article more easily.

2FA app 2FA app
Push notifications Push notifications
HOTP tokens HOTP tokens
TOTP tokens TOTP tokens
U2F tokens OCRA tokens
SMS authentication Reflashable TOTP tokens
Voice calls SMS authentication
Backup codes Email authentication
Protectimus Bot

Duo Security

Duo Mobile 2FA app

Duo Push

Duo Security’s pride and joy. Push notifications were introduced to make the process of two-factor authentication as simple as possible. Instead of opening a 2FA app for one-time passwords generation, finding the code generated for the desired service, and then inputting 6 digits into a password entry window, the user needs only to unlock their smartphone and tap the “Approve” button. There’s another advantage: if a hacker attempts to gain access to the user’s account, a push notification will appear. The user can block the access attempt by tapping the “Deny” button. The Duo Mobile app can be synchronized with smart watches, so users can receive push notifications directly on their watches. It’s quite convenient. The main drawbacks are that it’s impossible to authenticate without internet access, and users may have to use their personal phones for business purposes.

HOTP and TOTP

The Duo Mobile app can generate one-time passwords using only the HOTP and TOTP algorithms (note that TOTP tokens can become desynchronized from the server time; Duo Mobile lacks a synchronization feature). HOTP passwords are used to log into accounts protected by the Duo two-factor authentication service if the user cannot receive push notifications. Support for the TOTP algorithm is included in order to facilitate the use of the app for authentication with third-party services not connected to Duo Security, such as Google, Dropbox, and GitHub.

Hardware tokens

HOTP tokens


The Duo Security two-factor authentication service supports hardware HOTP (HMAC-based One-Time Password) tokens from any vendor. It also sells its own HOTP tokens. It’s worth noting that while the HOTP algorithm does meet OATH (Initiative for Open Authentication) standards, this algorithm is outdated and cannot be considered sufficiently secure, particularly in the case of hardware tokens. The moving factor used to generate one-time passwords with the HOTP algorithm is a counter. If an attacker has the opportunity to gain control of the token for even a few minutes, the attacker can write down a few one-time password values and use them at any time. In the process, the actual user may also lose access to their account, as the token will become desynchronized from the authentication server.

TOTP tokens


Duo Security allows connecting third-party TOTP hardware tokens to its 2-factor authentication service but doesn’t recommend it as there is no functionality for time synchronization in its MFA system.

U2F tokens

The Duo Security two-factor authentication service also supports the U2F (Universal 2nd Factor) standard, developed by the FIDO (Fast IDentity Online) alliance in 2013. A hardware U2F token is connected to a computer via USB and activated by pressing a button on the token. The most well-known example of these tokens is Yubikey. They’re a convenient means of authentication, but these hardware tokens also have 3 drawbacks:

  • U2F tokens are often forgotten and left in computers;
  • Use of these tokens requires a USB port, which may not be present on (e.g.) a tablet;
  • If the token is connected to a device, it may be possible to infect the device with a virus or compromise it.

SMS authentication


If the user doesn’t have the capability or desire to use the app, Duo can send one-time passwords via SMS. The advantages and disadvantages of SMS authentication have been known for some time. Advantages: delivering one-time passwords via SMS is convenient; to enable SMS authentication, an administrator needs only the user’s phone number; no action is required on the user’s part. The main disadvantage is that SMS authentication is quite simply not secure. SMS messages are often transmitted in an unencrypted form. Mobile networks may have vulnerabilities, and SMS messages may be easily intercepted. The risk of SIM card replacement or infection of a user’s phone with a password-intercepting virus is also more significant. Reddit was hacked recently for this very reason — they were still using SMS authentication.

Voice calls


This authentication method is designed for cases in which the user cannot or does not wish to use an app, hardware token, or SMS. Duo can call any number, mobile or landline, and the user needs only to press a button on their phone. Among the advantages are the convenience of this method and the lack of an internet connection requirement. If you have access to a landline, you’ll always be able to authenticate. But how secure is this? If the call is routed to a smartphone, there are a few hundred known viruses that can answer the call and press the button required without the user’s knowledge.

Backup codes

If you lose access to your token, you can access an account protected by Duo’s two-factor authentication system using a backup code. In this way, Duo saves administrators from considerable headache. But remember: backup codes are always an added vulnerability. If they land in the hands of an attacker (and all they really need is a photo of the codes or a copy of a file containing them), the attacker will gain access to the victim’s account. The attacker will then have plenty of time to change the password, since in the case of backup codes, the second factor is valid for far longer than 30 seconds.

Protectimus

Protectimus Smart 2FA app

Push notifications

Push notifications in Protectimus Smart work the same way they do with Duo. When logging into a site, the user just needs to tap a “Confirm” button. People often don’t like two-factor authentication because it adds extra steps to the process of logging into an account. Push notifications make MFA simpler. The main advantage of push notifications is the convenience; the main disadvantage lies in the fact that authentication is impossible without internet access. (Feature in development.)

HOTP, TOTP, and OCRA

The Protectimus Smart app supports all 3 OATH algorithms for generating one-time passwords: HOTP, TOTP, and OCRA. This makes the app universal. It works with Protectimus’s service, as well as with all other third-party 2FA solutions. Like a hardware token, the app works in a standalone way — there’s no need for an internet connection or any other kind of network.

CWYS data signing

Thanks to OCRA, the Protectimus Smart application supports CWYS (Confirm What You See) data signing. One-time passwords are generated using the data of the user’s current transaction, so they’re useless if intercepted by an attacker.

Note also that the Protectimus Smart 2FA app can be additionally protected with a PIN code or fingerprint. You can even choose the length of the one-time password (6 or 8 characters, depending on system requirements), use the app in Russian or in English, and make a backup of all your tokens.

