
Multi-Factor Authentication Solution Evaluation Criteria

This document outlines criteria that should be considered when evaluating multi-factor authentication products and services. Much of the content in this document is based on material from The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes by Frank Stajano et al., May 22, 2012.

Usability

  • Are users required to remember secrets?  How many?
  • Does adding more accounts for the user increase the burden on the user?
  • Are users required to carry an additional object?
  • What physical effort is required of the user?
  • How easy is the product or service to learn?
  • How much time is required to perform an authentication?  To associate a new account?
  • How reliable is the authentication process (i.e., are false negatives common)?
  • How easy is it to recover from a lost token or forgotten credentials?

Deployability

  • How accessible is the solution? Do certain disabilities preclude its use?
  • What is the cost of the solution?
    • What is the startup cost?
    • What are the operations costs?
    • What is the fixed cost per user?
    • Are there variable "per user" costs?
  • Is the solution compatible with existing server platforms?  Examples for higher education include:
    • Web/browser applications
    • Microsoft AD
    • Globus
    • Unix shell
    • VPN
    • Mobile
  • Is the solution compatible with existing clients and/or browsers?
  • Is the technology mature?  Has it been reviewed by an appropriately large community?
  • Is the solution proprietary?
  • Does the solution satisfy the authentication criteria for well-known assurance profiles?
  • Does the solution satisfy the authentication criteria for compliance with FERPA, HIPAA, PCI, and other requirements for higher education?

Security

  • Is the solution resistant to physical observation?
  • Is the solution resistant to targeted impersonation (e.g., by an acquaintance)?
  • Is the solution resistant to throttled guessing?
  • Is the solution resistant to unthrottled guessing?
  • Is the solution resistant to internal observation (e.g., by intercepting traffic across a network or within an end-device)?
  • Is the solution resistant to leaks from other verifiers?
  • Is the solution resistant to phishing?
  • Is the solution resistant to theft?
  • Does the solution require a trusted third party?
  • Is explicit user consent required to complete authentication?
  • Can authentication with one verifier be linked with another?
  • Does the solution require secrets to be stored on a server?