When looking for a reliable multi-factor authentication (MFA) solution, it’s easy to get lost in the variety of options available on the market. To help you navigate these choices, we’ve launched a series of comparison articles that examine how the Protectimus MFA platform stacks up against other prominent providers.
In this article, we’ll take a closer look at Protectimus and Rublon. Both companies provide comprehensive two-factor authentication (2FA) solutions, but differ significantly in deployment options, features, provided authentication methods, and customization options. We’ll walk you through the key differences in server-side deployment, supported technologies, core features, authentication methods, and pricing.
1. Server-Side Component
Key Difference:
- Rublon is a cloud-based solution.
- Protectimus offers both fully cloud-based and comprehensive on-premise MFA server deployment options.
Rublon
Rublon is a cloud-based two-factor authentication solution. This means Rublon hosts and manages all authentication servers in its infrastructure. When an organization activates Rublon MFA, the cloud platform handles all authentication logic, configuration, policies, and event logs. There is no option to deploy the authentication server on-premise — this makes Rublon easier to set up and manage, but limits its applicability in environments with strict data residency, privacy, or regulatory requirements.
The Rublon Admin Console is the central control point. From there, administrators can:
- Configure MFA rules and policies (e.g. IP allowlisting, adaptive access conditions).
- View authentication events and audit logs.
- Assign applications for protection, such as VPN, Microsoft 365, RDP, and ADFS.
- Add or remove users.
- Deploy Rublon’s connectors to protect systems and integrate with the Rublon cloud backend.
Users are authenticated through connectors or agents (e.g., Rublon Windows Logon & RDP agent, VPN plugin, SSO connector), which communicate with the Rublon cloud to verify credentials and deliver second factors like push notifications or TOTP challenges. These connectors are lightweight components that do not operate as full authentication servers, but rather serve as a bridge between local applications and the Rublon cloud.
There is no local fallback option — if the Rublon cloud service is unreachable (e.g., due to internet outage), MFA functionality will be affected.
Protectimus
Protectimus offers its clients a choice between two deployment options: a Cloud MFA Service or a Self-Hosted On-Premises MFA Platform. This flexibility caters to businesses of all sizes, from a small startup to larger companies and enterprises with strict security and compliance needs.
Protectimus Cloud Service
The cloud version of Protectimus MFA is a fully managed service hosted in secure, geographically distributed data centers. It allows organizations to:
- Quickly integrate MFA into their infrastructure with minimal setup.
- Avoid the overhead of maintaining authentication infrastructure.
- Scale easily as user count or service coverage grows.
- Access the Protectimus Administration Panel to set up the settings and reports.
All user data, OTP generation, policy enforcement, and access control are managed within Protectimus’ secure cloud backend. Integration usually happens through:
- API and SDKs (Java, PHP, Python).
- Pre-built plugins that include connectors for LDAP, Windows, RADIUS, ADFS, Azure AD, OWA, Citrix, VPNs, and others.
Protectimus Cloud appears to be very user-friendly for companies looking to lower their infrastructure management without sacrificing security.
Protectimus On-Premise Platform
For enterprises and government agencies that require complete control over their authentication system, Protectimus offers a full-featured on-premise platform. This platform is installed in the customer’s private infrastructure (local data center or private cloud), allowing them to:
- Control all authentication data locally.
- Operate in air-gapped or offline environments.
- Comply with internal and external regulations (e.g., GDPR, ISO 27001, national security requirements).
Key features of the on-premise version:
- Full-featured Admin Console identical to the cloud version.
- Support for all token types and authentication policies.
- Ability to configure integrations via the same APIs, SDKs, and plugins.
- Optional lifetime license (in addition to the subscription model).
It works well right away, but you can also customize it to meet your specific needs.
Since the on-premise platform has all the same features as the cloud version, clients can switch or change their deployment model whenever their needs change. They can even run a hybrid setup during the migration, which makes the transition easier and more flexible.
You can learn more about the advantages of cloud and on-premise deployment models in our article: “On-Premise 2FA vs Cloud-Based Authentication“.
![]() | ![]() | |
---|---|---|
Available in cloud | yes | yes |
Available on-premises | no | yes |
2. Features
Key Difference:
- Rublon focuses on simplicity and ease of use for cloud applications, offering core features like IP filtering and device trust.
- Protectimus provides more advanced access control options, transaction data signing (CWYS), and flexible multi-admin features for complex environments.
Rublon
Note: Most advanced features are only available in the paid Rublon Enterprise plan.
- Self-Service for Users. Users can enroll MFA devices like the mobile app via email invitation or during login.
- IP Filtering. Allows admins to permit or deny access based on IP address ranges.
- Trusted Devices. Users can mark devices as trusted to reduce login prompts, based on browser and IP.
