G00249409
Magic Quadrant for User Authentication
Published: 9 December 2013
Analyst(s): Ant Allan
The market is dominated by 5% of the vendors. Mobile and cloud are
disruptive. Buyers give greater weight than before to user experience.
Legacy authentication methods are increasingly deprecated. Vendors must
invest appropriately to stay relevant.
Strategic Planning Assumptions
By year-end 2016, about 30% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations — up from about 10% today.
By year-end 2016, more than 30% of enterprises will use contextual authentication for workforce remote access — up from about 5% today.
Market Definition/Description
A provider in the user authentication (see Note 1) market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions for users who are using an arbitrary endpoint device (that is, not just Windows PCs) to access one or more applications, systems or services in a variety of use cases. Where appropriate to the authentication methods supported, a provider in the user authentication market also delivers client-side software or hardware that end users utilize to make those real-time authentication decisions. (Also see the Inclusion and Exclusion Criteria section.)
User authentication has been used since the early days of multiuser systems. Passwords remain the norm across all use cases, but over the past few decades, a wide range of authentication methods that provide higher levels of trust have been developed and adopted by the market. Within the last decade, the variety of authentication methods has proliferated (see Note 2). Passwords are
ubiquitous, and higher-trust authentication methods are used by nearly all enterprises (and at least a significant minority of small or midsize businesses [SMBs]) across different use cases (see Note 3).
emerge, with the most rapid growth occurring within the past decade in response to changing market needs. The greater adoption of user authentication over a wider variety of use cases, the impact of the Nexus of Forces (discussed in the Market Overview section) and the emergence of innovative authentication methods have all been disruptive.
Gartner is aware of more than 200 vendors offering some kind of user authentication product, although only approximately 100 of these might be commercially viable, and perhaps fewer than 50 vendors have offerings that we would consider to be credible choices. This Magic Quadrant
research covers the 20 vendors with the most significant market presence by number of customers or number of end users served (see the Inclusion and Exclusion Criteria section), although these numbers vary by orders of magnitude (see Note 4). The leading vendors in this Magic Quadrant account for the majority of the market by customer and end-user numbers.
Some of the vendors not included in the Magic Quadrant are wide-focus vendors (see Note 5) that are poised to challenge the major players, while others are "specialist" vendors. A significant
number of these are essentially "me, too" commodity vendors. These vendors fragment the market, diverting sales from more strategic players and potentially tying up buyers in "dead end" contracts. In addition, vendors in other markets — especially identity and access management as a service (IDaaS), Web access management (WAM), federated single sign-on (SSO) and VPN — are
increasingly embedding higher-trust user authentication methods within their products. While these tend to be limited to phone-as-a-token methods, with a few vendors adding contextual
Magic Quadrant
Figure 1. Magic Quadrant for User Authentication
Source: Gartner (December 2013)
Vendor Strengths and Cautions
Authentify
vendors that are discussed in this Magic Quadrant and use Authentify for OOB voice modes). Authentify also offers: voice biometric verification (normally an adjunct to OOB authentication, but some universities and others use it as a single-factor authentication method, with the phone as just a capture device); 2CHK, an OOB app for mobile devices and PCs; and xFA, an app combining OOB push modes with voice verification and an X.509 software token.
Authentify's customers predominate in financial services, e-commerce, education, government and healthcare. The majority of customers are larger enterprises. Deployment sizes at year-end 2012 spanned a median of tens to hundreds of thousands of end users, with a maximum on the order of tens of millions or more end users.
Authentify demonstrates a very sound market understanding and a very strong product strategy, and remains a Visionary in this Magic Quadrant.
Strengths
■ It has a growth rate well above the market norm.
■ It supports contextual authentication including telephone data analytics.
■ Its new xFA app addresses the needs of mobile use cases.
■ It offers a canned "click and go" solution for SMBs in response to demand.
■ Its pricing is in the lowest quartile for Scenario 4 (see Note 6) for cloud solutions.
Cautions
■ It lacks on-premises server software or appliances, nor does it offer or support OTP hardware tokens.
■ Its customer base is skewed toward the U.S. (about three-fifths of customers) and Europe (about one-fifth).
CA Technologies
New York-based CA Technologies offers a wide-focus authentication and Web fraud detection (WFD) platform that is delivered as server software (CA Advanced Authentication, or integrating CA AuthMinder and CA RiskMinder) and as a cloud service (CA CloudMinder Advanced Authentication). These support a wide range of authentication methods, with OTP apps for mobile phones and X.509 software tokens (see Strengths below) most commonly used.
Almost half of CA's customers are in financial services, with others spread across multiple vertical industries. The majority of customers are larger enterprises. Deployment sizes range from
thousands to millions of end users.
Strengths
■ Its growth rate is above the market norm.
■ Its OTP seeds and X.509 credentials are protected by CA's proprietary "cryptographic camouflage."
■ The CA RiskMinder WFD component provides rich contextual authentication, and is used by about half of CA's customers.
■ It is the joint third most frequently shortlisted vendor among all reference customers.
■ Its pricing is in the lowest quartile for all scenarios (except Scenario 5 for cloud solutions) — including the lowest pricing for Scenario 3 for on-premises and cloud solutions.
Cautions
■ Its customer numbers are in the lowest tier; however, the majority are large enterprises, and end-user numbers are in the upper midtier.
■ Its customer base is skewed toward the Americas (three-fifths of its customers are most likely in the U.S.) and EMEA (one-quarter).
Deepnet Security
U.K.-based Deepnet Security offers a wide-focus authentication platform delivered as server
software (DualShield Unified Authentication Platform), as a virtual appliance of Linux (DualShield VE) and as a software development kit (SDK). Since the previous Magic Quadrant (see "Magic Quadrant for User Authentication"), Deepnet has added a managed service (DualShield SaaS) and a cloud service (DualShield Cloud). These all support a wide range of authentication methods, with OTP apps for mobile phones, OTP hardware tokens and OOB SMS modes being most commonly used.
Deepnet's customers are well-spread across vertical industries; they also are spread over SMBs and enterprises. Deployment sizes at year-end 2012 spanned a median in the range of thousands of end users, with a maximum on the order of 100,000 end users or more.
Deepnet remains a Niche Player in this Magic Quadrant.
Strengths
■ It has an exceptionally wide range of authentication methods, including biometric authentication (that is, face, voice).
■ It offers simple contextual authentication.
Cautions
■ Its end-user numbers are in the lowest tier (but its customer numbers are moderate, with a growth rate above the market norm).
■ Its customer base is skewed toward Europe (more than half of customers) and the U.S. (about one-third).
