Hardware MFA: Death to the password!


Enterprise and Cloud

As I stated previously, MFA comes in many shapes and sizes. It can be applied to a single website or even to an IaaS cloud provider, as detailed above, or expanded to the enterprise and beyond. The second portion of this discussion focuses on flexible, inexpensive options for MFA in enterprise and cloud resources.

FIDO Alliance

Many organizations are working on what comes next, beyond single-factor authentication (passwords). One industry consortium, called the FIDO (Fast Identity Online) Alliance, is endeavoring to solve this issue. Their goal is stronger, simpler authentication via an open industry standard with a myriad of devices. The alliance details its mission as:

  • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the specifications.
  • Submitting mature technical specification(s) to recognized standards development organization(s) for formal standardization. [4]

Members include, among others: ARM, Bank of America, BlackBerry, Google, Lenovo, Mastercard, Microsoft, PayPal, RSA, Samsung, Visa, and Yubico. The strong, broad industry involvement and focus on open standards across a wide variety of authentication technologies will likely mean success.

FIDO hopes to support an extensive range of authentication technologies from biometrics (fingerprint, retinal, voice, etc.), TPM (trusted platform modules; USB tokens, eSE [embedded security elements], smart cards, and NFC). Today, you can even see it working with supported devices such as the Lenovo Laptop fingerprint reader and the Samsung Galaxy S3.

FIDO alliance's efforts to build a set of open, interoperable standards applicable across a variety of hardware and software authentication methods looks like a potent player in solving what's next for multifactor authentication.

Beyond Passwords

It should be abundantly clear that single-factor passwords aren't the only options. Today, you have a rich set of both software and hardware multifactor options to augment or replace the stale standard password. I hope you'll explore and deploy some of these options and help make the world more secure.

PayPal Security Key

PayPal, the e-commerce and payment giant, offers a simple and inexpensive option for MFA for use of its services. This credit-card-sized device generates a random temporary security code that you are required to enter when authenticating to PayPal, as well as to your eBay account. It is hoped that support for the PayPal Security Key will be extended to other eBay-owned websites in the near future.



Supported Sites: eBay, PayPal

Cost: US$ 29.95

PayPal Virtual MFA – PayPal Security Key

PayPal doesn't have an app for Apple iOS or Google Android, but it does send a one-time password (OTP) to a PayPal security key that can also be used as a backup if you lose your physical token. Many of the other hardware MFA solutions listed in this article also support PayPal/eBay.



Cost: Free

Amazon AWS and Gemalto

Amazon Web Services (AWS) is one of the largest and most successful cloud providers. If you administer or manage a presence in the Amazon cloud, you can now easily and securely access your AWS resources with MFA enabled. Gemalto offers two supported devices.

The Ezio Time-based 6-Digit Token is a simple, inexpensive OTP generator that is small enough to be put on your keychain next to your car keys.

The Ezio Time-based 6-digit OTP Display Card is an inexpensive, more compact credit card-sized version.

Both OATH-compliant devices simply yield an OTP code when a button is pushed on the device.



Supported Sites: Amazon AWS

Cost: US$ 12.99, US$ 19.99

Amazon AWS Virtual MFA

Amazon AWS Virtual MFA is an Android-only application that supports using your phone as a multifactor authentication device and supports all AWS websites. It can be used for your account as well as other AWS Identity and Access Management (IAM)-associated accounts.



Support: Android

Cost: Free

Symantec VIP Security Cards

Symantec offers several MFA cards for use on many popular online destinations. All of these devices work alongside a regular username and password. You simply input a six-digit code output from the device into the website when authenticating. The Validation & ID Protection (VIP) card comes in three varieties: a waterproof, keychain-sized device for when you are on the go or happen to keep your tokens handy while engaging in aquatic sports; a keychain-sized device minus the waterproofing; and a credit card-sized, portable MFA device.



Supported Sites: Merrill Lynch, E*Trade, PayPal, eBay, SoftLayer, OneLogin, and many others.


Model HAI08 (waterproof), US$ 30.00

VModel HV08, US$ 30.00

Security Card, US$  48.00

Symantec Virtual MFA

Symantec's virtual application-based 2FA solution has wide coverage on mobile devices. It even boasts a virtual MFA application for Windows 7-8 and Mac OS via its VIP Access Desktop application.



Supported Devices: Android, Apple iPhone and iPad, Windows Mobile, and Blackberry.

Cost: Free



Supported Platforms: Windows, Linux, OS X, remote access, VPN, API.

Content Management Systems: Drupal, Joomla, WordPress.

Cloud Apps: Google, Dropbox, etc.

Pricing: There is no additional cost for deploying YubiKey because the software is open source.


OneLogin is a powerhouse for identity management in the cloud. It provides single sign-on, multifactor authentication, directory integration, and powerful user provisioning features. All of this further unifies authentication for thousands of pre-integrated cloud and SaaS applications. OneLogin supports both virtual MFA in the form of OneLogin's free Mobile OTP app and many hardware MFA options. You can explore the nearly half dozen hardware MFA options at the OneLogin website.



