
Multi-Factor Authentication Solution Evaluation Criteria

This document outlines criteria that should be considered when evaluating multi-factor authentication products and services. Much of the content in this document is based on material from The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano, March 2012.

Usability

  • Are users required to remember secrets? How many? What is the required complexity of those secrets?
  • Does adding more accounts for the user increase the burden on the user?
  • Are users required to carry an additional object (to be used as an authentication token)?
  • What physical effort is required of the user?
  • How easy is the solution to learn?
  • How much time is required to perform an authentication? To associate a new account?
  • How reliable is the authentication process (i.e., are false negatives common)?
  • How easy is it to recover from a lost token or forgotten credentials?
  • How accessible is the solution? Do certain disabilities preclude its use?

Deployability

  • What is the total cost of the solution?
    • What is the startup cost?
    • What are the ongoing operational costs?
    • What is the fixed cost per user?
    • Are there variable "per user" costs?
  • Is the solution compatible with existing server platforms? Examples for higher education include:
    • Web/browser applications
    • Microsoft AD
    • Globus
    • Unix shell
    • VPN
    • Mobile
    • CAS
    • Shibboleth
  • Is the solution compatible with existing clients and/or browsers?
  • Is the solution scalable and flexible enough to be adapted to potential future applications?
  • Is the technology mature? Has it been reviewed by a sufficiently large community?
  • Is the solution proprietary?
  • Does the solution satisfy the authentication criteria for well-known assurance profiles?
  • Does the solution satisfy the authentication criteria for compliance with FERPA, HIPAA, PCI, and other requirements for higher education?
  • Does the solution conform with applicable standards, such as FIPS 140-2 and NIST 800-63-2?

Security

  • Is the solution resistant to physical observation?
  • Is the solution resistant to targeted impersonation (e.g., by an acquaintance)?
  • Is the solution resistant to throttled guessing?
  • Is the solution resistant to unthrottled guessing?
  • Is the solution resistant to internal observation (e.g., by intercepting traffic across a network or within an endpoint device)?
  • Is the solution resistant to leaks from other verifiers?
  • Is the solution resistant to phishing?
  • Is the solution resistant to theft?
  • Does the solution require a trusted third party?
  • Is explicit user consent required to complete authentication?
  • Can authentication with one verifier be linked with another?
  • Does the solution require secrets to be stored on a server?