■ Its pricing is in the highest quartile for Scenario 5 for on-premises solutions.
■ It has a key person dependency on its current CEO, who is the single decision maker over all aspects of the business.
EMC (RSA)
Massachusetts-based RSA, The Security Division of EMC, offers a wide-focus authentication platform, RSA Authentication Manager (AM), which supports the well-known RSA SecurID OTP tokens (among other methods). AM is delivered as server software, as virtual and hardware
appliances, and as an SDK. RSA AM Express, a hardware appliance aimed at SMBs, has now been superseded by the latest version of AM. RSA also offers RSA Adaptive Authentication (AA; see "Magic Quadrant for Web Fraud Detection"), which is used for user authentication by some larger enterprises in nonbanking vertical industries.
RSA offers a fairly broad (but proprietary) range of authentication methods. OTP hardware tokens are still most commonly used, but OTP apps for smartphones are being marketed more
aggressively. AM (and AA) lacks native biometric authentication, but this will likely change following the July 2013 acquisition of PassBan.
RSA has customers across all vertical industries. The majority are larger enterprises. RSA provided no information about industry breakdown or deployment sizes.
RSA has a strong position in this market (customer and end-user numbers are in the highest tiers), as well as a very strong product strategy and innovation. In our opinion, the March 2011 breach (see "RSA SecurID Compromise Is of Concern, but Likely Not a Fatal Flaw" [Note: This document has been archived; some of its content may not reflect current conditions]) was a catalyst for a significant shift of focus away from its legacy SecurID hardware tokens.
RSA remains a Leader in this Magic Quadrant.
Strengths
■ AM now has rich contextual authentication capabilities (what RSA calls "Risk-Based Authentication") ported from AA. There is an additional one-off licensing cost for this.
■ It is the most frequently shortlisted vendor among other vendors' reference customers.
■ It is the vendor most often cited as the competitor to beat by the others included in this
■ Its pricing is in the lowest quartile for Scenario 5 for on-premises solutions, as well as for Scenarios 4 and 5 for cloud solutions. However, this was based on AA rather than AM,
reflecting RSA's positioning of these products for different use cases. (RSA didn't quote pricing for Scenarios 1, 2 or 3 for cloud solutions.)
■ It has huge brand depth (even if SecurID is still frequently misspelled).
Cautions
■ There is no cloud-service version of AM (but managed services are provided globally by a wide range of MSSPs).
■ There are no OOB voice modes in AM (only in AA via Authentify).
■ It is the vendor most often cited in inquiries, but these are mainly critical of the TCO and UX of RSA SecurID hardware tokens. (However, clients — including RSA customers — are not always aware that RSA itself offers lower-TCO, better-UX methods.) RSA was most often disqualified by other vendors' reference customers on pricing.
■ Its customer base is skewed toward the Americas (three-fifths of customers, most of which are likely in the U.S.) and EMEA (one-third).
Entrust
Texas-based Entrust offers a wide-focus authentication platform, IdentityGuard, which is delivered as server software. (Entrust introduced its cloud service, IdentityGuard Cloud Services, in late 2013, but this was not included in our analysis.) IdentityGuard supports a wide range of authentication methods, with OTP apps, OTP hardware tokens and OTP grid cards being the most commonly used.
The vendor also has public-key infrastructure (PKI) product and service offerings in its identity and access management (IAM) portfolio.
Financial services and government each account for about one-third of Entrust's customers. The majority of its customers are enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds to thousands of end users, with a maximum on the order of 10 million end users or more.
Entrust remains a Niche Player in this Magic Quadrant.
Strengths
■ Its growth rate is above the market norm.
■ It supports contextual authentication via a native "risk-based" engine, which is used by about half of its customers.
■ Its reference customers were extremely satisfied with Entrust's customer support.
■ Its pricing is in the lowest quartile for Scenario 5 for on-premises solutions.
Cautions
■ Its customer base is skewed toward the U.S. (about two-fifths of customers), Europe and Latin America (about one-fifth in each).
■ It has exceptionally high pricing for Scenario 2, and its pricing for Scenario 3 for on-premises solutions is in the highest quartile.
■ Gartner clients were dissatisfied with its internationalization capabilities.
Equifax
Georgia-based Equifax offers a wide-focus authentication platform, Anakam.TFA, which is delivered as server software and as a cloud service. This supports a fairly wide range of authentication
methods, with OOB SMS modes being the most commonly used.
Anakam.TFA is one part of Equifax's broad range of fraud and identity solutions. This reflects Equifax's goal to be a broader identity assurance provider, rather than a direct competitor to Leaders in this market.
More than half of Equifax's customers are in financial services; other key markets are healthcare and the public sector. Equifax didn't provide a customer breakdown by size, but we estimate the average deployment size to be upward of hundreds of thousands of end users.
Equifax remains a Niche Player in this Magic Quadrant.
Strengths
■ It is part of a uniquely broad identity assurance portfolio.
■ It offers simple contextual authentication.
■ Its pricing is in the lowest quartile for Scenario 1 for cloud solutions.
Cautions
■ Its customer numbers are in the lowest tier (but the majority of customers are large enterprises, while Equifax's end-user numbers are in the upper midtier).
■ Reference customers were dissatisfied with its reporting/analytics.
■ Its customer base is skewed toward the U.S. (about two-thirds of customers) and Europe (about one-fifth).
Gemalto
Netherlands-based Gemalto, still best known as a smart-card vendor, offers two wide-focus authentication platforms: Protiva IDConfirm 1000, which is targeted at business-to-employee use cases; and Ezio Server, which incorporates technology from Gemalto's December 2012 acquisition of DS3, and is targeted at B2C use cases. IDConfirm is typically delivered as server software or as a managed service; Ezio is typically delivered as a virtual appliance or a hardware appliance. Gemalto offers a wide range of authentication methods, with X.509 hardware tokens (smart cards and so on) being most commonly used, while OTP tokens (including RCA readers) and OOB SMS modes are quickly gaining ground.
Gemalto also offers Coesys eGov, which is aimed at e-government applications and combines user authentication and federated SSO.
The majority of Gemalto's customers are in financial services, government and healthcare. The majority of customers are also larger enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds of thousands of end users, with a maximum of several million end users.
Gemalto has demonstrated very sound market understanding and very strong innovation, and remains a Leader in this Magic Quadrant.
Strengths
■ Its customers are well-dispersed geographically.
■ Its pricing is in the lowest quartile for all scenarios for on-premises solutions, including the lowest pricing for Scenarios 1 and 2.
■ It is the joint third most frequently shortlisted vendor among other vendors' reference customers.
