Magic Quadrant for User Authentication

17 January 2012 ID:G00227026

Analyst(s): Ant Allan

User authentication is dominated by three well-established, wide-focus vendors that command the majority of the market. Newer wide- and tight-focus vendors are making significant inroads and offer enterprises sound alternatives across a range of needs.

Market Definition/Description

A provider in the user authentication market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions and can be integrated with one or more enterprise systems to support one or more use cases. Where appropriate to the authentication methods supported, a provider in the user authentication market also delivers client-side software or hardware used by end users in those real-time authentication decisions.

This market definition does not include providers that deliver only one or more of the following:

1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors)

2. Software, hardware or a service, such as access management or Web fraud detection (WFD), that makes a real-time access decision and may interact with discrete user authentication software, hardware or services (for example, to provide "step up" authentication)

3. Credential management software, hardware or services, such as password management tools, card management (CM) tools and public-key infrastructure (PKI) certification authority (CA) and registration authority (RA) tools (including OCSP responders)

4. Software, hardware or services in other markets, such as Web access management (WAM) or VPN, that embed native support for one or many authentication methods

A provider in the user authentication market may, of course, deliver one or more such offerings as part of, or in addition to, its user authentication offering. Note, however, that, for the purposes of this Magic Quadrant, offerings of Type 2, 3 and 4 are not considered to be user authentication offerings and were not included in customer, end-user or revenue figures.


Magic Quadrant

Figure 1. Magic Quadrant for User Authentication

Source: Gartner (January 2012)

This Magic Quadrant replaces "MarketScope for Enterprise Broad-Portfolio Authentication Vendors." There are several important changes from the previous document. The change of document type, from MarketScope to Magic Quadrant, reflects the increasing maturity and significance of the user authentication market and the need to more clearly differentiate among the vendors along two axes. The Evaluation Criteria, which are detailed below, are significantly different from those used in the MarketScope. They were changed to include tight-focus vendors and wide-focus (or broad-portfolio) vendors. In addition, the minimum-revenue criterion no longer applies, which avoids penalizing vendors that offer lower pricing.

STRATEGIC PLANNING ASSUMPTIONS

By 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today.

By 2015, 30% of business-to-business and business-to-enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.

ACRONYM KEY AND GLOSSARY TERMS

ANSI: American National Standards Institute
ASL: Automated Systems Holdings Ltd.
B2B: business to business
B2E: business to enterprise
CA: certification authority
CAP: Chip Authentication Program
CM: card management
DPA: Dynamic Passcode Authentication (Visa)
DSS: Data Security Standard (PCI)
EMV: Europay, MasterCard and Visa
ESSO: enterprise single sign-on
FDS: Fraud Detection System (Symantec)
FERC: Federal Energy Regulatory Commission (U.S.)
HIPAA: Health Insurance Portability and Accountability Act (U.S.)
HITECH: Health Information Technology for Economic and Clinical Health
HMAC: Hash-based Message Authentication Code
HOTP: HMAC-based OTP
HSM: hardware security module
HSPD-12: Homeland Security Presidential Directive 12
HVD: hosted virtual desktop
IAM: identity and access management
KBA: knowledge-based authentication
LDAP: Lightweight Directory Access Protocol
MLPS: Multi-Level Protection Scheme (China)
MSSP: managed security service provider
NERC: North American Electrical Reliability Corporation
NIST: National Institute of Standards and Technology
OATH: Initiative for Open Authentication
OCRA: OATH Challenge-Response Algorithms


Gartner sees user authentication vendors falling into four different categories with somewhat indistinct boundaries:

1. Specialist vendors: A specialist user authentication vendor focuses on a distinctive proprietary authentication method — either a unique method or a proprietary instantiation of a common method — and also offers a corresponding infrastructure or a software development kit (SDK) that will allow it to plug into customers' applications or other vendors' extensible infrastructures.

2. Commodity vendors: These vendors focus on one or a few well-established authentication methods, such as one-time password (OTP) tokens (hardware or software) and out of band (OOB) authentication methods. A commodity vendor may provide a basic infrastructure to support only those few methods, and its offerings will primarily interest small or midsize businesses (SMBs) and some small enterprises that still have narrower needs.

3. Tight-focus vendors: We characterize a commodity vendor that provides a robust, scalable infrastructure that can meet the needs of larger enterprises and global service providers — and sometimes augment other vendors' extensible infrastructures — as a tight-focus vendor.

4. Wide-focus (broad-portfolio) vendors: The defining characteristic of these vendors is offering or supporting many distinct authentication methods. A wide-focus vendor may also be a specialist vendor. It will typically offer a versatile, extensible authentication infrastructure that can support a wider range of methods than it offers, which may be sourced through original OEM agreements with one or more other vendors in any of these categories, or left to the enterprise to source directly from those vendors.

The vendors included in this Magic Quadrant fall into the third and fourth of these categories.

Market Size

Gartner's estimate for revenue across all segments of the authentication market for 2011 remains approximately $2 billion. However, the margin of error in this estimate is high, because not all the vendors included in this Magic Quadrant provided revenue data and because of the "long tail" of the more than 150 authentication vendors not included in it. Individual vendors included in this Magic Quadrant that did provide revenue data reported year-over-year revenue changes ranging from a greater than 10% decline to nearly 300% growth, with the median approximately 20% to 30% growth. More vendors — although still not all — provided customer numbers, and a majority of vendors reported growth in the 20% to 40% range, with some smaller vendors showing far greater growth. We estimate the overall growth in the market by customers to be approximately 30% year over year. Because of the shift toward lower-cost authentication solutions, we estimate the overall growth by revenue to be approximately only 20%.

Range of Authentication Methods

Enterprise interest in OTP methods, broadly defined, remains high; however, as has already been noted, we have seen a significant shift in preference from traditional hardware tokens to phone-based authentication methods. Wide-focus user authentication vendors offer all these and more, generally offering or supporting knowledge-based authentication (KBA) methods or X.509 tokens (such as smart cards) as well. Most of the tight-focus vendors offer just phone-based authentication methods, especially OOB authentication methods (sometimes incorporating voice recognition as an option), with a few (none of which are included in this Magic Quadrant) offering only KBA or biometric authentication methods.

The vendors included in this Magic Quadrant may offer any of a variety of methods across a range of categories (see "A Taxonomy of Authentication Methods, Update"). These categories, and, where appropriate, the corresponding categories from the National Institute of Standards and Technology (NIST) Special Publication 800-63-1 "Electronic Authentication Guideline" (July 2011 draft), are:

KBA Lexical: This approach combines improved password methods and Q&A methods. An improved password method lets a user continue to use a familiar password, but provides more secure ways of entering the password or generating unique authentication information from the password. A Q&A method prompts the user to answer one or more questions, with the answers preregistered or based on on-hand or aggregated life history information. It corresponds to the NIST "preregistered knowledge token" category.

KBA Graphical: KBA graphical authentication uses pattern-based OTP methods and image-based methods. A pattern-based OTP method asks the user to remember a fixed, arbitrary pattern of cells in an on-screen grid that is randomly populated for each login and to construct an OTP from numbers assigned to those cells. An image-based method asks the user to remember a set of images or categories of images and to identify the appropriate images from random arrays presented at login. There is no corresponding NIST category.

OTP Token: This authentication method uses a specialized device or software application for an existing device, such as a smartphone, that generates an OTP, either continuously (time-synchronous) or on demand (event-synchronous), which the user enters at login. The token may incorporate a PIN or be used in conjunction with a simple password. This category also includes transaction authentication number (TAN) lists and grid cards for "generating" OTPs. Note that the "OTP" category does not include "OTP by SMS" or similar methods, which Gartner classes as OOB authentication methods. One of several algorithms may be used:

- American National Standards Institute (ANSI) X9.9 (time- or event-synchronous or challenge-response)

- Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP), time-based OTP (TOTP) or OATH Challenge-Response Algorithms (OCRA)

- Europay, MasterCard and Visa (EMV); MasterCard Chip Authentication Program (CAP); or Visa Dynamic Passcode Authentication (DPA), also called remote chip authentication

- A proprietary algorithm

The corresponding NIST categories are "multifactor OTP hardware token," "single-factor OTP token" and "look-up secret token."
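As an added illustration of the OATH algorithms named above (this is not code from the Gartner document or from any vendor's product): HOTP and TOTP in Python, checked against the published RFC 4226 and RFC 6238 test vectors, together with the server-side look-ahead window, clock-skew tolerance and replay guard that an authentication server applies when verifying event- and time-synchronous tokens. The secret and the verifier class are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed test input: the reference secret from RFC 4226 / RFC 6238
# (ASCII "12345678901234567890"). A deployed token seed is random and secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """OATH HOTP (RFC 4226), the event-synchronous algorithm: HMAC over the
    8-byte big-endian counter, then dynamic truncation to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """OATH TOTP (RFC 6238), the time-synchronous variant: HOTP with the
    counter set to the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                skew: int = 1, digits: int = 6) -> bool:
    """Server-side TOTP check that tolerates `skew` steps of clock drift in
    either direction. Comparison is constant-time; a real server must also
    refuse to accept the same code twice within one step (replay)."""
    base = unix_time // step
    return any(hmac.compare_digest(hotp(secret, base + d, digits), code)
               for d in range(-skew, skew + 1))


class HotpVerifier:
    """Constructed example of server-side state for one event-synchronous
    token: the next expected counter plus a bounded look-ahead window, so a
    token whose counter has run ahead (button pressed without logging in)
    can resynchronise without opening the door to unlimited guessing."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0            # next counter value expected from the token
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1   # move past the accepted counter: no replay
                return True
        return False                   # wrong code, or outside the window
```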

X.509 token: This is an X.509 PKI-based method that uses a specialized hardware device, such as a smart card, or software that holds public-key credentials (keys or certificates) that are used in an automated cryptographic authentication mechanism. The token may be PIN-protected, biometric-enabled or used in conjunction with a simple password. It corresponds to NIST categories "multifactor hardware cryptographic token," "multifactor software cryptographic token" and "single-factor cryptographic token."

ACRONYM KEY AND GLOSSARY TERMS (continued)

SAML: Security Assertion Markup Language
SaaS: software as a service
SAM: SafeNet Authentication Manager
SAPM: shared account password management
SDK: software development kit
SMB: small or midsize business
SSL: Secure Sockets Layer
SSO: single sign-on
TAN: transaction authentication number
TCO: total cost of ownership
UAS: Universal Authentication Server (i-Sprint)
TOTP: time-based OTP
VAS: versatile authentication server
WAM: Web access management
VIP: Validation and ID Protection Service
WFD: Web fraud detection

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships, as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand the buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.


Other token: This category of methods embraces any other type of token, such as a magnetic stripe card, an RFID token or a 125kHz proximity card, a CD token or proprietary software that "tokenizes" a generic device, such as a USB NAND flash drive or an MP3 player. There is no corresponding NIST category.

OOB authentication: This category of methods uses an OOB channel (for example, SMS or voice telephony) to exchange authentication information (for example, sending the user an OTP that he or she enters via the PC keyboard). It is typically used in conjunction with a simple password. (Some vendors also support OTP delivery via email in a similar way; however, this is not strictly "OOB," because the OTP is sent over the same data channel as the connection to the server.) The corresponding NIST category is "out-of-band token."

Biological biometric: A biological biometric authentication method uses a biological characteristic (such as face topography, iris structure, vein structure of the hand or a fingerprint) as the basis for authentication. It may be used in conjunction with a simple password or some type of token. There's no corresponding NIST category.

Behavioral biometric: A behavioral biometric authentication method uses a behavioral trait (such as voice and typing rhythm) as the basis for authentication. It may be used in conjunction with a simple password or some kind of token. There's no corresponding NIST category.

In the research for this Magic Quadrant, a vendor's range of authentication methods offered and supported was evaluated as part of the assessment of the strength of its product or service offering. Note that some vendors offer only one or a few authentication methods, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.

Use Cases for New Authentication Methods

Many enterprises adopt new authentication methods to support one or many use cases — the most common of which are workforce remote access, especially access to corporate networks and applications via a VPN or hosted virtual desktop (HVD), and external-user remote access, especially retail-customer access to Web applications. The same new authentication method may be used across one or a few use cases, but the more use cases an enterprise must support, the more likely it needs to support multiple authentication methods to provide a reasonable and appropriate balance of authentication strength, total cost of ownership (TCO) and user experience in each case.

A full range of use cases is enumerated below. Vendors included in this Magic Quadrant can typically support multiple use cases. The endpoint access use cases, however, cannot use a vendor's authentication infrastructure, because the endpoints are not network-connected at login, but rather demand direct integration of a new authentication method into the client OS. (Note that Microsoft Windows natively supports "interactive smart card login" — that is, X.509 token-based authentication.) Not all vendors have equal experience in all use cases; some may have a stronger track record in enterprise use cases, such as workforce remote access, while others may focus on access to retail-customer applications, especially in financial services. Not all the vendors in this Magic Quadrant were able to break down their customer numbers on this basis.

The authentication use cases that Gartner considered in preparing this Magic Quadrant (with the relevant subcategories) are:

Endpoint access

- PC preboot authentication: Preboot access to a stand-alone or networked PC by any user
- PC login: Access to a stand-alone PC by any user
- Mobile device login: Access to a mobile device by any user

Workforce local access

- Windows LAN: Access to a Windows network by any workforce user
- Business application: Access to any individual business applications (Web or legacy) by any workforce user
- Cloud applications: Access to cloud applications, such as salesforce.com and Google Apps, by any remote or mobile workforce user
- Server (system administrator): Access to a server (or similar) by a system administrator (or similar)
- Network infrastructure (network administrator): Access to firewalls, routers, switches and so on by a network administrator (or similar) on the corporate network

Workforce remote access

- VPN: Access to the corporate network via an IPsec VPN or a Secure Sockets Layer (SSL) VPN, by any remote or mobile workforce user
- HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any remote or mobile workforce user
- Business Web applications: Access to business Web applications by any workforce user
- Portals: Access to portal applications, such as Outlook Web App and self-service HR portals, by any remote or mobile workforce user
- Cloud applications: Access to cloud apps, such as salesforce.com and Google Apps, by any remote or mobile workforce user

External users

- VPN: Access to back-end applications via IPsec or SSL VPN by any business partner, supply chain partner or other external user
- HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any business partner, supply chain partner or other external user
- Business Web applications: Access to Web applications by any business partner, supply chain partner or other external user (except retail customers)
- Retail customer applications: Access to customer-facing Web applications

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.


For each use case, the enterprise must identify the methods, or combinations of methods, that fit best, considering at least authentication strength, TCO and user experience (see "How to Choose New Authentication Methods").

Note that some vendors have a particular focus on one use case or a few use cases, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.

Market Trends and Other Considerations

Versatile Authentication Servers (VASs)

A VAS is a single product or service that supports a variety of open and proprietary authentication methods in multiplatform environments. It may be delivered as server software, as a virtual or hardware appliance, or as a cloud-based service, typically with a multitenanted architecture. A VAS typically supports OTP tokens and OOB authentication, and may also support one or more of the following: KBA methods, X.509 tokens and biometric authentication methods. A VAS must, at minimum, support one or more standards-based authentication methods — most commonly, OTP tokens using algorithms developed by the OATH — or have an extensible architecture to enable third-party authentication methods to be "plugged in" as required, without the need for a discrete third-party server or service.

A VAS vendor is likely a wide-focus authentication vendor, but not all wide-focus authentication vendors are VAS vendors. Even if a vendor supports a wide range of methods, its authentication infrastructure does not properly qualify as "versatile" if it supports only the vendor's proprietary methods or those licensed from another vendor. (RSA, The Security Division of EMC, is the most notable example of such a vendor.) Nonetheless, if the vendor can offer a wide-enough range of authentication methods, it may still be able to deliver much of the value of a true VAS. However, enterprises must consider the impact of vendor lock-in, particularly when it may restrict the future adoption of fit-for-purpose authentication methods.

Most wide-focus vendors are now VAS vendors. With few exceptions, VASs are the only authentication infrastructure they offer (although with different delivery options). Thus, even if a customer is adopting only one kind of authentication method from such a vendor, it will be implementing a VAS that gives it the flexibility to change or add methods to support future needs.

Tight-focus vendors are necessarily not VAS vendors.

Cloud-Based Authentication Services

Several included vendors offer cloud-based authentication services — either traditional managed (hosted) services or new multitenanted cloud-based services — or partner with third-party managed security service providers (MSSPs) ranging from global telcos to smaller, local firms (for example, Sygnify, Tata Communications and Verizon Business). A cloud-based service can be a VAS, but most MSSPs to date have focused on supporting only a small range of methods — typically OTP hardware tokens and sometimes OOB authentication methods. However, we are also seeing some interest in smart cards as a service offering, especially among U.S. federal government agencies seeking to leverage the Personal Identity Verification (PIV) cards mandated by Homeland Security Presidential Directive 12 (HSPD-12).

Historically, cloud-based authentication services have had the most traction among SMBs — companies with fewer than 1,000 employees — and in public-sector verticals (government and higher education). Costs, resources and around-the-clock support considerations make a service offering appealing to these customers.

However, adoption of cloud-based authentication services among private-sector enterprises is increasing, although not because they are explicitly seeking this delivery option. Gartner sees several vendors successfully offering only a cloud-based service (or promoting such a service over any on-premises offering), and enterprises are choosing such solutions based on their overall value proposition. (Of course, the cost advantages of cloud-based services are implicitly part of that value proposition.) We expect greater adoption of cloud-based services among enterprises as multitenanted cloud-based services mature and as cloud computing becomes more widely adopted as a way of delivering business applications and services generally. Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today. However, it is likely that on-premises solutions will persist, especially in more risk-averse enterprises that want to retain full control of identity administration, credentialing and verification.

Adaptive Access Control

A number of the vendors included in this Magic Quadrant have WFD tools (see "Magic Quadrant for Web Fraud Detection") that are primarily aimed at financial services providers but have attracted interest from enterprises in other sectors, notably government and healthcare. WFD tools provide adaptive access control capabilities; several vendors use the term "risk-based authentication," but the scope of these solutions goes beyond authentication alone (see "Adaptive Access Control Emerges"). Adaptive access control uses a dynamic risk assessment based on a range of user and asset attributes, and other contextual information — for example, transaction value, endpoint identity and status, IP reputation, IP- or GPS-based geolocation, and user history and behavior — to make an access decision. Above a defined risk threshold, the tool can be set to deny a transaction, allow it but alert, prompt for reauthentication or authentication with a higher-assurance method, prompt for transaction verification, and so on. This capability provides an essential component in a layered fraud prevention approach (see "The Five Layers of Fraud Prevention and Using Them to Beat Malware").

In typical enterprise use cases, adaptive access control capability can minimize the burden of higher-assurance authentication on the user by limiting its use to those instances where the level of risk demands it. For example, if a user accesses a VPN or Web application from a known endpoint and location, then a legacy password alone may suffice; however, if the endpoint is unknown or the location is unusual, then the user would, for example, be prompted to use OOB authentication. Gartner projects that, during the next two to three years, such capability will become more important over a wider range of use cases and will be more widely supported among mainstream user authentication products and services, especially among wide-focus vendors. By 2015, 30% of business to business (B2B) and business to enterprise (B2E) enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.

X.509 Tokens

Unlike OTP tokens and OOB authentication offerings, "authentication using X.509 tokens" does not represent a complete product of fully integrated components provided by a single vendor, but rather an ensemble of discrete components from two or more vendors. Thus, X.509 token projects can be significantly more complex than they may appear at first. Enterprises must identify combinations of the different components that are interoperable, as demonstrated through true technology partnerships, rather than simply through comarketing and coselling agreements, and should demand multiple reference implementations.

Among the vendors included in this Magic Quadrant, some (such as ActivIdentity, Gemalto and SafeNet) provide only the smart cards, middleware and CM tools. Others (such as Symantec) provide only the PKI components. For many enterprises, the PKI tools embedded in Microsoft Windows Active Directory will be good enough, so any of the former vendors may be sound choices. Where enterprises have a need for richer functionality in their PKI components, both types of vendor are needed. It is important to note, however, that this "incompleteness" is a market reality for X.509-based authentication, and vendors offering smart tokens and supporting X.509-based authentication in their authentication infrastructure products were not penalized for lacking PKI tools in the development of this Magic Quadrant. Moreover, X.509-based authentication for Windows PC and network login is natively supported, so it does not need an authentication infrastructure, such as those offered by the vendors included in this Magic Quadrant. Enterprises seeking to support this can consider other vendors offering smart tokens (for example, G&D, Morpho and Oberthur Technologies), PC middleware (from the smart token vendors or others, such as charismathics) and CM tools (from the smart token vendors or others, such as Bell ID and Intercede).

Pricing Scenarios

For this Magic Quadrant, vendor pricing was evaluated across the following scenarios:

Scenario 1 — Communications (publishing and news media): Small enterprise (3,000 employees) with 3,000 workforce users of "any" kind. Usage: Daily, several times per day. Endpoints: PC — approximately 60% Windows XP and Vista (AD), and 40% Mac OS X (OpenLDAP). Endpoints owned by: Company. User location: Corporate LAN. Access to: PC and LAN, downstream business and content management applications, mixture of internal and external Web and legacy. Sensitivity: Company- and customer-confidential information. Notes: The company also plans to refresh its building access systems and may be receptive to a "common access card" approach. The average (median) price for this scenario was approximately $125,000.

Scenario 2 — Retail ("high street" and online store): Large enterprise (10,000 employees) with 50 workforce users, limited to system administrators and other data center staff. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista. Endpoints owned by: Company. User location: Corporate LAN. Access to: Windows, Unix, and IBM i and z servers, Web and application servers, network infrastructure. Sensitivity: Business-critical platforms. Notes: Users have personal accounts on all servers, plus use of shared accounts mediated by shared account password management (SAPM) tool (for example, Cyber-Ark Software and Quest Software). Users also need contingency access to assets via an SSL VPN from PCs ("any" OS). The company has already deployed 1,500 RSA SecurID hardware tokens for remote access for its mobile workforce. It must comply with the U.S. Sarbanes-Oxley Act, PCI Data Security Standard (DSS) and other requirements as appropriate to targets accessed. The average (median) price for this scenario was approximately $7,000.

Scenario 3 — Healthcare (teaching hospital): Large enterprise (10,000 employees) with 1,000 external users, comprising doctors and other designated staff in doctors' practices. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X, and maybe others. Endpoints owned by: Doctors' practices. User location: On LANs in doctors' practices. Access to: Electronic health record applications; mixture of Web and legacy (via SSL VPN). Sensitivity: Patient records. Notes: Enterprise must comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements. PCs may be shared by doctors and other staff in doctors' practices. The average (median) price for this scenario was approximately $70,000.

Scenario 4 — Utilities (power): Large enterprise (20,000 employees) with 5,000 users comprising traveling workforce and a "roaming" campus workforce. Usage: Daily, several times per day to several times per week. Endpoints: PC (mainly Windows XP), smartphones (mainly BlackBerry) and some other devices. Endpoints owned by: The company. User location: Public Internet and corporate WLAN. Access to: Business applications, mixture of internal Web and legacy, via SSL VPN or WLAN. Sensitivity: Company- and customer-confidential information, financial systems (some users), information about critical infrastructure (some users). Notes: Must comply with U.S. Federal Energy Regulatory Commission (FERC), North American Electrical Reliability Corporation (NERC) and other regulatory and legal requirements. The company is also investigating endpoint encryption solutions for its traveling workforce's PCs. The average (median) price for this scenario was approximately $200,000.

Scenario 5 — Financial services (retail bank): Large enterprise (20,000 employees) with 1 million external users, all retail banking customers. Usage: Variable, up to once every few months. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X; smartphones (including Android and iOS) and tablets (mainly iOS). Endpoints owned by: Customers, Internet cafes and others, possibly also customers' employers. User location: Public Internet, sometimes worldwide; possibly corporate LANs. Access to: Web application. Sensitivity: Personal bank accounts, up to $100,000 per account. Notes: Most customers are based in metropolitan and urban areas, but approximately 10% are in areas without mobile network coverage. The average (median) price for this scenario was approximately $1.9 million.

Note that these pricing scenarios do not reflect any discounts that a vendor may offer particular customers or prospects, and they do not reflect other considerations that contribute to the TCO of a user authentication solution (see "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership").

Vendor Strengths and Cautions

ACTIVIDENTITY

ActivIdentity, based in Fremont, California, was formed by the 2005 merger of ActivCard (which had acquired A-Space in 2004, giving it the 4TRESS product, focused on authentication in financial services) and Protocom (an enterprise single sign-on [ESSO] vendor). ActivIdentity was purchased by Assa Abloy in December 2010 and made part of its HID Global unit. The company has a long history in authentication and adjacent markets. Its current focus is on authentication and credential management across multiple market segments. As part of HID Global, ActivIdentity now has a stronger focus on common access cards for physical security, as well as for enterprise PC and network login. ActivIdentity offers 4TRESS Authentication Server as a hardware appliance, aimed at enterprise and online banking or other external user implementations, or a software appliance aimed at enterprises and SMBs, as well as an SDK for direct integration in banking (or other) applications. It also offers 4TRESS AAA Server, with support for a small range of authentication methods (OTP tokens), as software for enterprises and SMBs.

Strengths

4TRESS Authentication Server has one of the widest ranges of supported authentication methods, and ActivIdentity offers one of the widest ranges of authentication methods. Overall, ActivIdentity has one of the strongest product or service offerings.

ActivIdentity demonstrated a strong sales strategy.

ActivIdentity came out very well in the pricing scenarios and was among the lowest-cost options for Scenario 5.

Reference customers typically cited functional capabilities, the pricing model or TCO as important decision factors.

Cautions

ActivIdentity has a small market share by customer numbers in comparison with other vendors in this research. However, overall, it is used by approximately 10 million end users.

Reference customer comments raised concerns about ActivIdentity's customer support, the reliability of the software and target system integration. Overall, reference customers were ambivalent about the company's customer support.

AUTHENTIFY

Authentify, based in Chicago, was established in 1999. It offers OOB authentication services and has multiple OEM relationships (which include other vendors discussed in this Magic Quadrant). Authentify has a strong market focus on financial services, and tailors its offerings to banks' and others' need for layered security and fraud prevention measures.

In 2001, Authentify launched its multitenanted, cloud-based service providing OOB authentication by voice modes, adding SMS modes in 2007 and transaction verification for electronic funds transfer by voice modes in 2008. In voice modes, additional assurance can be provided by biometric voice (speaker) recognition. Authentify has recently launched 2CHK, a desktop and mobile app, activated by an OOB voice call or SMS exchange, that provides more robust transaction verification.

About half of Authentify's customers come from its channel partners, which include DocuSign, Entrust, FIS, RSA and Symantec. Direct customers come mainly from financial services, including major banks and insurance companies, but can also be found in healthcare, technology and service provider verticals.

Strengths

Although it has negligible market share by customer numbers, across its own and partner implementations, Authentify is likely used by hundreds of millions of end users.

Authentify clearly articulated a good market understanding and demonstrated a good geographic strategy.

Direct SS7 layer monitoring enables Authentify to detect call forwarding in many areas, defeating one type of attack against OOB authentication by voice.

Authentify came out fairly well in the pricing scenarios, and was among the lowest-cost options for Scenario 5, which represents its target market segment. Although it was the highest-cost option for Scenario 4 by a huge margin, this use case is not representative of its target market segment.

Cautions

Authentify offers only OOB authentication. Furthermore, a majority of Authentify's clients use its OOB authentication for "transactional" systems, rather than as a primary authentication method for login — for example, registration confirmation, password change or recovery, real-time PIN delivery, credential activation, login from unknown machine or location (in the context of WFD or adaptive access control), transaction verification for funds withdrawal or transfer (often in the context of WFD or adaptive access control). However, these use cases map well to the wants and needs of Authentify's target market segment.

Authentify's offerings lack Security Assertion Markup Language (SAML) integration to cloud-based applications and services.

Authentify did not clearly articulate a strong sales or marketing strategy in comparison with other vendors in this research, nor did it demonstrate strong sales execution. However, Gartner notes that Authentify performs strongly within its target market segment.

CA TECHNOLOGIES

name, as hosted managed services, server software and SDK/APIs for direct integration into target systems, and CA AuthMinder as-a-Service (formerly Arcot A-OK) as a multitenanted cloud-based service. One of CA Technologies' distinctive features is ArcotID, a proprietary X.509 software token technology that protects the credentials on the endpoint device and binds them to the device. The ex-Arcot portfolio also includes e-payment card authentication, secure electronic notification and delivery, and digital signature integrated with Adobe Acrobat. The acquisition also gave CA Technologies an established cloud services infrastructure and expertise for cloud delivery of other identity and access management (IAM) offerings.

CA Technologies offers OTP hardware tokens from Gemalto and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

Overall, CA Technologies has one of the strongest product or service offerings. CA Advanced Authentication tightly integrates the adaptive access control capabilities of its WFD tool, CA Arcot RiskFort, with the authentication component, CA Arcot WebFort (soon to be renamed CA AuthMinder).

CA Technologies clearly articulated good market understanding and product/service strategy, as well as market, sales and geographic strategies. (This is where Arcot's acquisition by CA Technologies has had the most significant impact on the vendor's position in the market.) Although it has a very small market share by customer numbers in comparison with other vendors in this Magic Quadrant, CA Technologies is used by more than 100 million end users.

CA Technologies came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3, 4 and 5. Notably, it offers zero-cost OTP software tokens for mobile phones. Reference customers typically cited functional capabilities and good feedback from reference implementations as important decision factors. (However, some were unsure about recommending CA Technologies to their peers.) Reference customers were fairly satisfied with CA Technologies' customer support.

Cautions

CA Technologies is not as well-suited for SMBs, because its direct sales force typically does not do deals with an end-user count below 1,000.

The majority of CA Technologies' customers are in the Americas (with the bulk likely in North America).

Reference customer comments raised concerns about technical integration with existing infrastructure components and other implementation issues.

CRYPTOCARD

Cryptocard, based in Ottawa, Canada, and Bracknell, U.K., has focused on the enterprise authentication market since 1989, often positioning itself as the lower-cost alternative to the market leaders. In 2006, Cryptocard merged with WhiteHat Consulting, adding a managed authentication service to its portfolio. Cryptocard now offers three core products and services: Blackshield Cloud, a multitenanted cloud-based service; Blackshield Server, application software intended to run on one or more server instances; and Blackshield Service Provider Edition, a software application that service providers can use to create their own hosted versions of Blackshield Cloud.

Strengths

Cryptocard clearly articulated a good product/service strategy, coupled with strong technical innovation, as well as strong marketing, vertical industry and geographic strategies. It also demonstrated good market responsiveness.

Cryptocard came out fairly well in the pricing scenarios, and was among the lowest-cost options for Scenario 2.

Reference customers typically cited functional capabilities and expected performance and scalability as important decision factors. They liked Cryptocard's Active Directory synchronization and broad range of "token" form factors (including OOB authentication options). In addition, they were fairly satisfied with Cryptocard's customer support.

Cautions

Cryptocard has few customers in the Asia/Pacific region.

Reference customer comments raised concerns about ease of migration from Crypto-MAS to the Blackshield cloud-based service.

DS3

Founded in 1998 as RT Systems, this Singapore-based company changed its name to Data Security System Solutions (DS3) in 2001 to better reflect its market focus. In 2010, it raised institutional funding to expand and execute on its vision to provide solutions that will meet the user and data authentication requirements for different customer segments, different industries and different use cases.

DS3 offers DS3 Authentication Server as a hardware or software appliance for large-scale B2B/B2C deployments (launched in 2004); DS3 Authentication Security Module as a hardware appliance for smaller enterprise intranet implementations; DS3 Authentication Toolkit, an SDK/APIs for direct integration in banking (or other) applications (2009); and a hosted authentication service (2011). DS3 has a global partnership with IBM Security Services, which offers the DS3 Authentication Server worldwide under the name "IBM Identity and Access Management Services — total authentication solution."

Strengths

DS3 clearly articulated a good sales strategy and demonstrated good market responsiveness. Notably, DS3 responded positively to the financial crisis in 2008, when sales to banks slowed significantly, by expanding into other vertical industries, with some success.

DS3 Authentication Server has one of the widest ranges of supported authentication methods, including support for multiple OTP token types, and DS3 offers a wide range of authentication methods. DS3's broad OTP token support is also an advantage for an enterprise migrating from another vendor's offering, because it allows the continued use of that vendor's tokens for their remaining lifetime without the need to maintain that vendor's authentication server in parallel. DS3's solutions are very scalable, which Gartner believes was an important factor in DS3's winning Singapore's National Authentication Framework for a countrywide authentication service. DS3 came out very well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 2, 4 and 5.

Reference customers in financial services typically cited DS3's industry experience and reputation as important decision factors. Most found that DS3 responds to support requests fully and promptly. Overall, they were satisfied with DS3's customer support.

Cautions

DS3 has a negligible market share by customer numbers. However, it is already used by the Singapore government and many banks in the region, giving DS3 total end-user numbers of more than 5 million.

The majority of DS3's customers are in the Asia/Pacific region, although its partnership with IBM has begun to yield a few significant global sales, such as ING Bank in the Netherlands. DS3 did not clearly articulate a strong market understanding or marketing strategy in comparison with other vendors in this research, or demonstrate strong marketing execution.

DS3's offerings lack SAML integration with cloud-based applications and services. Reference customer comments raised minor concerns about the stability of features and customizability.

ENTRUST

Entrust, headquartered in Dallas, Texas, is a well-established security vendor offering fraud detection, citizen e-ID and data encryption tools, in addition to its authentication portfolio. Entrust's core authentication infrastructure, Entrust IdentityGuard, supports a much broader range of authentication methods than the OTP grid cards that first bore that name. Entrust, a public company since 1997, was taken private in 2009 by the private equity investment firm Thoma Bravo.

Since 2005, Entrust has offered IdentityGuard Authentication Server as server software. Entrust offers OOB authentication through a partnership with Authentify.

Strengths

Overall, Entrust has one of the strongest product or service offerings in the user authentication market. IdentityGuard incorporates some adaptive access control capabilities natively and can be coupled with TransactionGuard for full-blown WFD functions.

Entrust was among the lowest-cost options for Scenarios 4 and 5, but its pricing for Scenario 2 was second-highest. We also note that SAML integration to cloud-based applications and services for IdentityGuard requires a discrete "Federation Module" at an additional cost.

Reference customers typically cited functional capabilities and expected performance and scalability as important decision factors.

Cautions

Entrust did not clearly articulate a good market understanding or demonstrate strong market responsiveness or customer experience in comparison with other vendors in this research. Entrust has a very small market share by customer numbers in comparison with other vendors in this research. However, it is used by an installed base of approximately 40 million end users. There is no appliance or cloud-based version of IdentityGuard. Entrust tells us that it will be introducing a cloud-based version early in 2012.

EQUIFAX

Equifax, based in Atlanta, Georgia, has a long history in identity, going back to 1899. It entered the user authentication market in 2010 with its acquisition of Anakam, a wide-focus authentication vendor with a market focus on healthcare and government.

Equifax's core offering in this market is the Anakam.TFA Two-Factor Authentication server software, launched in 2005, which is complemented by tools for identity proofing, risk assessment and credentialing. In 2011, it launched Anakam.ODI On-Demand Identity, a multitenanted, cloud-based service that integrates its product offerings with SAML-based federated single sign-on (SSO).

Strengths

Although it has negligible market share by customer numbers, Equifax is used by more than 100 million end users.

Equifax clearly articulated a good vertical industry strategy and demonstrated its overall viability. Reference customers in healthcare typically cited Equifax's industry experience and understanding of their business needs as important decision factors. Reference customers were satisfied with Equifax's customer support.

Cautions

A significant majority of Equifax's customers are in North America, although the company does have a presence in Latin America and Europe.

Only Equifax's Anakam.ODI On-Demand Identity offering provides SAML integration to cloud-based applications and services.

GEMALTO

Amsterdam-based Gemalto, formed in 2006 by the merger of Axalto (formerly the smart card division of Schlumberger) and Gemplus, is a leading smart card vendor, with a strong presence in the authentication market. It offers OTP tokens, as well as smart tokens. With the acquisitions of Xiring's authentication portfolio and, in particular, of Todos, Gemalto has broadened the range of its offerings in the financial services industry, which it has identified as a key market. Other recent acquisitions relevant to its authentication portfolio include Trusted Logic (a provider of open, secure software for consumer devices and digital services), Valimo (a pioneer in mobile digital ID, with solutions that enable secure authentication, digital signatures and transaction verification) and Multos International (originator of the Multos smart card OS).

Gemalto's core infrastructure products are Protiva Strong Authentication Server (server software) and Protiva Strong Authentication Service (a hosted managed service), as well as the Ezio System (server software for financial services and e-commerce) from the Todos acquisition.

Strengths

Gemalto came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 3 and 5. (However, it did not provide a quotation for Scenario 2.)

Gemalto demonstrated significant growth in its OTP token product lines, and has established itself as a credible provider of these authentication methods.

Reference customers were fairly satisfied with Gemalto's customer support, and their comments about the products were generally positive.

Cautions

Gemalto did not clearly articulate good marketing strategy or technical innovation.

Although Gemalto is widely recognized as a leading smart card vendor, the company is rarely cited by Gartner clients in calls about authentication, generally.

I-SPRINT INNOVATIONS

Singapore-based i-Sprint Innovations was founded in 2000 by ex-Citibank security professionals and is backed by global institutional investors. It was acquired in 2011 by Automated Systems Holdings Ltd. (ASL), a subsidiary of Teamsun. The companies are listed on the Hong Kong Stock Exchange and the Shanghai Stock Exchange, respectively. The purchase bodes well for the expansion of i-Sprint's offerings into the Chinese market, given the Multi-Level Protection Scheme (MLPS) in China, which obliges companies to use only domestic security solutions.

Its AccessMatrix Universal Authentication Server (UAS), launched in 2005, is part of an integrated set of server software products, which also includes ESSO, WAM and SAPM tools.

i-Sprint offers OTP hardware tokens from ActivIdentity, Gemalto, SafeNet, Vasco and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

AccessMatrix UAS has one of the widest ranges of supported authentication methods, including support for multiple OTP token types, and i-Sprint offers a wide range of authentication methods. i-Sprint clearly articulated a good product/service strategy, coupled with strong technical innovation, and it demonstrated good customer experience. Reference customers were very or extremely satisfied with i-Sprint's customer support.

i-Sprint was among the lowest-cost options for Scenarios 4 and 5.

Reference customers in financial services typically cited i-Sprint's industry experience, conformity to technical standards, and pricing model or TCO as important decision factors. They praised the robustness, maturity and sophistication of the product.

Cautions

i-Sprint has a negligible market share by customer numbers (although it is used by several million end users).

i-Sprint did not clearly articulate a strong market understanding or sales strategy in comparison with other vendors in this research.

The majority of i-Sprint's customers are in Asia/Pacific. Although its acquisition by ASL and likely future growth in China will only reinforce this bias, ASL may well provide the resources to enable significant overseas growth.

Reference customer comments raised some concerns about the complexity of UAS's administration interface and the suitability of audit reports for business users.

NORDIC EDGE

Sweden-based Nordic Edge was founded in 2001 and acquired by Intel in early 2011. Nordic Edge provides a broad range of IAM solutions, from provisioning of user information and SSO to software as a service (SaaS), as well as its wide-focus authentication offering.

Nordic Edge's core product is the Nordic Edge One Time Password Server, which can be delivered as server software, an SDK/API for Java and .NET/COM, and an on-demand Web service. Nordic Edge Opacus is also offered to service providers for them to offer a cloud-based authentication service as part of ERP, CRM and business intelligence cloud services, and this approach represents approximately 5% of its customers.

Strengths

Nordic Edge was among the lowest-cost options for Scenarios 2, 4 and 5. Notably, OTP software tokens for mobile phones are included in its OTP Server offering.

Reference customers typically cited Nordic Edge's industry experience, conformity to technical standards, and expected performance and scalability as important decision factors. Some reference customers highlighted Nordic Edge's flexibility, scalability and ease of installation. Reference customers were, on average, very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

Nordic Edge has a negligible market share by customer numbers. (However, it is used by more than 1 million end users.)

Nordic Edge did not clearly articulate a strong marketing strategy or demonstrate strong market responsiveness in comparison with other vendors in this research.

The majority of Nordic Edge's deployments are in companies with fewer than 1,000 users.

PHONEFACTOR

PhoneFactor, based in Overland, Kansas, and established in 2001 as Positive Networks, has offered its multitenanted, cloud-based OOB authentication service since 2007. PhoneFactor provides agents for target system integration to VPNs, HVDs, Web applications and other systems, and an SDK/API for integration with Web application login and transaction processes. In conjunction with a third-party WFD tool, PhoneFactor can be used to authenticate high-risk logins or for transaction verification.

Strengths

PhoneFactor is the OOB authentication vendor most frequently cited by Gartner clients. PhoneFactor is one of the few OOB authentication vendors that does not pass an OTP over the data channel in either direction, with all authentication information being exchanged over the air by the voice or SMS channel, making it less vulnerable to man-in-the-middle attacks. PhoneFactor was among the lowest-cost options for Scenarios 2 and 5.

Reference customers typically cited PhoneFactor's functional capabilities and expected performance and scalability as important decision factors. PhoneFactor's ease of implementation and management were explicitly mentioned. Reference customers were very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

PhoneFactor offers a free version of its service, restricted to 25 users for one or two applications, with no time limit. This may provide a complete solution for some SMBs, but it also offers a low-risk proof of concept for any company seeking a larger implementation. Clients tell us that nearly all proof-of-concept implementations are converted to full enterprise licenses.

Cautions

PhoneFactor offers only phone-based authentication (OOB authentication, as well as a software token using push notification that was released in late 2011).

The company has a very small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors). PhoneFactor did not clearly articulate good market understanding, product/service strategy or marketing, vertical industry or geographic strategies, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

Reference customer comments raised some concerns about technical integration with some existing infrastructure components.

QUEST SOFTWARE

Quest Software, based in Aliso Viejo, California, offers a wide range of Windows, application, database and virtualization management tools. It has recently strengthened its IAM offerings with the acquisition of Voelcker Informatik. Its authentication offering is the Defender product line (offered in succession since 1995 by AssureNet Pathways, Axent Technologies, Symantec and PassGo Technologies). The company's core infrastructure product is Quest Defender Security Server, delivered as security software. Defender offers OTP hardware tokens from ActivIdentity, SafeNet, Vasco, Yubico and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

Quest Software has relationships with several of the leading token manufacturers, which enable it to support one of the widest selections of OTP hardware tokens, as well as OTP software tokens and other methods. This is an advantage for an enterprise migrating from another vendor's offering, because it enables the continued use of that vendor's tokens for their remaining lifetime, without the need to maintain that vendor's authentication server in parallel.

Quest Software clearly articulated a good marketing strategy and demonstrated good marketing execution.

Quest Software was among the lowest-cost options for Scenarios 2 and 4. Some reference customers indicated that its TCO can be significantly lower than its major competitors', owing to, for example, reduced infrastructure requirements.

Reference customers typically cited Defender's functional capabilities and pricing model or TCO as important decision factors. Reference customers were very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

Quest Software did not clearly articulate a strong product/service strategy or geographic strategy, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

Defender Security Server lacks SAML integration with cloud-based applications and services. Quest Software offers no appliance or cloud-based delivery options.

RSA, THE SECURITY DIVISION OF EMC

RSA, The Security Division of EMC, which is based in Bedford, Massachusetts, has a long history in the authentication market. Security Dynamics was founded in 1984, and began shipping its SecurID tokens in 1986. Security Dynamics acquired RSA Data Security in July 1996, to form RSA Security. In 2006, RSA was acquired by EMC. Other acquisitions have provided RSA with a broad portfolio of access and intelligence products.

RSA's flagship infrastructure product is RSA Authentication Manager (formerly ACE/Server), which is now offered as either server software or a hardware appliance. It also offers RSA SecurID Authentication Engine, a Java/C++ SDK/API for direct integration into applications and portals. From its acquisitions of Cyota (2005) and PassMark Security (2006), RSA has a WFD product, RSA Adaptive Authentication. It also offers RSA Adaptive Authentication for the enterprise, which can be used as part of an enterprise's layered authentication approach. The risk engine from RSA Adaptive Authentication is combined with RSA SecurID on-demand OOB authentication in the RSA Authentication Manager Express hardware appliance, launched in 2010 and targeted at remote access use cases in SMBs or small deployments in enterprises.

From its acquisition of Verid (2007), RSA Identity Verification provides identity proofing for new account registration, but can also be used for authentication of infrequent users (who would be unlikely to remember a legacy password) and call center caller verification.

RSA offers OOB authentication through a partnership with Authentify.

The Impact of the RSA Breach

In March 2011, RSA was successfully attacked by what Gartner believes to have been two China-based hacking groups, at least one of which has a history of going after U.S. defense companies. We have inferred that the breach exposed the token records of all then-extant RSA SecurID hardware tokens, including the seed values used to generate the OTPs, allowing the attackers to successfully masquerade as legitimate users. We believe that this formed the basis of the subsequent (unsuccessful) attack against Lockheed Martin. That attack prompted RSA to offer replacement hardware or software tokens to its customers — all hardware tokens shipped after a brief hiatus following the attack are not compromised, and software tokens were never exposed — and we understand that many customers have replaced their tokens. (RSA tells us, however, that a "significant majority" have not.) The cost to RSA of replacing these tokens is estimated at $60 million. However, RSA has been impacted by the breach in other ways.

Since the breach, many Gartner clients have told us that they are looking at alternatives to RSA SecurID hardware tokens, but this is only sometimes because of the security concerns. In the majority of cases, the breach has prompted the company to review its historical decision to adopt RSA SecurID, leading the company to seek alternatives that offer a similar, or sometimes lower, level of assurance with lower TCO or better user experience — something that has long been a popular topic in client inquiries. Furthermore, we believe that RSA has lost much goodwill among some of its customers because of poor communication regarding the nature and impact of the breach (even though they might understand why RSA has focused its attention on its defense customers, which it believed were most at risk), the time RSA took to offer replacement tokens (although we believe that RSA would not have had the manufacturing capacity to do this any earlier) and to fulfill replacement requests (with several clients receiving their replacements over a period of months), and the contractual terms for the replacements (although we understand that RSA cannot provide free replacements under U.S. General Services Administration rules). These customers are likely to be looking hard at alternatives to RSA in the coming years. Nonetheless, it is highly likely that customer attrition will remain relatively small, given the "stickiness" of RSA SecurID deployments (because of the breadth of technical integration RSA offers) and, increasingly, a shift toward RSA SecurID software tokens and adaptive access control (especially if and when RSA integrates its risk engine into RSA Authentication Manager).

Strengths

Gartner estimates that RSA has a market share by customer numbers of about 25%, although this is appreciably lower than the previous year. (Note that this market share is based on 2010 numbers, and does not reflect any impact of the breach discussed above.) Overall, RSA is used by tens of millions of end users.

RSA is seen as the principal competitor by the majority of vendors in this research and has strong mind share among Gartner clients.

RSA demonstrated good overall viability (among the strongest of the vendors discussed in this research) and good marketing execution.

Reference customers in financial services typically cited RSA's industry experience as an important decision factor. All references also cited the functional capabilities, and some the expected performance and scalability, of RSA's products. Reference customers noted that the company generally dealt with technical support requests fully and promptly. Although reference customers were, on average, fairly satisfied with RSA's customer support, the rankings were widely spread.

Cautions

Although RSA offers a market-leading WFD tool, RSA Adaptive Authentication, and we see significant enterprise interest in RSA Adaptive Authentication for the Enterprise, these products are only loosely coupled with RSA Authentication Manager. RSA now offers RSA Authentication Manager Express, which is aimed at the SMB market and combines the risk engine from RSA Adaptive Authentication with OOB authentication (RSA SecurID On-demand). However, RSA Authentication Manager still lacks this integration.


Reference customer comments raised some concerns about ease of user management in RSA Authentication Server (which was often echoed by other vendors' reference customers' reasons for deciding against RSA).

A frequently mentioned reason among other vendors' reference customers for deciding against RSA Authentication Manager/RSA SecurID was its high cost. In fact, RSA was average or worse in most of the pricing scenarios, and was the highest-cost option for Scenario 5 by a wide margin. Although there is certainly a bias because of RSA's presence in the market, a significant number of client inquiries ask about "lower-cost alternatives to RSA."


SAFENET

SafeNet, based in Baltimore, Maryland, was established in 1983 as Industrial Resource Engineering and changed its name in 2000. In 2007, SafeNet was acquired by Vector Capital, which also acquired Aladdin Knowledge Systems two years later. Both firms now trade under the SafeNet name. Common ownership brings SafeNet's authentication offerings (from the 2004 to 2008 acquisitions of Rainbow Technologies and Datakey) together with those of Aladdin, which had a much stronger presence in that market segment with its legacy eToken offerings, as well as those from its acquisitions in 2008 of Eutronsec and the SafeWord product line from Secure Computing (one of the oldest lines of OTP tokens). SafeNet's other major product lines focus on software rights management and cryptography for data protection, including hardware security modules (HSMs).

SafeNet has two server software offerings: SafeNet Authentication Manager (SAM), which was formerly Aladdin's Token Management System, and SafeNet Authentication Manager Express, which was formerly SafeWord 2008. The latter supports a restricted set of authentication methods (OTP tokens and OOB authentication via SMS). SAM also provides CM capabilities and federated SSO to cloud-based applications. SafeNet also offers SafeNet OTP Authentication Engine, an SDK and API for direct integration of OTP authentication into target systems.

Strengths

SafeNet offers a wide range of authentication methods. Overall, SafeNet has one of the strongest product or service offerings in the market.

Gartner estimates that SafeNet has a market share by customer numbers of approximately 20%. Overall, SafeNet is used by tens of millions of end users.

SafeNet clearly articulated its technical innovation, as well as good marketing, industry vertical and geographic strategy. It also demonstrated good overall viability, market responsiveness, market execution and customer experience. Reference customers were very satisfied with SafeNet's customer support (one remarking that SafeNet had "gone to great lengths") and noted that it generally dealt with technical support requests fully and promptly.

SafeNet came out quite well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3 and 4; however, it was one of the higher-cost options for Scenario 5.

Reference customers' comments about the products were generally positive.

Cautions

SafeNet lacks any adaptive access control capability. Gartner sees this as a significant caution for a vendor with such a strong focus on the financial services market. SafeNet tells us that this capability is in development and will be released in 2Q12.

Although SafeNet has good mind share among Gartner clients, this still attaches to the SafeWord and (now defunct) Aladdin brand names, rather than to the SafeNet name itself. Gartner sees this as a continuing marketing challenge for SafeNet in the near term.


SECUREAUTH

Formed in 2005 as MultiFactor Corporation, this Irvine, California-based vendor changed its name to SecureAuth in 2010. SecureAuth IEP, which is delivered as a hardware or software appliance, combines its authentication infrastructure with the SSO capability of a WAM and support for federation using multiple protocols (see "MarketScope for Web Access Management").

Strengths

During the past year, SecureAuth has been one of the authentication vendors most frequently cited by Gartner clients, typically because of its low cost or ease of installation or because of its "tokenless" authentication method.

SecureAuth IEP is a single platform that integrates user authentication with federated SSO to cloud-based and Web applications, as well as VPNs. However, Gartner clients rarely cite this as a decision factor in choosing SecureAuth, and the company's lead with this approach may be somewhat eroded as other vendors roll out their support for SAML to provide similar federated SSO capabilities.

SecureAuth clearly articulated a good vertical/industry strategy.

SecureAuth was among the lowest-cost options for Scenarios 1 and 5, and SecureAuth IEP can cost less than some stand-alone solutions for federated SSO or user authentication.

Cautions

SecureAuth's primary authentication method is a kind of X.509 software token. This is not something Gartner sees widely used in practice, although SecureAuth does provide simple implementation of this method, without the constraints of legacy PKI approaches. Although SecureAuth offers KBA and OOB authentication methods (with out-of-the-box support for YubiKey and OATH-compliant tokens planned for 1Q12), and provides a flexible way of linking together multiple methods, relatively few of its customers use any of these other methods as their primary authentication methods.
