The Two Types of Two-Factor Authentication (2FA)

Two-Factor Everything
4 min read · Sep 28, 2016

Quick, which is better, Duo or Authy? People ask me that question all the time, but it’s a trick question — there’s no useful answer, unless you know what kind of two-factor authentication they’re looking for. They might seem similar, but those are two completely different products and they serve very different audiences.

People make this mistake because vendors want them to make this mistake. They specialize in one kind of customer, but hope the other customers will get confused and buy their product too. Authy’s website describes their product as “Two-Factor Authentication (2FA) to protect employees, customers and partners” and Duo’s just claims it “secures your organization by verifying the identity of your users.” Meanwhile, they offer totally distinct feature sets, serve unrelated parts of an organization, and charge drastically different prices for their services.

The key distinction comes down to who will be logging in with the product you choose: your employees, or your customers. Do you want Employee 2FA or Customer 2FA?

Employee 2FA

Employee 2FA is sold to InfoSec professionals in the IT department of a company, and it’s built to protect corporate data from breaches of employee accounts. The two most prominent vendors are RSA and Duo. RSA is older and much larger, with a legacy business built mostly on keychain dongles that now also supports more modern, phone-based forms of two-factor authentication. Duo is much newer and smaller, but has grown by offering a much cheaper alternative to RSA through phone-based forms of 2FA.

These companies support many different methods of authenticating a user, and focus on “endpoint security” that evaluates the security of each device logging into the network. They offer advanced access control policies governing which kinds of employees get access to which kinds of data, and they create detailed reports for IT administrators to help set up and enforce those policies. They work with VPNs and enterprise Identity and Access Management (IAM) systems, and integrate into enterprise applications. Their products also come with the expectation that an IT help desk will be available to set up new devices and that employees can call for help when they need it.

Customer 2FA

Customer 2FA, on the other hand, is sold to the Engineering and Product teams of a company, and it’s built to protect customer accounts from theft and fraud. TeleSign and Authy are two prominent vendors, and there is an open source option called Google Authenticator. TeleSign focuses primarily on text-message authentication, while Authy and Google Authenticator center more around TOTP codes delivered in an app.

For all three, the focus is on allowing the service to scale to big user bases without high overhead cost. They let users resolve issues themselves and self-manage setup and device management. The data they provide is mostly about the origins of new accounts, to try to prevent fraud before the account is created. They compete on reliability, the delivery rate of the messages they send, and how tolerant their systems are of user error. The goal is to create as little support burden as possible while offering two-factor authentication to large numbers of users.

Price Comparison and Summary

The result of those different focuses shows up in their prices. Employee 2FA does more for fewer users, so companies like Duo and RSA charge a base fee of $2-$6 per user per month. Their customers often sign large contracts with big setup and maintenance fees on top of the base fee. Customer 2FA does less for many more users, so companies like Authy and TeleSign charge $.003 to $.09 per login. For those of you counting at home, that’s 10x to almost 100x less!

Whether you want Employee or Customer 2FA will determine the vendors you choose, the features they offer, the kinds of customers they expect, and, importantly, the pricing they charge. Both products are called “two-factor authentication,” but you should know which kind of two-factor authentication you’re looking for before you start your search, and then focus only on the products that are going to serve you well.

If Customer 2FA has been in your backlog for months, but still hasn’t gotten prioritized, check out Instant2FA.com — it’s two-factor authentication that takes minutes to integrate instead of weeks.

Two-Factor Everything

usually thinking about what it’s like to be people on the internet — director of product at twitter — married to @ericajoy — he/him