Cautions
■ It still lacks contextual authentication, as well as native server-side support for biometric authentication. However, it can support client-side match-on-card capabilities.
■ Its multitenanted cloud service is available only via third-party providers.
HID Global
access); it also has virtual and hardware appliances (such as ActivID Authentication Appliance) as well as an SDK. It offers a very wide range of authentication methods, with OTP hardware tokens being most commonly used ahead of OTP apps, OOB SMS modes and X.509 hardware tokens. In addition, HID offers other ancillary products, including card management (CM) tools.
The majority of HID's customers are in government, financial services and technology. They are also enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds of end users, with a maximum on the order of 1 million end users or more.
HID faces some brand depth issues: ActivIdentity (the name of the company HID acquired in 2010) still has greater market recognition than HID's ActivID brand (which was introduced in 2012). HID continued to use the "ActivIdentity" logotype in publicity materials (such as event sponsorship) throughout 2013.
HID Global has demonstrated very sound market understanding and remains a Visionary in this Magic Quadrant.
Strengths
■ It has broad target system integration.
■ It offers biometric authentication (interface interactivity) through its BehavioSec partnership.
■ It has strong "common access card" play, including support for the use of legacy building access cards for user authentication.
■ It supports rich contextual authentication via ActivID Threat Detection Service (under OEM license from ThreatMetrix) integrated with other ActivID products. However, this is a separate line item and is contingent on that third-party relationship.
Cautions
■ It still lacks a cloud service. However, managed hosted services are available through partner managed security service providers (MSSPs), and HID Global tells us a cloud service is planned for 1Q14.
■ It lacks out-of-the-box support for OOB voice modes (but integration with Authentify, TeleSign and so on can be supported).
■ Its pricing is the highest quoted for Scenarios 1, 2 and 3 for on-premises solutions.
Mi-Token
Texas-based Mi-Token offers an OATH-compliant OTP and OOB authentication solution that is delivered as server software (Mi-Token Server), a virtual appliance (Mi-Token V Server), a cloud service (Mi-Token Cloud Server), and as an SDK. The core products and services are intended to integrate simply with Active Directory for low total cost of ownership (TCO) and a short time to value. Mi-Token provides an optional hardware security module for secure seed generation within the enterprise. The vendor also offers a fairly broad range of authentication options, with OTP hardware tokens and OTP apps for smartphones being most commonly used. In October 2013, Mi-Token announced a partnership with Microlatch for biometric-enabled hardware tokens.
Mi-Token's offerings also include innovative technology for payment security.
About half of Mi-Token's customers are in financial services, and another third are in government. The majority are enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands of end users, with a maximum on the order of 1 million end users or more.
Mi-Token is new in this Magic Quadrant.
Strengths
■ It offers simple contextual authentication.
■ Reference customers were very or extremely satisfied with its customer support.
■ Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions.
■ It is the only vendor in this Magic Quadrant with a significant share of its business in the Middle East and Africa.
Cautions
■ Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is well above the market norm).
■ Reference customers were dissatisfied with its reporting/analytics. Mi-Token tells us that additional reporting/analytics is available at an extra fee.
■ Its pricing is in the highest quartile for Scenario 5 for on-premises solutions.
■ Its customer base is skewed toward the U.S. (one-third of customers), EMEA and Asia/Pacific, excluding Japan (one-quarter in each), with a limited presence in Europe.
Microsoft
and user experience (UX) advantages. It can support other vendors' OATH OTP hardware tokens. It also offers biometric voice authentication, but only as an adjunct to OOB voice modes.
Microsoft did not provide any customer breakdown by vertical industry, size or deployment size. While its sales execution remains sound, Microsoft's presence in the market is modest, and, in our opinion, its focus on the acquisition and integration into Windows Azure has diverted attention from other execution and vision criteria.
Microsoft remains a Niche Player in this Magic Quadrant.
Strengths
■ Reference customers were extremely satisfied with its customer support.
■ It is the joint third most frequently shortlisted vendor among other vendors' reference customers.
■ Its pricing is in the lowest quartile for Scenarios 2, 3 and 4 for cloud solutions, including the lowest pricing quoted for Scenario 2.
■ It has a pay-for-what-you-use pricing model (only users active during a month are counted for billing).
Cautions
■ It has no contextual authentication as such, but offers endpoint identity (EPI) and IP address whitelisting.
■ Its end-user numbers are in the lowest tier (but its customer numbers are moderate).
■ Gartner understands that the great majority of its customers are in the U.S.
■ It has presented exceptionally high pricing for Scenario 5 for cloud solutions.
■ While Windows Azure Multi-Factor Authentication is offered independently of its Windows Azure framework, we remain somewhat wary about its longer-term status. Microsoft demonstrated no clear product or marketing strategy for it, apart from the overall Windows Azure "Cloud OS" messaging.
PointSharp
Sweden-based PointSharp offers an OATH-compliant authentication solution, PointSharp ID, that is delivered as server software, as a virtual appliance, as a managed service and as an SDK. It offers a fairly broad range of authentication methods, including OTP hardware tokens, although OTP apps for smartphones and OOB SMS modes are most commonly used.
About one-quarter of PointSharp's customers are in financial services and one-quarter are in government, with the rest spread across multiple vertical industries. The majority of customers are enterprises, some of which are large. Deployment sizes at year-end 2012 spanned a median in the region of hundreds to thousands of end users, with a maximum on the order of 100,000 end users or more.
PointSharp is new in this Magic Quadrant.
Strengths
■ It has simple contextual authentication.
■ It has simple integration with Microsoft Exchange from mobile devices.
■ Reference customers were very satisfied with its customer support. PointSharp makes creative use of social media here.
■ Its pricing is in the lowest quartile for Scenarios 2, 4 and 5 for on-premises solutions.
Cautions
■ Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is very well above the market norm).
■ It offers cloud service only through partners.
■ Its customer base is very heavily skewed toward Europe (about nine-tenths of customers).
SafeNet
Baltimore-based SafeNet offers three wide-focused server-software products — SafeNet Authentication Manager (SAM), SafeNet Authentication Manager Express (SAMx) and SafeNet Authentication Service for service providers (SAS SPE) — and a cloud service, SafeNet
Authentication Service (SAS, based on its March 2012 acquisition of Cryptocard). It offers a very wide range of authentication methods (with SAM supporting the whole range, including X.509 tokens, while SAMx and SAS support somewhat narrower ranges). OTP hardware tokens are the most widely used, ahead of X.509 tokens and phone-as-a-token options.
About one-third of SafeNet's customers are in government, about one-quarter are in financial services, and about one-fifth are in healthcare. They range from SMBs to very large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands of end users with a maximum on the order of 1 million end users or more.
