![\"\"](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2018\/11\/duoLogo-web.png\")
<\/td>\n![\"\"](\"https:\/\/www.protectimus.com\/blog\/wp-content\/uploads\/2018\/11\/protectimus-logo-300x63.png\"){kind=logo}
<\/td>\n<\/tr>\nDuo Security<\/strong><\/h2>\n<\/a>
\nNote: Nearly all features examined in this section can be activated only with Duo’s most expensive payment plans, Access and Beyond. Self-service is also available in the Duo MFA basic plan.<\/em><\/span><\/p>\nUser self-service<\/h3>\n
<\/a>
\nUsers can issue and manage tokens themselves. This saves administrators time. Saving administrators time means saving the company money, which is always good.<\/p>\nGeographic filters<\/h3>\n
<\/a>
\nThese allow administrators to grant access to a resource only from a specified geographic location. Or, they can deny access from certain countries (for example, North Korea or Russia).<\/p>\nNetwork- or IP-based access control<\/h3>\n
<\/a>
\nThis feature is also referred to as adaptive authentication by Duo. It gives administrators the ability to block access to a resource from anonymous networks (such as Tor). Access can also be allowed or denied from a specific range of IP addresses.<\/p>\nRole-based access policies<\/h3>\n
<\/a>
\nThis makes it possible to impose stricter authentication rules for specific users or groups of users, depending on their roles and their levels of access to data. For example, an accountant might be able to choose any authentication method \u2014 SMS, push notifications, or a one-time password from an app \u2014 while a network administrator might be required to use a hardware token exclusively.<\/p>\nMonitoring and identification of vulnerable devices<\/h3>\n
This unique technology allows you to keep tabs on users’ “device hygiene” if they have the Duo Mobile app installed. Using this system, you can see how well-protected each device is: find out if biometric authentication and screen lock settings are configured; find out if antivirus is installed; find out what operating system, browsers, and plugins are installed, and whether they’re up to date; see if the device is personal or company-owned; see if the device has been rooted, etc. An administrator can block access to the system from devices that don’t meet preset requirements (for example, if no antivirus is installed).<\/p>\n
Protectimus<\/strong><\/h2>\n<\/a>
\nNote: All features examined in this section are available with all payment plans, including the no-cost Protectimus Free plan.<\/em><\/span><\/p>\nUser self-service<\/h3>\n
<\/a>
\nThis feature takes a burden off of the system administrator’s shoulders, saving the administrator time and the company money. Users can issue and manage their own tokens.<\/p>\nGeographic filters<\/h3>\n
<\/a>
\nThese allow restricting access to specific countries only. Access from specific countries (Russia, North Korea, etc.) can also be blocked.<\/p>\nTime-based filters<\/h3>\n
<\/a>
\nThis feature allows granting access to a resource only at certain times; for example, only during business hours. This approach significantly increases the level of protection against unauthorized account access. It’s perfect for corporate environments: even if a user leaves their token at work, nobody can access the user’s account outside of working hours.<\/p>\nAdaptive authentication<\/h3>\n
<\/a>
\nThis feature may also be called smart identification or user environment analysis. We created it to make things more convenient for users in systems where a certain amount of trust is permissible. Nobody loves typing in one-time passwords, so we devised a way of analyzing the user’s environment (browser name and version, operating system and language, window size and screen resolution, color depth, presence or absence of Java, plugins, etc.); a one-time password is required only once an established mismatch threshold has been exceeded.<\/p>\nDifferentiation and delegation of authority within the system<\/h3>\n
Resources are used to logically group users and easily manage them. Several resources can be created within a single account, and several administrators can be appointed to manage different resources.<\/p>\n
Let’s see how this works in a payment system, for example. There are 2 tasks in a payment system: protecting the end users and protecting the admin panel. For the end users, two-factor authentication should be, first and foremost, convenient. Access to the admin panel must be protected as reliably as possible.<\/p>\n
In this case, one resource is created in the Protectimus service for the end users, where they can choose from a variety of tokens<\/a> (they can purchase a hardware token<\/a>, download a software OTP token<\/a>, or connect to the Protectimus chatbot<\/a> on any messaging service).
