Review: PhoneFactor

Deployment of the product was incredibly simple. After creating an account on PhoneFactor's website and providing a phone number to associate with that account, we downloaded the agent application. The agent needed to be installed on each application server we wanted to augment with the product. Using our Outlook Web Access server as a test bed, we ran the installation package, and after the files were copied we were prompted to log in with the user credentials we provided when setting up our account on the website.

Once we entered our login credentials, the PhoneFactor service placed a call to the phone we provided when initially setting up our account - all we had to do to authenticate was answer the call and press '#'. Out-of-the-box, the product supported a number of applications, including Outlook Web Access. All we had to do was check the appropriate box, provide the base URL, and add a user. We were able to import our users from Active Directory and assign phone numbers to each of them. From that point on, any time one of those users attempted to log into OWA, they received a phone call from PhoneFactor and needed to authenticate just as we did when setting up the agent software. That was it - configuration complete. 

PhoneFactor serves as an additional authentication layer for applications. It does not allow for multi-factor workstation authentication (i.e. local Windows login), but does support Windows Terminal Services. Additionally, IIS applications, Citrix Web Interface, websites that use forms-based authentication and applications that authenticate using Radius, including VPNs, are all supported out-of-the-box. The available SDKs allow that support to be extended further, with SDKs for Perl, Ruby, PHP, .NET and Java applications all downloadable from PhoneFactor's website.

By default, the product places a call to a specified mobile phone number, however SMS messaging and PINs are also available as authentication methods, as well as Oath tokens and a mobile phone app that can push authentication challenges to the user. The product's user portal account management tool can be set up as an end-user self-service website, allowing users to register their own phone numbers, activate the mobile app and set up security questions that can later be used to authenticate the user in case of a forgotten password or lost or stolen phone. The hosted online management portal allows administrators to assign new phone numbers to users, change PINs, or provide a one-time bypass of the PhoneFactor authentication process in case of emergencies. Reports based on usage, agent status, system changes and other items can be generated and viewed on the site, exported to CSVs, or scheduled and automatically emailed to administrators in an encrypted format. Client-based logging is also available; the system can be configured to use flat files or transmit log data to a syslog server. 

The product's documentation was decent. The text was detailed enough, with plenty of screenshots, but the formatting was no-frills, no bookmarking or indexing.

PhoneFactor offers two support tiers: gold level is ten-hours-a-day/five-days-a-week, providing phone, email and web-based support; and platinum level extends those hours to 24/7. Unfortunately it offers no real knowledgebase or technical FAQs, but then again the product is so simple that there's no real need.

PhoneFactor retails between £6 and £16 per user per year, including gold level support. The platinum support package can be purchased for an additional ten per cent of the total expenditure.