- Application-Based Policies. Two-factor authentication can be selectively enforced per application or user group.
- Multi-Admin Console Access. Multiple admins can access the management dashboard.
- Basic Reporting. Offers logs of login attempts and device registrations.
Protectimus
Note: All features listed below are available with all payment plans, though some may require an additional fee.
- Self-Service for Users. Users can manage their authentication methods independently through a dedicated portal.
- Geographic and Time-Based Access Filters. Allows restricting logins by location and schedule.
- Role-Based Access Control. Apply policies based on user groups or roles.
- CWYS (Confirm What You See). Transaction data signing feature adds an extra layer of protection by showing transaction data on the token before approval.
- IP Filtering. Granular IP control to allow or block access by address or subnet.
- Adaptive Authentication. Adjusts the level of authentication based on behavioral, geographic, and device factors.
- Multi-Admin Support and Delegated Authority. Lets you assign different roles and permissions to different admins.
- White Labeling and Customization. Fully customizable interface, emails, and even token branding.
- Multi-Tenancy. Ideal for MSPs or organizations with separate branches or environments.
![]() | ![]() | |
---|---|---|
Self-service for users | yes* | yes |
Geographic filters | no | yes |
Time-based access filters | no | yes |
Adaptive authentication | yes* | yes |
Role-based access control | no | yes |
IP filtering | yes | yes |
Risk-based authentication | yes* | no |
Device trust policies | yes | no |
Data signing | no | yes |
*Feature availability notes:
- Self-service for users (Rublon): Available only via email invitation or at login; limited customization options outside of enterprise tier.
- Adaptive authentication (Rublon): Adjusts access based on risk level, device reputation, or network context, but lacks broader policy customization found in Protectimus.
- Risk-based authentication (Rublon): Offered primarily in Rublon Enterprise; based on preset risk profiles rather than custom logic or behavioral analytics.
3. Technologies
Key Difference:
- Protectimus supports more authentication protocols, including OATH HOTP, TOTP, and OCRA, and offers advanced transaction signing and programmable hardware tokens.
- Rublon focuses on ease of deployment with modern web-based MFA methods, but lacks support for key industry standards like OCRA and programmable token options.
Rublon
- Push-based authentication using public-private key encryption. Relies on asymmetric cryptography for secure push authentication, reducing the risk of credential theft.
- TOTP-based one-time passwords. Supports standard time-based OTPs compatible with apps like Google Authenticator and Microsoft Authenticator.
- Device trust and session management. Allows trusted devices to bypass 2FA during subsequent logins and manage trusted sessions centrally.
- Risk-based authentication (Enterprise only). Detects anomalies in login behavior and adjusts authentication demands, although it lacks the deep behavioral or AI-based analysis found in larger platforms.
- No support for OCRA or programmable hardware tokens. Rublon does not support transaction signing or token reconfiguration features available in more flexible MFA solutions.
- FIDO2 and U2F. Rublon fully supports U2F (Universal 2nd Factor) and FIDO2/WebAuthn compliant security keys for multi‑factor authentication.
Protectimus
- Support for all OATH-compliant algorithms (HOTP, TOTP, OCRA). Full compatibility with the industry-standard protocols (HOTP, TOTP, OCRA) ensures integration with a wide variety of systems and OTP token types.
- Transaction signing with OCRA. Adds a strong layer of protection by generating OTPs based on specific transaction data, ensuring integrity and preventing tampering or MITM attacks.
- Reflashable programmable TOTP tokens. Offers hardware tokens like Protectimus Slim NFC and Protectimus Flex that can be securely reprogrammed with new seeds, minimizing token waste and reducing costs.
- Flexible authentication policy engine. Enforces rules based on IP address, geolocation, time of day, user role, and device fingerprint.
- Multi-channel OTP delivery. Enables OTP delivery via hardware tokens, SMS, email, messengers (Telegram, Viber, etc.), and push, allowing coverage even in offline or mobile-restricted environments.
![]() | ![]() | |
---|---|---|
Asymmetric cryptography (Push-based) | yes | yes |
HOTP | no | yes |
TOTP | yes | yes |
OCRA | no | yes |
FIDO2 and U2F | yes | no |
Risk-based authentication | yes (Enterprise only) | no |
Transaction signing | no | yes |
4. Authentication methods
Key Differences:
- Rublon supports modern phishing-resistant authentication options like FIDO2/WebAuthn passkeys and U2F security keys. It also offers a mobile app for TOTP and push-based MFA.
- Protectimus supports a broader range of OATH OTP algorithms and delivery options, including programmable hardware tokens and unique OTP delivery via messaging apps like Telegram, Messenger, and Viber. It also includes data signing functionality (CWYS) for transaction-level security.
