Two-Factor Authentication Solutions Comparison: Google Authenticator vs. Protectimus

People often ask us to compare the Protectimus two-factor authentication solutions with Google Authenticator and explain how we’re better. In this article, we’ll try to answer these questions.

Firstly, keep in mind that Google Authenticator is only a one-time password generator app. One of our tokens, the Protectimus Smart OTP, works similarly to this app. However, in any authentication system, what really matters is not the OTP token that generates one-time passwords, but the server component that verifies them. 

Unlike Google Authenticator, Protectimus is a complex, complete two-factor authentication solution. After integrating it with your system, your employees’ and users’ accounts will be protected from unauthorized access, once and for all.

When we get questions asking us to compare two-factor authentication solutions by Protectimus and Google Authenticator, we understand that the client is planning to develop a server component on their own, but they still aren’t sure. That’s why in this article we’ll also discuss the advantages of developing a 2FA server component independently, as well as the difficulties that it inevitably leads to.

Table of contents:

How the two-factor authentication solutions are built

The foundation of all 2-factor authentication solutions is the MFA server. The server component is the part of the two-factor authentication system that verifies one-time passwords submitted by users in order to grant or deny access to a resource.

Besides verifying OTPs, the server component may support additional data protection functionality. For example, the Protectimus two-factor authentication service makes it possible to restrict access based on a user’s geographical location, the time of the login attempt, and the user’s IP address.

The second component that any two-factor authentication solution needs is MFA tokens (authenticators). These are devices that generate one-time passwords. Users need to keep these devices on hand in order to generate or receive codes when they log into their accounts. Authenticators come in all shapes and sizes (hardware, software, SMS, email, messaging service chatbots). One possible option is the Google Authenticator app.

You can find out more about how HOTP, TOTP, and OCRA one-time passwords are generated and verified in this article.

How two factor authnetication solutions work

What is Google Authenticator

Google Authenticator is one kind of MFA token: an app for generating one-time passwords based on the TOTP and HOTP algorithms. It’s available for free on Android and iOS. This is one of the components required for a two-factor authentication system, but it isn’t a complete system.

Our OTP tokens are one-time code generators like Google Authenticator, they’re only one part of a solution for two-factor authentication, as a server that can verify the generated OTP codes is also required. By the way, we do support Google Authenticator, so you can use it with our 2FA service instead of using physical tokens.

We also have our own, more advanced counterpart: the software authenticator Protectimus Smart OTP. To give you the whole picture: we also support other companies’ OTP tokens that adhere to the OATH standards, and we can send one-time codes via SMS, email, or messaging service chatbots on Telegram, Viber, and Messenger.

| Read also: The Pros and Cons of Different Two-Factor Authentication Types and Methods

What is Protectimus

Protectimus is a complex two-factor authentication service that includes both a server component and a wide range of OTP tokens. The server component is available as both a cloud service (SaaS) and as a platform for clients to install on their own server or private cloud (On-premise).

You can quickly integrate the Protectimus two-factor authentication solution into your system using:

The list of OTP tokens available includes:

  • the Protectimus Two classic hardware tokens;
  • the Protectimus Slim NFC programmable hardware tokens;
  • the Protectimus Smart OTP app (Google Authenticator equivalent);
  • one-time code delivery using the Protectimus Bot chatbots on Facebook, Telegram, and Viber;
  • one-time code delivery via SMS messages;
  • one-time code delivery via email;
  • Google Authenticator support;
  • support for third-party OATH tokens.

The server component: SaaS or On-Premise

You can use the Protectimus cloud service or deploy a two-factor authentication server on your own premises or private cloud. Each option we offer has its advantages.

Protectimus SaaS ServiceProtectimus On Premise Platform

SaaS Service

On-premise Platform

  • the server component is ready to use off the shelf;
  • you can connect a minimal number of users and pay only for the number of users you really need (up to 10 users for free);
  • you’ll receive a US$25 credit when signing up;
  • there’s no need to invest in equipment for the server components, there’s no infrastructure to protect and maintain, and the Protectimus cloud-based authentication service is available 24/7.
  • the authentication server is entirely under your control;
  • you can protect your MFA server in whatever way meets your needs — for example, you can install the platform on an isolated local network, or on a network protected by a firewall;
  • if you were planning to develop your own server component for your two-factor authentication solutions in order to maintain full control over your user data, or because regulations in your country require it, you can use the Protectimus on-premise platform to meet these needs.

