Duo Security vs Protectimus: Features

In Duo Security vs Protectimus, we touched on all the aspects of Duo and Protectimus two-factor authentication solutions. We examined the technologies these companies use, their methods of delivering one-time passwords, the availability of an API and pre-made plugins for integration, pricing, availability in cloud-based and on-premise forms, and — briefly — the features of each solution.

In this article, we describe in greater detail the features available to administrators and users of the Duo and Protectimus multifactor authentication services. You can use this table to navigate the article more easily.

User self-service User self-service
Geographic filters Geographic filters
Network- or IP-based access control Adaptive authentication
Role-based access policies Differentiation and delegation of authority within the system
Monitoring and identification of vulnerable devices Ability to assign different types of tokens to different users
Time-based filters
CWYS (Confirm What You See) data signing functionality

Duo Security


Note: Nearly all features examined in this section can be activated only with Duo’s most expensive payment plans, Access and Beyond. Self-service is also available in the Duo MFA basic plan.

User self-service


Users can issue and manage tokens themselves. This saves administrators time. Saving administrators time means saving the company money, which is always good.

Geographic filters


These allow administrators to grant access to a resource only from a specified geographic location. Or, they can deny access from certain countries (for example, North Korea or Russia).

Network- or IP-based access control


This feature is also referred to as adaptive authentication by Duo. It gives administrators the ability to block access to a resource from anonymous networks (such as Tor). Access can also be allowed or denied from a specific range of IP addresses.

Role-based access policies


This makes it possible to impose stricter authentication rules for specific users or groups of users, depending on their roles and their levels of access to data. For example, an accountant might be able to choose any authentication method — SMS, push notifications, or a one-time password from an app — while a network administrator might be required to use a hardware token exclusively.

Monitoring and identification of vulnerable devices

This unique technology allows you to keep tabs on users’ “device hygiene” if they have the Duo Mobile app installed. Using this system, you can see how well-protected each device is: find out if biometric authentication and screen lock settings are configured; find out if antivirus is installed; find out what operating system, browsers, and plugins are installed, and whether they’re up to date; see if the device is personal or company-owned; see if the device has been rooted, etc. An administrator can block access to the system from devices that don’t meet preset requirements (for example, if no antivirus is installed).

Protectimus


Note: All features examined in this section are available with all payment plans, including the no-cost Protectimus Free plan.

User self-service


This feature takes a burden off of the system administrator’s shoulders, saving the administrator time and the company money. Users can issue and manage their own tokens.

Geographic filters


These allow restricting access to specific countries only. Access from specific countries (Russia, North Korea, etc.) can also be blocked.

Time-based filters


This feature allows granting access to a resource only at certain times; for example, only during business hours. This approach significantly increases the level of protection against unauthorized account access. It’s perfect for corporate environments: even if a user leaves their token at work, nobody can access the user’s account outside of working hours.

Adaptive authentication


This feature may also be called smart identification or user environment analysis. We created it to make things more convenient for users in systems where a certain amount of trust is permissible. Nobody loves typing in one-time passwords, so we devised a way of analyzing the user’s environment (browser name and version, operating system and language, window size and screen resolution, color depth, presence or absence of Java, plugins, etc.); a one-time password is required only once an established mismatch threshold has been exceeded.

Differentiation and delegation of authority within the system

Resources are used to logically group users and easily manage them. Several resources can be created within a single account, and several administrators can be appointed to manage different resources.

Let’s see how this works in a payment system, for example. There are 2 tasks in a payment system: protecting the end users and protecting the admin panel. For the end users, two-factor authentication should be, first and foremost, convenient. Access to the admin panel must be protected as reliably as possible.

In this case, one resource is created in the Protectimus service for the end users, where they can choose from a variety of tokens (they can purchase a hardware token, download a software OTP token, or connect to the Protectimus chatbot on any messaging service).

To protect the accounts of administrators, developers, and support staff, another resource can be created in the same Protectimus account with stricter authentication rules: only hardware tokens can be connected, and time- and location-based filters are set up. This way, you can conveniently manage different groups of users and establish different security requirements for them, based on each group’s level of access to sensitive data.

Ability to assign different types of tokens to different users


As described above, by assigning different users to different resources, administrators can control the selection of authentication methods available to users. If needed, the administrator can even create and assign a token to each user individually.

CWYS (Confirm What You See) data signing functionality

CWYS functionality protects against phishing, man-in-the-middle attacks, banking Trojans, injection attacks, and other kinds of malware designed to intercept one-time passwords. One-time passwords are generated based on data from the user’s current operation. For example, when transferring funds, the amount, currency, and user data are used to generate an OTP. This one-time password can only be used to confirm that particular operation being performed by the user. Even if an attacker intercepts such a password, it won’t work to confirm an illegal transaction. You can read more about how CWYS works here.

Conclusions

Many similar functions are available in Duo’s and Protectimus’s strong authentication services: user self-service, geographic filters, adaptive authentication, and the ability to impose custom authentication requirements for users with different access levels.

But there are differences. The specifics of Duo Security’s 2FA solution, where the main means of delivering OTPs is through a mobile application, became a reason for them to develop a system to monitor user devices and identify problems in protecting these devices. Protectimus 2FA service does not have this feature. However, it does include CWYS data signing — invaluable in payment and banking services — and time-based filters that allow you to boost the effectiveness of your corporate infrastructure protection several times over.

Features

Duo Security

Protectimus

Self-service yes yes
Geographic filters yes yes
Time-based filters no yes
Adaptive authentication yes yes
Role-based access policies yes yes
Monitoring and identification of vulnerable devices yes no
Data signing no yes

Read more

Image and logo source: duo.com

Author: Cyber Max

Max has a great experience in various fields of IT. The main service areas he is involved in are financial services solutions, web development, mobile device management and security solutions. In the previous projects Max has acted as initiator, architect, developer, mentor, program/project manager and co-founder.

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This