Rublon
- Push Notifications in Rublon Authenticator App:
- Rublon offers a mobile authenticator app that supports push notifications.
- Users can approve or deny access with one tap, simplifying the login process on web and desktop environments.
- Time-Based One-Time Passwords (TOTP):
- Rublon supports TOTP for generating one-time passwords that refresh every 30 seconds.
- Works with the Rublon Authenticator, Google Authenticator, Microsoft Authenticator, and similar apps.
- Hardware OTP tokens are not supported.
- FIDO2/WebAuthn and U2F Security Keys:
- Fully supports hardware security keys like YubiKey, Google Titan, etc.
- Provides phishing-resistant second-factor authentication or passwordless login options.
- Compatible with both web applications and Windows local/RDP logins.
- Passwordless Authentication via Passkeys:
- Allows passwordless login using FIDO2/WebAuthn passkeys on supported devices.
- Enhances user experience with biometrics and platform security.
Protectimus
- TOTP/HOTP/OCRA One-Time Passwords:
- Supports all major OATH algorithms: TOTP (time-based), HOTP (event-based), and OCRA (challenge-response).
- Ensures compatibility with various hardware and software tokens.
- SMS Authentication:
- OTPs can be sent via SMS for users without smartphones or tokens.
- Option to integrate customer’s own SMS gateway to reduce costs or ensure regional delivery reliability.
- Email Authentication:
- OTPs can be delivered by email as a backup or secondary MFA channel.
- Hardware TOTP Tokens:
- Offers a wide range of hardware tokens including programmable and reprogrammable models (e.g., Protectimus Slim NFC, Flex).
- Tokens are OATH-compliant and work offline, enhancing security for critical systems.
- OTP Delivery via Messaging Apps:
- Unique delivery via MFA bots on Telegram, Viber, and Facebook Messenger.
- Offers both improved usability and significant cost savings over SMS.
- Push Notifications in Protectimus Smart OTP App:
- Protectimus Smart OTP app sends push notifications for MFA approvals.
- Unique CWYS (Confirm What You See) feature ensures users confirm the exact action (e.g., transaction amount, recipient) they are authorizing — ideal for banking and finance applications.
- Geographic and Time-Based Access Filters:
- Administrators can define login policies based on time and location.
- Helps enforce strict security protocols for distributed teams or regulated industries.
![]() | ![]() | |
---|---|---|
Push notifications | yes | yes |
2FA app (TOTP) | yes | yes |
Hardware HOTP tokens | no | yes |
Hardware TOTP tokens | no | yes |
Hardware OCRA tokens | no | yes |
Hardware U2F/FIDO tokens | yes | no |
SMS OTP | yes | yes |
Email OTP | yes | yes |
Voice call OTP | yes | no |
OTP via chatbots in messaging apps | no | yes |
Passwordless login on managed devices | yes | no |
5. Integration Options
Key Difference:
- Rublon focuses on easy integration with popular cloud and web applications, providing streamlined deployment primarily for SaaS and web environments.
- Protectimus provides more advanced and deeper integration possibilities, including comprehensive support for VPNs, RADIUS, Active Directory, LDAP, on-premise environments, and custom enterprise applications.
Rublon
- Supports integration with popular SaaS and web applications for cloud-based MFA.
- Provides API for custom integrations and development.
- Active Directory (AD) integration primarily for user synchronization.
- Windows Login (Winlogon) and Remote Desktop Protocol (RDP) support facilitate enforcing MFA on Windows workstations and remote sessions.
- Supports web-based Single Sign-On (SSO) solutions.
- Limited RADIUS protocol and VPN integration supports.
- Emphasis on simple cloud deployment and end user and administrator simplicity of use.
Protectimus
- Comprehensive API & SDK to integrate multi-factor authentication seamlessly into any system, both cloud and on-premise.
- Inbuilt connectors for Active Directory (AD), LDAP, ADFS, Outlook Web Access (OWA), Windows Login & RDP, RADIUS protocol, Roundcube, a variety of VPN solutions, and other enterprise solutions.
- Secures any system OATH MFA algorithm-compatible: HOTP, TOTP, and OCRA.
- Patent-pending technology of LDAP and database integration enables direct two-factor authentication in such environments without third-party middleware.
- Secures single sign-on (SSO) systems with MFA, e.g., Office 365.
- Offers deployment options: cloud-based service, on-premises platform, and private cloud deployments with configurable choices.
- Comprehensive and free integration documentation to facilitate simple setup and configuration.
All integration-related documentation is openly accessible on the company’s site.
