People often ask us to compare the Protectimus two-factor authentication solutions with Google Authenticator and explain how we’re better. In this article, we’ll try to answer these questions.
Firstly, keep in mind that Google Authenticator is only a one-time password generator app. One of our tokens, the Protectimus Smart OTP, works similarly to this app. However, in any authentication system, what really matters is not the OTP token that generates one-time passwords, but the server component that verifies them.
Unlike Google Authenticator, Protectimus is a complex, complete two-factor authentication solution. After integrating it with your system, your employees’ and users’ accounts will be protected from unauthorized access, once and for all.
When we get questions asking us to compare two-factor authentication solutions by Protectimus and Google Authenticator, we understand that the client is planning to develop a server component on their own, but they still aren’t sure. That’s why in this article we’ll also discuss the advantages of developing a 2FA server component independently, as well as the difficulties that it inevitably leads to.
Table of contents:
- How the two-factor authentication solutions are built
- What is Google Authenticator
- What is Protectimus
- Advantages and risks of developing your own server component
- In summary
How the two-factor authentication solutions are built
The foundation of all 2-factor authentication solutions is the MFA server. The server component is the part of the two-factor authentication system that verifies one-time passwords submitted by users in order to grant or deny access to a resource.
Besides verifying OTPs, the server component may support additional data protection functionality. For example, the Protectimus two-factor authentication service makes it possible to restrict access based on a user’s geographical location, the time of the login attempt, and the user’s IP address.
The second component that any two-factor authentication solution needs is MFA tokens (authenticators). These are devices that generate one-time passwords. Users need to keep these devices on hand in order to generate or receive codes when they log into their accounts. Authenticators come in all shapes and sizes (hardware, software, SMS, email, messaging service chatbots). One possible option is the Google Authenticator app.
You can find out more about how HOTP, TOTP, and OCRA one-time passwords are generated and verified in this article.
What is Google Authenticator
Google Authenticator is one kind of MFA token: an app for generating one-time passwords based on the TOTP and HOTP algorithms. It’s available for free on Android and iOS. This is one of the components required for a two-factor authentication system, but it isn’t a complete system.
Our OTP tokens are one-time code generators like Google Authenticator, they’re only one part of a solution for two-factor authentication, as a server that can verify the generated OTP codes is also required. By the way, we do support Google Authenticator, so you can use it with our 2FA service instead of using physical tokens.
We also have our own, more advanced counterpart: the software authenticator Protectimus Smart OTP. To give you the whole picture: we also support other companies’ OTP tokens that adhere to the OATH standards, and we can send one-time codes via SMS, email, or messaging service chatbots on Telegram, Viber, and Messenger.
What is Protectimus
Protectimus is a complex two-factor authentication service that includes both a server component and a wide range of OTP tokens. The server component is available as both a cloud service (SaaS) and as a platform for clients to install on their own server or private cloud (On-premise).
You can quickly integrate the Protectimus two-factor authentication solution into your system using:
- ready-made plugins (ADFS, OWA, RADIUS, RoundCube, Winlogon);
- SDKs for programming languages (PHP, Python, Java);
- integrate directly through our API.
The list of OTP tokens available includes:
- the Protectimus Two classic hardware tokens;
- the Protectimus Slim NFC programmable hardware tokens;
- the Protectimus Smart OTP app (Google Authenticator equivalent);
- one-time code delivery using the Protectimus Bot chatbots on Facebook, Telegram, and Viber;
- one-time code delivery via SMS messages;
- one-time code delivery via email;
- Google Authenticator support;
- support for third-party OATH tokens.
The server component: SaaS or On-Premise
You can use the Protectimus cloud service or deploy a two-factor authentication server on your own premises or private cloud. Each option we offer has its advantages.
OTP tokens: hardware or software
Hardware OTP tokens
Software OTP tokens
The benefit of using a physical token (Protectimus Two, Protectimus Slim NFC) is that it’s a separate device made specifically for generating one-time passwords. It can’t communicate with the outside world, and it works independently. There’s no way to install third-party software on such a token, so compromising one is impossible. Ultimately, you can also just lock a physical token away in a safe.