Hardware tokens

HOTP, TOTP, and OCRA tokens


Protectimus customers can choose OATH-certified HOTP, TOTP, and OCRA hardware tokens with hard-coded shared secrets. Hardware tokens are more reliable than other methods of one-time password delivery. They work in a standalone fashion and aren’t vulnerable to viruses, excluding the possibility of an OTP being intercepted during delivery. In addition, Protectimus’s connection-free tokens can’t be left behind in a USB port (as often happens with U2F tokens). OCRA tokens enable you to achieve a particularly high level of security, as the variable used in OCRA takes on a new value each time, valid only for a single transaction. Our tokens can be used directly with the Protectimus service or with other two-factor authentication systems, if the administrator can input the shared secret in the system.

Reflashable TOTP tokens

Protectimus Slim NFC hardware TOTP tokens are unique, since the user (or administrator) can assign a shared key to the token on their own. All you need to reflash the token is an Android smartphone that supports NFC. The reflashing app, Protectimus TOTP Burner, is available for free through Google Play.

This is the most secure method of generating one-time passwords we know of today. These OTP tokens have all the advantages of standard tokens (standalone operation, invulnerability to viruses and OTP interception). However, even the shared secret is known to nobody but the user (unlike the typical situation, in which the shared secret is given to the 2FA provider by the token producer, and then to the customer by the 2FA provider).

Reflashable tokens can be connected to practically any service that supports two-factor authentication. Protectimus Slim NFC tokens are often purchased for individual use or to replace apps in companies with an existing two-factor authentication system, but where hardware tokens are not already being used.

Thus, reflashable tokens have quite a few advantages: reliability, universality, and the ability to reflash them for use with a different resource. There’s only one disadvantage: the token-flashing app is only available for Android smartphones.

Support for third-party tokens


For customers that already have hardware HOTP, TOTP, or OCRA tokens and their associated shared secrets, we support connecting these tokens to our system. This applies to any token from any vendor. The same goes for software-based tokens, too.

SMS authentication

SMS authentication is outdated, but convenient. The downsides to using this authentication method are these: messages are transmitted in an unencrypted form and can be intercepted; attackers can swap out SIM cards or infect smartphones with a virus that intercepts one-time passwords; SMS messages are the most expensive option, as the customer must bear the cost of sending the messages. It is much safer and cheaper to use messaging service chatbots, which we discuss below.

All the same, some clients still prefer to use other authentication methods apart from SMS messages, so we continue to make this option available. To make SMS-based two-factor authentication more secure, you can enable CWYS data signing feature.
Connecting your own SMS provider to the on-premise platform: Customers who have favorable contracts with an SMS provider and choose to use SMS-based password delivery can easily connect their provider to the Protectimus on-premise platform using SMPP.

Email authentication

Delivering one-time passwords via email is just as convenient as sending SMS messages, but emails are free. To set up email-based authentication, administrators just need their users’ email addresses.
But once again, this isn’t the best 2FA approach from a security standpoint. The level of security depends entirely on how well-protected the email account is. The device on which a user logs into their inbox to open messages containing one-time passwords may also be infected with a virus.

Protectimus Bot

One-time password delivery using chatbots on messaging services. Currently, Protectimus is the only company that offers this option. Users don’t need to install any additional apps; everything they need is already available in their favorite messaging apps. Just connect to the Protectimus Bot chatbot on Telegram, Viber, Facebook Messenger, or whatever other messaging service you use and Protectimus will send you confirmation requests right there.

It’s just as convenient as using push notifications. Users just need to press “Accept” to confirm an action, or “Deny” to block authentication.

In addition, customers can use the chatbots to send their users any other notifications they wish and receive feedback from them.

Messaging services are far better protected from attacks than SMS, all messages are encrypted, apps can be additionally protected with a PIN code or biometrics (depending on phone support), and two-factor authentication can even be enabled in order to access messaging services themselves. The disadvantages are the need for an internet connection and some self-control — so as to not leave a messaging app open on multiple devices at once.

Conclusions

Both two-factor authentication providers, Protectimus and Duo, offer their users a wide range of one-time password generation and delivery methods.

It’s important to note that all authentication methods offered by Protectimus meet OATH (Initiative for Open Authentication) standards.

Duo’s two-factor authentication solution works on different principles, using asymmetric cryptography. For this reason, not all authentication options offered by Duo meet OATH standards. You can read more about these differences in “Duo Security vs Protectimus” under “Technologies”.

Duo supports SMS messages, voice calls, hardware HOTP tokens, and U2F tokens, but users generally choose Duo specifically for its mobile app with push notification support.

Unlike Duo, Protectimus does not support U2F tokens and voice calls, but it does offer other, more modern alternatives: the Protectimus Slim NFC reflashable hardware TOTP token and one-time password delivery via messaging services.

Features

Duo Security

Protectimus

Push notifications yes yes
2FA app yes yes
Hardware HOTP tokens yes yes
Hardware TOTP tokens yes1 yes
Hardware OCRA tokens no yes
Hardware U2F tokens yes no
SMS yes yes
Email no yes
Voice calls yes no
Messaging services chatbots no yes2
Backup codes yes no
  1. Duo Security allows connecting third-party TOTP hardware tokens to its 2-factor authentication service but doesn’t recommend it as there is no functionality for time synchronization in its MFA system.
  2. Currently, Protectimus Bot is available on Telegram, Viber, and Facebook Messenger

Read more

Image and logo source: duo.com

Author: Cyber Max

Max has a great experience in various fields of IT. The main service areas he is involved in are financial services solutions, web development, mobile device management and security solutions. In the previous projects Max has acted as initiator, architect, developer, mentor, program/project manager and co-founder.

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This