SafeNet has a strong position in this market (customer numbers are in the highest tier, while end-user numbers are in the upper midtier), and demonstrated significantly improved marketing
It remains a Leader in this Magic Quadrant.
Strengths
■ It is the joint third most frequently shortlisted vendor among other vendors' reference customers.
■ It is one of three vendors most often cited as the competitor to beat by others included in this research.
■ SAM supports contextual authentication (also planned for SAS in 2014).
■ Reference customers were very or extremely satisfied with its customer support.
■ Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions, and for Scenarios 1, 2, 3 and 4 for cloud solutions. (However, it was most often disqualified by other vendors' reference customers on pricing.) It has an all-in, per-user, per-month pricing model for all offerings.
Cautions
■ Its customer base is skewed toward EMEA (nearly one-half of customers) and the U.S. (more than two-fifths).
■ It lacks native server-side support for biometric authentication, but can support client-side match-on-card capabilities (biometric-enabled X.509 tokens).
SecureAuth
California-based SecureAuth offers SecureAuth IdP, which Gartner categorizes primarily as a WAM product that delivers federated SSO with broad protocol support, strong mobile device support (including an integration toolkit for mobile Web and resident mobile applications) and native support for a range of authentication methods. However, Gartner sees many clients evaluating SecureAuth IdP solely as a direct replacement for other vendors' "pure" user authentication offerings — hence, its inclusion in this research.
SecureAuth demonstrated improved business strategies to match its product strategy and innovation, and moves from Niche Player to Visionary in this Magic Quadrant.
Strengths
■ It offers simple contextual authentication via HTML5-based EPI.
■ It has federated SSO based on OpenID as well as SAML.
■ Reference customers were extremely satisfied with its customer support.
■ Its pricing is in the lowest quartile for Scenario 4 for on-premises solutions.
■ It has a very good internationalization model: All text is abstracted, and professional translations in several languages are available.
■ It continues to be the user authentication vendor most often cited positively by clients, who point to the ease of implementation and ongoing administration, as well as to the good UX provided by SecureAuth's UBCs.
Cautions
■ While its target system integration is fairly broad, it hinges on UBC, which requires a Web interface, so integration to legacy target systems must be proxied through a Web-enabled gateway.
■ Its customer numbers are in the lowest tier (but its end-user numbers are moderate, and its growth rate is well above market norms).
■ Reference customers were dissatisfied with its reporting/analytics.
■ Its pricing is in the highest quartile for Scenarios 2, 3, 4 and 5 for cloud solutions. The pricing quoted for Scenario 1 for cloud solutions was exceptionally high.
■ Its customer base is skewed toward the U.S. (about one-half of customers) and Europe (about one-fifth).
SecurEnvoy
U.K.-based SecurEnvoy offers a phone-as-a-token authentication platform, SecurAccess, which is delivered as server software.
SecurEnvoy has a roughly even spread of customers across multiple vertical industries. They range from SMBs to very large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands to tens of thousands of end users, with a maximum of 100,000 end users or more.
Strengths
■ Unique among phone-as-a-token authentication vendors, SecurEnvoy provides preboot authentication via integration with Sophos.
■ It offers simple contextual authentication.
■ Reference customers were extremely satisfied with its customer support.
■ It has grown beyond its domestic market and now has a significant customer base in the U.S. and Asia/Pacific.
■ Its pricing is in the lowest quartile for Scenarios 2, 4 and 5 for on-premises solutions. Its pricing model is all-in.
Cautions
■ It focuses on phone-as-a-token authentication (with OOB SMS modes and OTP apps for smartphones being the most widely used). However, implementation is superior: Multiple configuration options for OOB SMS modes enable tuning security-UX balance.
■ It has no cloud service. SecurEnvoy's rationale is that channel partners with long experience in managed and cloud services can offer superior quality of service.
■ Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is above the market norm).
SMS Passcode
Denmark-based SMS Passcode offers an OOB authentication platform of the same name, which is delivered as server software. SMS modes are the most widely used; voice modes are supported by partnerships with TeleSign, Twilio and others. It can also support Yubico YubiKey OTP hardware tokens.
SMS Passcode's customers predominate in manufacturing, natural resources, government and financial services. Nine-tenths of them are SMBs. Deployment sizes at year-end 2012 spanned a median in the region of tens to hundreds of end users, with a maximum on the order of 100,000 end users or more.
SMS Passcode remains a Niche Player in this Magic Quadrant.
Strengths
■ It offers simple contextual authentication based on behavior patterns and geolocation.
■ It stands out for making creative use of social media in its marketing.
Cautions
■ Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is above the market norm). This is consistent with its focus on SMBs.
■ Its pricing is in the highest quartile for Scenarios 1 and 3 for on-premises solutions. It didn't present pricing for Scenario 5, commenting that the use case didn't match its channel-driven "plug and play" go-to-market model.
■ Its customer base is heavily skewed toward Europe (about four-fifths of customers).
Swivel Secure
U.K.-based Swivel Secure offers a phone-as-a-token platform delivered as server software (Swivel Core Software) and as virtual and hardware appliances (Swivel Virtual Appliance and Swivel
Appliance). All these also support Swivel Secure's variety of improved password and pattern-based OTP knowledge-based authentication (KBA) methods, which work with nonce challenges ("security strings") and can be displayed on the login screen in the simplest implementation. Swivel Secure also offers OOB push(ish) and SMS modes that combine the KBA methods and can also support OTP hardware tokens.
Swivel Secure's customers are spread across multiple vertical industries. They range from SMBs to very large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds to thousands of end users, with a maximum on the order of 100,000 end users or more.
Swivel Secure remains a Niche Player in this market.
Strengths
■ It has a unique combination of KBA and phone-as-a-token authentication methods that span a range of trust levels and have good UX.
■ It is preintegrated with Microsoft Office 365 and Microsoft Business Productivity Online Suite.
■ Its pricing is in the lowest quartile for Scenario 4 for on-premises solutions.
Cautions
■ It has no contextual authentication.
■ It has no cloud service (but rather has a subscription pricing model to better compete with cloud services).
■ Its customer base is very heavily skewed toward Europe (about nine-tenths of customers).
■ It has weak marketing and brand depth.
Symantec
authentication methods, with OTP apps for mobile phones being most commonly used ahead of OTP hardware tokens.
While VIP lacks native federated SSO to support cloud applications, this can be provided at additional cost by Symantec's fledgling cloud access security broker, Symantec O3.