The benefit of using a software token is that you don’t need to carry any additional devices around. It’s also less expensive: Google Authenticator and Protectimus Smart OTP are entirely free, so you’ll only have to pay for the authentication server.
Additional features of the Protectimus MFA solution
Data signing (CWYS)
Unlike Google Authenticator, our MFA server and the Protectimus Smart software token support a third OATH algorithm for generating one-time passwords, called OCRA (OATH Challenge-Response Algorithm, RFC 6287). This makes it possible to implement CWYS data signing functionality (Confirm What You See), raising the reliability of two-factor authentication to a new level. One-time passwords are generated according to the OCRA algorithm, but instead of a standard challenge, data from the user’s current operation is used. For example, when transferring funds, this might include the user’s name, the amount of the transfer, the currency, etc. This way, even if an attacker intercepts a one-time password, they won’t be able to use the OTP to confirm their own unauthorized operation. See how this data signing functionality works for yourself on the demo page.
This feature makes it possible to grant or deny access to your system from particular countries. For example, you can allow access to company resources only from countries where your branches are located.
This feature allows granting access to a resource only at certain times; for example, only during business hours.
User environment analysis
This feature can help you promote user loyalty. The system analyzes information about the user’s environment, like their browser name and version, operating system, language, screen resolution, color depth, and so on. After doing so, the system will request a one-time password only when the allowed number of mismatches is exceeded.
IP address filtering
This feature lets you grant access to your system from only approved IP addresses.
| Read also: Duo Security vs Protectimus: Features
Advantages and risks of developing your own server component
Now, about the server part of two-factor authentication solutions: naturally, you can set up one-time password verification yourself and use Google Authenticator with it. It’s an open standard: RFC 6238.
However, in this case, there’s no guarantee that everything will be implemented correctly, taking all the possible pitfalls into account. There’s no need for you to go through all of the expensive certifications and checks that we have, and there are a lot of those pitfalls — especially when you consider that the standards describe a Java-based implementation, while the algorithms have been ported to PHP by hobbyists.
Besides reliability and additional protections (clusters, replication, backups, firewalls, HSMs, and so on), we also offer tools for monitoring, statistics, management, and much more. It wouldn’t be profitable for you to also develop all of these yourself.
As an additional bonus, we constantly are monitoring trends in our industry and reacting to new challenges as they appear. After all, security is a never-ending battle. Smaller companies often lack the time and resources to handle all of these activities.
In all likelihood, the only advantage of developing your own server component for your two-factor authentication solution is the lack of recurring service costs. Don’t forget, though, that development itself is hardly free, so you’ll still need to consider whether this is profitable.
| Read also: 2FA Security Flaws You Should Know About
- Google Authenticator is only one part of a 2FA solution. It’s compatible with our 2-factor authentication service since it’s built on the same principles and uses the same algorithms. Google’s offering is a software counterpart to hardware tokens, which have only one role: generating one-time codes.
- Compared to developing your own, the benefits of using our authentication server include the reliability of the 2FA solution, the ability to choose a level of protection that meets your needs, our technical experience, our management and monitoring tools, the deployment speed, and affordability.
We’d be happy to answer any questions you have about two-factor authentication and the Protectimus MFA solution. Write to us at [email protected].
- How to Backup Google Authenticator or Transfer It to a New Phone
- Remote Work: How to Transition Team to Working From Home During the COVID-19 Pandemic
- Active Directory Two-Factor Authentication
- Two-factor authentication for Windows 7, 8, 10
- 2FA Chatbots vs. SMS Authentication
- Time Drift in TOTP Hardware Tokens Explained and Solved
- Electronic Visit Verification with Hardware Tokens
- Hardware Tokens for Azure MFA
- Office 365 MFA Hardware Token
- 4 Reasons Two-Factor Authentication Isn’t a Panacea