OTP tokens: hardware or software

Hardware OTP token Protectimus TwoSoftware OTP token Protectimus Smart OTP

Hardware OTP tokens

Software OTP tokens

The benefit of using a physical token (Protectimus Two, Protectimus Slim NFC) is that it’s a separate device made specifically for generating one-time passwords. It can’t communicate with the outside world, and it works independently. There’s no way to install third-party software on such a token, so compromising one is impossible. Ultimately, you can also just lock a physical token away in a safe.

The benefit of using a software token is that you don’t need to carry any additional devices around. It’s also less expensive: Google Authenticator and Protectimus Smart OTP are entirely free, so you’ll only have to pay for the authentication server.

Additional features of the Protectimus MFA solution

Data signing (CWYS)

Unlike Google Authenticator, our MFA server and the Protectimus Smart software token support a third OATH algorithm for generating one-time passwords, called OCRA (OATH Challenge-Response Algorithm, RFC 6287). This makes it possible to implement CWYS data signing functionality (Confirm What You See), raising the reliability of two-factor authentication to a new level. One-time passwords are generated according to the OCRA algorithm, but instead of a standard challenge, data from the user’s current operation is used. For example, when transferring funds, this might include the user’s name, the amount of the transfer, the currency, etc. This way, even if an attacker intercepts a one-time password, they won’t be able to use the OTP to confirm their own unauthorized operation. See how this data signing functionality works for yourself on the demo page.

Geographic filters

This feature makes it possible to grant or deny access to your system from particular countries. For example, you can allow access to company resources only from countries where your branches are located.

Time-based filters

This feature allows granting access to a resource only at certain times; for example, only during business hours.

User environment analysis

This feature can help you promote user loyalty. The system analyzes information about the user’s environment, like their browser name and version, operating system, language, screen resolution, color depth, and so on. After doing so, the system will request a one-time password only when the allowed number of mismatches is exceeded.

IP address filtering

This feature lets you grant access to your system from only approved IP addresses.

| Read also: Duo Security vs Protectimus: Features

Advantages and risks of developing your own server component

Now, about the server part of two-factor authentication solutions: naturally, you can set up one-time password verification yourself and use Google Authenticator with it. It’s an open standard: RFC 6238

However, in this case, there’s no guarantee that everything will be implemented correctly, taking all the possible pitfalls into account. There’s no need for you to go through all of the expensive certifications and checks that we have, and there are a lot of those pitfalls — especially when you consider that the standards describe a Java-based implementation, while the algorithms have been ported to PHP by hobbyists. 

Besides reliability and additional protections (clusters, replication, backups, firewalls, HSMs, and so on), we also offer tools for monitoring, statistics, management, and much more. It wouldn’t be profitable for you to also develop all of these yourself. 

As an additional bonus, we constantly are monitoring trends in our industry and reacting to new challenges as they appear. After all, security is a never-ending battle. Smaller companies often lack the time and resources to handle all of these activities.

In all likelihood, the only advantage of developing your own server component for your two-factor authentication solution is the lack of recurring service costs. Don’t forget, though, that development itself is hardly free, so you’ll still need to consider whether this is profitable.

| Read also: 2FA Security Flaws You Should Know About

In summary

  1. Google Authenticator is only one part of a 2FA solution. It’s compatible with our 2-factor authentication service since it’s built on the same principles and uses the same algorithms. Google’s offering is a software counterpart to hardware tokens, which have only one role: generating one-time codes.
  2. Compared to developing your own, the benefits of using our authentication server include the reliability of the 2FA solution, the ability to choose a level of protection that meets your needs, our technical experience, our management and monitoring tools, the deployment speed, and affordability.

We’d be happy to answer any questions you have about two-factor authentication and the Protectimus MFA solution. Write to us at [email protected].

Read more:

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Author: Denis Shokotko

Once upon a time, in a small town there lived a boy named little Denis. As years went by and the boy grew up, his interest in everything new and unknown grew, too. Denis was particularly interested in information technologies. And, his feelings were reciprocated. His new hobby was so fascinating that he decided to devote the rest of his life to it. Soon after that, he developed his first software program, then another one and another one, and more... In software development, no one could compare to him. His talent could not but be noticed and appreciated. Before long, he is among the originators of a new innovative project. And now, Protectimus in Denis’ life is like a mistress that would not share him with another or put up with any unfaithfulness :)

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from Protectimus blog.

You have successfully subscribed!

Share This