Secret Server (originally from Thycotic, now from Delinea since the 2021 Thycotic merger with Centrify) is an enterprise password management application, which is available with either a cloud-based or on-premise deployment which emphasizes fast deployment, scalability, and simplicity.
N/A
Google Authenticator
Score 8.6 out of 10
N/A
Google Authenticator is a mobile authentication app.
Great for managing access to secrets and servers and is more secure than storing passwords in a browser. The browser plugin to autofill passwords works well. Being able to schedule access ahead of time is a big plus for me as I can be forgetful. If you want a lightweight password vault, however, it may not be the best choice.
It is supported by virtually all cloud-based software applications for business. I am happy to allow users to use this in addition to other authenticators. Certainly, if your business is in the Google cloud it makes sense, but my approach to the remote/virtual work world these past couple of years has been structured flexibility. Leaving some choice up to the users for their own comfort, particularly when they are using their own devices. I cannot think of a scenario where it is less appropriate - perhaps where you run the risk of "app sprawl". I.e., where you are requiring users to handle multiple authenticators (which can happen with certain pieces of hardware) you may want to encourage consolidation into one to avoid frustration.
Password Management: Its entire purpose, really. Secret Server stores passwords in an incredibly easy to use way. They can be organized in groups, they contain all the information about the site or system the password is used for (including URLs for websites), and even a notes field. You can set up specific policies for expirations and complexity, and Secret Server can even generate strong passwords for you. Using a password is simple, too, since you can just click a button to add it to your clipboard; you don't even have to unmask the password.
Security: The passwords are stored encrypted in a SQL database, and the application requires an authenticated login. This could be local, but we tie it into Active Directory. Each folder of passwords has groups assigned (in our case, again, AD, but you can make them local groups) with different permission levels, so we can compartmentalize passwords. Desktop technicians don't have access to network switch passwords, etc.
Easy Setup: It took me about an hour to get the server running, from spinning up the VM to importing our old password list. It took a little longer to organize the passwords into proper folders, and then assigning groups, but it was easy to do.
Personal Passwords: Each user also gets a personal folder, where they can keep their own, unshared passwords. This is nice for sites or systems with individualized logins (e.g., a firewall, VPN, etc.)
Favorites: Secret Server lets you tag passwords as "favorites" so you can easily find ones you use constantly. The search feature is nice, but this is nicer.
The sharing functionality NEEDS improvement. We share most passwords at a group level, but then it becomes impossible to share them with a dynamic group and one or two one-off people as well. This is a major shortcoming.
I don't love the interface. I feel like there is an attempt at a dashboard, but it is really not effective.
I've heard, but never seen, that the software can actually change passwords in the target systems. If this is part of its deliverable, I do not know how to use it, and I don't know how you would do that. Seems like a great feature for password management.
I once performed a factory reset of my smartphone which had Google Authenticator. I didn't have a backup for the device. When I restored my phone with the same google account, I was not able to restore the authenticator app settings. I had to add all the keys back into the app to use it. This is cumbersome, but I understand it is set up this way for security reasons.
I don't like the ease with which it lets you delete a key. If I accidentally delete a key, I am doomed to get my 2FA key reset, unless I still have the QR code saved somewhere.
I have not faced any technical challenge personally using this application. It's very lightweight and doesn't require many system resources on your mobile device.
I have found Google’s support to be hit or miss. There are times when they are very responsive, and I get my issue resolved quickly, and there are times where a response from them takes weeks. There is no in-between. But my support experience with this particular product is nonexistent because I have not had a problem with it yet. Hopefully, we do not have any problems with it either.
There were not very many solutions that provided the entire package of taking an account from creation and deactivating it when no longer needed, as well as providing the discovery of unknown service accounts. Other solutions like RoboForm and LastPass did not offer the ability to manage your service accounts and added layers of complication to ensure security.
We deploy Google Authenticator in residential and non-managed client scenarios. Google Authenticator can perform the basic functions needed for multi-factor authentication but lacks the more advanced features of solutions like Cisco's Secure Access by Duo. Google Authenticator is our go-to solution for anyone ready to increase their security but struggling to find the necessary technology budget.
More secure data = less worried about a data breach.
Takes longer to log in, and if I don't have my phone then I have to go looking for it, so it really makes it so that you can't be without your phone, which in certain instances is annoying or not possible and can hold up work time.
Everyone is willing to use the same program because everyone likes Google—makes it easier to manage.