About one-third of Symantec's customers are in financial services, with the rest spread across most other vertical industries. The majority of Symantec's customers are enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands to tens of thousands of end users, with a maximum on the order of 1 million end users or more.
Symantec is a very strong innovator, but its product or service and market responsiveness ratings are not yet on a par with leading vendors. It remains a Visionary in this Magic Quadrant.
Strengths
■ Its growth rate is above market norms.
■ It embeds rich contextual authentication under the name "Intelligent Authentication."
■ Reference customers were very or extremely satisfied with its customer support.
■ It is the joint third most frequently shortlisted vendor among other vendors' reference customers.
■ Its pricing is in the lowest quartile for Scenarios 1, 3 and 4 for cloud solutions.
Cautions
■ Its pricing is in the highest quartile for Scenario 5 for cloud solutions (based on a per-user model; however, per-transaction pricing might be lower depending on transaction volumes).
■ Its customer base is skewed toward the U.S. (about one-half of customers) and Europe (about one-third). Its lack of cloud-services security operations centers outside the U.S. inhibits global sales.
■ It has no discrete WFD offering. Symantec VIP alone may not meet financial services customers' needs, or match other vendors' full-blown WFD offerings. (This market accounts for one-third of Symantec's customers — down from about one-half in the previous year.)
■ It has no on-premises server software or appliance offering, which limits its appeal (as shown by Gartner client interactions).
Technology Nexus
Nexus offers a wide range of authentication methods, with OTP apps for mobile phones and OOB SMS modes being most commonly used. It also offers ancillary tools, as well as WAM and federated SSO tools.
Nexus has about a third of its customers in financial services and in government, with about one-fifth in manufacturing and natural resources. The majority of Nexus' customers are large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of tens of thousands of end users, with a maximum of tens of millions of end users.
Technology Nexus demonstrated very sound market understanding and very strong product strategy and innovation, and remains a Leader in this Magic Quadrant.
Strengths
■ Cloud integration options include OAuth and System for Cross-Domain Identity Management (SCIM), as well as SAML.
■ It has one of the widest ranges of authentication methods, including biometric authentication (interface interactivity) through a BehavioSec partnership.
■ It offers simple contextual authentication.
■ Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions, and for Scenarios 2, 3 and 4 for cloud solutions.
Cautions
■ Its pricing is in the highest quartile for Scenario 5 for cloud solutions.
■ Its customer base is skewed toward Europe and Asia/Pacific (about two-fifths in each geography).
TeleSign
California-based TeleSign offers a phone-as-a-token authentication platform, TeleSign Verify (formerly 2FA), which is delivered as a cloud service. Its February 2013 acquisition of RoutoMessaging (now TeleSign Mobile) gives TeleSign a global mobile messaging platform and access to network data that has enhanced its offerings. TeleSign now offers a dual-mode OOB push mode/OTP smartphone app, as well as its legacy OOB voice and SMS modes. Several other vendors, including some in this research, license TeleSign for (at least voice-based) OOB authentication.
About three-fifths of TeleSign's customers are in cloud services (including social media) and e-commerce, with about one-quarter in financial services and others in online gaming and Web-based email. Just over half of TeleSign's customers are SMBs. Deployment sizes at year-end 2012
TeleSign demonstrated a very strong product strategy and innovation, and remains a Visionary in this Magic Quadrant.
Strengths
■ It supports contextual authentication, leveraging its PhoneID offering to provide a variety of information about a phone number.
■ Its growth rate is very well above market norms, with end-user numbers bolstered by its strong presence among very large global service providers (including social media).
■ Reference customers were very or extremely satisfied with its customer support.
■ Its pricing is in the lowest quartile for all scenarios for cloud solutions. It has the lowest pricing for Scenarios 1, 3 and 5.
Cautions
■ It has somewhat limited target system integration. This depends heavily on APIs rather than standard protocols; however, TeleSign contends that this, modeled on Amazon's authentication model with a shared secret key, makes it more secure.
■ Its customer base is skewed toward the U.S. (about half) and Europe (about one-fifth and growing). However, it supports end users of global service providers in more than 200 countries, and internationalization is excellent.
■ It lacks on-premises server software or an appliance offering. It does not support OTP hardware tokens. However, TeleSign's partners, including vendors in this research, can meet such needs.
Vasco Data Security
Illinois-based Vasco offers a range of wide-focus authentication platforms: Identikey (server software), Identikey Virtual Appliance, Identikey Appliance (a hardware appliance), Digipass as a Service (private cloud service), MyDigipass.com (public cloud service) and Vacman Controller (API-based authentication library). Vasco offers a wide range of authentication methods with OTP hardware tokens, OTP apps for smartphones and X.509 software tokens being most commonly used.
More than one-third of Vasco's customers are in financial services; another third are in communications, media and services; and the rest are spread across other vertical industries. Vasco provided no information about customer or deployment sizes.
Vasco Data Security has a strong position in this market (customer numbers are in the highest tier, with end-user numbers in the upper midtier) and is a very strong innovator. It remains a Leader in this Magic Quadrant.
Strengths
■ It is one of the three vendors most often cited as the competitor to beat by the others included in this research.
■ It has a federated SSO based on OpenID as well as SAML.
■ It has one of the widest ranges of authentication methods (although support varies across offerings).
■ Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions and cloud solutions.
Cautions
■ It has no contextual authentication capability.
■ Its pricing is in the highest quartile for Scenario 1 for on-premises solutions and cloud solutions. It is most often disqualified by other vendors' reference customers based on pricing.
■ Its customer base is skewed toward EMEA (about two-thirds of customers).
Vendors Added and Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Added
■ Mi-Token: A Texas-based commodity user authentication vendor.
■ PointSharp: A Sweden-based user authentication and mobile management vendor.
Dropped
■ DS3 was acquired by Gemalto early in December 2012.
The following vendors failed to meet the elevated inclusion criteria for this Magic Quadrant:
to the burgeoning Chinese market). It remains a credible choice for large enterprise deployments.
■ Yubico: Based in Stockholm and Palo Alto, California, Yubico was established in 2007. It has a number of core software and service offerings in this market, but it is best known for its distinctive OTP, X.509 and Near Field Communication hardware tokens, which are also supported by a number of other vendors in this Magic Quadrant. While Yubico has some notable deployments with large global enterprises, such as Facebook and Google, most of its direct customer deployments are too small for it to be able to qualify for inclusion in this Magic Quadrant. It remains a credible choice for firms seeking low-TCO hardware token deployments.
Other Changes
■ PhoneFactor: This brand has disappeared, and Microsoft now offers the phone-as-a-token authentication platform as Windows Azure Multi-Factor Authentication.