Supported Hardware MFA: Third-party hardware MFA from RSA, Symantec, VASCO and Yubico.

Supported Directories: Active Directory, LDAP, Google Apps, etc.

Supported Platforms: VPN; cloud apps such as salesforce.com, Office 365, Google Apps, Box, Dropbox; web; Microsoft.

Pricing: This cloud solution is priced on a user/month fee basis. The enterprise account is priced at US$  5/user per month. See the website for full pricing and options at http://www.onelogin.com/pricing/.


Yubico is strong hardware-based MFA that is easy and affordable. Driverless multiplatform USB and NFC devices give it a wide and capable reach. This company makes a commitment to open source, which is helping spur the extension of their technology beyond the already long list of supported vendors and partners. You can use the open source YubiX software, which is a stack of YubiKey-related software, for quick deployment, as the basis for a custom solution, or both. You have lots of flexibility in setting up your validation servers and using the Yubico cloud option, YubiCloud, which allows the use of YubiKey for nearly any IT service or website.

Note that all YubiKey devices are driverless and require no client software. As a result, they work on Windows, Mac, Linux, and others.

YubiKey Standard: This small USB device fits perfectly on a keychain. This device works by simply pressing the key button to autofill the passcode generated by the device. As with other YubiKey devices, you have no typing and no fuss.

YubiKey Nano: This smaller form factor all but disappears in a common standard USB port. A simple light touch on the side of the Nano and you authenticate. An optional USB docking ball provides a desktop authentication button for a desktop installation.

YubiKey NEO: Same core features as the Yubico YubiKey Standard plus NFC (near-field communication) support. It also supports OpenPGP and YubiOATH. In the near future, it will support the U2F requirements of the FIDO alliance, discussed elsewhere in this article.

YubiKey VIP: Same form factor as YubiKey Standard but with support for Symantec Security Credential across supported sites. It works much like the Symantec VIP Security Cards.


Symplified is an impressive SSO solution for your infrastructure – cloud or otherwise. It effectively lets you tie together and extend your existing authentication infrastructure to use a myriad of devices through the software token, as well as supported hardware tokens. Much like OneLogin, it supports a multitude of cloud solutions currently in use. It also has powerful management features for policy management, provisioning, and audit and analytics. Unlike other providers that offer a specific mobile app for MFA (e.g., Google Android, Apple iOS), for their virtual MFA, Symplified does not. Instead you must have centralized applications installed (which they call a gateway). The gateway is what a client connects to through a regular mobile browser. Symplified offers two options for the gateway: a cloud-hosted Symplified IDR gateway or your own IDR gateway, which comes in the form of a VM for your environment.

Symplified offers integration in the hardware MFA space with CryptoCard and Symantec VIP. This can extend your authentication to wherever you need it and allow multifactor authentication options.



Supported MFA Hardware:

SafeNet CryptoCard http://www.safenet-inc.com/multi-factor-authentication/

Symantec VIP https://idprotect.vip.symantec.com/

Supported Directories: Active Directory, LDAP, RDBMS, and MySQL, as well as cloud-based user stores such as Salesforce.com, Google, Workday, and Amazon RDS. It can also use multiple user stores, as is often required in today's complicated IT infrastructures.

Supported Platforms: Windows; cloud apps such as salesforce.com, Office 365, Google Apps, Box, Dropbox, etc.; VPN; web.

Pricing: Symplified doesn't have detailed pricing online. For more information, see their website.

Duo Security

Duo is cloud-based authentication without the need for IT infrastructure and headaches. It supports a variety of mobile devices through its soft token Duo mobile app. Additionally, it supports SMS, phone callback, numerous OATH-compliant tokens, and YubiKey.

Duo Security Virtual MFA

Duo's virtual MFA, called Duo Mobile, is available for iOS, Android, Blackberry, and Windows Phone. It supports an out-of-band authentication method over a mutually authenticated secure transport mechanism. The Duo Mobile app also supports Duo push or its OTP option, among the many others listed.

In terms of hardware 2FA, Duo supports Duo's D-100 token, YubiKey, Gemalto, and other OATH-compliant tokens.



Supported Hardware MFA:

Duo's D-100 Token http://guide.duosecurity.com/tokens

YubiKey http://www.yubico.com/

Gemalto http://gemalto.com/

Supported Platforms: VPN; cloud apps such as salesforce.com, Office 365, Google Apps, Box.com; Linux/SSH; web; Microsoft; API.

Supported Directories: Active Directory, LDAP, etc.

Pricing: This cloud service charges monthly for using the Duo service. Costs vary between a free account for up to 10 users to the basic enterprise edition, which starts at US$ 3/user per month (https://www.duosecurity.com/editions).


  1. Verizon Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/
  2. SplashData Annual Worst Password List: http://splashdata.com/press/worstpasswords2013.htm
  3. Trustwave Global Security Report: https://www2.trustwave.com/GSR2014.html
  4. FIDO Alliance: https://fidoalliance.org/about

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>


		<div class=