Market Guide for User Authentication
The user authentication market spans an increasingly wide variety of technologies and vendors. Mobile and cloud are key to both needs and solutions that IAM leaders should consider. Vendors in adjacent markets begin to displace incumbent solutions in some cloud-first organizations.
Key Findings
- User experience (UX) is an important selection criterion, ahead of both trust and total cost of ownership (TCO) in a majority of organizations.
- Phone-as-a-token methods dominate in multiple use cases, including high-risk privileged access. Out-of-band push modes make inroads and will dominate in the short to midterm.
- Interest in contextual/analytic and adaptive approaches grows beyond online fraud detection in banking. However, few regulations and auditors recognize the efficacy of such approaches.
- Mobile biometric authentication methods are nascent, with early adoption in mobile banking apps. Native fingerprint modes dominate, but modes such as face and voice get some traction.
- Cloud-based services grow faster than the overall growth for this market for operational reasons, as well as macroeconomic trends that constrain staffing and support for on-premises solutions.
- Authentication is a horizontal capability across adjacent markets, especially identity and access management (IAM) as a service (IDaaS) offerings that can fully address cloud and legacy remote access.
Recommendations
- Identity and access management (IAM) and security leaders should seek user authentication methods that best provide the necessary balance among trust (authentication strength and accountability), total cost of ownership (TCO) and user experience in each use case.
- While common methods, especially phone-as-a-token methods, are increasingly commoditized and authentication is an increasingly horizontal capability, IAM and security leaders should look for vendor differentiation in breadth of capability and in experience and expertise in different vertical markets, such as retail banking and healthcare.
- IAM and security leaders in organizations taking a lean-forward stance to address advanced threats that leverage user credentials should seek solution sets that integrate rich contextual/analytic and adaptive approaches with robust legacy methods.
Strategic Planning Assumptions
By 2019, 90% of new and refreshed user authentication deployments for small and midsize organizations will be delivered via cloud, up from less than 50% today.
By 2019, 60% of phone-as-a-token deployments will use out-of-band push modes for the majority of users, up from less than 10% today.
Market Definition
This document was revised on 2 March 2016. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
Gartner defines "user authentication" as the real-time corroboration of a person's claimed digital identity with an implied or notional level of trust.1
User authentication is important to IAM leaders, because trust in users' identities is foundational to the value of other IAM functions such as authorization (especially segregation of duties), audit (individual accountability) and analytics.
User authentication is also important to other security and risk management leaders, a necessary (but not by itself sufficient) control for network, application and data security, and for reducing fraud.
The user authentication market encompasses a variety of products and services, implementing a range of authentication methods in addition to, or in place of, legacy passwords.2
Methods are typically classified by the kind of authentication factors that they use, alone or in combination; contextual authentication now supplements the canonical three factors: "what you know, hold and are."3
User authentication technologies are contiguous with other "trust technologies" such as identity proofing and online fraud detection (OFD); the boundaries between them are increasingly fuzzy.4
User authentication capabilities are delivered via discrete software, hardware or cloud-based services or are embedded in other offerings such as operating systems (OSs) and access management tools.
Market Direction
This Market Guide research supersedes the "Magic Quadrant for User Authentication."5 Our aim here is to establish a broader picture of the user authentication market and call out a greater number and diversity of vendors offering products and services embedding native user authentication capabilities.
The Magic Quadrant research focused on vendors that offered a stand-alone user authentication infrastructure and that had a substantial market presence. These infrastructure products and services can be integrated with one or many diverse target systems.
However, as noted in that research, user authentication "beyond passwords" may be natively supported in an OS or application, as well as Web access management (WAM) software, identity and access management (IAM) as a service (IDaaS), and other tools that themselves broker IAM functions to multiple target systems.
Among these, most significantly for the evolution of the user authentication market, many IDaaS and WAM software vendors embed phone-as-a-token methods6 and more, rivalling the capability of some of the smaller pure-play user authentication vendors that were evaluated in the last Magic Quadrant research, and are increasingly viable alternatives to pure-play user authentication products and services for cloud-first organizations.7 In addition, a few IDaaS vendors are now offering discrete user authentication services, enabling them to more easily displace incumbent vendors.
Choices of new authentication methods across all use cases are increasingly dictated by user experience (UX) needs as well as trust and total cost of ownership (TCO) considerations.8
- Phone-as-a-token methods continue to be the methods of choice in a majority of new and refreshed token deployments across a wider range of use cases.9 These methods are among the most widely available in the market and are offered by a variety of vendors outside the IAM market, especially those focusing on mobile communications, security and app development.10
One-time password (OTP) apps for phones are becoming accepted in higher-risk use cases, although OTP hardware tokens (or smart cards and the like) still dominate.11 OTP apps or, more commonly, out-of-band (OOB) methods are used in banking and similar sectors to provide transaction verification.12 More vendors now offer OOB push modes that offer trust, TCO and UX benefits over OTP apps and OOB SMS and voice modes. Gartner projects that "mobile push" will become the dominant phone-as-a-token method over the next two to three years.13
- Smart cards and other public-key hardware tokens14 are the most technically mature and most popular alternative to passwords for Windows PC and network login, but, as relatively few organizations use an alternative, overall adoption is rather low.15 Other options include public-key credentials ("user certificates") on the endpoint device, maybe taking advantage of hardware protection ("virtual smart card"),16 or on a smartphone connecting to a PC or tablet via Near Field Communication (NFC) or Bluetooth LE.17 Nascent Bluetooth LE tokens holding public-key credentials might provide an alternative that can be easily used with any endpoint device.
Some organizations use contact and hybrid smart cards as common access cards (CACs),18 but Gartner client interest in this technology remains low in vertical industries other than federal government, healthcare, higher education, manufacturing and utilities.19 A small number of organizations use smartphones for converged access. This will become more prevalent in the midterm and will likely obsolete card technologies in the long term.
- Biometric methods20 remain niche. Fingerprint remains the most widely used mode, with the technology embedded into a wide range of notebook PCs and smartphones. Apple Touch ID in particular has generated a lot of hype. Many banks have integrated Touch ID into their iOS apps, but the security value is limited;21 the primary goal is improved UX. Gartner sees more strategic value in other modes that can be implemented in software on any device and use ubiquitous input devices.22 We see increasing adoption of these modes in mobile banking, but corporate workforce use for mobile is still nascent.23 Gartner projects significant growth in adoption of nonfingerprint modes over the next few years backed by mainstream authentication vendors' partnerships with or acquisition of biometric vendors. The FIDO Alliance provides a standards-based way of integrating local biometric authentication with downstream services, but adoption is still nascent and its impact on the user authentication market remains unclear.24
- Many mainstream user authentication vendors, as well as some IDaaS and WAM software vendors, embed at least simple contextual/analytic and adaptive techniques into their products and services.25 Some OFD tools, widely deployed in retail banking, established this approach. OFD tools have been adopted by relatively few organizations in other use cases; some vendors, including EMC (RSA) and CA Technologies, now target these OFD tools at larger enterprises for remote-access use cases.
Other OFD vendors with advanced analytics are now eyeing corporate use cases. User and entity behavior analytics (UEBA) and cloud access security brokers (CASBs) with behavior analytics can also provide input to adaptive approaches,26 but combining multiple analytics tools will require careful orchestration. A simpler approach suits smaller organizations, which might be overwhelmed by the complexity of solutions aimed at online banking, and some user authentication and OFD vendors are targeting this need. Over the next few years, Gartner projects advanced analytics will see increased adoption in mainstream use cases.27 However, IAM and security leaders should note that few regulations demanding "two-factor" or "multifactor" authentication accept contextual/analytic methods.28
- The use of social login (external identity federation with social networks to simplify login to Web and cloud applications) for low-risk online consumer access is well-established.29 Social login can provide consumerlike UX for an organization's workforce too, which is particularly important for those pursuing digital workplace strategies.30 However, because social identities are less trustworthy than corporate identities, IAM leaders must be able to provide appropriate trust elevation for higher-risk access, within the context of adaptive approaches.
Cloud-based authentication services continue to grow faster than the overall growth for this market and Gartner projects that this will continue as multitenanted services mature and as cloud becomes more widely adopted as a more effective way of delivering any application or service in light of macroeconomic trends that will constrain staffing.31 On-premises solutions will persist in the longer term, especially in more risk-averse organizations that want to retain full control of user authentication processes or support local access without dependence on Internet connectivity.
Market Analysis
IAM and security leaders, as well as business leaders focusing on customer IAM, seek user authentication solutions across a variety of use cases that differ in the following criteria:
- Trust versus risk32
- TCO versus justifiable and available budget
- UX versus users' needs8
- Other technical and operational needs and constraints33
Some methods suit a wide range of use cases and many vendors offer infrastructure solutions supporting a variety of different methods. However, IAM and security leaders might not find a single solution that meets all use cases. Nevertheless, it is still possible to find a single vendor, if not a single product or service, that can meet diverse needs.34
In previous Magic Quadrant research, we used a fine-grained breakdown of different use cases. This research explores the needs across six different patterns that better fit the most common scenarios we see in client inquiries and other interactions. Some of these patterns "mix and match" multiple fine-grained use cases:
- Workforce PC and network login
- Workforce/partner remote access (via VPN, virtual desktop infrastructure [VDI] or Web-facing application)
- Systems administrator access (and other privileged users with access to critical infrastructure)
- Workforce/partner access to cloud services (SaaS)
- Online retail banking
- Other online B2C and G2C access
There are a few other patterns that we see less often, with less clear or less well-established best practices.
Workforce PC and Network Login
Gartner sees this pattern in a large minority of enterprises and a smaller fraction of SMBs.
Public-key hardware tokens dominate, largely because of the combination of native support for "interactive smart card login" in Windows OSs and the native PKI services in Active Directory (Active Directory Certificate Services). However, it's seldom the case that all users need the high trust that these tokens can provide.
Smart cards, in the form of PIV cards, are mandated for U.S. federal agencies by Homeland Security Presidential Directive 12 (HSPD-12).35
Gartner has seen some corporate adoption of fingerprint-enabled notebook PCs, but few mandate the use of these capabilities.36 Nevertheless, we do see some companies take this approach, especially when IAM and security leaders seek solutions that provide high individual accountability.37
Some user authentication vendors support the use of OTP tokens and OOB methods for this pattern. However, this requires that a GINA replacement or a new Credential Provider be installed on every PC, which adds implementation effort and might be fragile with respect to Windows OS upgrades. More importantly, this provides only a local proxy for the user's Windows password, so an attacker who can discover the user's password (or socially engineer a password reset) can log in as that user elsewhere.38
Windows 10 adds native support for authentication methods other than smart cards via Microsoft Passport and Windows Hello, including native support for face and iris as well as fingerprint modes.39 However, we expect only limited deployment of Windows 10 before June 2016,40 and mainstream adoption of Windows Hello will likely lag this by six to 12 months. IAM and security leaders in organizations planning an early rollout of Windows 10 should contact Gartner to discuss the potential impact on their user authentication choices.
Workforce/Partner Remote Access (via VPN, VDI or Web-Facing Application)
This pattern is the bread-and-butter of the corporate user authentication market. We see it in the majority of large enterprises but a rather smaller fraction of SMBs.
OTP tokens and OOB methods dominate. The key advantage of all of these methods is that they require no client software or interface devices, enabling their use with a variety of PCs and other endpoint devices that might be outside the company's control (for example, an employee's home PC or tablet). As noted in the Market Direction section, phone-as-a-token methods are now far more popular than OTP hardware tokens.41 However, OTP hardware tokens might still be indicated for some users for security or operational reasons.42
We see a small but growing use of contextual, adaptive techniques in this pattern. The main benefit is to improve UX for users who are routinely connecting from home or partner offices to access low-to-medium risk systems.43
Public-key hardware tokens are sometimes used, especially where an organization has already deployed them for PC and network login. However, problems with smart card readers and middleware are hard to resolve remotely, impacting user productivity.44
Systems Administrator Access (and Other Privileged Users With Access to Critical Infrastructure)
This pattern is widespread among enterprises but rather less common among SMBs.45
OTP hardware tokens dominate, but public-key hardware tokens are also widely used. The choice is largely influenced by what the organization is using for either of the patterns described above. In particular, we see that many organizations historically adopted OTP hardware tokens for remote access and simply reused that incumbent method, especially for system administrators with remote access for out-of-hours support.
The choice is also influenced by the constraints of integration with multiple target systems, with variable support for different methods. These constraints will depend on an organization's privileged account management (PAM) strategy. Providing system administrators and the like with access to target systems via shared accounts under the aegis of a modern PAM tool, rather than via personal accounts on each target system, means that there is a single point of integration for user authentication.46
Some organizations are now using OTP apps on smartphones, but the majority still favor hardware tokens for security and operational reasons.47 OTP apps and OOB push modes are particularly appropriate choices for external privileged users (such as vendor technicians).48
Workforce/Partner Access to Cloud Services (SaaS)
This pattern is becoming more popular as organizations make greater use of cloud services.
The preferred authentication methods here are very similar to those used for workforce/partner remote access. Many organizations are simply leveraging federated SSO support to extend the solution that they have in place for that pattern.
The notable difference is that a small but growing number of cloud-first organizations are looking exclusively to an IDaaS vendor to meet their user authentication needs, potentially displacing an incumbent user authentication vendor.7 In this use case, a CASB might provide appropriate contextual/analytic capabilities to enable an adaptive approach in conjunction with IDaaS (or a stand-alone user authentication solution).
Similar considerations likely apply to PaaS access. IaaS access tracks more closely the system administrator pattern above.
Online Retail Banking
This pattern is commonplace across banks worldwide, sometimes driven by local regulations.
The range of authentication methods used is wide. There are some clear geographical preferences, even without the constraints of local regulations, but even in one country (e.g., the U.K.) there can be wide variation.
Many banks take a two-tier approach, with a low or medium level of trust for initial login, and a medium or high level of trust (via step-up authentication or transaction verification) for potentially risky transactions. Eastern European, Latin American and Asian banks generally choose the higher trust option in each case.
The following methods are used for initial authentication and verification (authorization) of potentially risky transactions:
- Enhanced passwords and "knowledge-based authentication" (KBA) (initial login only)49
- Phone-as-a-token methods, especially OOB SMS modes
- OTP hardware tokens or remote chip authentication (RCA), using EMV payment cards with handheld card readers50
Contextual, adaptive techniques are widely used, but in the context of OFD tools, rather than user authentication. OFD tools identify risky transactions and prompt for trust elevation. Some of the phone-as-a-token methods aimed at the banking sector increasingly incorporate these techniques, consuming contextual data provided by the phone itself.
Gartner sees many banks, especially in Anglophone countries, exploiting the same mechanisms they use for identity proofing for new accounts for trust elevation for existing customers.4, 51
Mobile retail banking breaks some of these approaches for customer authentication; for example, where the token converges with the endpoint device it can no longer provide independent, and therefore robust, transaction verification (authorization). Banks seeking to better balance trust and customer experience are beginning to adopt a variety of biometric modes (see Market Direction section).
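The two-tier approach described above (low trust at login, trust elevation when a transaction's risk exceeds it, and phone-as-a-token methods not counting as independent verification when the transaction originates from the registered phone) as an added illustration; this is constructed example code, not from the report or any vendor, and the numeric trust levels, risk signals and thresholds are assumptions for the example only.

```python
"""Two-tier adaptive authentication for online banking (constructed example).

A session carries the trust level established at login. Each transaction is
scored for risk from contextual signals (device identity, location,
interaction history, amount). When risk exceeds the session's trust, the
policy asks for trust elevation (step-up) by a method strong enough to close
the gap. Method trust levels and thresholds below are assumed for the example.
"""
from dataclasses import dataclass, field

# Assumed trust levels per method, 1 (low) to 4 (high). Illustrative only;
# the report does not assign numeric levels.
METHOD_TRUST = {
    "password": 1,
    "kba": 1,
    "oob_sms": 2,
    "oob_push": 3,
    "otp_hardware": 3,
    "rca_payment_card": 4,
}
# Phone-as-a-token methods: not an independent verifier when the transaction
# itself originates from the registered phone (token converged with endpoint).
PHONE_METHODS = {"oob_sms", "oob_push"}


@dataclass
class Session:
    user: str
    trust: int                      # highest trust level established so far
    phone_device_id: str            # registered phone for OOB methods
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


@dataclass
class Transaction:
    amount: float
    device_id: str
    country: str
    new_payee: bool


def risk_score(session: Session, tx: Transaction) -> int:
    """Risk 1..4 from three kinds of context: device, location, history."""
    score = 1
    if tx.device_id not in session.known_devices:
        score += 1                  # unrecognised endpoint device
    if tx.country not in session.usual_countries:
        score += 1                  # unusual location
    if tx.new_payee:
        score += 1                  # no interaction history with this payee
    if tx.amount >= 5000:
        score += 1                  # high-value transaction (assumed threshold)
    return min(score, 4)


def decide(session: Session, tx: Transaction):
    """Return ('allow', risk, None) or ('step_up', risk, [eligible methods])."""
    risk = risk_score(session, tx)
    if risk <= session.trust:
        return ("allow", risk, None)
    eligible = []
    for method, trust in METHOD_TRUST.items():
        if trust < risk:
            continue                # too weak to cover the risk
        if method in PHONE_METHODS and tx.device_id == session.phone_device_id:
            continue                # not independent: same device as the transaction
        eligible.append(method)
    return ("step_up", risk, eligible)


def elevate(session: Session, method: str) -> int:
    """Record a successful step-up; trust never decreases within a session."""
    if method not in METHOD_TRUST:
        raise ValueError(f"unknown method: {method}")
    session.trust = max(session.trust, METHOD_TRUST[method])
    return session.trust


def demo():
    """Constructed scenario: password login, then three transactions."""
    s = Session("alice", METHOD_TRUST["password"], "phone-1",
                known_devices={"pc-1", "phone-1"}, usual_countries={"GB"})
    low = Transaction(50.0, "pc-1", "GB", new_payee=False)
    high_pc = Transaction(7000.0, "pc-1", "GB", new_payee=True)
    high_phone = Transaction(7000.0, "phone-1", "GB", new_payee=True)
    first = decide(s, low)          # low risk: allowed on password trust
    second = decide(s, high_pc)     # step-up; OOB push is independent here
    third = decide(s, high_phone)   # step-up; phone methods excluded
    elevate(s, "otp_hardware")      # user completes hardware OTP step-up
    after = decide(s, high_pc)      # now covered by the elevated trust
    return first, second, third, after


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```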
Other Online B2C and G2C Access
Many financial services organizations, especially health insurance, are adopting a similar pattern as for online retail banking. While there is no dominant pattern for other B2C and G2C, and many organizations still do nothing beyond using passwords, Gartner sees some other subpatterns emerging:
- Many social networks, MNOs and some other consumer-focused services use phone-as-a-token methods, especially OOB SMS modes, to support their forgotten password processes as an alternative to sending users emails (with links to a password reset page); this provides better security and UX. Some global social networks also make use of contextual/analytic and adaptive techniques.
- We see some interest in using single-factor OOB authentication methods as a full alternative to passwords for online services that are accessed infrequently, where it is therefore common for users to have forgotten their passwords from one visit to the next. An OOB SMS text to a registered phone number provides an "unforgettable" password.52
- Where social login is supported to avoid customers having to remember yet another username and password, some organizations use contextual, adaptive techniques with phone-as-a-token methods for trust elevation.53 Integration with Mobile Connect (an authentication initiative by mobile network operators) potentially kills two birds with one stone.54
Table 1 sets out our assessment of the prevalence and suitability of different kinds of authentication method across the major patterns.
Table 1. Prevalence and Suitability
| Pattern | OTP hardware tokens | RCA with payment cards | OTP apps for smartphones | OOB SMS or voice | OOB push | Public-key hardware tokens | Fingerprint methods | Other biometric modes | Device identity and (trusted) location awareness | Broad contextual/analytic and adaptive techniques |
|---|---|---|---|---|---|---|---|---|---|---|
| Workforce PC and network login | ■ | — | ■ | ■ | ■ | ■■■■ | ■ | ■ | — | — |
| Workforce/partner remote access | ■■ | — | ■■■ | ■■ | ■ | ■ | ■ | ■ | ■ | ■ |
| Systems administrator access | ■■■ | — | ■■ | ■ | ■ | ■■ | — | — | — | ■ |
| Workforce/partner access to cloud services | ■ | — | ■■■ | ■■ | ■ | ■ | ■ | ■ | ■ | ■ |
| Online retail banking | ■■ | ■■ | ■ | ■■ | ■■■ | ■ | ■ | ■ | ■■ | ■■■ |
| Other online B2C and G2C access | — | — | ■ | ■■■ | ■■ | — | — | — | ■ | ■ |
Prevalence is represented by zero to four square bullets, with four bullets indicating that the method is commonplace in the pattern. Suitability is represented by one to four checkmarks, with four indicating that the method is the best suited in the pattern; a cross indicates that we deprecate the use of that method.
Source: Gartner (February 2016)
Representative Vendors
The vendors listed in this Market Guide do not constitute an exhaustive list. This section is intended to provide more understanding of the market and its offerings.
Table 2 presents summary information about representative vendors. These include mainstream user authentication vendors, as well as smart card and biometric authentication vendors,55,56 with significant presence in the market, some notable smaller, specialist authentication vendors and vendors in adjacent markets (IDaaS, OFD, WAM software) with notable embedded authentication capabilities.
Table 2. Forty Representative User Authentication Vendors
| Vendor | HQ | Geographic Focus | Technology/Market Focus | Notes |
|---|---|---|---|---|
| 2FA | US-TX | US | UA | |
| Bio-key | US-NJ | (no data) | UA | |
| BioCatch | Israel | US & Canada, LatAm, Europe | UA, OFD | |
| CA Technologies | US-NY | US ** | UA ⊞, OFD, IDaaS, WAM | |
| Centrify | US-CA | US & Canada | IDaaS | |
| Crossmatch | US-FL | US & Canada, LatAm, Japan | UA | Acquired Digital Persona, April 2014 |
| Daon | US-VA | US & Canada * ** | UA | |
| Datablink | US-VA | LatAm | UA | Merged with Brazil-based BRToken, September 2014 |
| Deepnet Security | UK | Europe, US | UA | |
| Duo Security | US-MI | US | UA ⊞ | |
| Early Warning | US-AZ | US | UA ⊞ (Authentify) | Acquired Authentify, April 2015 |
| EMC (RSA) | US-MA | US * | UA ⊞, OFD, IDaaS, WAM | Dell agreed to buy EMC, October 2015 |
| Entersekt | ZA | Africa, Europe, US | UA | |
| Entrust Datacard | US-MN | US, Canada, Europe, LatAm, and ME | UA ⊞ | |
| EyeVerify | US-MO | US, APAC (other) | UA | |
| Gemalto | NL | US * ** | UA ⊞ | Acquired SafeNet, January 2015 |
| Giesecke & Devrient (G&D) | DE | (no data) | UA | |
| HID Global | US-TX | Europe, U.S. * | UA ⊞ | Owned by Assa Abloy (SE); acquired Lumidigm February 2014 |
| i-Sprint Innovations | SG | APAC (other) | UA, WAM | Owned by Teamsun/Automated Systems Holdings (CN) |
| IBM | US-NY | US, Canada, Europe, AU & NZ, APAC (other) | UA, IDaaS, WAM | |
| ImageWare Systems (IWS) | US-CA | US, Europe, Japan | UA | |
| Imprivata | US-MA | US | UA, ESSO | |
| Microsoft | US-WA | (no data) | UA ⊞, IDaaS | Microsoft did not provide a breakdown of its global customers. |
| Morpho (Safran) | FR | Europe | UA | A Safran company |
| mSIGNIA | US-TN | US | UA, OFD | |
| Nexus | SE | Europe, ME, APAC (other) | UA ⊞ | |
| Oberthur Technologies | FR | (no data) | UA | Oberthur did not provide a breakdown of its customers. |
| Okta | US-CA | US | IDaaS | |
| Ping Identity | US-CA | US, Europe, AU-NZ | UA, IDaaS, WAM | |
| PointSharp | SE | Europe | UA ⊞ | |
| Salesforce | US-CA | US, Europe, APAC (other) | IDaaS | Acquired Toopher, April 2015 |
| SecureAuth | US-CA | US, Europe | UA ⊞ | |
| SecurEnvoy | UK | Europe, U.S., APAC (other) | UA ⊞ | |
| SMS Passcode | DK | Europe | UA ⊞ | |
| Swivel Secure | UK | Europe | UA | |
| Symantec | US-CA | US, Europe * | UA & | |
| TeleSign | US-CA | US, Europe, APAC (other) | UA ⊞ | |
| ThreatMetrix | US-CA | US, Europe, APAC (other) | OFD | |
| Vasco | US-IL | Europe, Japan, U.S. & Canada, LatAm | UA ⊞ | |
| Yubico | SE, US-CA | US * | UA | |
Table Notes
HQ: Country where the vendor is headquartered (ISO 3166-1 alpha-2 codes) and state for U.S.-based vendors.
Geographic focus: Regions where more than 10% (Americas, EMEA) or more than 5% (Asia/Pacific) of the vendor's customers are located. The regions are defined as: Americas: Canada, USA, Latin America; EMEA: Europe, Middle East, Africa; Asia/Pacific: Japan, Australia and New Zealand, other.
Technology/market focus: The market in which the vendor's offering(s) is/are most often seen to compete. "UA" indicates "user authentication" (with vendors included in the evaluative analysis in the most recent Magic Quadrant research marked "⊞").
Notes: Additional comments.
Source: Gartner (February 2016)
Tables 3 to 5 show the authentication methods offered and supported by the vendors, segregated by technology/market focus (as defined above). User authentication vendors are further segregated by focus (roughly, by the range and variety of authentication methods offered).
Table 3. Wide-Focus User Authentication and OFD Vendors Methods and Patterns Supported
| Vendor | OTP hardware tokens | RCA with payment cards | OTP apps for smartphones | OOB SMS or voice | OOB push | Public-key hardware tokens | Fingerprint methods | Other biometric modes | Device identity and (trusted) location awareness | Broad contextual/analytic and adaptive techniques | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2FA | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | |
| BioCatch | | | | | | | | ✓ | | ✓ | |
| CA Technologies | † | | ✓ | ✓ | | | | | ✓ | ✓ | CA Advanced Authentication |
| Crossmatch | † | | ✓ | | ✓ | † | ✓ | ✓ | | * | * partly fulfils analytics criterion |
| Daon | | | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | | |
| Datablink | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | | |
| Deepnet Security | ✓ | | ✓ | ✓ | ✓ | | | ✓ | ✓ | | |
| EMC (RSA) | | | SDK | ✓ | ✓ | | | | ✓ | ✓ | RSA Adaptive Authentication (AA) only |
| EMC (RSA) | ✓ | | ✓ | ✓ | | ✓ | | | ✓ | ✓* | RSA Authentication Manager only |
| Entrust Datacard | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | * | IdentityGuard |
| Gemalto | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | ✓ | |
| HID Global | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | |
| i-Sprint Innovations | ✓ | † | ✓ | ✓ | ✓ | † | † | † | ✓ | * | AccessMatrix Universal Authentication Server (UAS) |
| Morpho (Safran) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | |
| mSIGNIA | | | | ✓ | ✓ | | | | ✓ | ✓ | |
| Nexus | ✓ | | ✓ | ✓ | ✓ | ✓ | | | ✓ | * | * partly fulfils analytics criterion |
| SecureAuth | ✓ | | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ | |
| Symantec | ✓ | | ✓ | ✓ | ✓ | ✓ | | | ✓ | ✓ | |
| ThreatMetrix | | | ✓ | ✓ | | | | | ✓ | ✓ | |
| Vasco | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | ✓ | ✓ | |
Table Notes
For a discussion of the authentication methods represented in the columns in this table, see "A Taxonomy of Authentication Methods."
Fingerprint methods: A check mark here indicates that vendor software handles the biometric data and performs comparison and matching. Several vendors integrate fingerprint methods embedded in smartphones (Apple Touch ID and the like) within their mobile apps for OTP and OOB push, but we don't reflect that in this column, as the vendor software is simply consuming a "black-box" decision over which the vendor has no control.
Broad contextual/analytic and adaptive techniques: A check mark here indicates that the vendor software:
- Consumes multiple elements in three or more of the following kinds of contextual information: endpoint device identity, location, interaction metrics, interaction history, biometric comparison score, "other."
- Uses a variety of analytic techniques (not just static rules).
- Provides trust elevation, such as step-up authentication, or risk mitigation responses when risk exceeds trust.
("†" indicates out-of-the-box support for third-party authenticators)
Source: Gartner (February 2016)
Table 4. Tight-Focus User Authentication Vendors Methods and Patterns Supported
| Vendor | OTP hardware tokens | RCA with payment cards | OTP apps for smartphones | OOB SMS or voice | OOB push | Public-key hardware tokens | Fingerprint methods | Other biometric modes | Device identity and (trusted) location awareness | Broad contextual/analytic and adaptive techniques | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Bio-key | | | | | | | ✓ | | | | |
| Duo Security | † | | ✓ | ✓ | ✓ | | | | ✓* | | * plus network and time of day |
| Early Warning | | | ✓ | ✓ | ✓ | | | ✓ | ✓ | | Authentify Platform Solution Suite |
| Entersekt | | | ✓ | ✓ | ✓ | | | | | | |
| EyeVerify | | | | | | | | ✓ | | | |
| Giesecke & Devrient (G&D) | | | | | | ✓ | | | | | |
| ImageWare Systems (IWS) | | | | ✓ | ✓ | | ✓ | ✓ | | | |
| Imprivata | ✓ | | ✓ | ✓ | | | ✓ | | | | |
| Oberthur Technologies | ✓ | | | | | ✓ | | | | | Oberthur also supports methods in other categories for services such as payments. |
| Ping Identity | † | | ✓ | ✓ | ✓ | † | | | ✓ | | PingID (can be licensed separately from PingOne; see Table 5) |
| PointSharp | ✓ | | ✓ | ✓ | ✓ | ✓ | | | | ✓ | |
| SecurEnvoy | | | ✓ | ✓ | ✓ | | | | ✓ | | |
| SMS Passcode | † | | † | ✓ | ✓* | | | | ✓** | | * for OTP delivery only |
| Swivel Secure | ✓ | | ✓ | ✓ | ✓ | | | | ✓* | | * plus time of day |
| TeleSign | | | | ✓ | ✓ | | | | | ✓ | |
| Yubico | ✓ | | | | | ✓ | | | | | |
Source: Gartner (February 2016)
Table 5. IDaaS and WAM Software Vendors Methods and Patterns Supported
| Vendor | OTP hardware tokens | RCA with payment cards | OTP apps for smartphones | OOB SMS or voice | OOB push | Public-key hardware tokens | Fingerprint methods | Other biometric modes | Device identity and (trusted) location awareness | Broad contextual/analytic and adaptive techniques | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CA Technologies | | | ✓ | ✓ | | | | | | | CA Secure Cloud, CA Single Sign-On |
| Centrify | | | ✓ | ✓ | ✓ | † | | | ✓* | | * plus network and time of day |
| EMC (RSA) | | | | | ✓ | | | | * | | RSA Via only |
| i-Sprint Innovations | ✓ | † | ✓ | ✓ | ✓ | † | † | † | ✓ | * | AccessMatrix Universal Access Manager (UAM) |
| IBM | † | | † | ✓ | † | † | † | † | ✓ | ✓ | IBM Cloud Identity Service, IBM Security Access Manager |
| Microsoft | ✓ | | ✓ | ✓ | ✓ | | | | ✓ | | Microsoft Azure; note that Microsoft Azure MFA is offered as a stand-alone tool |
| Okta | † | | ✓ | ✓ | ✓ | | | | ✓ | | |
| Ping Identity | † | | ✓ | ✓ | ✓ | † | | | ✓ | | PingOne (license includes all the capabilities of PingID; see Table 4) |
| Salesforce | † | | ✓ | ✓ | ✓ | | | | ✓ | | Trusted location awareness from Toopher acquisition |
Source: Gartner (February 2016)
Table 6 shows the vertical industries (see Note 1) that represent a significant proportion of each vendor's customers or where the vendor focuses sales and marketing effort (based on information provided by the vendors). Blank cells do not indicate that a vendor has no customers in that vertical industry and readers should not infer that the vendor cannot meet the needs of an organization in any of the other industry verticals.
Table 6. Vertical Industry Focus
|  | Banking | Education | Energy Resources and Processing | Government | Healthcare Providers | Insurance | Investment Services | Manufacturing | Media | Natural Resources or Materials | Retail | Services | Telecommunications | Transportation | Utilities | Wholesale … | All Other |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2FA |  | ✓ |  | ✓ | ✓ | ✓ | ✓ | ✓ |  |  |  | ✓ |  |  | ✓ | ✓ |  |
| Bio-key | ✓ |  |  | ✓ | ✓ | ✓ | ✓ |  |  |  |  |  | ✓ |  |  |  |  |
| BioCatch | ✓ |  |  |  |  | ✓ | ✓ |  |  |  | ✓ |  |  |  |  |  |  |
| CA Technologies | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ | ✓ |  |  |
| Centrify | ✓ |  | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |  |  |  |  |  |
| Crossmatch | ✓ |  |  | ✓ | ✓ | ✓ | ✓ | ✓ |  |  | ✓ | ✓ |  |  |  |  |  |
| Daon | ✓ |  |  | ✓ | ✓ | ✓ | ✓ |  |  |  |  |  |  |  |  |  |  |
| Datablink | ✓ | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |  |  |
| Deepnet Security |  | ✓ |  | ✓ |  | ✓ |  |  |  |  |  |  |  |  |  |  |  |
| Duo Security |  | ✓ |  |  | ✓ |  | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |  |
| Early Warning | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ |  |  |  | ✓ |  | ✓ |  |  | ✓ |  |
| EMC (RSA) | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |  | ✓ |  |  |
| Entersekt | ✓ |  |  |  |  | ✓ | ✓ |  |  |  |  |  | ✓ |  |  |  |  |
| Entrust Datacard | ✓ |  |  | ✓ |  | ✓ | ✓ | ✓ |  |  |  | ✓ |  |  |  |  |  |
| EyeVerify | ✓ |  |  |  |  |  | ✓ |  |  |  |  |  | ✓ |  |  |  |  |
| Gemalto | ✓* |  |  | ✓ | ✓ | ✓* | ✓* | ✓ | ✓ |  | ✓ |  | ✓ |  |  |  |  |
| Giesecke & Devrient (G&D) |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
| HID Global | ✓ | ✓ |  | ✓ | ✓ | ✓ |  |  |  |  | ✓ | ✓ | ✓ |  | ✓ |  |  |
| i-Sprint Innovations | ✓ |  |  | ✓ |  | ✓ | ✓ | ✓ |  |  |  | ✓ | ✓ |  |  |  |  |
| IBM | ✓ |  |  | ✓ | ✓ | ✓ | ✓ |  | ✓ |  | ✓ | ✓ | ✓ | ✓ |  |  |  |
| ImageWare Systems (IWS) | ✓ |  |  | ✓ | ✓ | ✓ | ✓ |  |  |  | ✓ | ✓ | ✓ | ✓ |  |  |  |
| Imprivata |  |  |  |  | ✓ |  |  |  |  |  |  |  |  |  |  |  |  |
| Microsoft | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ |
| Morpho (Safran) | ✓ |  |  | ✓ |  | ✓ |  |  |  |  | ✓ |  | ✓ |  |  |  |  |
| mSIGNIA | ✓ |  |  |  |  |  |  |  |  |  | ✓ |  |  |  |  |  |  |
| Nexus | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ | ✓ |  |  |  | ✓ | ✓ |  | ✓ |  |  |
| Oberthur Technologies | ✓ |  |  | ✓ | ✓ |  |  |  |  |  |  |  | ✓ |  |  |  | ✓ |
| Okta | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ |
| Ping Identity | ✓ |  |  |  | ✓ | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |  |  |  |  |  |
| PointSharp | ✓ |  |  | ✓ |  | ✓ | ✓ |  |  | ✓ |  |  |  |  |  |  |  |
| Salesforce | ✓ |  |  | ✓ |  |  |  | ✓ | ✓ |  | ✓ |  |  |  |  |  |  |
| SecureAuth | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ |  |  |  |  |  |  |  |  |  |  |
| SecurEnvoy |  | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ |
| SMS Passcode | ✓ |  |  | ✓ | ✓ |  |  |  |  |  |  | ✓ |  |  |  |  |  |
| Swivel Secure |  | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |  |
| Symantec | ✓ | ✓ |  | ✓ | ✓ |  |  |  |  |  | ✓ | ✓ | ✓ |  |  |  |  |
| TeleSign | ✓ |  |  |  |  | ✓ | ✓ |  | ✓ |  |  | ✓ |  |  |  |  |  |
| Threatmetrix | ✓ |  |  | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ |  |  |  |
| Vasco | ✓ | ✓ |  | ✓ | ✓ | ✓ | ✓ |  |  |  |  | ✓ |  |  |  |  |  |
| Yubico | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ | ≡ |
Please note that "≡" indicates a largely horizontal focus for the vendor.
Source: Gartner (February 2016)
Market Recommendations
While the prospect of a universal, high-trust authentication method may be initially attractive, it is usually overkill because most users have access to only low- or medium-risk applications and data, and it may be unnecessarily costly. For many organizations, implementing a well-defined range of authentication methods that balances needs in each use case is the best approach.
IAM and security leaders should:
- Embrace the opportunities offered by OOB push modes among other phone-as-a-token methods, with attention to the availability of devices and alignment to UX and trust requirements.
- Identify use cases that will benefit from the value that contextual/analytic and adaptive approaches can provide in both improving UX and more effectively mitigating risk. While many clients focus on the UX improvements (deferring the friction of legacy methods until the level of risk dictates it), the risk mitigation benefits of analytic approaches, especially those provided by UEBA tools, fit organizations taking a lean-forward stance to address advanced threats that leverage user credentials (that is, legacy password authentication).
- Carefully evaluate mobile biometric methods (which are not widely deployed, but are poised to be significant) and do not be distracted by the hype around Apple Touch ID and similar fingerprint methods implemented by handset vendors. Give preference to methods that can be implemented in software across any and all phones (and other endpoint devices) wholly under the control of the organization.
- Consider smart cards and other public-key tokens for limited high-trust use cases, but seek emerging solutions that promise greater versatility without the need for a separate interface device for each of a user's endpoint devices. Examples include methods that provision credentials to mobile devices, enabling them to act as "contactless smart cards" via NFC or Bluetooth, and nascent Bluetooth LE hardware tokens (wearables and other form factors).
- Determine the value of IDaaS as an authentication solution, not just for access to cloud applications but also for legacy remote access needs. IDaaS vendors continue to extend their capabilities to embrace VPN and VDI use cases.
- To confirm a system entity's asserted principal identity with a specified or understood level of confidence ("Glossary for the OASIS Security Assertion Markup Language [SAML] V2.0," OASIS Standard, 2005).
- Entity authentication is the corroboration of the claimed identity of an entity and a set of its observed attributes (Modinis Study on Identity Management in eGovernment, "Common Terminological Framework for Interoperable Electronic Identity Management," Consultation Paper v2.01).
- The process of establishing confidence in the identity of users or information systems (NIST SP 800-63-2, "Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology").
- The focus is on identity claims made by people, not things (see "Authentication in the Internet of Things").
- The focus is on the claim of a digital identity, typically instantiated in a user account or user profile. User authentication provides evidence that the person accessing a computer, network, app, cloud-based service and so on is the person for whom the identity was created (and who is entitled to the access that flows from that).
- User authentication does not, strictly, provide any evidence that the person has a particular real-world identity; that claim should have been examined in a prior step, before the digital identity was provisioned. We normally talk about "identity proofing" in this context, although some clients do call it "authentication." The waters are further muddied when the same mechanisms are used for user authentication as well as identity proofing.
- Type 1: Something known only to the user; for example, a password, a passphrase, a PIN, a pattern or a picture.
- Type 2: Something held only by the user; for example, a token, such as an OTP token or a smart card with X.509 public-key infrastructure credentials.
- More pedantically, the credential is the cryptographic key (or similar) stored in the token, rather than the token itself.
- Type 3: Something inherent only to the user; that is, a biometric trait, such as face topography, fingerprint or typing rhythm.
- It was too shallow, restricted to about 20 vendors in a market of hundreds, in which there are likely 50 vendors that have credible enterprise solutions.
- It was too narrow, omitting, for example, significant smart card and biometric authentication vendors.
- It was too strict, omitting products/services in adjacent markets, such as IAM-as-a-service, with native authentication capabilities on a par with some "pure" authentication solutions.
- Out-of-band (OOB) authentication, in which a user and an authentication server exchange authentication information over a different channel from the one between endpoint and server. These methods exploit automated voice calls, SMS text messaging or push notification. At least one vendor also supports over-the-top (OTT) messaging (such as WhatsApp and Facebook Messenger).
- One-time password (OTP) apps for smartphones, which allow phones to be used like traditional OTP hardware tokens.
- Problems with smart card readers and middleware are hard to resolve remotely, impacting user productivity.
- Support is dependent on the mobile OS. Mobile-compatible readers incur a sometimes prohibitive additional cost and add bulk to the device, reducing UX.
- Banking
- Education:
- Higher Education
- Primary and Secondary Education
- Energy Resources and Processing
- Government:
- Defense and Intelligence
- Local or Regional
- National or International Government
- Healthcare Providers:
- Ambulatory Clinic
- Hospital or Integrated Delivery Network (IDN)
- Physician Practice
- Insurance:
- Health Insurance (payer)
- Life Insurance
- Property and Casualty Insurance
- Other
- Investment Services
- Manufacturing:
- Automotive
- Consumer Nondurable Products
- Heavy Industry
- IT Hardware
- Life Sciences (pharma and biotech) or Healthcare Products (equipment and supplies)
- Other
- Media:
- Broadcasting or Cable
- Entertainment (to include cultural institutions such as museums, etc.)
- Publishing or Advertising
- Natural Resources or Materials
- Retail:
- General Retailers
- Grocery
- Restaurants and Hotels
- Specialty Retailers
- Services:
- Information Technology Services and Software
- Other Business, Consulting or Consumer Services
- Telecommunications
- Transportation:
- Air Transport
- Motor Freight
- Pipelines
- Rail and Water
- Warehousing, Couriers, Support Services
- Utilities
- Electric or Gas
- Water Utilities
- Wholesale Durable and Nondurable Goods
- All Other
The authentication market is populated with mature vendors and a growing number of new entrants, especially in and from adjacent markets. Capabilities and experience/expertise across patterns vary widely among these vendors. For some organizations, using a single vendor can satisfy most needs, even when a variety of methods are required across multiple use cases. However, IAM and security leaders might consider using multiple vendors to address the needs of different use cases or sets of use cases (for example, workforce versus customer). This is likely for those that are seeking rich contextual/analytic and adaptive approaches and mobile biometric technologies (which are rarely supported by mainstream "token" vendors).
Acronym Key and Glossary Terms
| Acronym | Term |
|---|---|
| AD FS | Active Directory Federation Services |
| ANSI | American National Standards Institute |
| CAC | Common (or converged) access card |
| CAP | Chip Authentication Program (MasterCard's RCA specification) |
| CASB | Cloud access security broker |
| CM | Card management |
| CSP | Cloud service provider |
| DPA | Dynamic Passcode Authentication (Visa's RCA specification) |
| EMV | Europay, MasterCard and Visa |
| ESSO | Enterprise single sign-on |
| FERC | Federal Energy Regulatory Commission |
| FIDO | Fast Identity Online |
| FIPS | Federal Information Processing Standard |
| GSMA | GSM Association |
| HIPAA | Health Insurance Portability and Accountability Act |
| HITECH | Health Information Technology for Economic and Clinical Health |
| HMAC | Hash-based Message Authentication Code |
| HOTP | HMAC-based OTP |
| HVD | Hosted virtual desktop |
| IAM | Identity and access management |
| IDaaS | IAM as a service |
| IDP | Identity provider |
| LDAP | Lightweight Directory Access Protocol |
| LE | Low energy |
| MSP | Managed service provider |
| MSSP | Managed security service provider |
| NERC | North American Electric Reliability Corp. |
| NFC | Near Field Communication |
| NIST | National Institute of Standards and Technology |
| OATH | Initiative for Open Authentication |
| OCRA | OATH Challenge-Response Algorithm |
| OCSP | Online Certificate Status Protocol |
| OFD | Online fraud detection |
| OOB | Out-of-band |
| OTP | One-time password |
| PCI DSS | Payment Card Industry Data Security Standard |
| PIV | Personal Identity Verification (HSPD-12) |
| PKI | Public-key infrastructure |
| POC | Proof of concept |
| RCA | Remote chip authentication (a generic term covering MasterCard Chip Authentication Program and Visa Dynamic Passcode Authentication) |
| SAML | Security Assertion Markup Language |
| SDK | Software development kit |
| SMB | Small or midsize business |
| SSL | Secure Sockets Layer |
| SSO | Single sign-on |
| TCO | Total cost of ownership |
| TOTP | Time-based OTP |
| U2F | Universal Second Factor (a FIDO Alliance specification) |
| UEBA | User and entity behavior analytics |
| UX | User experience |
| WAM | Web access management |
| WLAN | Wireless LAN |
Evidence
In addition to the specific citations below, this research is based on a survey of user authentication vendors (including some not included in the Representative Vendors section) and a variety of interactions with vendors and end-user organizations.
1The definition we adopt here is based on a number of similar definitions from canonical industry standards. For example:
We use "corroborating" in preference to "confirming" or "verifying" because it better conveys the idea that authentication cannot provide absolute proof of a user's claimed digital identity. There are three crucial points:
2Legacy passwords remain a ubiquitous, but notoriously weak, user authentication method. Neither increasing password length and complexity nor forcing periodic changes (both commonly demanded by regulators and auditors) is effective against purposeful attacks or accidental leakage (see "Best Practices for Managing Passwords: End-User Policies Must Balance Risk, Compliance and Usability Needs; Update").
3Canonically, there are three kinds of credentials that characterize user authentication methods:
These are usually referred to as "authentication factors," although it is ambiguous whether the term refers to a kind or an instance of a credential.
This description goes back at least as far as Federal Information Processing Standards (FIPS) Publication (Pub) 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974," NCJRS, 1975. The FIPS Pub 41 taxonomy was restated by the National Computer Security Center in NCSC-TG-017, "A Guide to Understanding Identification and Authentication in Trusted Systems," The Rainbow Books, 1991. Here, an authentication method based on knowledge is called Type 1, a method based on what the user holds is Type 2, and a method based on an inherent characteristic is Type 3. All types may be described as "authentication by possession," although this is sometimes used to mean only Type 2.
The descriptions are often stated in the second person: "something you know," "something you have" and "something you are." However, only the first description is unambiguous and inclusive. Because it is common to call someone in possession of a (payment) card the cardholder, it seems natural to use the phrase "something held." A biometric characteristic can arguably be described as "something you have" or "something you possess," and behavioral biometric characteristics are as much "something you do" as "something you are." Thus, the language we use here to encompass all biometric characteristics is "something inherent."
Authentication may be based on just one of these authentication factors (although a token is rarely used alone) or on some combination of two or three factors: two-factor authentication (2FA) or three-factor authentication (3FA) or, more generally, multifactor authentication (MFA). Sometimes, two different kinds of knowledge or two different biometric traits are combined, but in a strict sense, neither provides 2FA. See "A Taxonomy of User Authentication Methods" and "Technology Overview for Phone-as-a-Token Authentication Methods" for a more detailed discussion.
4Identity proofing is, in a canonical sense, analogous to user authentication: The corroboration of a claimed real-world identity with an implied or notional level of trust. Real-time identity proofing based on "knowledge-based authentication" by providing answers to life-history questions is increasingly problematic and layering other techniques provides more value (see "The Four Layers of Identity Proofing Lead to Stronger Identity Verification," "Identity Proofing Revisited as Data Confidentiality Dies" and "Increase Use of Dynamic Data to Decrease Fraud Levels in Identity Proofing"). Identity proofing technologies continue to be used to verify new account applicants, but the same mechanisms are also invoked to elevate trust in users with existing accounts engaging in high-risk interactions, such as wire transfers or changes of address on file; that is, in instances where a "traditional" user authentication method might otherwise have been used, muddying the waters between identity proofing and user authentication.
OFD tools help an organization detect fraud by performing one or both of these functions: (a) running background processes (transparent to users) that use up to hundreds of contextual attributes and data points such as geolocation, device characteristics, user behavior, navigations and transaction activity to determine the likelihood of fraudulent transactions and (b) verifying the legitimacy of a user's identity using available internal and external information sources (see "Market Guide for Online Fraud Detection"). Several user authentication vendors are also OFD vendors, but many other mainstream user authentication tools incorporate contextual authentication, which is in essence a subset of (a).
5There are multiple reasons for retiring the Magic Quadrant research. Simply stated:
6Phone-as-a-token methods are those that make use of a mobile phone as an authentication token (see "Technology Overview for Phone-as-a-Token Authentication Methods"). The two most popular examples are:
7Gartner takes an increasing number of client inquiries from cloud-first organizations that are looking exclusively to an IDaaS vendor to meet their user authentication needs. Given that the IAM leader has identified the need to have IDaaS anyway to provide identity administration, single sign-on (SSO), authorization enforcement, and so on for multiple target systems in the cloud (see "Magic Quadrant for Identity and Access Management as a Service, Worldwide"), he or she wants to avoid the additional cost and complexity of selecting, implementing and integrating a third-party product or service. Legacy user authentication needs might militate against this, but IDaaS and WAM software can often extend their user authentication capabilities to SSL VPNs and similar remote access technologies, potentially displacing an incumbent user authentication vendor. (Some VPN vendors also embed phone-as-a-token methods, but we have seen far less client interest in these embedded methods as an alternative to third-party user authentication solutions.)
8UX is a particularly heavily weighted selection criterion in consumer-facing use cases. A Gartner survey of U.S. bank customers, conducted in the wake of banks introducing new authentication methods for retail banking in response to Federal Financial Institutions Examination Council (FFIEC) guidance, revealed that 12% of customers had considered changing banks because they found what their banks had done to be too onerous, and 3% actually had changed banks. Poor UX led to lost business. In business-to-employee (B2E) and most B2B use cases, the users are a "captive audience." Nevertheless, poor UX for workforce and partners adds friction, annoys users and reduces agility and morale. What is more, poor UX often prompts users to seek ways to reduce friction, which can introduce new vulnerabilities that reduce trust. A prosaic example of this is increasing password complexity, which makes passwords harder to remember, prompting users to write them down, even when security policies say they should not, which in turn creates potential exposure. Across all use cases, UX is an important selection criterion, ahead of either or both trust and TCO in a majority of organizations. In the 2015 Gartner Annual Risk and Security Survey, 19% of 410 respondents put UX first, ahead of trust and TCO, and 56% put it first or second.
9Phone-as-a-token methods as a class have lower TCO and offer better UX than legacy OTP hardware tokens (see "Technology Overview for Phone-as-a-Token Authentication Methods"). OTP apps or OOB methods are now widely used as an alternative to traditional OTP hardware tokens by all sizes of organizations across different vertical industries, and now have a larger installed base than OTP hardware tokens. Many organizations with incumbent OTP hardware token solutions have migrated many or all users to OTP apps or OOB methods (using the same or a new vendor) to reduce costs or improve UX. These methods have also been newly adopted in use cases where hardware tokens would be prohibitively expensive or unacceptable to users.
10Examples include CM and Twilio (Authy).
11A notable example is their use for system administrators and external users with administrator privileges, such as vendor technicians, logging in to critical infrastructure (see "How to Secure Remote Access for Third-Party Technicians").
12Transaction verification (or authorization) allows the bank or other organization to confirm the details and origin of a transaction (such as setting up a new payee or transferring money), which might have been manipulated or inserted by an attacker or malware (for example, in a man-in-the-browser attack). Transaction verification might be triggered by static rules (for example, transfers over a certain value) or by dynamic risk assessment by an OFD tool evaluating a variety of identity- and risk-relevant contextual data (see "Market Guide for Online Fraud Detection").
13As authentication messages are exchanged completely via a data channel over the air or via Wi-Fi Internet connections, OOB push modes are not vulnerable to, for example, man-in-the-middle attacks targeted at OTP methods (since they don't require the user to pass an OTP to the target system) and attacks against SMS and voice channels. Many vendors, especially those targeting financial services, incorporate public-key credentials for message integrity and proof of origin. OOB push modes avoid the messaging costs of OOB SMS and voice modes. Users only have to tap or swipe on their smartphone screen rather than having to transcribe an OTP as they do with OTP methods and most OOB SMS and voice modes.
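The push-approval exchange that Notes 12 and 13 describe, as an added illustration (not code from the report or from any vendor it names): the server pushes a one-time challenge carrying the transaction details, the phone shows them and, on a tap, returns a tag that binds the device's credential, the challenge and exactly those details, and the server recomputes the tag over its own record of the transaction. HMAC-SHA256 with a per-device key is used here as a standard-library stand-in for the public-key signature the note mentions (with a real public-key credential the server would hold only the public key); `PushServer`, `PhoneApp`, the device id and the transactions are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample enrollment: one phone and its device key (hypothetical values).
DEVICE_ID = "phone-001"
DEVICE_KEY = secrets.token_bytes(32)


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so phone and server authenticate exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def approval_tag(key: bytes, challenge_id: str, tx: dict) -> str:
    """Proof of origin and integrity for one approval: the tag covers the one-time
    challenge id and the transaction details the user was shown."""
    msg = challenge_id.encode() + b"|" + canonical(tx)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class PushServer:
    def __init__(self):
        self.device_keys = {}   # device_id -> key registered at enrollment
        self.pending = {}       # challenge_id -> (device_id, tx, expires_at)

    def enroll(self, device_id: str, key: bytes) -> None:
        self.device_keys[device_id] = key

    def create_challenge(self, device_id: str, tx: dict, now: int, ttl: int = 60) -> dict:
        """Record a one-time challenge for a transaction; the returned dict is what gets pushed."""
        challenge_id = secrets.token_hex(16)
        self.pending[challenge_id] = (device_id, dict(tx), now + ttl)
        return {"challenge_id": challenge_id, "tx": dict(tx)}

    def verify(self, challenge_id: str, tag: str, now: int) -> bool:
        """Accept only if the challenge is outstanding and unexpired, and the tag matches
        the server's own record of the transaction (never a client-supplied copy)."""
        entry = self.pending.pop(challenge_id, None)   # pop: each challenge is usable once
        if entry is None:
            return False            # unknown challenge, or one that was already consumed
        device_id, tx, expires_at = entry
        if now > expires_at:
            return False            # approval arrived after the challenge lifetime
        expected = approval_tag(self.device_keys[device_id], challenge_id, tx)
        return hmac.compare_digest(expected, tag)


class PhoneApp:
    """The user's phone: displays the transaction details and, on tap, returns the tag."""

    def __init__(self, key: bytes):
        self.key = key

    def approve(self, challenge: dict) -> str:
        return approval_tag(self.key, challenge["challenge_id"], challenge["tx"])


def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Exercise the checks a server needs; returns one boolean per scenario."""
    server = PushServer()
    server.enroll(DEVICE_ID, DEVICE_KEY)
    phone = PhoneApp(DEVICE_KEY)
    payment = {"type": "transfer", "payee": "ACME Ltd", "amount": "120.00", "currency": "EUR"}

    # 1. Legitimate approval of the transaction the user was shown.
    ch1 = server.create_challenge(DEVICE_ID, payment, now)
    tag1 = phone.approve(ch1)
    legit = server.verify(ch1["challenge_id"], tag1, now + 5)

    # 2. The same approval presented again: the challenge was consumed, so it is refused.
    replay = server.verify(ch1["challenge_id"], tag1, now + 6)

    # 3. Approval submitted after the challenge lifetime has elapsed.
    ch2 = server.create_challenge(DEVICE_ID, payment, now)
    expired = server.verify(ch2["challenge_id"], phone.approve(ch2), now + 61)

    # 4. An approval for one transaction presented against a different one (for example,
    #    details altered in the browser after the user saw the original): the tag covers
    #    the challenge id and the details, so it does not transfer.
    ch3 = server.create_challenge(DEVICE_ID, payment, now)
    altered = dict(payment, payee="other payee", amount="5000.00")
    ch4 = server.create_challenge(DEVICE_ID, altered, now)
    mismatched = server.verify(ch4["challenge_id"], phone.approve(ch3), now + 5)

    return {"legit": legit, "replay": replay, "expired": expired, "mismatched": mismatched}
```

The design point is in `verify`: the server recomputes over the transaction it stored when the challenge was issued, so an approval is only ever evidence for the details that were actually displayed on the phone, which is what turns a push "tap" into transaction verification rather than a bare login confirmation.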
14Contact smart cards carrying X.509 public-key infrastructure (PKI) credentials are the most widely known kind of public-key hardware tokens used for user authentication. Other common form factors are contact USB tokens that embed the same kind of chips as contact smart cards, and contactless smart cards. PIN-protected or (very rarely) biometric-enabled public-key hardware tokens provide high trust ("multifactor hardware cryptographic tokens" are ranked at Level 4, the highest level of assurance, in NIST's "Electronic Authentication Guidelines").
15Adoption is less than 50% globally. While public-key hardware tokens for Windows PC and network login are natively supported (under the rubric of "interactive smart card login"), provisioning and managing these tokens are relatively expensive, and UX is poor.
Smart cards, in the form of Personal Identity Verification (PIV) cards, are mandated for U.S. federal agencies by Homeland Security Presidential Directive 12 (HSPD-12) and law enforcement and other organizations that interact with U.S. federal agencies use PIV-interoperable (PIV-I) cards.
Public-key hardware tokens are not a good first choice in remote-access or mobile use cases:
16Public-key credentials can be held in a secure element (such as a Trusted Platform Module) on an endpoint device to provide a "virtual smart card" for protection against credential theft, but these options offer lower trust than having the credentials in a discrete physical token.
17Public-key credentials on a phone can be used in different ways. A phone can emulate a contactless smart card via Near Field Communication (NFC), which is interoperable with contactless card protocols, or (with appropriate PC software) via Bluetooth. Other methods are contiguous with OOB push modes that exploit public-key credentials for message integrity and proof of origin. These methods can meet the specification for PIV-derived credentials (NIST SP 800-157 "Guidelines for Derived Personal Identity Verification (PIV) Credentials").
18A common (or converged) access card (CAC) is a single corporate card or token that can be used for PC, network and application login (user authentication), as well as for building access. Use as a photo ID card is mandated in some regulated implementations, such as PIV cards, but is otherwise optional. A CAC also may be used as, for example, a stored-value card (electronic wallet) for vending machines, catering and transportation.
19CACs are mandated for the U.S. federal agencies (PIV cards) as well as the U.S. Department of Defense (common access cards). Gartner sees most other adoption in a small number of vertical industries. In higher education, some organizations are extending the use of multiapplication contactless "campus cards" to PC and network login. Many healthcare delivery organizations, especially in the U.S., use CACs but favor legacy proximity cards and contactless chip cards over expensive new cryptographic smart cards.
20Biometric methods use unique traits to verify users' claimed identities. Traits are classified as biological (or physiological) or behavioral. Commonly used biological traits include fingerprint, face topography, iris structure and vein structure in the hand. Commonly used behavioral traits include voice recognition, keyboard dynamics (typing rhythm or cadence) and gesture dynamics.
21Engineering decisions made by handset and OS vendors tend to favor processing efficiency and UX over trust (for example, to reduce false nonmatch or rejection rates). Power-on access still relies on a potentially weak passcode. Accountability can be eroded when phones are shared and multiple users each enroll a fingerprint instead of the primary user enrolling multiple fingerprints. (Android Lollipop and Android Marshmallow have multiuser support, but iOS does not.)
22Examples are face recognition, iris structure and scleral vein structure (for devices with user-facing cameras, the user's face and eyes will tend to be in view when they're using the device normally), keyboard dynamics, gesture dynamics (pointer and touchscreen movements), and handling dynamics (motion-based mode using device accelerometers and gyros).
23Early adopters include USAA and Zions Bank, with trials by Wells Fargo and others in the U.S., Grupo Mutual (Costa Rica), and others internationally. Modes of choice are face recognition (from vendors such as Cognitec, Daon and FacePhi), voice recognition (Daon, Nuance and SpeechPro) and gesture dynamics (BioCatch). Among enterprise mobility management (EMM) vendors, Good (recently acquired by BlackBerry) and AirWatch by VMware support EyeVerify's scleral vein structure technology.
24FIDO supports a wider range of authentication methods, but it is biometric methods that have dominated conversations about FIDO. One of the FIDO protocols is the Universal Authentication Framework (UAF), which provides a way for local biometric authentication on mobile devices to transition to applications using a standards-based approach. In brief, a successful on-device authentication enables the client to authenticate to a specific application via public key technology. However, FIDO is not necessary to enable the use of mobile biometric modes and it constrains architecture options. Several vendors provide software development kits (SDKs) that can be directly integrated with resident mobile apps to provide feature extraction, comparison and matching entirely onboard the phone; others provide the ability to capture the probe data on the phone, but do comparison and matching on a downstream authentication infrastructure. Each of these architectures has its pros and cons and it is not clear at this time whether one is "universally" superior to the other; more likely, we will see benefits of either approach dominating in different use cases. At this time, FIDO supports only the former.
25Contextual, adaptive techniques apply analytics to some aggregation of identity-relevant and risk-relevant contextual data. The value of these techniques increases with the use of advanced analytics and large aggregations of identity data ("big identity data"). Identity-relevant contextual data, combined with a variety of analytics, provides contextual authentication (see "A Taxonomy of User Authentication Methods"). Adaptive techniques act to balance trust against risk at the moment of access; for example, by invoking a trust elevation mechanism, such as step-up authentication (see "Technology Overview for Adaptive Access Control" and "Enterprise Adaptive Access: Are We There Yet?").
26At the Gartner Identity and Access Management Summit (December 2015), Nathan Harris, Senior Director Leading Identity & Access Management in Aetna Global Security, described how Aetna had used a UEBA tool to enable a "predictive risk model" as part of an adaptive approach to user authentication and access control.
27In combination with passive biometric modes, advanced analytics has the potential to provide a medium level of trust without the need for any kind of password or token (see "Predicts 2016: Identity and Access Management").
28The U.S. Department of Justice "Criminal Justice Information Services (CJIS) Security Policy" is the notable exception.
29See "IAM Must Adapt to Realize All the Benefits of Social Identity Integration." Commerce, media and entertainment organizations have been leading adopters. In true consumer contexts, social identity use can improve customer profiling, intimacy and service. Here, IAM leaders orchestrate integration efforts with sales and marketing leaders, and may need to consider alternatives to traditional IAM toolsets, from vendors such as Gigya and Janrain.
30The digital workplace is a business strategy to boost employee agility and engagement through a more consumerized work environment. See "Managing Identities, Access and Trust for Digital Workplace Success."
31"How Demographics Rule the Global Economy." Wall Street Journal.
32Risk-appropriate authentication is a best-practice architectural principle. While the prospect of a single, high-trust authentication method for all users across all use cases may be initially attractive to IAM leaders, it is usually overkill, because most users have access to only low- or medium-risk systems, and it may be unnecessarily costly or create unacceptable friction for end users. The risk-appropriate authentication principle dictates that an IAM leader must, for each use case, evaluate minimum levels of trust commensurate with the level of risk, and choose authentication methods offering at least that level of trust.
33Other needs include things such as transaction verification/authorization, digital signature and converged access card. Other constraints include things such as endpoint independence and the ability to work in locations with no wireless connectivity.
34Several vendors described in the Representative Vendors section would be able to provide, for example, a cloud-based authentication service supporting phone-as-a-token authentication for a company's customers and cryptographic smart cards for Windows PC and network login for its workforce.
35 Recent breaches have prompted the U.S. government to rapidly extend this mandate to other agencies. Gartner has recently had a flurry of inquiries from these agencies, which find the PIV requirements (beyond the usual cost and complexities of using smart cards) and the aggressive implementation schedule challenging.
36 Many users (up to 15%) have problems some of the time, and at least some users are unable to reliably use this mode at all. These UX issues, especially with the typical swipe sensors, have led to user disenchantment and low adoption.
37 Although abuse is still possible, biometric traits cannot be easily shared with others as passwords and tokens can.
38 Windows Credential Provider is replaced by Microsoft Passport in Windows 10. Gartner understands that this will break third-party integration of user authentication methods. Vendors will likely have to wait for FIDO 2.0 Technical Specifications (which Microsoft will support in Windows Hello) before they can provide Windows 10 integration. However, this will be more robust and more secure than the existing local proxies.
39 Microsoft has made a significant investment in moving away from traditional password-based login. This includes new, embedded support for biometric authentication (fingerprint, face and iris) using Windows Hello. Face and iris modes require specialized infrared cameras, such as Intel RealSense. While these cameras enable liveness testing (a crucial element of robust biometric authentication) and mitigate imaging problems under poor lighting conditions, they introduce a significant additional cost compared to existing webcams, which might be an inhibitor for the adoption of these modes (see "New Hardware Options Will Have an Impact on PC Procurement in 2016"). Adoption of these modes is also dependent on the implementation of Windows Server 2016 as well as the new desktop OS. In the midterm, we expect to see more interest in third-party implementations of other biometric modes that can make use of existing cameras, microphones and the like, especially where organizations can implement the same biometric modes across "any" endpoint device (phone, tablet, and so on).
40 "Deciding When to Migrate to Windows 10" notes that there will be some moderate risk associated with Windows 10 for at least the first year (through June 2016), and a likelihood that images and processes may have to be changed and retested often during that time. Thus, keeping the installed base small through that period will be prudent.
41 The significantly reduced logistical overheads make phone-as-a-token methods particularly suited to access by partners and other third-party users, as well as company employees who are geographically remote.
42 Some users might not be able to use a phone-as-a-token method at all (for example, because they do not have a corporate or personal smartphone for OOB push modes) or reliably (for example, because of poor network coverage for OOB SMS and voice modes). Other users who don't have a corporate phone may be unwilling to use their personal phones (although when faced with the poor UX of using an OTP hardware token, they might reconsider).
43 One notable "partner" example arises in healthcare. Affiliated physicians are not employees of the healthcare delivery organization (HDO), but have an elective relationship. Obliging the affiliated physician to use an OTP hardware token may sour and even curtail that relationship. Adopting contextual/analytic and adaptive capabilities can minimize the burden of higher-trust authentication on physicians by limiting its use to only those instances where the level of risk demands it.
44 One client noted that the impact of this problem was so severe that they had twice revised the method that they used. First, they moved from smart cards to smart USB tokens, to eliminate the smart card reader as a source of problems. Then, as other problems persisted, they moved away from public-key hardware tokens altogether, deploying OTP tokens instead. We have also heard from many U.S. federal agencies about these smart-card-related problems and their frustration at not being able to move to something better, since they are mandated to use PIV cards for remote access.
45 In "Market Guide for Privileged Access Management," Gartner noted that adoption is about 20% across organizations of all sizes and projected that this will reach 50% by 2018.
46 Such as a superuser password management (SUPM) or a privileged session management (PSM) tool (see "Market Guide for Privileged Access Management"). Although some PSM tools have native authentication capabilities, most organizations still seek integration with incumbent user authentication services to provide consistent UX and enable centralized policy management. Furthermore, PAM vendors lack support for contextual/analytic and adaptive capabilities that security and IAM leaders are increasingly demanding (see "Predicts 2016: Identity and Access Management").
47 From a security point of view, OTP and public-key hardware tokens generally provide a higher level of trust than phone-as-a-token methods, appropriate to the high level of risk associated with system administrator access. From an operational point of view, some IAM and security leaders are concerned about the impact on out-of-hours support if a system administrator has neglected to charge his or her phone.
48 In "Twelve Best Practices for Privileged Access Management," Gartner noted that "clients and PAM vendors have indicated that delivering OTPs by phone or via email is a good alternative to physical tokens" for vendor technicians and other third-party users that require sporadic access. However, IAM and security leaders should be cautious about the right balance between ease of provisioning and the level of trust they provide: OOB SMS modes are easy to provision but provide only low to medium trust; email provides low trust and we deprecate it in this use case. Gartner recommends OTP apps and OOB push modes that provide a level of trust closer to that provided by OTP hardware tokens (see "How to Secure Remote Access for Third-Party Technicians"); provisioning these, even for ad hoc users, is not particularly onerous for the organization or the users.
49 Enhanced passwords often take the form of partial passwords: The user is prompted to enter specified characters from the password, often described as "memorable information" or something similar, via drop-down menus rather than the keyboard (to defeat keyboard-logging attacks) (see "A Taxonomy of User Authentication Methods" for other variants). KBA is strongly deprecated: There are very high failure rates, an average of 10% to 15%, on KBA methods where users are asked "secret" life-history questions based on external public and PII data. This failure rate can climb to an average of 30% in cases of populations without a plenitude of public data on them, such as young adults or new immigrants. At the same time, attackers can answer the challenge questions perfectly because they either stole the "secret" data or found it on the Internet. The same method with the same problems is used for identity proofing for new account creation (see "Identity Proofing Revisited as Data Confidentiality Dies," "When Knowledge-Based Authentication Fails, and What You Can Do About It").
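To make the partial-password mechanism in the note above concrete, the following is an added illustration (not code from this guide or from any vendor it describes) of the challenge and verification steps, plus a small risk metric a defender can use: how much of the secret has been disclosed across a set of observed challenges. The function names, the sample secret and the challenge sizes are all constructed for this example.

```python
"""Partial-password ("memorable information") challenge/response.

Constructed illustration of the mechanism: the verifier asks for a few
characters at randomly chosen positions of the stored secret, so a single
keystroke capture reveals only those positions rather than the whole secret.
"""
import secrets
from typing import Iterable, Optional, Sequence


def make_challenge(secret_len: int, k: int,
                   rng: Optional[secrets.SystemRandom] = None) -> list:
    """Pick k distinct 1-based positions of the secret to ask for.

    Uses a CSPRNG so the challenged positions are unpredictable; returns them
    sorted, as a UI would present them ("character 2, 5 and 7").
    """
    if not 1 <= k <= secret_len:
        raise ValueError("k must be between 1 and the secret length")
    rng = rng or secrets.SystemRandom()
    return sorted(rng.sample(range(1, secret_len + 1), k))


def verify_partial(stored_secret: str, positions: Sequence[int],
                   answers: Sequence[str]) -> bool:
    """Check the supplied characters against the challenged positions.

    Caveat (general property of the scheme, not stated in the guide): because
    individual characters must be compared, the verifier needs the secret in
    recoverable form rather than as a single one-way hash, so that store
    needs stronger protection than a normal password hash store.
    """
    if len(positions) != len(answers):
        return False
    if any(p < 1 or p > len(stored_secret) for p in positions):
        return False
    if any(len(a) != 1 for a in answers):
        return False
    expected = "".join(stored_secret[p - 1] for p in positions).encode()
    supplied = "".join(answers).encode()
    # Constant-time comparison avoids leaking which character mismatched.
    return secrets.compare_digest(expected, supplied)


def fraction_exposed(observed: Iterable[Sequence[int]], secret_len: int) -> float:
    """Risk metric: share of secret positions disclosed across observed
    challenges (e.g. what a keylogger on a compromised endpoint would have
    seen so far). Distinct positions are counted once."""
    seen = set()
    for positions in observed:
        seen.update(positions)
    return len(seen) / secret_len


if __name__ == "__main__":
    # Constructed sample secret; a real deployment would never log it.
    sample_secret = "correct horse"
    challenge = make_challenge(len(sample_secret), 3)
    print("challenged positions:", challenge)
    answers = [sample_secret[p - 1] for p in challenge]
    print("verified:", verify_partial(sample_secret, challenge, answers))
    print("exposed after two challenges:",
          fraction_exposed([[1, 3, 5], [3, 5, 8]], len(sample_secret)))
```

The drop-down entry the note describes only changes how `answers` are collected; the verification path is the same. The `fraction_exposed` metric is the practical reason to keep `k` small and to rotate positions: it shows how quickly repeated observation on a compromised endpoint erodes the keylogger resistance the method is chosen for.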
50 Gartner sees some banks also use RCA for initial login. Even though this provides a higher level of trust than is necessary at that point, some users, such as the lead author, find it easier to use the same card and PIN that they use at POS or ATMs than remember rarely used "memorable information."
51 In this sense, trust elevation is "reaching back" to the customer's real-world identity behind the digital identity, rather than focusing on the claimed digital identity itself (which is the traditional scope of "user authentication").
52 This method breaks when users change their mobile phone numbers, but it's now commonplace for users to retain their mobile phone numbers when they change handsets or MNOs.
53 Social login support is typically provided by WAM software or IDaaS, which can also provide phone-as-a-token authentication. Some "pure" user authentication solutions can also support social login directly (see "IAM Must Adapt to Realize All the Benefits of Social Identity Integration" and "Finding the Right Consumer IAM Products").
54 The GSM Alliance Mobile Connect service can be integrated as a single-factor authentication method via OpenID Connect, in the same way as social login (see "IAM Must Adapt to Realize All the Benefits of Social Identity Integration"). It functions in a similar way to an OOB push "acknowledgment" mode (see "Technology Overview for Phone-as-a-Token Authentication Methods").
55 The Magic Quadrant research included some vendors that offer, among other methods, public-key hardware tokens along with middleware, card management (CM) tools or PKI. Vendors focusing solely on these technologies were excluded from the Magic Quadrant; among those, Giesecke & Devrient (G&D) and Oberthur Technologies are included in this research. Vendors offering only PC middleware (such as charismathics), CM tools (such as Bell ID and Intercede), and PKI (such as OpenTrust) are not included in this research.
56 Some biometric authentication vendors were excluded from the Magic Quadrant research because they did not have an offering that fit the market definition. The market definition used was: "A vendor in the user authentication market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions for users who are using an arbitrary endpoint device (that is, not just Windows PCs) to access one or more applications, systems or services in a variety of use cases. Where appropriate to the authentication methods supported, a vendor in this market also delivers client-side software or hardware that end users utilise to make those real-time authentication decisions."
Many biometric technologies are offered for integration with login to Windows PCs, with the PC hardware vendors being major buyers, or via SDKs for integration with mobile apps. In both cases, the focus is making an authentication decision via comparison and matching with biometric reference data wholly on the endpoint device. Some vendors, such as Bio-key and ImageWare Systems, have authentication infrastructure offerings that can leverage local capture and preprocessing on the device, but do comparison and matching in the data center or the cloud. (Gartner sees greater flexibility and value in this architecture, especially when biometric modes are integrated with advanced analytics.) While these offerings did fit the market definition, they did not have sufficient customer or end-user numbers to qualify for the Magic Quadrant research.
Note 1
Vertical Industries
Table 6 references the following categories:

