Multi-Factor Authentication Solution Evaluation Criteria
This document outlines criteria that should be considered when evaluating multi-factor authentication products and services. Much of the content in this document is based on material from The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes by Frank Stajano et al., May 22, 2012.
Usability
- Are users required to remember secrets? How many?
- Does adding more accounts for the user increase the burden on the user?
- Are users required to carry an additional object?
- What physical effort is required of the user?
- How easy is the product or service to learn?
- How much time is required to perform an authentication? To associate a new account?
- How reliable is the authentication process (i.e., are false negatives common)?
- How easy is it to recover from a lost token or forgotten credentials?
Deployability
- How accessible is the solution? Do certain disabilities preclude its use?
- What is the cost of the solution?
  - What is the startup cost?
  - What are the operations costs?
  - What is the fixed cost per user?
  - Are there variable "per user" costs?
- Is the solution compatible with existing server platforms? Examples for higher education include:
  - Web/browser applications
  - Microsoft AD
  - Globus
  - Unix shell
  - VPN
  - Mobile
- Is the solution compatible with existing clients and/or browsers?
- Is the technology mature? Has it been reviewed by an appropriately large community?
- Is the solution proprietary?
- Does the solution satisfy the authentication criteria for well-known assurance profiles?
- Does the solution satisfy the authentication criteria for compliance with FERPA, HIPAA, PCI, and other requirements for higher education?
Security
- Is the solution resistant to physical observation?
- Is the solution resistant to targeted impersonation (e.g., by an acquaintance)?
- Is the solution resistant to throttled guessing?
- Is the solution resistant to unthrottled guessing?
- Is the solution resistant to internal observation (e.g., by intercepting traffic across a network or within an end-device)?
- Is the solution resistant to leaks from other verifiers?
- Is the solution resistant to phishing?
- Is the solution resistant to theft?
- Does the solution require a trusted third party?
- Is explicit user consent required to complete authentication?
- Can authentication with one verifier be linked with another?
- Does the solution require secrets to be stored on a server?