G00227026

Magic Quadrant for User Authentication

Published: 17 January 2012

Analyst(s): Ant Allan

User authentication is dominated by three well-established, wide-focus vendors that command the majority of the market. Newer wide- and tight-focus vendors are making significant inroads and offer enterprises sound alternatives across a range of needs.

Strategic Planning Assumptions

By 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today.

By 2015, 30% of business-to-business and business-to-enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.

Market Definition/Description

A provider in the user authentication market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions and can be integrated with one or more enterprise systems to support one or more use cases. Where appropriate to the authentication methods supported, a provider in the user authentication market also delivers client-side software or hardware used by end users in those real-time authentication decisions.

This market definition does not include providers that deliver only one or more of the following:

1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors)

2. Software, hardware or a service, such as access management or Web fraud detection (WFD), that makes a real-time access decision and may interact with discrete user authentication software, hardware or services (for example, to provide "step up" authentication)

3. Credential management software, hardware or services, such as password management tools, card management (CM) tools and public-key infrastructure (PKI) certification authority (CA) and registration authority (RA) tools (including OCSP responders)

4. Software, hardware or services in other markets, such as Web access management (WAM) or VPN, that embed native support for one or many authentication methods

A provider in the user authentication market may, of course, deliver one or more such offerings as part of, or in addition to, its user authentication offering. Note, however, that, for the purposes of this Magic Quadrant, offerings of Type 2, 3 and 4 are not considered to be user authentication offerings and were not included in customer, end-user or revenue figures.

Magic Quadrant

Figure 1. Magic Quadrant for User Authentication

Source: Gartner (January 2012)

This Magic Quadrant replaces "MarketScope for Enterprise Broad-Portfolio Authentication Vendors." There are several important changes from the previous document. The change of document type, from MarketScope to Magic Quadrant, reflects the increasing maturity and significance of the user authentication market and the need to more clearly differentiate among the vendors along two axes. The Evaluation Criteria, which are detailed below, are significantly different from those used in the MarketScope. They were changed to include tight-focus vendors and wide-focus (or broad-portfolio) vendors. In addition, the minimum-revenue criterion no longer applies, which avoids penalizing vendors that offer lower pricing.

Gartner sees user authentication vendors falling into four different categories with somewhat indistinct boundaries:

1. Specialist vendors: A specialist user authentication vendor focuses on a distinctive proprietary authentication method — either a unique method or a proprietary instantiation of a common method — and also offers a corresponding infrastructure or a software development kit (SDK) that will allow it to plug into customers' applications or other vendors' extensible infrastructures.

2. Commodity vendors: These vendors focus on one or a few well-established authentication methods, such as one-time password (OTP) tokens (hardware or software) and out of band (OOB) authentication methods. A commodity vendor may provide a basic infrastructure to support only those few methods, and its offerings will primarily interest small or midsize businesses (SMBs) and some small enterprises that still have narrower needs.

3. Tight-focus vendors: We characterize a commodity vendor that provides a robust, scalable infrastructure that can meet the needs of larger enterprises and global service providers — and sometimes augment other vendors' extensible infrastructures — as a tight-focus vendor.

4. Wide-focus (broad-portfolio) vendors: The defining characteristic of these vendors is offering or supporting many distinct authentication methods. A wide-focus vendor may also be a specialist vendor. It will typically offer a versatile, extensible authentication infrastructure that can support a wider range of methods than it offers, which may be sourced through original OEM agreements with one or more other vendors in any of these categories, or left to the enterprise to source directly from those vendors.

The vendors included in this Magic Quadrant fall into the third and fourth of these categories.

Market Size

Gartner's estimate for revenue across all segments of the authentication market for 2011 remains approximately $2 billion. However, the margin of error in this estimate is high, because not all the vendors included in this Magic Quadrant provided revenue data and because of the "long tail" of the more than 150 authentication vendors not included in it. Individual vendors included in this Magic Quadrant that did provide revenue data reported year-over-year revenue changes ranging from a greater than 10% decline to nearly 300% growth, with the median approximately 20% to 30% growth. More vendors — although still not all — provided customer numbers, and a majority of vendors reported growth in the 20% to 40% range, with some smaller vendors showing far greater growth.

We estimate the overall growth in the market by customers to be approximately 30% year over year. Because of the shift toward lower-cost authentication solutions, we estimate the overall growth by revenue to be approximately only 20%.

Range of Authentication Methods

Enterprise interest in OTP methods, broadly defined, remains high; however, as has already been noted, we have seen a significant shift in preference from traditional hardware tokens to phone-based authentication methods. Wide-focus user authentication vendors offer all these and more, generally offering or supporting knowledge-based authentication (KBA) methods or X.509 tokens (such as smart cards) as well. Most of the tight-focus vendors offer just phone-based authentication methods, especially OOB authentication methods (sometimes incorporating voice recognition as an option), with a few (none of which are included in this Magic Quadrant) offering only KBA or biometric authentication methods.

The vendors included in this Magic Quadrant may offer any of a variety of methods across a range of categories (see "A Taxonomy of Authentication Methods, Update"). These categories, and, where appropriate, the corresponding categories from the National Institute of Standards and Technology (NIST) Special Publication 800-63-1 "Electronic Authentication Guideline" (July 2011 draft), are:

■ KBA Lexical: This approach combines improved password methods and Q&A methods. An improved password method lets a user continue to use a familiar password, but provides more secure ways of entering the password or generating unique authentication information from the password. A Q&A method prompts the user to answer one or more questions, with the answers preregistered or based on on-hand or aggregated life history information. It corresponds to the NIST "preregistered knowledge token" category.

■ KBA Graphical: KBA graphical authentication uses pattern-based OTP methods and image-based methods. A pattern-based OTP method asks the user to remember a fixed, arbitrary pattern of cells in an on-screen grid that is randomly populated for each login and to construct an OTP from numbers assigned to those cells. An image-based method asks the user to remember a set of images or categories of images and to identify the appropriate images from random arrays presented at login. There is no corresponding NIST category.

■ OTP Token: This authentication method uses a specialized device or software application for an existing device, such as a smartphone, that generates an OTP, either continuously (time-synchronous) or on demand (event-synchronous), which the user enters at login. The token may incorporate a PIN or be used in conjunction with a simple password. This category also includes transaction authentication number (TAN) lists and grid cards for "generating" OTPs. Note that the "OTP" category does not include "OTP by SMS" or similar methods, which Gartner classes as OOB authentication methods. One of several algorithms may be used:

■ American National Standards Institute (ANSI) X9.9 (time- or event-synchronous or challenge-response)

■ Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP), time-based OTP (TOTP) or OATH Challenge-Response Algorithms (OCRA)

■ Europay, MasterCard and Visa (EMV); MasterCard Chip Authentication Program (CAP); or Visa Dynamic Passcode Authentication (DPA), also called remote chip authentication

■ A proprietary algorithm

The corresponding NIST categories are "multifactor OTP hardware token," "single-factor OTP token" and "look-up secret token."

■ X.509 token: This X.509 PKI-based method uses a specialized hardware device, such as a smart card, or software that holds public-key credentials (keys or certificates) that are used in an automated cryptographic authentication mechanism. The token may be PIN-protected, biometric-enabled or used in conjunction with a simple password. It corresponds to NIST categories "multifactor hardware cryptographic token," "multifactor software cryptographic token" and "single-factor cryptographic token."

■ Other token: This category of methods embraces any other type of token, such as a magnetic stripe card, an RFID token or a 125kHz proximity card, a CD token or proprietary software that "tokenizes" a generic device, such as a USB NAND flash drive or an MP3 player. There is no corresponding NIST category.

■ OOB authentication: This category of methods uses an OOB channel (for example, SMS or voice telephony) to exchange authentication information (for example, sending the user an OTP that he or she enters via the PC keyboard). It is typically used in conjunction with a simple password. (Some vendors also support OTP delivery via email in a similar way; however, this is not strictly "OOB," because the OTP is sent over the same data channel as the connection to the server.) The corresponding NIST category is "out-of-band token."

■ Biological biometric: A biological biometric authentication method uses a biological characteristic (such as face topography, iris structure, vein structure of the hand or a fingerprint) as the basis for authentication. It may be used in conjunction with a simple password or some type of token. There's no corresponding NIST category.

■ Behavioral biometric: A behavioral biometric authentication method uses a behavioral trait (such as voice and typing rhythm) as the basis for authentication. It may be used in conjunction with a simple password or some kind of token. There's no corresponding NIST category.

In the research for this Magic Quadrant, a vendor's range of authentication methods offered and supported was evaluated as part of the assessment of the strength of its product or service offering. Note that some vendors offer only one or a few authentication methods, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.
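
The OATH HOTP (event-synchronous) and TOTP (time-synchronous) algorithms named in the OTP Token entry above, shown as an added example that is not part of the Gartner report: generation per RFC 4226 and RFC 6238, plus the server-side check that tolerates counter or clock drift and rejects replays. The function names, the look-ahead of 3 and the drift of 1 step are assumptions chosen for illustration; the shared secret is the RFC test key.

```python
import hashlib
import hmac
import struct

# Test key from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-synchronous OTP (RFC 4226): HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronous OTP (RFC 6238): HOTP with counter = time // step."""
    return hotp(secret, unix_time // step, digits)


def _same(expected: str, submitted: str) -> bool:
    # Constant-time comparison so timing does not leak matching digits.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def verify_hotp(secret, submitted, server_counter, look_ahead=3, digits=6):
    """Accept a code within `look_ahead` presses of the server counter.

    Returns the counter value the server must store next, or None on failure.
    Storing the returned value is what prevents reuse of an accepted code.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, counter, digits), submitted):
            return counter + 1
    return None


def verify_totp(secret, submitted, unix_time, last_step_used,
                step=30, drift=1, digits=6):
    """Accept a code from the current time step or `drift` steps either side.

    Steps at or before `last_step_used` are skipped, so a code captured in
    transit cannot be replayed inside its validity window.
    Returns the accepted step (to be stored as last_step_used) or None.
    """
    current = unix_time // step
    for candidate in range(current - drift, current + drift + 1):
        if candidate <= last_step_used:
            continue
        if _same(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    print("verify, then replay:",
          verify_totp(RFC_TEST_SECRET, "287082", 59, last_step_used=0),
          verify_totp(RFC_TEST_SECRET, "287082", 59, last_step_used=1))
```
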

Use Cases for New Authentication Methods

Many enterprises adopt new authentication methods to support one or many use cases — the most common of which are workforce remote access, especially access to corporate networks and applications via a VPN or hosted virtual desktop (HVD), and external-user remote access, especially retail-customer access to Web applications. The same new authentication method may be used across one or a few use cases, but the more use cases an enterprise must support, the more likely it needs to support multiple authentication methods to provide a reasonable and appropriate balance of authentication strength, total cost of ownership (TCO) and user experience in each case.

A full range of use cases is enumerated below. Vendors included in this Magic Quadrant can typically support multiple use cases. The endpoint access use cases, however, cannot use a vendor's authentication infrastructure, because the endpoints are not network-connected at login, but rather demand direct integration of a new authentication method into the client OS. (Note that Microsoft Windows natively supports "interactive smart card login" — that is, X.509 token-based authentication.) Not all vendors have equal experience in all use cases; some may have a stronger track record in enterprise use cases, such as workforce remote access, while others may focus on access to retail-customer applications, especially in financial services. Not all the vendors in this Magic Quadrant were able to break down their customer numbers on this basis.

The authentication use cases that Gartner considered in preparing this Magic Quadrant (with the relevant subcategories) are:

Endpoint access

■ PC preboot authentication: Preboot access to a stand-alone or networked PC by any user

■ PC login: Access to a stand-alone PC by any user

■ Mobile device login: Access to a mobile device by any user

Workforce local access

■ Windows LAN: Access to Windows network by any workforce user

■ Business application: Access to any individual business applications (Web or legacy) by any workforce user

■ Cloud applications: Access to cloud applications, such as salesforce.com and Google Apps, by any remote or mobile workforce user

■ Server (system administrator): Access to a server (or similar) by a system administrator (or similar)

■ Network infrastructure (network administrator): Access to firewalls, routers, switches and so on by a network administrator (or similar) on the corporate network

Workforce remote access

■ VPN: Access to the corporate network via an IPsec VPN or a Secure Sockets Layer (SSL) VPN, by any remote or mobile workforce user

■ HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any remote or mobile workforce user

■ Business Web applications: Access to business Web applications by any workforce user

■ Portals: Access to portal applications, such as Outlook Web App and self-service HR portals by any remote or mobile workforce user

■ Cloud applications: Access to cloud apps, such as salesforce.com and Google apps, by any remote or mobile workforce user

External users

■ VPN: Access to back-end applications via IPsec or SSL VPN by any business partner, supply chain partner or other external user

■ HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any business partner, supply chain partner or other external user

■ Business Web applications: Access to Web applications by any business partner, supply chain or other external user (except retail customers)

■ Retail customer applications: Access to customer-facing Web applications

For each use case, the enterprise must identify the methods, or combinations of methods, that fit best, considering at least authentication strength, TCO and user experience (see "How to Choose New Authentication Methods").

Note that some vendors have a particular focus on one use case or a few use cases, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.

Market Trends and Other Considerations

Versatile Authentication Servers (VASs)

A VAS is a single product or service that supports a variety of open and proprietary authentication methods in multiplatform environments. It may be delivered as server software, as a virtual or hardware appliance, or as a cloud-based service, typically with a multitenanted architecture.

A VAS typically supports OTP tokens and OOB authentication, and may also support one or more of the following: KBA methods, X.509 tokens and biometric authentication methods. A VAS must, at minimum, support one or more standards-based authentication methods — most commonly, OTP tokens using algorithms developed by the OATH — or have an extensible architecture to enable third-party authentication methods to be "plugged in" as required, without the need for a discrete third-party server or service.

A VAS vendor is likely a wide-focus authentication vendor, but not all wide-focus authentication vendors are VAS vendors. Even if a vendor supports a wide range of methods, its authentication infrastructure does not properly qualify as "versatile" if it supports only the vendor's proprietary methods or those licensed from another vendor. (RSA, The Security Division of EMC, is the most notable example of such a vendor.) Nonetheless, if the vendor can offer a wide-enough range of authentication methods, it may still be able to deliver much of the value of a true VAS. However, enterprises must consider the impact of vendor lock-in, particularly when it may restrict the future adoption of fit-for-purpose authentication methods.

Most wide-focus vendors are now VAS vendors. With few exceptions, VASs are the only authentication infrastructure they offer (although with different delivery options). Thus, even if a customer is adopting only one kind of authentication method from such a vendor, it will be implementing a VAS that gives it the flexibility to change or add methods to support future needs.

Tight-focus vendors are necessarily not VAS vendors.

Cloud-Based Authentication Services

Several included vendors offer cloud-based authentication services — either traditional managed (hosted) services or new multitenanted cloud-based services — or partner with third-party managed security service providers (MSSPs) ranging from global telcos to smaller, local firms (for example, Sygnify, Tata Communications and Verizon Business). A cloud-based service can be a VAS, but most MSSPs to date have focused on supporting only a small range of methods — typically OTP hardware tokens and sometimes OOB authentication methods. However, we are also seeing some interest in smart cards as a service offering, especially among U.S. federal government agencies seeking to leverage the Personal Identity Verification (PIV) cards mandated by Homeland Security Presidential Directive 12 (HSPD-12).

Historically, cloud-based authentication services have had the most traction among SMBs — companies with fewer than 1,000 employees — and in public-sector verticals (government and higher education). Costs, resources and around-the-clock support considerations make a service offering appealing to these customers.

However, adoption of cloud-based authentication services among private-sector enterprises is increasing, although not because they are explicitly seeking this delivery option. Gartner sees several vendors successfully offering only a cloud-based service (or promoting such a service over any on-premises offering), and enterprises are choosing such solutions based on their overall value proposition. (Of course, the cost advantages of cloud-based services are implicitly part of that value proposition.)

We expect greater adoption of cloud-based services among enterprises as multitenanted cloud-based services mature and as cloud computing becomes more widely adopted as a way of delivering business applications and services generally. Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today. However, it is likely that on-premises solutions will persist, especially in more risk-averse enterprises that want to retain full control of identity administration, credentialing and verification.

Adaptive Access Control

A number of the vendors included in this Magic Quadrant have WFD tools (see "Magic Quadrant for Web Fraud Detection") that are primarily aimed at financial services providers but have attracted interest from enterprises in other sectors, notably government and healthcare. WFD tools provide adaptive access control capabilities; several vendors use the term "risk-based authentication," but the scope of these solutions goes beyond authentication alone (see "Adaptive Access Control Emerges").

Adaptive access control uses a dynamic risk assessment based on a range of user and asset attributes, and other contextual information — for example, transaction value, endpoint identity and status, IP reputation, IP- or GPS-based geolocation, and user history and behavior — to make an access decision. Above a defined risk threshold, the tool can be set to deny a transaction, allow it but alert, prompt for reauthentication or authentication with a higher-assurance method, prompt for transaction verification, and so on. This capability provides an essential component in a layered fraud prevention approach (see "The Five Layers of Fraud Prevention and Using Them to Beat Malware").

In typical enterprise use cases, adaptive access control capability can minimize the burden of higher-assurance authentication on the user by limiting its use to those instances where the level of risk demands it. For example, if a user accesses a VPN or Web application from a known endpoint and location, then a legacy password alone may suffice; however, if the endpoint is unknown or the location is unusual, then the user would, for example, be prompted to use OOB authentication. Gartner projects that, during the next two to three years, such capability will become more important over a wider range of use cases and will be more widely supported among mainstream user authentication products and services, especially among wide-focus vendors. By 2015, 30% of business to business (B2B) and business to enterprise (B2E) enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.
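
The access decision described above, sketched as an added example that is not taken from the Gartner report or from any vendor's product: contextual signals (endpoint identity, geolocation against user history, IP reputation) are combined into a risk score that maps to allow, allow but alert, step up to OOB authentication, or deny. All weights, thresholds, class names and the sample coordinates are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class Action(Enum):
    ALLOW = "allow (password alone suffices)"
    ALLOW_ALERT = "allow but alert"
    STEP_UP = "prompt for higher-assurance (OOB) authentication"
    DENY = "deny"


@dataclass
class History:
    known_endpoints: Set[str]
    last_login: Optional[Tuple[int, float, float]]  # (unix time, lat, lon)


@dataclass
class Attempt:
    endpoint_id: str
    unix_time: int
    lat: float
    lon: float
    ip_reputation: float  # 0.0 = clean .. 1.0 = known bad


# Assumed weights and thresholds; a deployment tunes these to its own risk appetite.
W_UNKNOWN_ENDPOINT = 40
W_UNUSUAL_LOCATION = 40
W_IMPOSSIBLE_TRAVEL = 30
W_IP_REPUTATION = 30
UNUSUAL_KM = 200   # farther than this from the last login counts as unusual
MAX_KMH = 1000     # implied speed above this cannot be one travelling user
THRESHOLDS = [(80, Action.DENY), (40, Action.STEP_UP), (20, Action.ALLOW_ALERT)]


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(history: History, attempt: Attempt):
    """Return (score, reasons, action) for one login attempt."""
    score, reasons = 0, []

    if attempt.endpoint_id not in history.known_endpoints:
        score += W_UNKNOWN_ENDPOINT
        reasons.append("unknown endpoint")

    # With no prior login there is nothing to compare the location against;
    # the unknown-endpoint signal alone then forces step-up.
    if history.last_login is not None:
        t0, lat0, lon0 = history.last_login
        km = km_between(lat0, lon0, attempt.lat, attempt.lon)
        if km > UNUSUAL_KM:
            score += W_UNUSUAL_LOCATION
            reasons.append("unusual location")
            # Floor the elapsed time at one minute to avoid division by zero
            # and to handle clock skew between log sources.
            hours = max((attempt.unix_time - t0) / 3600, 1 / 60)
            if km / hours > MAX_KMH:
                score += W_IMPOSSIBLE_TRAVEL
                reasons.append("impossible travel")

    ip_points = round(W_IP_REPUTATION * min(max(attempt.ip_reputation, 0.0), 1.0))
    if ip_points:
        score += ip_points
        reasons.append("ip reputation")

    # THRESHOLDS is ordered highest first; the first limit reached wins.
    action = next((a for limit, a in THRESHOLDS if score >= limit), Action.ALLOW)
    return score, reasons, action


if __name__ == "__main__":
    # Constructed sample data: one user who last logged in from London.
    user = History({"laptop-01"}, (1_000_000, 51.5074, -0.1278))
    for attempt in (
        Attempt("laptop-01", 1_003_600, 51.5074, -0.1278, 0.0),
        Attempt("kiosk-77", 1_003_600, 51.5074, -0.1278, 0.0),
        Attempt("kiosk-77", 1_003_600, 40.7128, -74.0060, 0.0),
    ):
        print(attempt.endpoint_id, assess(user, attempt))
```
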

X.509 Tokens

Unlike OTP tokens and OOB authentication offerings, "authentication using X.509 tokens" does not represent a complete product of fully integrated components provided by a single vendor, but rather an ensemble of discrete components from two or more vendors. Thus, X.509 token projects can be significantly more complex than they may appear at first. Enterprises must identify combinations of the different components that are interoperable, as demonstrated through true technology partnerships, rather than simply through comarketing and coselling agreements, and should demand multiple reference implementations.

Among the vendors included in this Magic Quadrant, some (such as ActivIdentity, Gemalto and SafeNet) provide only the smart cards, middleware and CM tools. Others (such as Symantec) provide only the PKI components. For many enterprises, the PKI tools embedded in Microsoft Windows Active Directory will be good enough, so any of the former vendors may be sound choices. Where enterprises have a need for richer functionality in their PKI components, both types of vendor are needed.

It is important to note, however, that this "incompleteness" is a market reality for X.509-based authentication, and vendors offering smart tokens and supporting X.509-based authentication in their authentication infrastructure products were not penalized for lacking PKI tools in the development of this Magic Quadrant. Moreover, X.509-based authentication for Windows PC and network login is natively supported, so it does not need an authentication infrastructure, such as those offered by the vendors included in this Magic Quadrant. Enterprises seeking to support this can consider other vendors offering smart tokens (for example, G&D, Morpho and Oberthur Technologies), PC middleware (from the smart token vendors or others, such as charismathics) and CM tools (from the smart token vendors or others, such as Bell ID and Intercede).

Pricing Scenarios

For this Magic Quadrant, vendor pricing was evaluated across the following scenarios:

■ Scenario 1 — Communications (publishing and news media): Small enterprise (3,000employees) with 3,000 workforce users of "any" kind. Usage: Daily, several times per day.Endpoints: PC — approximately 60% Windows XP and Vista (AD), and 40% Mac OS X(OpenLDAP). Endpoints owned by: Company. User location: Corporate LAN. Access to: PC andLAN, downstream business and content management applications, mixture of internal andexternal Web and legacy. Sensitivity: Company- and customer-confidential information. Notes:The company also plans to refresh its building access systems and may be receptive to a"common access card" approach. The average (median) price for this scenario wasapproximately $125,000.

■ Scenario 2 — Retail ("high street" and online store): Large enterprise (10,000 employees)with 50 workforce users, limited to system administrators and other data center staff. Usage:Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista. Endpointsowned by: Company. User location: Corporate LAN. Access to: Windows, Unix, and IBM i and zservers, Web and application servers, network infrastructure. Sensitivity: Business-criticalplatforms. Notes: Users have personal accounts on all servers, plus use of shared accountsmediated by shared account password management (SAPM) tool (for example, Cyber-ArkSoftware and Quest Software). Users also need contingency access to assets via an SSL VPNfrom PCs ("any" OS). The company has already deployed 1,500 RSA SecurID hardware tokensfor remote access for its mobile workforce. It must comply with the U.S. Sarbanes-Oxley Act,PCI Data Security Standard (DSS) and other requirements as appropriate to targets accessed.The average (median) price for this scenario was approximately $7,000.

■ Scenario 3 — Healthcare (teaching hospital): Large enterprise (10,000 employees) with 1,000external users, comprising doctors and other designated staff in doctors' practices. Usage:Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista, someWindows 7 and Mac OS X, and maybe others. Endpoints owned by: Doctors' practices. Userlocation: On LANs in doctors' practices. Access to: Electronic health record applications;mixture of Web and legacy (via SSL VPN). Sensitivity: Patient records. Notes: Enterprise mustcomply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the HealthInformation Technology for Economic and Clinical Health (HITECH) Act requirements. PCs maybe shared by doctors and other staff in doctors' practices. The average (median) price for thisscenario was approximately $70,000.

■ Scenario 4 — Utilities (power): Large enterprise (20,000 employees) with 5,000 userscomprising traveling workforce and a "roaming" campus workforce. Usage: Daily, several timesper day to several times per week. Endpoints: PC (mainly Windows XP), smartphones (mainlyBlackBerry) and some other devices. Endpoints owned by: The company. User location: PublicInternet and corporate WLAN. Access to: Business applications, mixture of internal Web andlegacy, via SSL VPN or WLAN. Sensitivity: Company- and customer-confidential information,financial systems (some users), information about critical infrastructure (some users). Notes:Must comply with U.S. Federal Energy Regulatory Commission (FERC), North AmericanElectrical Reliability Corporation (NERC) and other regulatory and legal requirements. The

Page 10 of 48 Gartner, Inc. | G00227026

Page 11: G01.2012 magic quadrant for user authentication

company is also investigating endpoint encryption solutions for its traveling workforce's PCs.The average (median) price for this scenario was approximately $200,000.

■ Scenario 5 — Financial services (retail bank): Large enterprise (20,000 employees) with 1million external users, all retail banking customers. Usage: Variable, up to once every fewmonths. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X;smartphones (including Android and iOS) and tablets (mainly iOS). Endpoints owned by:Customers, Internet cafes and others, possibly also customers' employers. User location:Public Internet, sometimes worldwide; possibly corporate LANs. Access to: Web application.Sensitivity: Personal bank accounts, up to $100,000 per account. Notes: Most customers arebased in metropolitan and urban areas, but approximately 10% are in areas without mobilenetwork coverage. The average (median) price for this scenario was approximately $1.9 million.

Note that these pricing scenarios do not reflect any discounts that a vendor may offer particular customers or prospects, and they do not reflect other considerations that contribute to the TCO of a user authentication solution (see "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership").

Vendor Strengths and Cautions

ActivIdentity

ActivIdentity, based in Fremont, California, was formed by the 2005 merger of ActivCard (which had acquired A-Space in 2004, giving it the 4TRESS product, focused on authentication in financial services) and Protocom (an enterprise single sign-on [ESSO] vendor). ActivIdentity was purchased by Assa Abloy in December 2010 and made part of its HID Global unit. The company has a long history in authentication and adjacent markets. Its current focus is on authentication and credential management across multiple market segments. As part of HID Global, ActivIdentity now has a stronger focus on common access cards for physical security, as well as for enterprise PC and network login.

ActivIdentity offers 4TRESS Authentication Server as a hardware appliance, aimed at enterprise and online banking or other external user implementations, or a software appliance aimed at enterprises and SMBs, as well as an SDK for direct integration in banking (or other) applications. It also offers 4TRESS AAA Server, with support for a small range of authentication methods (OTP tokens), as software for enterprises and SMBs.

Strengths

■ 4TRESS Authentication Server has one of the widest ranges of supported authentication methods, and ActivIdentity offers one of the widest ranges of authentication methods. Overall, ActivIdentity has one of the strongest product or service offerings.

■ ActivIdentity demonstrated a strong sales strategy.

■ ActivIdentity came out very well in the pricing scenarios and was among the lowest-cost options for Scenario 5.


■ Reference customers typically cited functional capabilities, the pricing model or TCO as important decision factors.

Cautions

■ ActivIdentity has a small market share by customer numbers in comparison with other vendors in this research. However, overall, it is used by approximately 10 million end users.

■ Reference customer comments raised concerns about ActivIdentity's customer support, the reliability of the software and target system integration. Overall, reference customers were ambivalent about the company's customer support.

Authentify

Authentify, based in Chicago, was established in 1999. It offers OOB authentication services and has multiple OEM relationships (which include other vendors discussed in this Magic Quadrant). Authentify has a strong market focus on financial services, and tailors its offerings to banks' and others' need for layered security and fraud prevention measures.

In 2001, Authentify launched its multitenanted, cloud-based service providing OOB authentication by voice modes, adding SMS modes in 2007 and transaction verification for electronic funds transfer by voice modes in 2008. In voice modes, additional assurance can be provided by biometric voice (speaker) recognition. Authentify has recently launched 2CHK, a desktop and mobile app, activated by an OOB voice call or SMS exchange, that provides more robust transaction verification.

About half of Authentify's customers come from its channel partners, which include DocuSign, Entrust, FIS, RSA and Symantec. Direct customers come mainly from financial services, including major banks and insurance companies, but can also be found in healthcare, technology and service provider verticals.

Strengths

■ Although it has negligible market share by customer numbers, across its own and partner implementations, Authentify is likely used by hundreds of millions of end users.

■ Authentify clearly articulated a good market understanding and demonstrated a good geographic strategy.

■ Direct SS7 layer monitoring enables Authentify to detect call forwarding in many areas, defeating one type of attack against OOB authentication by voice.

■ Authentify came out fairly well in the pricing scenarios, and was among the lowest-cost options for Scenario 5, which represents its target market segment. Although it was the highest-cost option for Scenario 4 by a huge margin, this use case is not representative of its target market segment.


Cautions

■ Authentify offers only OOB authentication. Furthermore, a majority of Authentify's clients use its OOB authentication for "transactional" systems, rather than as a primary authentication method for login — for example, registration confirmation, password change or recovery, real-time PIN delivery, credential activation, login from unknown machine or location (in the context of WFD or adaptive access control), transaction verification for funds withdrawal or transfer (often in the context of WFD or adaptive access control). However, these use cases map well to the wants and needs of Authentify's target market segment.

■ Authentify's offerings lack Security Assertion Markup Language (SAML) integration to cloud-based applications and services.

■ Authentify did not clearly articulate a strong sales or marketing strategy in comparison with other vendors in this research, nor did it demonstrate strong sales execution. However, Gartner notes that Authentify performs strongly within its target market segment.

CA Technologies

CA Technologies' history dates back to the 1970s, and the company has a history of growth through mergers and acquisitions, as well as internal product development. In 2010, CA Technologies acquired Arcot Systems, with which it already had an important strategic partnership. With its WebFort and RiskFort products, Arcot had made inroads into the WFD and online customer authentication markets (as well as for card issuers authorizing e-commerce payments) and, more recently, in the enterprise authentication market. The integrated products are now offered under the CA Advanced Authentication name, as hosted managed services, server software and SDK/APIs for direct integration into target systems, and CA AuthMinder as-a-Service (formerly Arcot A-OK) as a multitenanted cloud-based service. One of CA Technologies' distinctive features is ArcotID, a proprietary X.509 software token technology that protects the credentials on the endpoint device and binds them to the device.

The ex-Arcot portfolio also includes e-payment card authentication, secure electronic notification and delivery, and digital signature integrated with Adobe Acrobat. The acquisition also gave CA Technologies an established cloud services infrastructure and expertise for cloud delivery of other identity and access management (IAM) offerings.

CA Technologies offers OTP hardware tokens from Gemalto and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

■ Overall, CA Technologies has one of the strongest product or service offerings. CA Advanced Authentication tightly integrates the adaptive access control capabilities of its WFD tool, CA Arcot RiskFort, with the authentication component, CA Arcot WebFort (soon to be renamed CA AuthMinder).


■ CA Technologies clearly articulated good market understanding and product/service strategy, as well as market, sales and geographic strategies. (This is where Arcot's acquisition by CA Technologies has had the most significant impact on the vendor's position in the market.)

■ Although it has a very small market share by customer numbers in comparison with other vendors in this Magic Quadrant, CA Technologies is used by more than 100 million end users.

■ CA Technologies came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3, 4 and 5. Notably, it offers zero-cost OTP software tokens for mobile phones.

■ Reference customers typically cited functional capabilities and good feedback from reference implementations as important decision factors. (However, some were unsure about recommending CA Technologies to their peers.) Reference customers were fairly satisfied with CA Technologies' customer support.

Cautions

■ CA Technologies is not as well-suited for SMBs, because its direct sales force typically does not do deals with an end-user count below 1,000.

■ The majority of CA Technologies' customers are in the Americas (with the bulk likely in North America).

■ Reference customer comments raised concerns about technical integration with existing infrastructure components and other implementation issues.

Cryptocard

Cryptocard, based in Ottawa, Canada, and Bracknell, U.K., has focused on the enterprise authentication market since 1989, often positioning itself as the lower-cost alternative to the market leaders. In 2006, Cryptocard merged with WhiteHat Consulting, adding a managed authentication service to its portfolio.

Cryptocard now offers three core products and services: Blackshield Cloud, a multitenanted cloud-based service; Blackshield Server, application software intended to run on one or more server instances; and Blackshield Service Provider Edition, a software application that service providers can use to create their own hosted versions of Blackshield Cloud.

Strengths

■ Cryptocard clearly articulated a good product/service strategy, coupled with strong technical innovation, as well as strong marketing, vertical industry and geographic strategies. It also demonstrated good market responsiveness.

■ Cryptocard came out fairly well in the pricing scenarios, and was among the lowest-cost options for Scenario 2.


■ Reference customers typically cited functional capabilities and expected performance and scalability as important decision factors. They liked Cryptocard's Active Directory synchronization and broad range of "token" form factors (including OOB authentication options). In addition, they were fairly satisfied with Cryptocard's customer support.

Cautions

■ Cryptocard has few customers in the Asia/Pacific region.

■ Reference customer comments raised concerns about ease of migration from Crypto-MAS to the Blackshield cloud-based service.

DS3

Founded in 1998 as RT Systems, this Singapore-based company changed its name to Data Security System Solutions (DS3) in 2001 to better reflect its market focus. In 2010, it raised institutional funding to expand and execute on its vision to provide solutions that will meet the user and data authentication requirements for different customer segments, different industries and different use cases.

DS3 offers DS3 Authentication Server as a hardware or software appliance for large-scale B2B/B2C deployments (launched in 2004); DS3 Authentication Security Module as a hardware appliance for smaller enterprise intranet implementations; DS3 Authentication Toolkit, an SDK/APIs for direct integration in banking (or other) applications (2009); and a hosted authentication service (2011). DS3 has a global partnership with IBM Security Services, which offers the DS3 Authentication Server worldwide under the name "IBM Identity and Access Management Services — total authentication solution."

DS3 offers OTP and X.509 hardware tokens from RSA, SafeNet, Vasco and others. DS3's partners benefit by being able to sell large volumes of tokens without the overheads of selling and supporting their own authentication infrastructure products.

Strengths

■ DS3 clearly articulated a good sales strategy and demonstrated good market responsiveness. Notably, DS3 responded positively to the financial crisis in 2008, when sales to banks slowed significantly, by expanding into other vertical industries, with some success.

■ DS3 Authentication Server has one of the widest ranges of supported authentication methods, including support for multiple OTP token types, and DS3 offers a wide range of authentication methods. DS3's broad OTP token support is also an advantage for an enterprise migrating from another vendor's offering, because it allows the continued use of that vendor's tokens for their remaining lifetime without the need to maintain that vendor's authentication server in parallel.

■ DS3's solutions are very scalable, which Gartner believes was an important factor in DS3's winning Singapore's National Authentication Framework for a countrywide authentication service.


■ DS3 came out very well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 2, 4 and 5.

■ Reference customers in financial services typically cited DS3's industry experience and reputation as important decision factors. Most found that DS3 responds to support requests fully and promptly. Overall, they were satisfied with DS3's customer support.

Cautions

■ DS3 has a negligible market share by customer numbers. However, it is already used by the Singapore government and many banks in the region, giving DS3 total end-user numbers of more than 5 million.

■ The majority of DS3's customers are in the Asia/Pacific region, although its partnership with IBM has begun to yield a few significant global sales, such as ING Bank in the Netherlands.

■ DS3 did not clearly articulate a strong market understanding or marketing strategy in comparison with other vendors in this research, or demonstrate strong marketing execution.

■ DS3's offerings lack SAML integration with cloud-based applications and services.

■ Reference customer comments raised minor concerns about the stability of features and customizability.

Entrust

Entrust, headquartered in Dallas, Texas, is a well-established security vendor offering fraud detection, citizen e-ID and data encryption tools, in addition to its authentication portfolio. Entrust's core authentication infrastructure, Entrust IdentityGuard, supports a much broader range of authentication methods than the OTP grid cards that first bore that name. Entrust, a public company since 1997, was taken private in 2009 by the private equity investment firm Thoma Bravo.

Since 2005, Entrust has offered IdentityGuard Authentication Server as server software. Entrust offers OOB authentication through a partnership with Authentify.

Strengths

■ Overall, Entrust has one of the strongest product or service offerings in the user authentication market. IdentityGuard incorporates some adaptive access control capabilities natively and can be coupled with TransactionGuard for full-blown WFD functions.

■ Entrust was among the lowest-cost options for Scenarios 4 and 5, but its pricing for Scenario 2 was second-highest. We also note that SAML integration to cloud-based applications and services for IdentityGuard requires a discrete "Federation Module" at an additional cost.

■ Reference customers typically cited functional capabilities and expected performance and scalability as important decision factors.


Cautions

■ Entrust did not clearly articulate a good market understanding or demonstrate strong market responsiveness or customer experience in comparison with other vendors in this research.

■ Entrust has a very small market share by customer numbers in comparison with other vendors in this research. However, it is used by an installed base of approximately 40 million end users.

■ There is no appliance or cloud-based version of IdentityGuard. Entrust tells us that it will be introducing a cloud-based version early in 2012.

Equifax

Equifax, based in Atlanta, Georgia, has a long history in identity, going back to 1899. It entered the user authentication market in 2010 with its acquisition of Anakam, a wide-focus authentication vendor with a market focus on healthcare and government.

Equifax's core offering in this market is the Anakam.TFA Two-Factor Authentication server software, launched in 2005, which is complemented by tools for identity proofing, risk assessment and credentialing. In 2011, it launched Anakam.ODI On-Demand Identity, a multitenanted, cloud-based service that integrates its product offerings with SAML-based federated single sign-on (SSO).

Strengths

■ Although it has negligible market share by customer numbers, Equifax is used by more than 100 million end users.

■ Equifax clearly articulated a good vertical industry strategy and demonstrated its overall viability.

■ Reference customers in healthcare typically cited Equifax's industry experience and understanding of their business needs as important decision factors. Reference customers were satisfied with Equifax's customer support.

Cautions

■ A significant majority of Equifax's customers are in North America, although the company does have a presence in Latin America and Europe.

■ Equifax did not clearly articulate a strong product/service strategy, strong technical innovation or a strong sales strategy in comparison with other vendors in this research.

■ Only Equifax's Anakam.ODI On-Demand Identity offering provides SAML integration to cloud-based applications and services.


Gemalto

Amsterdam-based Gemalto, formed in 2006 by the merger of Axalto (formerly the smart card division of Schlumberger) and Gemplus, is a leading smart card vendor, with a strong presence in the authentication market. It offers OTP tokens, as well as smart tokens. With the acquisitions of Xiring's authentication portfolio and, in particular, of Todos, Gemalto has broadened the range of its offerings in the financial services industry, which it has identified as a key market. Other recent acquisitions relevant to its authentication portfolio include Trusted Logic (a provider of open, secure software for consumer devices and digital services), Valimo (a pioneer in mobile digital ID, with solutions that enable secure authentication, digital signatures and transaction verification) and Multos International (originator of the Multos smart card OS).

Gemalto's core infrastructure products are Protiva Strong Authentication Server (server software) and Protiva Strong Authentication Service (a hosted managed service), as well as the Ezio System (server software for financial services and e-commerce) from the Todos acquisition.

Strengths

■ Gemalto came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 3 and 5. (However, it did not provide a quotation for Scenario 2.)

■ Gemalto demonstrated significant growth in its OTP token product lines, and has established itself as a credible provider of these authentication methods.

■ Reference customers were fairly satisfied with Gemalto's customer support, and their comments about the products were generally positive.

Cautions

■ Gemalto did not clearly articulate good marketing strategy or technical innovation.

■ Although Gemalto is widely recognized as a leading smart card vendor, the company is rarely cited by Gartner clients in calls about authentication, generally.

i-Sprint Innovations

Singapore-based i-Sprint Innovations was founded in 2000 by ex-Citibank security professionals and is backed by global institutional investors. It was acquired in 2011 by Automated Systems Holdings Ltd. (ASL), a subsidiary of Teamsun. The companies are listed on the Hong Kong Stock Exchange and the Shanghai Stock Exchange, respectively. The purchase bodes well for the expansion of i-Sprint's offerings into the Chinese market, given the Multi-Level Protection Scheme (MLPS) in China, which obliges companies to use only domestic security solutions.

Its AccessMatrix Universal Authentication Server (UAS), launched in 2005, is part of an integrated set of server software products, which also includes ESSO, WAM and SAPM tools.

i-Sprint offers OTP hardware tokens from ActivIdentity, Gemalto, SafeNet, Vasco and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)


Strengths

■ AccessMatrix UAS has one of the widest ranges of supported authentication methods, including support for multiple OTP token types, and i-Sprint offers a wide range of authentication methods.

■ i-Sprint clearly articulated a good product/service strategy, coupled with strong technical innovation, and it demonstrated good customer experience. Reference customers were very or extremely satisfied with i-Sprint's customer support.

■ i-Sprint was among the lowest-cost options for Scenarios 4 and 5.

■ Reference customers in financial services typically cited i-Sprint's industry experience, conformity to technical standards, and pricing model or TCO as important decision factors. They praised the robustness, maturity and sophistication of the product.

Cautions

■ i-Sprint has a negligible market share by customer numbers (although it is used by several million end users).

■ i-Sprint did not clearly articulate a strong market understanding or sales strategy in comparison with other vendors in this research.

■ The majority of i-Sprint's customers are in Asia/Pacific. Although its acquisition by ASL and likely future growth in China will only reinforce this bias, ASL may well provide the resources to enable significant overseas growth.

■ Reference customer comments raised some concerns about the complexity of UAS's administration interface and the suitability of audit reports for business users.

Nordic Edge

Sweden-based Nordic Edge was founded in 2001 and acquired by Intel in early 2011. Nordic Edge provides a broad range of IAM solutions, from provisioning of user information and SSO to software as a service (SaaS), as well as its wide-focus authentication offering.

Nordic Edge's core product is the Nordic Edge One Time Password Server, which can be delivered as server software, an SDK/API for Java and .NET/COM, and an on-demand Web service. Nordic Edge Opacus is also offered to service providers for them to offer a cloud-based authentication service as part of ERP, CRM and business intelligence cloud services, and this approach represents approximately 5% of its customers.

Nordic Edge offers OTP hardware tokens from Feitian Technologies and Yubico. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)


Strengths

■ Nordic Edge was among the lowest-cost options for Scenarios 2, 4 and 5. Notably, OTP software tokens for mobile phones are included in its OTP Server offering.

■ Reference customers typically cited Nordic Edge's industry experience, conformity to technical standards, and expected performance and scalability as important decision factors. Some reference customers highlighted Nordic Edge's flexibility, scalability and ease of installation.

■ Reference customers were, on average, very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

■ Nordic Edge has a negligible market share by customer numbers. (However, it is used by more than 1 million end users.)

■ Nordic Edge did not clearly articulate a strong marketing strategy or demonstrate strong market responsiveness in comparison with other vendors in this research.

■ The majority of Nordic Edge's deployments are in companies with fewer than 1,000 users.

PhoneFactor

PhoneFactor, based in Overland, Kansas, and established in 2001 as Positive Networks, has offered its multitenanted, cloud-based OOB authentication service since 2007. PhoneFactor provides agents for target system integration to VPNs, HVDs, Web applications and other systems, and an SDK/API for integration with Web application login and transaction processes. In conjunction with a third-party WFD tool, PhoneFactor can be used to authenticate high-risk logins or for transaction verification.

Strengths

■ PhoneFactor is the OOB authentication vendor most frequently cited by Gartner clients.

■ PhoneFactor is one of the few OOB authentication vendors that does not pass an OTP over the data channel in either direction, with all authentication information being exchanged over the air by the voice or SMS channel, making it less vulnerable to man-in-the-middle attacks.

■ PhoneFactor was among the lowest-cost options for Scenarios 2 and 5.

■ Reference customers typically cited PhoneFactor's functional capabilities and expected performance and scalability as important decision factors. PhoneFactor's ease of implementation and management were explicitly mentioned. Reference customers were very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

■ PhoneFactor offers a free version of its service, restricted to 25 users for one or two applications, with no time limit. This may provide a complete solution for some SMBs, but it also offers a low-risk proof of concept for any company seeking a larger implementation. Clients tell us that nearly all proof-of-concept implementations are converted to full enterprise licenses.

Cautions

■ PhoneFactor offers only phone-based authentication (OOB authentication, as well as a software token using push notification that was released in late 2011).

■ The company has very small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

■ PhoneFactor did not clearly articulate good market understanding, product/service strategy or marketing, vertical industry or geographic strategies, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

■ Reference customer comments raised some concerns about technical integration with some existing infrastructure components.

Quest Software

Quest Software, based in Aliso Viejo, California, offers a wide range of Windows, application, database and virtualization management tools. It has recently strengthened its IAM offerings with the acquisition of Voelcker Informatik. Its authentication offering is the Defender product line (offered in succession since 1995 by AssureNet Pathways, Axent Technologies, Symantec and PassGo Technologies).

The company's core infrastructure product is Quest Defender Security Server, delivered as security software. Defender offers OTP hardware tokens from ActivIdentity, SafeNet, Vasco, Yubico and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

■ Quest Software has relationships with several of the leading token manufacturers, which enable it to support one of the widest selections of OTP hardware tokens, as well as OTP software tokens and other methods. This is an advantage for an enterprise migrating from another vendor's offering, because it enables the continued use of that vendor's tokens for their remaining lifetime, without the need to maintain that vendor's authentication server in parallel.

■ Quest Software clearly articulated a good marketing strategy and demonstrated good marketing execution.

■ Quest Software was among the lowest-cost options for Scenarios 2 and 4. Some reference customers indicated that its TCO can be significantly lower than its major competitors', owing to, for example, reduced infrastructure requirements.

■ Reference customers typically cited Defender's functional capabilities and pricing model or TCO as important decision factors. Reference customers were very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

■ Quest has negligible market share by customer numbers and is used by fewer than 200,000 end users. The majority of Quest Software's deployments are in companies with fewer than 1,000 users.

■ Quest Software did not clearly articulate a strong product/service strategy or geographic strategy, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

■ Defender Security Server lacks SAML integration with cloud-based applications and services.

■ Quest Software offers no appliance or cloud-based delivery options.

RSA, The Security Division of EMC

RSA, The Security Division of EMC, which is based in Bedford, Massachusetts, has a long history in the authentication market. Security Dynamics was founded in 1984, and began shipping its SecurID tokens in 1986. Security Dynamics acquired RSA Data Security in July 1996, to form RSA Security. In 2006, RSA was acquired by EMC. Other acquisitions have provided RSA with a broad portfolio of access and intelligence products.

RSA's flagship infrastructure product is RSA Authentication Manager (formerly ACE/Server), which is now offered as either server software or a hardware appliance. It also offers RSA SecurID Authentication Engine, a Java/C++ SDK/API for direct integration into applications and portals.

From its acquisitions of Cyota (2005) and PassMark Security (2006), RSA has a WFD product, RSA Adaptive Authentication. It also offers RSA Adaptive Authentication for the enterprise, which can be used as part of an enterprise's layered authentication approach. The risk engine from RSA Adaptive Authentication is combined with RSA SecurID on-demand OOB authentication in the RSA Authentication Manager Express hardware appliance, launched in 2010 and targeted at remote access use cases in SMBs or small deployments in enterprises.

From its acquisition of Verid (2007), RSA Identity Verification provides identity proofing for new account registration, but can also be used for authentication of infrequent users (who would be unlikely to remember a legacy password) and call center caller verification.

RSA offers OOB authentication through a partnership with Authentify.

The Impact of the RSA Breach

In March 2011, RSA was successfully attacked by what Gartner believes to have been two China-based hacking groups, at least one of which has a history of going after U.S. defense companies. We have inferred that the breach exposed the token records of all then-extant RSA SecurID hardware tokens, including the seed values used to generate the OTPs, allowing the attackers to successfully masquerade as legitimate users. We believe that this formed the basis of the subsequent (unsuccessful) attack against Lockheed Martin. That attack prompted RSA to offer replacement hardware or software tokens to its customers — all hardware tokens shipped after a brief hiatus following the attack are not compromised, and software tokens were never exposed — and we understand that many customers have replaced their tokens. (RSA tells us, however, that a "significant majority" have not.) The cost to RSA of replacing these tokens is estimated at $60 million. However, RSA has been impacted by the breach in other ways.

Since the breach, many Gartner clients have told us that they are looking at alternatives to RSA SecurID hardware tokens, but this is only sometimes because of the security concerns. In the majority of cases, the breach has prompted the company to review its historical decision to adopt RSA SecurID, leading the company to seek alternatives that offer a similar, or sometimes lower, level of assurance with lower TCO or better user experience — something that has long been a popular topic in client inquiries. Furthermore, we believe that RSA has lost much goodwill among some of its customers because of poor communication regarding the nature and impact of the breach (even though they might understand why RSA has focused its attention on its defense customers, which it believed were most at risk), the time RSA took to offer replacement tokens (although we believe that RSA would not have had the manufacturing capacity to do this any earlier) and to fulfill replacement requests (with several clients receiving their replacements over a period of months), and the contractual terms for the replacements (although we understand that RSA cannot provide free replacements under U.S. General Services Administration rules). These customers are likely to be looking hard at alternatives to RSA in the coming years. Nonetheless, it is highly likely that customer attrition will remain relatively small, given the "stickiness" of RSA SecurID deployments (because of the breadth of technical integration RSA offers) and, increasingly, a shift toward RSA SecurID software tokens and adaptive access control (especially if and when RSA integrates its risk engine into RSA Authentication Manager).

Strengths

■ Gartner estimates that RSA has a market share by customer numbers of about 25%, although this is appreciably lower than the previous year. (Note that this market share is based on 2010 numbers, and does not reflect any impact of the breach discussed above.) Overall, RSA is used by tens of millions of end users.

■ RSA is seen as the principal competitor by the majority of vendors in this research and has strong mind share among Gartner clients.

■ RSA demonstrated good overall viability (among the strongest of the vendors discussed in this research) and good marketing execution.

■ Reference customers in financial services typically cited RSA's industry experience as an important decision factor. All references also cited the functional capabilities, and some the expected performance and scalability, of RSA's products. Reference customers noted that the company generally dealt with technical support requests fully and promptly. Although reference customers were, on average, fairly satisfied with RSA's customer support, the rankings were widely spread.

Cautions

■ Although RSA offers a market-leading WFD tool, RSA Adaptive Authentication, and we see significant enterprise interest in RSA Adaptive Authentication for the Enterprise, these products are only loosely coupled with RSA Authentication Manager. RSA now offers RSA Authentication Manager Express, which is aimed at the SMB market and combines the risk engine from RSA Adaptive Authentication with OOB authentication (RSA SecurID On-demand). However, RSA Authentication Manager still lacks this integration.

■ The majority of RSA's customers are in the Americas (with the bulk likely in North America).

■ RSA Authentication Manager and RSA Authentication Manager Express lack SAML integration to cloud-based applications and services.

■ Reference customer comments raised some concerns about ease of user management in RSA Authentication Server (which was often echoed by other vendors' reference customers' reasons for deciding against RSA).

■ A frequently mentioned reason among other vendors' reference customers for deciding against RSA Authentication Manager/RSA SecurID was its high cost. In fact, RSA was average or worse in most of the pricing scenarios, and was the highest-cost option for Scenario 5 by a wide margin. Although there is certainly a bias because of RSA's presence in the market, a significant number of client inquiries ask about "lower-cost alternatives to RSA."

SafeNet

SafeNet, based in Baltimore, Maryland, was established in 1983 as Industrial Resource Engineering and changed its name in 2000. In 2007, SafeNet was acquired by Vector Capital, which also acquired Aladdin Knowledge Systems two years later. Both firms now trade under the SafeNet name. Common ownership brings SafeNet's authentication offerings (from the 2004 to 2008 acquisitions of Rainbow Technologies and Datakey) together with those of Aladdin, which had a much stronger presence in that market segment with its legacy eToken offerings, as well as those from its acquisitions in 2008 of Eutronsec and the SafeWord product line from Secure Computing (one of the oldest lines of OTP tokens). SafeNet's other major product lines focus on software rights management and cryptography for data protection, including hardware security modules (HSMs).

SafeNet has two server software offerings: SafeNet Authentication Manager (SAM), which was formerly Aladdin's Token Management System, and SafeNet Authentication Manager Express, which was formerly SafeWord 2008. The latter supports a restricted set of authentication methods (OTP tokens and OOB authentication via SMS). SAM also provides CM capabilities and federated SSO to cloud-based applications. SafeNet also offers SafeNet OTP Authentication Engine, an SDK and API for direct integration of OTP authentication into target systems.

Strengths

■ SafeNet offers a wide range of authentication methods. Overall, SafeNet has one of the strongest product or service offerings in the market.

■ Gartner estimates that SafeNet has a market share by customer numbers of approximately 20%. Overall, SafeNet is used by tens of millions of end users.

■ SafeNet clearly articulated its technical innovation, as well as good marketing, industry vertical and geographic strategy, and demonstrated good customer experience. It also demonstrated good overall viability, market responsiveness and market execution, as well as good customer experience. Reference customers were very satisfied with SafeNet's customer support (one remarking that SafeNet had "gone to great lengths") and noted that it generally dealt with technical support requests fully and promptly.

■ SafeNet came out quite well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3 and 4; however, it was one of the higher-cost options for Scenario 5.

■ Reference customers' comments about the products were generally positive.

Cautions

■ SafeNet lacks any adaptive access control capability. Gartner sees this as a significant caution for a vendor with such a strong focus on the financial services market. SafeNet tells us that this capability is in development and will be released in 2Q12.

■ Although SafeNet has good mind share among Gartner clients, this still attaches to the SafeWord and (now defunct) Aladdin brand names, rather than to the SafeNet name itself. Gartner sees this as a continuing marketing challenge for SafeNet in the near term.

SecureAuth

Formed in 2005 as MultiFactor Corporation, this Irvine, California-based vendor changed its name to SecureAuth in 2010. SecureAuth IEP, which is delivered as a hardware or software appliance, combines its authentication infrastructure with the SSO capability of a WAM and support for federation using multiple protocols (see "MarketScope for Web Access Management").

Strengths

■ During the past year, SecureAuth has been one of the authentication vendors most frequently cited by Gartner clients, typically because of its low cost or ease of installation or because of its "tokenless" authentication method.

■ SecureAuth IEP is a single platform that integrates user authentication with federated SSO to cloud-based and Web applications, as well as VPNs. However, Gartner clients rarely cite this as a decision factor in choosing SecureAuth, and the company's lead with this approach may be somewhat eroded as other vendors roll out their support for SAML to provide similar federated SSO capabilities.

■ SecureAuth clearly articulated a good vertical/industry strategy.

■ SecureAuth was among the lowest-cost options for Scenarios 1 and 5, and SecureAuth IEP can cost less than some stand-alone solutions for federated SSO or user authentication.

Cautions

■ SecureAuth's primary authentication method is a kind of X.509 software token. This is not something Gartner sees widely used in practice, although SecureAuth does provide simple implementation of this method, without the constraints of legacy PKI approaches. Although SecureAuth offers KBA and OOB authentication methods (with out-of-the-box support for YubiKey and OATH-compliant tokens planned for 1Q12), and provides a flexible way of linking together multiple methods, relatively few of its customers use any of these other methods as their primary authentication methods.

■ SecureAuth does not provide high-assurance authentication methods, although it can integrate third-party methods such as X.509 hardware tokens (for example, PIV cards) to support high-assurance needs.

■ The vendor has negligible market share by customer numbers. Year-over-year growth has, however, been exceptionally strong. In this respect, SecureAuth is outperforming most larger vendors in this research.

■ SecureAuth did not clearly articulate a strong sales strategy or geographic strategy in comparison with other vendors considered in this research. Neither did it clearly articulate a strong market understanding in line with Gartner's view of enterprises' wants and needs across the market as a whole. Nevertheless, SecureAuth's growth demonstrates that it is addressing the wants and needs of a segment of the market.

SecurEnvoy

U.K.-based SecurEnvoy, formed in 2003, was one of the first vendors to offer OOB authentication solutions.

SecurEnvoy offers two server software products that meet the market definition for this Magic Quadrant: SecurAccess, launched in 2004 and aimed primarily at workforce remote access use cases, and SecurICE, launched in 2006, which supports secure remote access in the event of a disaster or other contingency. (Several other vendors support this as part of their standard user authentication product offering.) In 2009, SecurEnvoy launched SecurCloud, a program for resellers to deploy an authentication service based on the SecurEnvoy product suite as part of a wider cloud offering.

In addition, the company offers SecurMail, a simple email encryption tool, and SecurPassword, which allows secure self-service password reset for Windows using OOB techniques.

Strengths

■ SecurEnvoy clearly articulated a good vertical industry strategy.

■ The vendor provides a range of configuration options for OOB authentication via SMS modes that enable an enterprise to address operational issues (such as latency and lack of signal) and balance user experience against a desired level of security.

■ SecurEnvoy came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3 and 4.

Cautions

■ SecurEnvoy has small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

■ A significant majority of SecurEnvoy's customers are in Europe. However, a majority of its larger customers use SecurEnvoy globally.

■ In comparison with the other vendors in this Magic Quadrant, SecurEnvoy did not clearly articulate a strong geographic strategy, nor did it demonstrate strong overall viability, marketing execution or customer experience (although no reference customers raised specific concerns).

■ SecurEnvoy's offerings lack SAML integration to cloud-based applications and services. SecurEnvoy tells us that SAML will be supported via Active Directory Federation Services early in 2012.

■ SecurEnvoy has no appliance- or cloud-based delivery options; however, these are available through some channel partners. SecurEnvoy also supports authentication as part of third-party cloud-based services via its SecurCloud offering.

SMS Passcode

Denmark-based SMS Passcode was established in 1999 as Conecto A/S, a consulting operation implementing mobile solutions. SMS Passcode OOB authentication, delivered as server software, was launched in 2005. At the end of 2009, the company sold off its consulting business and adopted the name of the product.

Strengths

■ SMS Passcode was among the lowest-cost options for Scenario 2.

■ Reference customers typically cited SMS Passcode's functional capabilities as an important decision factor. Expected performance and scalability, an understanding of business needs, and pricing model or TCO were often cited as well.

■ Reference customers were mostly extremely satisfied with SMS Passcode's customer support, and noted that it always dealt with support requests fully and promptly.

Cautions

■ SMS Passcode has a small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

■ Although it has customers in more than 40 countries, a significant majority of SMS Passcode's customers are in Europe.

■ SMS Passcode offers only OOB authentication. However, despite its name, the company does support voice modes, as well as SMS modes, through a partnership with TeleSign.

■ SMS Passcode did not clearly articulate a strong vertical industry strategy or demonstrate strong overall viability in comparison with other vendors in this research. (The vendor's emphasis is squarely on supporting common workforce access use cases out of the box and horizontally across all industries.)

Swivel Secure

U.K.-based Swivel Secure was established in 2000 and launched its PINsafe product line in 2003. Unique to Swivel's offerings is its proprietary enhanced password method, which allows a user to generate an OTP by combining a known PIN or pattern with a security string or graphic presented on the login pane or on a mobile phone (functioning as a token). Swivel also offers conventional OOB authentication with SMS and voice modules.

Strengths

■ Swivel offers the broadest range of delivery options of any provider discussed in this Magic Quadrant. PINsafe is available as a hardware or software appliance, server software, a managed service with customer premises equipment, and a multitenanted cloud-based service.

■ Swivel was among the lowest-cost options for Scenarios 3, 4 and 5. Notably, it offers zero-cost mobile clients (equivalent to OTP software tokens) for mobile phones.

■ Reference customers typically cited Swivel's pricing model or TCO as an important decision factor. They were very satisfied with the vendor's customer support, and noted that it always dealt with support requests fully and promptly.

■ Swivel is one of the few vendors in this Magic Quadrant to offer an enhanced password method, which is popular with many SMBs that are looking for an improvement over legacy password authentication but do not want or cannot justify "two-factor authentication." In addition, Swivel uses the same enhanced password method with its phone-based authentication methods, providing additional assurance compared with competing solutions that rely on a legacy password or a simple PIN.

Cautions

■ Swivel has very small market share by customer numbers in comparison with other vendors in this research.

■ Swivel did not clearly articulate a strong market understanding or marketing strategy, or demonstrate strong overall viability or marketing execution in comparison with other vendors in this research.

■ A significant majority of Swivel's customers are in Europe. However, these include some sizable global deployments supporting users in North America and the Asia/Pacific region, as well as in Europe.

Symantec

Symantec, based in Mountain View, California, has been a publicly traded company since 1989. It entered the authentication market in 2010 with the acquisition of VeriSign's Identity and Authentication business. (VeriSign had been spun off from RSA Security in 1995 to focus on PKI offerings.) The deal allows Symantec to use the VeriSign brand for its identity and authentication products until 2015, as well as VeriSign's "tick" icon, which has been incorporated into Symantec's logotype. Symantec has a more coherent and better-articulated vision for Validation and ID Protection Service (VIP) and adjacent products than VeriSign had.

Symantec VIP (formerly VeriSign Identity Protection Authentication Service) is delivered as a multitenanted cloud-based service. Symantec also offers a WFD tool, Symantec Fraud Detection System (FDS), as server software or a hosted managed service. The company also cites "synergies" with its data loss prevention and encryption products, but Gartner clients are not seeking authentication solutions in that context.

Symantec offers OTP hardware tokens from ActivIdentity, RSA, SafeNet, Vasco and others, and OOB authentication through a partnership with Authentify. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

■ Symantec demonstrated good marketing execution, and it is one of the authentication vendors most frequently cited by Gartner clients.

■ The vendor offers a wide range of authentication methods, including zero-cost OTP software tokens for mobile phones. However, although Symantec VIP does support OOB authentication, the majority of its customers use this as a backup for users who cannot use their OTP tokens, rather than as a primary authentication method.

■ In late 2011, Symantec incorporated the adaptive access control capabilities from its FDS into VIP to provide what Symantec calls "intelligent authentication."

■ Symantec was among the lowest-cost options for Scenarios 3, 4 and 5.

■ Reference customers typically cited Symantec's functional capabilities as an important decision factor (one said, "everything is as advertised"). Expected performance and scalability and, for financial services, industry experience were often cited, as well. One customer called attention to the flexibility of VIP and the ease of extending it to meet business needs. Some clients tell us that Symantec VIP is difficult to integrate with target systems; however, all but one of the reference customers asserted that they had no technical implementation challenges.

■ Reference customers were very or extremely satisfied with Symantec's customer support, and noted that it always dealt with support requests fully and promptly.

Cautions

■ Symantec has a small market share by customer numbers in comparison with other vendors in this research. However, its offerings are used by a few million end users, and year-over-year growth for 2009 to 2010 was exceptionally strong.

■ Symantec did not clearly articulate a strong vertical industry strategy in comparison to other vendors in this research.

■ Symantec VIP lacks SAML integration to cloud-based applications and services. Symantec tells us that this will be provided in the first half of 2012 as part of Symantec O3.

■ Reference customer comments raised some concerns about the reliability of the ID-1 OTP hardware token.

Technology Nexus

Sweden-based Technology Nexus was founded as a management buyout from Saab Technologies in 1984. In 2010, it acquired PortWise, another Swedish company, adding PortWise's authentication portfolio, Web access management and identity federation platform, and SSL VPN tool to its own PKI-based authentication and other offerings, giving the merged company a broader portfolio of authentication methods and a broader customer base. (PortWise, under its former name of Lemon Planet, was one of the first vendors to offer OOB authentication.)

Technology Nexus offers PortWise Authentication Server as server software, PortWise Virtual Appliance as a software appliance, and Technology Nexus Safe Login as a multitenanted, cloud-based service and a hosted managed service.

Strengths

■ Although it has only a small market share by customer numbers in comparison with other vendors in this research, Technology Nexus is used by several tens of millions of end users.

■ Overall, Technology Nexus has one of the strongest product or service offerings in the market. It includes adaptive access control capabilities through its Policy Service module in PortWise Authentication Server.

■ Technology Nexus clearly articulated a good geographic strategy, and demonstrated good customer experience. Reference customers were very satisfied with Technology Nexus' customer support.

■ Technology Nexus came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 2 and 4.

■ Reference customers cited a variety of vendor and product characteristics as important decision factors. One said that it was "proud" of its decision to implement PortWise Authentication Server.

Cautions

■ Technology Nexus has relatively few customers in the Americas — less than 20% overall.

■ Technology Nexus did not demonstrate strong market responsiveness and track record in comparison with other vendors included in this Magic Quadrant.

■ Reference customers typically cited integration into the existing infrastructure as an implementation challenge. One cited ongoing browser compatibility issues and poor log management with PortWise Authentication Server.

TeleSign

TeleSign, based in Marina del Rey, California, was established in 2005. It provides an OOB authentication service — TeleSign Two-Factor Authentication, a multitenanted cloud-based service — and has a market focus on large global service providers, especially for consumer access, and several OEM relationships (which include other vendors discussed in this Magic Quadrant). TeleSign also offers PhoneID, which evaluates the fraud risk of the phone being used for OOB authentication.

Strengths

■ TeleSign sends calls to more than 200 countries and in more than 85 languages. Voice prompts are localized for native accents to optimize user experience.

■ TeleSign demonstrated good market responsiveness (for example, shifting its marketing strategy to target large online website and service providers as fraudster activity shifted to online arenas and social media platforms).

■ TeleSign guarantees "enterprise-level uptime" and asserts that it consistently outperforms this level of service. TeleSign sends voice calls and SMS messages via multiple routes to ensure deliverability. The performance and reliability of TeleSign's offering are underscored by the experience of a major global service provider, which had been using TeleSign only for OOB in voice mode, but switched over to TeleSign's SMS mode, as well, when it had problems with its incumbent solution, and never went back.

■ Reference customers typically cited TeleSign's functional capabilities as an important decision factor. Direct SS7 layer monitoring now enables TeleSign to detect call forward in many areas, defeating one type of attack against OOB authentication by voice. Product implementation is "smooth," and operational use is unproblematic. Reference customers were very or extremely satisfied with TeleSign's customer support, and noted that it always dealt with support requests fully and promptly.

■ TeleSign came out well in the pricing scenarios. It was consistently among the lowest-cost options. (Note that this assessment is based on a pricing structure that was introduced in mid-2011.)

Cautions

■ TeleSign offers only OOB authentication.

■ TeleSign has a small market share by customer numbers in comparison with the other vendors in this Magic Quadrant, and a significant majority of its customers are in North America (however, it is used by tens of millions of end users globally).

■ TeleSign did not clearly articulate a good vertical industry strategy (although this is not necessarily a significant caution given its market focus).

Vasco

Vasco, based in Chicago, Illinois, entered the OTP token market in 1996 with the acquisition of Digipass, and it continues to use Digipass branding for its portfolio of authentication products. Other authentication-relevant Vasco acquisitions include Lintel Security in 1996, AOS-Hagenuk in 2005, and Able and Logico in 2006. In 2011, Vasco acquired Alfa & Ariss, enhancing its Digipass as a Service.

The company is well-established in the financial services market globally, with a substantial presence in retail banking outside North America, and continues to make significant inroads into enterprise use cases globally.

Vasco acquired DigiNotar in 2011, not long before the attack that precipitated DigiNotar's bankruptcy (see "Certificate Authority Breaches Impact Web Servers, Highlighting the Need for Better Controls"). This has had some impact on Vasco's financial situation, but none at all on the viability of its Digipass product line.

Vasco offers a number of products and services: Vacman Controller SDK/APIs, which provide direct integration with online applications, especially in retail banking and online gaming; Identikey Server as server software (the most widely deployed, by a very wide margin); aXsGuard Identifier and aXsGuard Gatekeeper as hardware appliances, the latter aimed at SMBs; and Digipass as a Service, a managed service with customer premises equipment. Authentication method support varies across these offerings, with aXsGuard Gatekeeper having the most restricted set.

Strengths

■ Vasco offers one of the widest ranges of authentication methods. Overall, Vasco has one of the strongest product or service offerings.

■ Vasco clearly articulated a good sales strategy and demonstrated good overall viability and marketing execution.

■ Gartner estimates that Vasco has a market share by customer numbers of approximately 15%. Overall, Vasco is used by approximately 10 million users.

■ Reference customers frequently cited Vasco's pricing model or TCO (but see Cautions), functional capabilities, industry experience (in financial services), expected performance, and scalability and conformity to technical standards as important decision factors. Several view Vasco as a strategic partner. Most reference customers were, on average, very satisfied with Vasco's customer support (with one outlier that was unsatisfied), and noted that it generally dealt with support requests fully and promptly.

Cautions

■ Vasco lacks any adaptive access control capability. Gartner sees this as a significant caution for a vendor with such a strong focus on the financial services market.

■ Although Vasco has a mature business globally, the majority of its customers are in Europe.

■ Vasco was only average across the pricing scenarios and was one of the higher-cost options for Scenario 5 (but note the reference customer comments about pricing models and, particularly, TCO, cited under Strengths above). We also note that SAML integration to cloud-based applications and services for Vasco's on-premises offerings is provided by a discrete product, Identikey Federation Server, at additional cost.

■ Reference customer comments raised some concerns about ease of integration with enterprise remote access tools and Lightweight Directory Access Protocol (LDAP) directory services.

Yubico

Yubico, based in Stockholm, Sweden, and Palo Alto, California, was established in 2007. Yubico offers distinctive USB hardware tokens for OTP authentication, along with open-source infrastructure products and a new cloud-based service. It has a market focus on enterprises, especially for workforce remote access, and several OEM relationships (which include other vendors discussed in this Magic Quadrant).

Yubico offers YubiKey Validation Server software for Linux, the baseline open-source offering for firms that want to build their own authentication server or service. YubiRADIUS VA is a software appliance in Open Virtualization Format built on open-source components, YubiCloud is a multitenanted cloud-based service, and YubiHSM is an HSM for securing server-side token keys (seed values). The YubiKey hardware tokens have a unique, robust form factor and need no client software, and token keys are held and managed solely by the customer.

Two-thirds of Yubico's customers and partners use the YubiCloud service, with the other third integrating its low-level library directly into their authentication products or using OATH-compliant YubiKeys with their existing OATH-compliant authentication systems.

Strengths

■ Gartner estimates that Yubico has a market share by customer numbers of approximately 10%. Although a significant portion of these are very small implementations, Yubico does have large enterprise and service provider implementations.

■ YubiKeys can be quickly integrated at a low cost. For example, one small manufacturing company implemented YubiKeys for its 20 system administrators within one hour for $500.

■ Yubico came out exceptionally well in the pricing scenarios, with the lowest cost for pricing Scenarios 1, 2, 3 and 4, although it was more expensive than the majority of competitors in Scenario 5.

■ Reference customers typically cited Yubico's functional capabilities as an important decision factor. Expected performance and scalability, and pricing model or TCO, were often cited, as well. The reference customers were very satisfied with the vendor's customer support, and noted that it generally dealt with support requests fully and promptly. (However, Yubico did not demonstrate strong frameworks for managing customer experience in comparison with other vendors in this Magic Quadrant.)

Cautions

■ Yubico did not clearly articulate a good product/service strategy, sales strategy or geographic strategy, nor did it demonstrate good marketing execution.

■ The vendor has few customers in the Asia/Pacific region.

■ Yubico's offerings lack SAML integration to cloud-based applications and services. The vendor tells us that this will be available in the first half of 2012.

■ Unlike traditional OTP hardware tokens, YubiKeys require a standard (Type A) USB port, so they cannot be used with devices that lack them — easily (that is, without an adapter cable) or at all (for example, with iOS devices). One reference customer raised this issue as a problem with iPads. Yubico tells us that this issue will be addressed in early 2012, with YubiApp OTP software tokens for mobile devices, and later in 2012 with YubiKey+ tokens for use with Near Field Communication-enabled devices.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Added

■ Authentify: A U.S.-based OOB authentication service provider with a market focus on financial services and multiple OEM relationships (which include other vendors in this Magic Quadrant)

■ Equifax: A U.S.-based financial information services provider offering a wide-focus authentication solution with a market focus on healthcare and government through its acquisition of Anakam

■ i-Sprint Innovations: A Singapore-based IAM vendor with a market focus on financial services, offering an integrated set of access products that includes ESSO, WAM and SAPM tools, as well as a wide-focus user authentication offering

■ Nordic Edge: A Sweden-based IAM vendor, recently acquired by Intel, with a strong focus on the cloud and a portfolio that includes provisioning of user information and SSO to SaaS, as well as its wide-focus authentication offering

■ PhoneFactor: A U.S.-based OOB authentication service provider with a market focus on enterprises, especially for workforce remote access

■ SecureAuth: A U.S.-based vendor offering an integrated user authentication and gateway product providing SSO to on-premises and cloud-based target systems

■ SecurEnvoy: A U.K.-based OOB authentication service provider with a market focus on enterprises, especially for workforce remote access

■ SMS Passcode: A Denmark-based OOB authentication service provider with a market focus on enterprises, especially for workforce remote access

■ Swivel Secure: A U.K.-based authentication vendor with a market focus on enterprises, especially for workforce remote access, that is often characterized as a phone-based authentication vendor but has probably achieved greater traction with software-only implementations of its PINsafe enhanced password authentication methods

■ TeleSign: A U.S.-based OOB authentication service provider with a market focus on large global service providers, especially for consumer access, and several OEM relationships (which include other vendors in this Magic Quadrant)

■ Yubico: A Sweden-based company with a market focus on enterprises, especially for workforce remote access, and several OEM relationships (which include other vendors in this Magic Quadrant) offering distinctive USB hardware tokens for OTP authentication, along with open-source infrastructure products and a new cloud-based service

The following vendors were included in the earlier MarketScope, but their names have changed because of a merger or acquisition:

■ Arcot Systems: now part of CA Technologies

■ PortWise: now part of Technology Nexus.

■ VeriSign: now part of Symantec (the remainder of VeriSign, which focuses on DNS business, conducts business under the Verisign name; note the lowercase "s").

Dropped

The following vendor failed to meet the inclusion criteria for this year's Magic Quadrant, because of its small market share by customer numbers:

■ Fujitsu Services: Finland-based Fujitsu Services, a subsidiary of Fujitsu, offers the mPollux line of authentication products and services. Fujitsu Services supports and offers only a narrow range of supported authentication methods and is tightly focused on local markets. Notably, it provides a government-to-citizen authentication service, managed by the Finnish State Treasury, that spans more than 50 municipalities and agencies. Fujitsu Services may still be an appropriate choice for enterprises in the Nordic region with more-focused needs.

The following vendors are noteworthy, but were not rated in this Magic Quadrant:

■ AuthenWare: Based in Miami, Florida, AuthenWare offers a practicable behavioral biometric authentication technology based on typing rhythm (also known as keystroke dynamics). Other vendors offer this authentication method, but the AuthenWare Technology product is differentiated by being simple to implement, scalable and robust, as well as providing good user experience. Many Gartner clients report that they have a positive view of AuthenWare. (AuthenWare did not meet the inclusion criteria for customer numbers.)

■ DigitalPersona: DigitalPersona, headquartered in Redwood City, California, offers a suite of solutions that include user authentication and ESSO, as well as full-disk encryption, email/document encryption and VPN multifactor authentication. DigitalPersona has expanded its support for other vendors' authentication methods, and these methods integrate with DigitalPersona's ESSO and VPN components. The company has an OEM deal with HP to include DigitalPersona's software, rebranded as HP ProtectTools, on HP computers. Although DigitalPersona's user authentication options can be implemented independently of its ESSO capabilities, integration is restricted to the endpoint device. (For this reason, DigitalPersona did not fit the market definition for this Magic Quadrant.)

■ LexisNexis: Dayton, Ohio-based LexisNexis offers InstantID Q&A, a KBA service endorsed by the American Bankers Association and used by more than 200 financial services and other organizations worldwide. InstantID Q&A is "powered by" RSA Identity Verification KBA technology (formerly Verid) and exploits LexisNexis' access to billions of public records and vast amounts of noncredit data to generate robust verification questions. (LexisNexis was excluded, because there is no functional modification of the technology licensed from RSA.)

■ ValidSoft: Ireland-based ValidSoft, now a subsidiary of telecommunications vendor Elephant Talk Communications, offers OOB authentication and transaction verification methods. Its offering is technically sound, and it has a good track record in enterprise and financial services use cases, including private and retail banking. (ValidSoft did not meet the inclusion criteria for customer numbers.)

Inclusion and Exclusion Criteria

The following inclusion criteria apply:

■ Relevance of offering: The offering meets the user authentication market definition detailed above.

■ Longevity of offering: The offering has been generally available since at least 1 May 2010.

■ Origination of offering: The offering is manufactured or operated by the vendor or is a significantly modified version obtained through an OEM relationship. (We discount any software, hardware or service that has merely been obtained without functional modification through a licensing agreement from another vendor — for example, as part of a reseller/partner agreement.)

■ Number of customers and end users (including customers of third-party service providers and their end users): The vendor has either:

■ 200 or more current customers that have been using the vendor's authentication offerings in a production environment for at least three months

■ 50 or more such customers with a total of 5 million or more end users

Vendors with minimal or negligible apparent market share among Gartner clients, or with no currently shipping products, may be excluded from the ratings.

Evaluation Criteria

Ability to Execute

Gartner analysts evaluate technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision.

Product/Service

We evaluate:

■ The current capabilities, quality and feature sets of one or more on-premises software or hardware products or cloud-based services that make real-time authentication decisions and can be integrated with any of a variety of enterprise systems, as well as supporting skills

■ The range and variety of user authentication methods offered or supported, along with the client-side software or hardware used by end users in those real-time authentication decisions

■ The applicability and suitability of these offerings to a wide range of use cases across different kinds of users and different enterprise systems

We also evaluate the capabilities, quality, and feature sets of ancillary and adjacent products and services relevant to enterprises' user authentication needs.

Overall Viability (Business Unit, Financial, Strategy, Organization)

We evaluate the organization's overall financial health, the financial and practical success of the user authentication line of business, and the likelihood that the vendor will continue investing in and advance the state of the art of the user authentication portfolio, and, if appropriate, will continue offering the portfolio within the vendor's broader product portfolio.


Sales Execution/Pricing

We evaluate the vendor's capabilities in such areas as deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel, including value-added resellers and third-party managed service providers.

We evaluate pricing over a number of different scenarios. Clients are increasingly price-sensitive as they seek the optimal balance of assurance and accountability, user experience, and cost when selecting new user authentication methods.

Market Responsiveness and Track Record

We evaluate the vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change.

We give particular consideration to how the vendor has embraced or responded to standards initiatives in the user authentication and adjacent market segments.

Marketing Execution

We evaluate the clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.

Customer Experience

We evaluate the vendor's relationships and services/programs — such as technical support and professional services — that facilitate customers' successful implementations and use of the vendor's user authentication offerings.

We consider Gartner client and reference customer feedback.

Operations

We evaluate the ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.


Table 1. Ability to Execute Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Product/Service | High |
| Overall Viability (Business Unit, Financial, Strategy, Organization) | Standard |
| Sales Execution/Pricing | High |
| Market Responsiveness and Track Record | Standard |
| Marketing Execution | Standard |
| Customer Experience | Standard |
| Operations | Low |

Source: Gartner (January 2012)

Completeness of Vision

Gartner analysts evaluate technology providers on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs and competitive forces, and how well they map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider.

Market Understanding

We evaluate the vendor's understanding of buyers' needs and how it translates these needs into offerings. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those wants with their added vision.

Marketing Strategy

We evaluate the clarity and differentiation of the vendor's marketing messages, and the consistency of communication throughout the organization and externally through its website, advertising, customer programs and positioning statements.

Sales Strategy

We evaluate the vendor's strategy for selling its user authentication offerings that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. In particular, we evaluate business development, partnerships with system integrators and channel execution.


Offering (Product) Strategy

We evaluate the vendor's approach to developing and delivering its user authentication offerings that emphasizes differentiation, functionality, and feature sets as they map to current and future requirements for enterprises across multiple use cases — differentiated not only by level of risk, but also by business needs and technical, logistical and other constraints.

We consider support for open standards and extensibility to support proprietary authentication methods offered by other vendors. We also consider support for mobile devices as endpoints and for access to cloud-based applications and services.

Business Model

We evaluate the soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy

We evaluate the vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including SMBs and vertical industries. We consider the vendor's focus on supporting different use cases, and if and how it can deliver adjacent products and services, that are important to different market segments.

Innovation

We evaluate the vendor's continuing track record in market-leading innovation, including early standards and technology adoption, how well it anticipates and adjusts to changes in market dynamics and customer and end-user needs, and the provision of distinctive products, functions, capabilities, pricing models and so on.

Geographic Strategy

We evaluate how the vendor directs resources, skills and offerings to meet the specific needs of geographies outside its home geography — either directly or through partners, channels and subsidiaries — as appropriate for each geography and market.


Table 2. Completeness of Vision Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Market Understanding | Standard |
| Marketing Strategy | Standard |
| Sales Strategy | Standard |
| Offering (Product) Strategy | High |
| Business Model | Standard |
| Vertical/Industry Strategy | Standard |
| Innovation | High |
| Geographic Strategy | Standard |

Source: Gartner (January 2012)

Quadrant Descriptions

Leaders

Leaders in this Magic Quadrant are vendors with a wide-focus user authentication offering with a solid track record and typically a significant presence in the market. They have a clearly articulated vision that is in line with the market trends, which is typically backed by solid technical innovation. Their business strategy and execution are very sound. Vendors in this quadrant can provide a strong solution for many enterprises across one or many use cases, typically including emerging needs.

Challengers

Challengers in this Magic Quadrant are vendors with a wide-focus user authentication offering, a solid track record and typically a significant presence in the market. Their business execution is generally very sound, although their strategy may not be as strong. They may lack or may not clearly articulate a vision that is in line with the market trends, although technical innovation may be sound. Vendors in this quadrant can provide a strong solution for many enterprises across one or many use cases.

Visionaries

Visionaries in this Magic Quadrant are vendors with a clearly articulated vision that is in line with the market trends, which is typically backed by technical innovation and a solid business strategy. They may have a broad- or tight-focus user authentication offering with a steady track record, an appreciable presence in the market and acceptable business execution. Vendors in this quadrant can typically provide a quite satisfactory solution for many enterprises across one or many use cases, typically including emerging needs, or a strong solution focused on one or a few particular use cases.

Niche Players

Niche Players in this Magic Quadrant are vendors with a broad- or tight-focus user authentication offering with a steady track record and appreciable presence in the market. They may lack or may not clearly articulate a vision that is in line with the market trends, although, technically, innovation may be sound. Their business strategy and execution are acceptable. Vendors in this quadrant can typically provide a quite satisfactory solution for many enterprises across one or often many use cases. In this market in particular, it is worth stressing that any Niche Player could offer a solution that is ideally suited to your needs.

Context

Gartner defines "user authentication" as the real-time corroboration of a claimed identity with a specified or understood level of confidence. This is a foundational IAM function, because without sufficient confidence in users' identities, the value of other IAM functions — for example, authorization and intelligence (audit and analytics) — is eroded. User authentication is provided by a range of authentication methods and in a variety of ways. It may be natively supported in an OS or application, or in a directory or access management tool, such as a WAM tool, that spans multiple applications. Or it may be added to one or more target systems, including OSs and access management tools, via a third-party component (an API or SDK) that allows it to be embedded directly in each system, or a discrete authentication infrastructure, either on-premises software or hardware or increasingly a cloud-based service, which can be integrated with multiple target systems via standard protocols, such as LDAP, RADIUS or SAML, or proprietary software agents.

This Magic Quadrant evaluates the major vendors that provide such authentication infrastructures, some of which also provide APIs, SDKs or components (such as smart cards) that can be consumed by natively supported authentication methods. Many enterprises adopt such tools to support one or more — sometimes many — use cases, the most common of which are workforce remote access, especially access to corporate networks and applications via VPN or HVD, and external-user remote access, especially retail-customer access to Web applications. The same new authentication method may be used across one or a few use cases; however, the more use cases an enterprise must support, the more likely it is to need to support multiple authentication methods to provide a reasonable and appropriate balance of authentication strength, TCO and user experience in each use case.

Gartner's previous research on this market considered only those user authentication vendors that offered or supported a wide range of authentication methods, catering to enterprises seeking to support multiple use cases with a single authentication infrastructure. However, many of those vendors' customers continue to use their solutions to provide a single authentication method in only one or a few use cases. Moreover, Gartner client inquiries show that a significant number of enterprises remain interested in vendors that have a tighter focus — that is, vendors that offer or support only one type of authentication method. The most significant of these vendors have been included in this Magic Quadrant.

Enterprise interest in OTP methods, broadly defined, remains high; however, during the past few years, we have seen a significant shift in preference from traditional hardware tokens to phone-based authentication methods. Wide-focus user authentication vendors offer all these approaches and more — typically offering or supporting KBA methods or X.509 tokens (such as smart cards) as well. Most of the tight-focus vendors offer only phone-based authentication methods, especially OOB authentication methods.

The 23 user authentication vendors included in this Magic Quadrant are those that have the largest presence in the market by number of customers or number of end users served. Gartner is aware of more than 175 user authentication vendors worldwide, but the market is dominated by a far smaller set of vendors. Just three — RSA, the Security Division of EMC; SafeNet; and Vasco — account for more than three-fifths of the market by customer numbers. Some of the other vendors are poised to challenge the major players, but most are essentially "me too" commodity vendors, offering technically similar solutions and competing more on price than on quality or experience, while others focus on particular market niches or innovative technologies that may be licensed to major vendors.

Market Overview

Customer wants and needs for user authentication continue to mature. Enterprises increasingly recognize the need for authentication with higher assurance than legacy passwords can provide, across a broader range of use cases, and are addressing that need. Moreover, enterprises are increasingly aware of the need to find a reasonable and appropriate balance of authentication strength (assurance and accountability), TCO and user experience in each use case. These factors are driving the adoption of alternatives to traditional token-based authentication methods that offer higher levels of assurance, but at a higher cost and with relatively poor user experience.

Although some of the growth in these alternative methods arises from enterprises replacing incumbent tokens, many enterprises are implementing such methods in one or many use cases for the first time. These wants and needs are also driving the adoption of authentication methods other than the few that are typically natively supported (for example, in OSs, applications and WAM tools) and demand proprietary authentication infrastructures. Although a majority of enterprises remain focused on one or a few use cases that may be met by a single authentication method from any kind of vendor, we continue to see modest growth in the number of enterprises taking a strategic view of authentication and seeking to address a wider range of use cases that demand different authentication methods with a single versatile, flexible infrastructure.


Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Adaptive Access Control Emerges"

"Certificate Authority Breaches Impact Web Servers, Highlighting the Need for Better Controls"

"The Five Layers of Fraud Prevention and Using Them to Beat Malware"

"How to Choose New Authentication Methods"

"Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership"

"Good Authentication Choices for External User Access"

"Good Authentication Choices for Workforce Local Access"

"Good Authentication Choices for Workforce Remote Access"

"Magic Quadrant for Web Fraud Detection"

"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"

"MarketScope for Web Access Management"

"A Taxonomy of Authentication Methods, Update"

"Where Strong Authentication Fails and What You Can Do About It"


Acronym Key and Glossary Terms

ANSI American National Standards Institute

ASL Automated Systems Holdings Ltd.

B2B business to business

B2E business to enterprise

CA certification authority

CAP Chip Authentication Program

CM card management

DPA Dynamic Passcode Authentication (Visa)

DSS Data Security Standard (PCI)

EMV Europay, MasterCard and Visa

ESSO enterprise single sign-on

FDS Fraud Detection System (Symantec)

FERC Federal Energy Regulatory Commission (U.S.)

HIPAA Health Insurance Portability and Accountability Act (U.S.)

HITECH Health Information Technology for Economic and Clinical Health

HMAC Hash-based Message Authentication Code

HOTP HMAC-based OTP

HSM hardware security module

HSPD-12 Homeland Security Presidential Directive 12

HVD hosted virtual desktop

IAM identity and access management

KBA knowledge-based authentication

LDAP Lightweight Directory Access Protocol


MLPS Multi-Level Protection Scheme (China)

MSSP managed security service provider

NERC North American Electrical Reliability Corporation

NIST National Institute of Standards and Technology

OATH Initiative for Open Authentication

OCRA OATH Challenge-Response Algorithms

OOB out of band

OTP one-time password

PIV Personal Identity Verification

PKI public-key infrastructure

RA registration authority

SAML Security Assertion Markup Language

SaaS software as a service

SAM SafeNet Authentication Manager

SAPM shared account password management

SDK software development kit

SMB small or midsize business

SSL Secure Sockets Layer

SSO single sign-on

TAN transaction authentication number

TCO total cost of ownership

UAS Universal Authentication Server (i-Sprint)

TOTP time-based OTP

VAS versatile authentication server


WAM Web access management

VIP Validation and ID Protection Service

WFD Web fraud detection


© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.