\n<\/a>
\nTo protect the accounts of administrators, developers, and support staff, another resource can be created in the same Protectimus account with stricter authentication rules: only hardware tokens can be connected, and time- and location-based filters are set up. This way, you can conveniently manage different groups of users and establish different security requirements for them, based on each group’s level of access to sensitive data.<\/p>\nAbility to assign different types of tokens to different users<\/h3>\n
<\/a>
\nAs described above, by assigning different users to different resources, administrators can control the selection of authentication methods available to users. If needed, the administrator can even create and assign a token to each user individually.<\/p>\nCWYS (Confirm What You See) data signing functionality<\/h3>\n
CWYS functionality protects against phishing<\/a>, man-in-the-middle attacks<\/a>, banking Trojans, injection attacks, and other kinds of malware designed to intercept one-time passwords. One-time passwords are generated based on data from the user’s current operation. For example, when transferring funds, the amount, currency, and user data are used to generate an OTP. This one-time password can only be used to confirm that particular operation being performed by the user. Even if an attacker intercepts such a password, it won’t work to confirm an illegal transaction. You can read more about how CWYS works here<\/a>.<\/p>\nConclusions<\/strong><\/h2>\nMany similar functions are available in Duo’s and Protectimus’s strong authentication services: user self-service, geographic filters, adaptive authentication, and the ability to impose custom authentication requirements for users with different access levels.<\/p>\n
But there are differences. The specifics of Duo Security’s 2FA solution, where the main means of delivering OTPs is through a mobile application, became a reason for them to develop a system to monitor user devices and identify problems in protecting these devices. Protectimus 2FA service does not have this feature. However, it does include CWYS data signing \u2014 invaluable in payment and banking services \u2014 and time-based filters that allow you to boost the effectiveness of your corporate infrastructure protection several times over.<\/p>\n
\nNote: Nearly all features examined in this section can be activated only with Duo’s most expensive payment plans, Access and Beyond. Self-service is also available in the Duo MFA basic plan.<\/em><\/span><\/p>\n
User self-service<\/h3>\n
<\/a> <\/a> <\/a> <\/a> This unique technology allows you to keep tabs on users’ “device hygiene” if they have the Duo Mobile app installed. Using this system, you can see how well-protected each device is: find out if biometric authentication and screen lock settings are configured; find out if antivirus is installed; find out what operating system, browsers, and plugins are installed, and whether they’re up to date; see if the device is personal or company-owned; see if the device has been rooted, etc. An administrator can block access to the system from devices that don’t meet preset requirements (for example, if no antivirus is installed).<\/p>\n <\/a> <\/a> <\/a> <\/a> <\/a> Resources are used to logically group users and easily manage them. Several resources can be created within a single account, and several administrators can be appointed to manage different resources.<\/p>\n Let’s see how this works in a payment system, for example. There are 2 tasks in a payment system: protecting the end users and protecting the admin panel. For the end users, two-factor authentication should be, first and foremost, convenient. Access to the admin panel must be protected as reliably as possible.<\/p>\n In this case, one resource is created in the Protectimus service for the end users, where they can choose from a variety of tokens<\/a> (they can purchase a hardware token<\/a>, download a software OTP token<\/a>, or connect to the Protectimus chatbot<\/a> on any messaging service). <\/a> CWYS functionality protects against phishing<\/a>, man-in-the-middle attacks<\/a>, banking Trojans, injection attacks, and other kinds of malware designed to intercept one-time passwords. One-time passwords are generated based on data from the user’s current operation. For example, when transferring funds, the amount, currency, and user data are used to generate an OTP. This one-time password can only be used to confirm that particular operation being performed by the user. Even if an attacker intercepts such a password, it won’t work to confirm an illegal transaction. You can read more about how CWYS works here<\/a>.<\/p>\n Many similar functions are available in Duo’s and Protectimus’s strong authentication services: user self-service, geographic filters, adaptive authentication, and the ability to impose custom authentication requirements for users with different access levels.<\/p>\n But there are differences. The specifics of Duo Security’s 2FA solution, where the main means of delivering OTPs is through a mobile application, became a reason for them to develop a system to monitor user devices and identify problems in protecting these devices. Protectimus 2FA service does not have this feature. However, it does include CWYS data signing \u2014 invaluable in payment and banking services \u2014 and time-based filters that allow you to boost the effectiveness of your corporate infrastructure protection several times over.<\/p>\n
\nUsers can issue and manage tokens themselves. This saves administrators time. Saving administrators time means saving the company money, which is always good.<\/p>\nGeographic filters<\/h3>\n
\nThese allow administrators to grant access to a resource only from a specified geographic location. Or, they can deny access from certain countries (for example, North Korea or Russia).<\/p>\nNetwork- or IP-based access control<\/h3>\n
\nThis feature is also referred to as adaptive authentication by Duo. It gives administrators the ability to block access to a resource from anonymous networks (such as Tor). Access can also be allowed or denied from a specific range of IP addresses.<\/p>\nRole-based access policies<\/h3>\n
\nThis makes it possible to impose stricter authentication rules for specific users or groups of users, depending on their roles and their levels of access to data. For example, an accountant might be able to choose any authentication method \u2014 SMS, push notifications, or a one-time password from an app \u2014 while a network administrator might be required to use a hardware token exclusively.<\/p>\nMonitoring and identification of vulnerable devices<\/h3>\n
Protectimus<\/strong><\/h2>\n
\nNote: All features examined in this section are available with all payment plans, including the no-cost Protectimus Free plan.<\/em><\/span><\/p>\nUser self-service<\/h3>\n
\nThis feature takes a burden off of the system administrator’s shoulders, saving the administrator time and the company money. Users can issue and manage their own tokens.<\/p>\nGeographic filters<\/h3>\n
\nThese allow restricting access to specific countries only. Access from specific countries (Russia, North Korea, etc.) can also be blocked.<\/p>\nTime-based filters<\/h3>\n
\nThis feature allows granting access to a resource only at certain times; for example, only during business hours. This approach significantly increases the level of protection against unauthorized account access. It’s perfect for corporate environments: even if a user leaves their token at work, nobody can access the user’s account outside of working hours.<\/p>\nAdaptive authentication<\/h3>\n
\nThis feature may also be called smart identification or user environment analysis. We created it to make things more convenient for users in systems where a certain amount of trust is permissible. Nobody loves typing in one-time passwords, so we devised a way of analyzing the user’s environment (browser name and version, operating system and language, window size and screen resolution, color depth, presence or absence of Java, plugins, etc.); a one-time password is required only once an established mismatch threshold has been exceeded.<\/p>\nDifferentiation and delegation of authority within the system<\/h3>\n
\n<\/a>
\nTo protect the accounts of administrators, developers, and support staff, another resource can be created in the same Protectimus account with stricter authentication rules: only hardware tokens can be connected, and time- and location-based filters are set up. This way, you can conveniently manage different groups of users and establish different security requirements for them, based on each group’s level of access to sensitive data.<\/p>\nAbility to assign different types of tokens to different users<\/h3>\n
\nAs described above, by assigning different users to different resources, administrators can control the selection of authentication methods available to users. If needed, the administrator can even create and assign a token to each user individually.<\/p>\nCWYS (Confirm What You See) data signing functionality<\/h3>\n
Conclusions<\/strong><\/h2>\n