Honorable Mentions
The following vendors did not meet the inclusion criteria (typically because of customer and end-user numbers), but are credible alternatives to the vendors included in this Magic Quadrant:
■ CM: Netherlands-based CM offers a range of telephony services for messaging, payments and security. It is a communications partner and service operator for many vendors' OOB authentication offerings. Since 2010, it has offered an OOB authentication service (SMS modes) directly to end customers. It is aggressively priced and offers good quality of service, and is now CM's fastest-growing offering.
■ Duo Security: Michigan-based Duo Security offers a wide-focus authentication platform delivered as cloud services. These services support OOB authentication (voice, SMS and push modes), OATH-compliant OTP tokens (printed media, hardware and software) and simple contextual authentication (behavior patterns and location). Almost all its customers are U.S.-based, where its growth rate is above the market norm. It is available on special terms to higher education institutions via InCommon and Internet2.
■ Entersekt: South Africa-based Entersekt offers a phone-as-a-token authentication platform delivered as FIPS 140-2 hardware appliances and encrypted messaging services. Its mobile phone app for smartphones and feature phones combines OOB push modes with an X.509 device credential that is used to sign messages from the phone; the app also can generate OATH-compliant OTPs as a fallback when mobile data or Wi-Fi services are unavailable. A mobile SDK is also available. Entersekt targets the financial services sector and has many domestic customers with millions of users. It is now gaining traction in Europe and, to a lesser degree, the U.S.
supports a full range of the authentication methods demanded by its target market, including the use of building access cards (contactless chip cards and RFID cards) and fingerprint biometric authentication, which are commonly used among healthcare customers in North America, and X.509 hardware tokens, which are widely used among healthcare customers in EMEA. Imprivata also offers OneSign Virtual Desktop Access, which provides API-level integration with leading virtualization platforms to automate and streamline the login process, including authenticating to the workstation, launching and authenticating to the virtual desktop client, and selecting the desktop. Within this target vertical industry, Imprivata is the leading vendor by market share, according to healthcare industry sources. Although, in our opinion, Imprivata doesn't fit our market definition for a general user authentication solution, Gartner clients in healthcare will likely find that it can meet their specific needs ahead of other vendors included in this Magic Quadrant.
■ Kobil Systems: Germany-based Kobil offers a wide-focus authentication platform, Smart Security Management Server, which is delivered as server software, a virtual appliance and a managed service. It offers a wide variety of OTP hardware tokens (EMV-CAP, HHD and OATH HOTP) and X.509 tokens, as well as OOB push modes. It has targeted the financial services sector; it also has a strong, localized customer base in Germany, Austria, Switzerland and Turkey. While it has little visibility globally, Kobil asserted that it has firm plans for expansion.
■ McAfee: A wholly owned subsidiary of Intel, McAfee has a Center of Expertise for Identity based in Sweden, built around Intel's January 2011 acquisition of Nordic Edge. McAfee offers a phone-as-a-token authentication platform, One Time Password, as well as a federated SSO platform, Cloud Single Sign On, which embeds the authentication offering. The OTP platform supports "Pledge" OTP apps (for desktops as well as phones) and OOB SMS modes, and offers good migration support for legacy OTP tokens. The product is notable for its ease of implementation, enabling proofs of concept without any vendor support (or any contact with McAfee — a "see it, try it, buy it" model). The majority of its customers are in Europe, but since the acquisition, it is beginning to gain traction in North America.
Inclusion and Exclusion Criteria
The following inclusion criteria apply:
■ Relevance of offering: Each core user authentication infrastructure product or service meets the user authentication market definition established above. This market definition does not include providers that deliver only one or more of the following:
1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors).
2. Credential management tools, such as password management tools, CM tools, and PKI certification authority and registration authority tools (including OCSP responders).
interact with discrete third-party user authentication platforms (for example, to provide "step-up" authentication).
A provider in the user authentication market may, of course, deliver one or more such offerings as part of, or in addition to, its user authentication offering. Note, however, that, for the purposes of this Magic Quadrant, offerings of Types 2 and 3 are not considered to be "user authentication" offerings (Type 2 because of the "real-time decision" requirement, and Type 3 because the products are included in other Gartner market research), and they are not included in customer, end-user or revenue figures.
■ Longevity of offering: Each core user authentication infrastructure product or service has been generally available since at least 1 May 2012, and is in use in multiple customer production environments. (Product or service capabilities, including new authentication methods, that were generally available since that date were not included in our analysis. However, we generally call out such changes in the discussion of the vendors above.)
■ Origination of offering: The offering is manufactured or operated by the vendor, or is a significantly modified version obtained through an OEM relationship. (We discount any software, hardware or service that has merely been obtained without functional modification through a licensing agreement from another vendor — for example, as part of a reseller/partner or service-provider agreement.)
■ Number of customers and end users (including customers of third-party service providers and their end users): As of 31 December 2012, the vendor had either:
  ■ More than 560 active customers using the vendor's authentication offerings in a production environment, with more than 280 customers licensed for more than 320 end users, or …
  ■ More than 178 such customers, with more than 89 customers licensed for more than 32,000 end users.
■ Verifiability: Customer references must be available.
Vendors with minimal or negligible apparent market share among Gartner clients, or with no currently shipping products, may be excluded from the ratings.
Evaluation Criteria
Ability to Execute
Product or Service
■ The capabilities, quality and feature sets of one or more on-premises software or hardware products or cloud-based services that make real-time authentication decisions, and can be integrated with any of a variety of enterprise systems. We evaluate offerings that were generally available as of May 2012.
■ The range and variety of user authentication methods offered or supported, along with the client-side software or hardware used by end users in those real-time authentication decisions.
■ The applicability and suitability of these offerings to a wide range of use cases across different kinds of users and different enterprise systems.
Overall Viability (Business Unit, Financial, Strategy, Organization)
■ The vendor's overall financial health.
■ The vendor's financial and practical success in the user authentication market.
■ The likelihood that the vendor will continue investing in its user authentication portfolio, and sustain its presence in the user authentication market.
Sales Execution/Pricing
■ The vendor's capabilities in such areas as deal management and presales support, as well as the overall effectiveness of the sales channel, including value-added resellers and third-party managed service providers.
■ The vendor's track record in competitive wins and business retention.
■ Pricing over a number of different scenarios. This aspect is heavily weighted because Gartner finds that clients are increasingly price-sensitive when selecting new user authentication methods.
Market Responsiveness/Record
■ The vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act and market dynamics change.
■ How the vendor can meet customers' evolving user authentication needs over a variety of use cases.
■ How the vendor has embraced standards initiatives in the user authentication and adjacent market segments, and responded to relevant regulation and legislation.
