In Duo Security vs Protectimus, we touched on all the aspects of Duo and Protectimus two-factor authentication solutions. We examined the technologies these companies use, their methods of delivering one-time passwords, the availability of an API and pre-made plugins for integration, pricing, availability in cloud-based and on-premise forms, and — briefly — the features of each solution.
In this article, we describe in greater detail the features available to administrators and users of the Duo and Protectimus multifactor authentication services. You can use this table to navigate the article more easily.
Duo Security
Note: Nearly all features examined in this section can be activated only with Duo’s most expensive payment plans, Access and Beyond. Self-service is also available in the Duo MFA basic plan.
User self-service
Users can issue and manage tokens themselves. This saves administrators time. Saving administrators time means saving the company money, which is always good.
Geographic filters
These allow administrators to grant access to a resource only from a specified geographic location. Or, they can deny access from certain countries (for example, North Korea or Russia).
Network- or IP-based access control
This feature is also referred to as adaptive authentication by Duo. It gives administrators the ability to block access to a resource from anonymous networks (such as Tor). Access can also be allowed or denied from a specific range of IP addresses.
Role-based access policies
This makes it possible to impose stricter authentication rules for specific users or groups of users, depending on their roles and their levels of access to data. For example, an accountant might be able to choose any authentication method — SMS, push notifications, or a one-time password from an app — while a network administrator might be required to use a hardware token exclusively.
Monitoring and identification of vulnerable devices
This unique technology allows you to keep tabs on users’ “device hygiene” if they have the Duo Mobile app installed. Using this system, you can see how well-protected each device is: find out if biometric authentication and screen lock settings are configured; find out if antivirus is installed; find out what operating system, browsers, and plugins are installed, and whether they’re up to date; see if the device is personal or company-owned; see if the device has been rooted, etc. An administrator can block access to the system from devices that don’t meet preset requirements (for example, if no antivirus is installed).
Protectimus
Note: All features examined in this section are available with all payment plans, including the no-cost Protectimus Free plan.
User self-service
This feature takes a burden off of the system administrator’s shoulders, saving the administrator time and the company money. Users can issue and manage their own tokens.
Geographic filters
These allow restricting access to specific countries only. Access from specific countries (Russia, North Korea, etc.) can also be blocked.
Time-based filters
This feature allows granting access to a resource only at certain times; for example, only during business hours. This approach significantly increases the level of protection against unauthorized account access. It’s perfect for corporate environments: even if a user leaves their token at work, nobody can access the user’s account outside of working hours.
Adaptive authentication
This feature may also be called smart identification or user environment analysis. We created it to make things more convenient for users in systems where a certain amount of trust is permissible. Nobody loves typing in one-time passwords, so we devised a way of analyzing the user’s environment (browser name and version, operating system and language, window size and screen resolution, color depth, presence or absence of Java, plugins, etc.); a one-time password is required only once an established mismatch threshold has been exceeded.
Differentiation and delegation of authority within the system
Resources are used to logically group users and easily manage them. Several resources can be created within a single account, and several administrators can be appointed to manage different resources.
Let’s see how this works in a payment system, for example. There are 2 tasks in a payment system: protecting the end users and protecting the admin panel. For the end users, two-factor authentication should be, first and foremost, convenient. Access to the admin panel must be protected as reliably as possible.
In this case, one resource is created in the Protectimus service for the end users, where they can choose from a variety of tokens (they can purchase a hardware token, download a software OTP token, or connect to the Protectimus chatbot on any messaging service).
To protect the accounts of administrators, developers, and support staff, another resource can be created in the same Protectimus account with stricter authentication rules: only hardware tokens can be connected, and time- and location-based filters are set up. This way, you can conveniently manage different groups of users and establish different security requirements for them, based on each group’s level of access to sensitive data.
Ability to assign different types of tokens to different users
As described above, by assigning different users to different resources, administrators can control the selection of authentication methods available to users. If needed, the administrator can even create and assign a token to each user individually.
CWYS (Confirm What You See) data signing functionality
CWYS functionality protects against phishing, man-in-the-middle attacks, banking Trojans, injection attacks, and other kinds of malware designed to intercept one-time passwords. One-time passwords are generated based on data from the user’s current operation. For example, when transferring funds, the amount, currency, and user data are used to generate an OTP. This one-time password can only be used to confirm that particular operation being performed by the user. Even if an attacker intercepts such a password, it won’t work to confirm an illegal transaction. You can read more about how CWYS works here.
Conclusions
Many similar functions are available in Duo’s and Protectimus’s strong authentication services: user self-service, geographic filters, adaptive authentication, and the ability to impose custom authentication requirements for users with different access levels.
But there are differences. The specifics of Duo Security’s 2FA solution, where the main means of delivering OTPs is through a mobile application, became a reason for them to develop a system to monitor user devices and identify problems in protecting these devices. Protectimus 2FA service does not have this feature. However, it does include CWYS data signing — invaluable in payment and banking services — and time-based filters that allow you to boost the effectiveness of your corporate infrastructure protection several times over.
Features | Duo Security | Protectimus |
Self-service | yes | yes |
Geographic filters | yes | yes |
Time-based filters | no | yes |
Adaptive authentication | yes | yes |
Role-based access policies | yes | yes |
Monitoring and identification of vulnerable devices | yes | no |
Data signing | no | yes |
Read more
- Duo Security vs Protectimus
- Duo Security vs Protectimus: Authentication Methods
- How does 2-factor authentication work?
- The Evolution of Two-Step Authentication
- The Pros and Cons of Different Two-Factor Authentication Types and Methods
- Mobile Authentication Pros and Cons
- How to Backup Google Authenticator or Transfer It to a New Phone
- Protectimus New OTP Tokens
- Why US, Canadian, and EU Universities Choose Programmable Hardware OTP Tokens
Image and logo source: duo.com
Subscribe To Our Newsletter
Join our mailing list to receive the latest news and updates from our team.
Subscribe To Our Newsletter
Join our mailing list to receive the latest news and updates from Protectimus blog.
You have successfully subscribed!