![]() | ![]() | |
---|---|---|
API | yes | yes |
SDK | yes | yes |
Pre-built plugins | yes* | yes |
Active Directory (AD) / LDAP | yes (AD sync only)* | yes (full integration) |
Windows Login (Winlogon) and RDP support | yes | yes |
RADIUS protocol / VPN integration | limited | yes (comprehensive) |
Customizable Deployment | no | yes |
*Rublon integrates with Active Directory primarily for user synchronization purposes. Unlike Protectimus, it does not support direct two-factor authentication within AD or LDAP environments without additional middleware.
6. Pricing
Key Difference:
- Protectimus is more cost-effective, offering a free plan, lower per-user pricing, and flexible on-premise licensing options.
- Rublon uses a subscription-based pricing model with no free tier and less transparent cost structure.
Rublon
- No free plan available.
- Pricing starts at $2 per user per month (based on publicly available sources).
- On-premise agents like Windows Logon and RDP require separate licensing.
- Full pricing details are not published; quote must be requested.
Protectimus
- Pricing starts at $1.45 per user per month.
- Free plan available for up to 10 users.
- One-time payment option for on-premise deployments.
- All features available regardless of pricing tier.
Find detailed Protectimus MFA pricing on the pricing page.
![]() | ![]() | |
---|---|---|
Free plan | no | yes |
One-time payment option | no | yes |
Cloud service | From $2/user/month. Separate licensing for Windows Logon & RDP agents. Pricing details not publicly listed. | From $1.45/user/month. The more users you add, the lower the cost per user. |
On-premise platform | no | One-time payment option available. From $2/user/month. Minimum pricing is $199/month for up to 99 users. |
7. Summary
Both Protectimus and Rublon are MFA providers, yet they differ greatly in terms of features, flexibility, and price. Rublon is a cloud-only, subscription-based offering that focuses on simplicity of use for SaaS applications. Protectimus offers both cloud and on-premise deployment, with greater integration options and more advanced security features such as transaction signing (CWYS), programmable tokens, and support for OATH standards such as OCRA.
Protectimus also stands out with its flexible pricing — including a free version for 10 users and perpetual licensing for on-premise deployments. Rublon is less transparent in its pricing and offers no free edition. While Rublon does offer support for newer FIDO2/WebAuthn and push-based authentication, Protectimus allows greater customization, wider protocol support, and low-cost MFA solutions for organizations with more sophisticated security needs or compliance mandates.
Features | Rublon | Protectimus |
1. Server-side component | ||
Available in the cloud | yes | yes |
Available on-premises | limited* | yes |
2. Features | ||
Self-service | yes | yes |
Geographic filters | no | yes |
Time-based access filters | no | yes |
Adaptive authentication | no | yes |
Role-based access control | no | yes |
IP filtering | yes | yes |
3. Technologies | ||
Asymmetric cryptography | no | yes |
HOTP | no | yes |
TOTP | yes | yes |
OCRA | no | yes |
FIDO2 / U2F | yes | no |
Transaction signing | no | yes |
4. Authentication methods | ||
Push notifications | yes | yes |
2FA app | yes | yes |
Hardware TOTP tokens | no | yes |
Hardware OCRA tokens | no | yes |
SMS | yes | yes |
yes | yes | |
Chatbots in messengers | no | yes |
5. Integration | ||
API | yes | yes |
SDK | no | yes |
Plugins & Connectors | limited* | broad support |
AD / LDAP sync | yes* | yes |
RDP and Winlogon integration | yes* | yes |
6. Pricing | ||
Free for up to 10 users | no | yes |
One-time payment option | no | yes |
Cloud service | From $2/user/month. Exact pricing may vary by deployment and feature set. | From $1.45/user/month. The more users you add, the lower the cost per user. |
On-premise platform | limited* | From $2/user/month. Minimum pricing: $199/month for up to 99 users. One-time license option available. |
Notes for asterisk explanations:
- limited* = Only specific components or limited availability (e.g., on-premise agents like RDP/Winlogon, not full self-hosted control).
- yes* = Available but only with Active Directory (AD) sync, not full standalone support or SSO federation.
Read more
- Duo Security vs Protectimus
- Protectimus Customer Stories: 2FA for Volet
- Protectimus Customer Stories: 2FA for SICIM
- Protectimus Customer Stories: 2FA for Ipak Yo’li Bank
- Protectimus Customer Stories: 2FA for DXC Technology
- The Architecture of Protectimus On-Premise MFA Platform
- Protectimus MFA Prices: How to Save with Coupons, Discounts, Referrals, and Subscriptions
Image and logo source: rublon.com.
Subscribe To Our Newsletter
Join our mailing list to receive the latest news and updates from our team.
Subscribe To Our Newsletter
Join our mailing list to receive the latest news and updates from Protectimus blog.
You have successfully subscribed!