Marketing Execution
■ The clarity, quality, creativity and efficacy of programs designed to deliver the vendor's products, and establish a positive identification with the product/brand and organization in the minds of buyers.
■ This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience
■ The vendor's relationships and services/programs — such as technical support and professional services — that facilitate customers' successful implementations and use of the vendor's user authentication offerings.
■ Gartner client and reference customers' feedback.
Operations
■ The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems, and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria Weighting
Product or Service High
Overall Viability Medium
Sales Execution/Pricing High
Market Responsiveness/Record Medium
Marketing Execution Medium
Customer Experience Medium
Operations Low
Source: Gartner (December 2013)
Completeness of Vision
Market Understanding
■ The vendor's understanding of buyers' needs and how it translates those needs into offerings. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those wants and needs with their added vision.
Marketing Strategy
■ The clarity, differentiation and performance management of the vendor's marketing messages and campaigns.
■ The appropriateness of the vendor's use of social media, other online media and traditional media as part of its marketing efforts.
Sales Strategy
■ The vendor's strategy for selling its user authentication offerings; that strategy uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extends the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy
■ The vendor's approach to developing and delivering its user authentication offerings, which meet customers' and prospects' needs with respect to their key selection criteria, the needs created by the Nexus of Forces, and other market dynamics.
■ The vendor's ability to exploit the Nexus of Forces to improve its user authentication products and services.
■ How the vendor will increase the competitive differentiation of its user authentication products and services.
■ The vendor's participation in user authentication and adjacent standards development.
Business Model
■ The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy
■ The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including SMBs and vertical industries.
Innovation
and nontechnical innovations introduced since May 2012, as well as on the vendor's road map over the next few years.
Geographic Strategy
■ How the vendor directs resources, skills and offerings to meet the specific needs of geographies outside its home geography — directly or through partners, channels and subsidiaries — as appropriate for each geography and market.
Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria Weighting
Market Understanding High
Marketing Strategy Medium
Sales Strategy Medium
Offering (Product) Strategy High
Business Model Medium
Vertical/Industry Strategy Low
Innovation High
Geographic Strategy Low
Source: Gartner (December 2013)
Quadrant Descriptions
Leaders
Leaders in this Magic Quadrant are vendors with a solid track record and, typically, a significant presence in the market. They have a clearly articulated vision that is in line with the market trends, and their vision is typically backed by solid technical innovation, as well as an understanding of the challenges and opportunities presented by the Nexus of Forces. Leaders' business strategies and execution are very sound. Vendors in this quadrant can provide a strong solution for enterprises in different vertical industries across one or many use cases, typically including emerging needs pertaining to cloud and mobile.
Challengers
may not be as strong. They may lack, or may not clearly articulate, a vision that is in line with the market trends, although their technical innovation may be sound. Vendors in this quadrant can provide a strong solution for enterprises in different vertical industries across one or many use cases. Their understanding of the challenges and opportunities presented by the Nexus of Forces may be uneven, or have a limited planning horizon.
There are no Challengers in this Magic Quadrant. Market understanding and strategy are consistently sound among all the more able vendors, thereby moving them to the right.
Visionaries
Visionaries in this Magic Quadrant are vendors with a clearly articulated vision that is in line with the market trends. Their vision is typically backed by technical innovation and an understanding of the challenges and opportunities of the Nexus of Forces, as well as by a solid business strategy. They have a steady track record, an appreciable presence in the market and acceptable business execution. Vendors in this quadrant can typically provide a very satisfactory solution for enterprises across one or many use cases; this typically includes emerging needs pertaining to cloud or mobile, or a strong solution focused on one or a few particular use cases — or a particular vertical industry.
Niche Players
Niche Players in this Magic Quadrant are vendors with a steady track record and an appreciable presence in the market. They may lack, or may not clearly articulate, a vision that is in line with the market trends, although their technical innovation may be sound. Their business strategies and execution are acceptable. Vendors in this quadrant can typically provide a very satisfactory solution for many enterprises across one or often many use cases, or a sound solution focused on one or a few particular use cases — or a particular vertical industry. In this market in particular, it is worth stressing that all Niche Players fully meet the inclusion criteria, and any of them could offer a solution that is ideally suited to your needs.
Context
Enterprises and, to a lesser degree, SMBs increasingly recognize the need for authentication methods that offer higher levels of trust than passwords can provide across a broader range of use cases, and they are addressing that need.
Moreover, enterprises and SMBs are increasingly aware of the need to find a reasonable and appropriate balance of authentication strength, TCO and UX in each use case. These factors are driving the adoption of alternatives to traditional token-based authentication methods that offer higher levels of trust, but at a higher cost and with relatively poor UX.
User authentication may be natively supported in an OS or application, or embedded in a directory or access management tool, such as a WAM tool, that spans multiple applications.
User authentication may also be added to one or many target systems, including OSs and access management tools, via a discrete third-party authentication infrastructure — either on-premises software or hardware, or a cloud-based service — which can be integrated via standard protocols (such as LDAP, RADIUS or SAML) or proprietary software agents. Vendors that provide such authentication infrastructures are the focus of this Magic Quadrant. Some of these vendors also offer components (APIs or SDKs) that allow new methods to be embedded directly in specific target systems.
Although a majority of enterprises and (particularly) SMBs remain focused on one or a few use cases that may be met by a single authentication method from any kind of vendor, we continue to see growth in the number of enterprises taking a strategic view of authentication, and seeking to address a wider range of use cases that demand different authentication methods with a single, versatile, flexible infrastructure.
This Magic Quadrant focuses on the vendors that have the most significant presence in the user authentication market. However, choosing among vendors comes toward the end of a security or IAM leader's decision framework for a new user authentication solution.
For each use case, the leader must identify the methods or combinations of methods that fit best, considering at least authentication strength, TCO and UX (see "How to Choose New User Authentication Methods").
Given the needs (authentication strength, UX, TCO) in each use case, a leader should evaluate candidate user authentication methods using Gartner Authentication Method Evaluation Scorecards (GAMES) or a similar methodology (see "Use Gartner Authentication Method Evaluation Scorecards When Selecting a New User Authentication Solution" and "Toolkit: Gartner Authentication Method Evaluation Scorecards"). Other needs and constraints should also be considered, as well as the technology risk associated with any innovative but immature authentication methods.
(Further along, a leader can reuse GAMES to help in the evaluation of different candidate vendors, because, even for the "same" authentication methods, vendors' implementations may differ in authentication strength and UX. Furthermore, different infrastructures can easily have different TCOs: One reference customer noted that it chose one vendor over another on the basis of the number of servers needed to meet its capacity and scalability requirements.)
Once the authentication methods have been selected, the leader must consider how they will be delivered. In some use cases, the authentication methods may be natively supported (for example, interactive smart card login within Microsoft Windows) or embedded within an appropriate tool, such as a federated SSO or VPN tool. If neither of these is the case, if the native/embedded implementation is lacking some capability compared with available third-party solutions, or,
Your needs and circumstances should determine how you use this Magic Quadrant (see "How Gartner Evaluates Vendors and Markets in Magic Quadrants and MarketScopes").
Evaluating vendors in the Leaders quadrant only and ignoring those in other quadrants is risky. As a result, Gartner discourages this practice. For example, a vendor in the Niche Players quadrant could offer functions that are ideally suited to your needs. Similarly, a Leader might not offer functions that meet your requirements — for example, its offerings might cost more than competitors', or it might not support your region or use cases.
Moreover, given the number of vendors in the user authentication market, there are many that simply do not have the market presence to qualify for the Magic Quadrant (see the Inclusion and Exclusion Criteria section), but which nonetheless are viable and credible alternatives. At least some of these are given an "honorable mention" in the Vendors Added and Dropped section, but the omission of any other vendor from that list is not necessarily a reason to rule them out of consideration.
In financial services use cases, consideration should also be given to vendors' WFD capabilities (see "Magic Quadrant for Web Fraud Detection").
X.509-based authentication for Windows PC and network login is natively supported, so it does not need an authentication infrastructure that defines the market covered by this Magic Quadrant. Some vendors included in this Magic Quadrant (such as Gemalto, HID Global, SafeNet and Technology Nexus) provide the necessary smart tokens, middleware and CM tools. Credible alternatives include Giesecke & Devrient (G&D), Oberthur Technologies and Safran Morpho, as well as specialist vendors such as charismathics (PC middleware), Bell ID and Intercede (both CM tools). Microsoft also offers a CM tool as part of Forefront Identity Manager.
If the PKI tools provided by Active Directory Certificate Services (a standard component in the Standard and Datacenter editions of Active Directory) are not good enough, then PKI vendors such as Entrust, Symantec (both are included in this Magic Quadrant) and OpenTrust should be considered.
Market Overview
This Magic Quadrant research reflects Gartner's opinion of the vendors based on interactions with them and other vendors, and with end-user clients, over the past year.1
The evaluation criteria that we used in our analysis are established above. However, some aspects of our analysis are worth detailing.
Range of Authentication Methods
vendors offer only one or a few authentication methods, this doesn't limit their position within the Magic Quadrant.
Unlike OTP tokens and OOB authentication offerings, "authentication using X.509 tokens" does not represent a complete product of fully integrated components provided by a single vendor, but rather an ensemble of discrete components from two or more vendors. Among the vendors included in this Magic Quadrant, some (such as Gemalto, HID Global and SafeNet) provide only the smart tokens, middleware and CM tools. Others (such as Symantec) provide only the PKI components. This "incompleteness" is a market reality for X.509-based authentication; vendors offering smart tokens and supporting X.509-based authentication in their authentication infrastructure products were not penalized for lacking PKI tools when we were developing this Magic Quadrant.
Range of Use Cases Supported
Our analysis of the vendors' market responsiveness and track record considered (among other things) each vendor's demonstrated ability to support enterprise and SMB needs across a variety of use cases (see Note 3). Not all vendors in this Magic Quadrant were able to break down their customer numbers on this basis, and in these cases, we have considered the use cases mentioned in inquiry calls in which clients cited those vendors.
Vendors included in this Magic Quadrant typically can support multiple use cases. However, not all vendors have equal experience in all use cases; some may have a stronger track record in enterprise use cases, such as workforce remote access, while others may focus on access to retail-customer applications, especially in financial services, which may limit their vertical position within the Magic Quadrant. If the focus were on only specific use cases, then the vendor positions would probably look different.
Pricing Scenarios
Our analysis of the vendors' sales execution and pricing considered (among other things) vendor pricing across the scenarios enumerated in Note 6 and carried over from the March 2013 Magic Quadrant (see "Magic Quadrant for User Authentication"). This year, however, we asked vendors to provide separate quotations for on-premises and cloud delivery options in each scenario.
These pricing scenarios do not reflect nonstandard discounts that a vendor may offer particular customers or prospects, or pricing variations across different distribution channels; nor do they reflect other considerations that contribute to the TCO of a user authentication solution (see "Use Gartner Authentication Method Evaluation Scorecards When Selecting a New User Authentication Solution" and "Toolkit: Gartner Authentication Method Evaluation Scorecards").
In the Vendor Strengths and Cautions section, we call out the vendors that fall into the lowest (best) and highest (poorest) "quartiles" — that is, the first and last 25% of the pricing range between the lowest and highest figures provided (but not all vendors provided pricing guidance for all scenarios). Vendors are not necessarily evenly distributed among the quartiles. However, to avoid skewing the analysis where it would erode differences among the majority of vendors (for example, where all but one would lie in the lowest quartile), some exceptionally high outliers were removed from the pricing analysis in two of the scenarios (see Note 6).
Market Understanding and Product or Service Strategy
Vendors' market understanding and offering (product) strategy were evaluated against the market trends established below. Those vendors that are better aligned with these trends tend to be positioned toward the right (increased Completeness of Vision). Nevertheless, we sought to give appropriate credit to any vendor whose strategy was consistent with its market understanding, even when that differed from Gartner's.
Market Trends
The trends in the user authentication market continue to be dominated by the Nexus of Forces; the convergence of four forces — social, mobile, cloud and information — is building on and transforming user behavior while creating new business opportunities (see "The Nexus of Forces: Social, Mobile, Cloud and Information"). Cloud and mobile have the broadest impact, creating the most significant challenges as well as opportunities for user authentication vendors.
Cloud
Cloud computing is relevant to the user authentication market in two ways:
1. It provides a delivery option for vendors' user authentication offerings. This may be a traditional managed (hosted) service or a multitenanted cloud-based service.
2. It is another integration target for vendors' user authentication offerings (however they are delivered).
Cloud as a Delivery Option
A vendor might offer a cloud-based service alone or as an alternative to its on-premises software or hardware, or it might partner with third-party MSSPs that could build a service offering around the vendor's software.
Enterprises, as well as SMBs (which historically were the major buyers of managed authentication services), are choosing such solutions based on their overall value proposition — including, but not limited to, simplicity, flexibility and cost considerations. Customer numbers for cloud services are growing at an estimated 27%, which is nearly twice the overall growth rate for the user