Magic Quadrant for User Authentication
G00227026

Published: 17 January 2012 Analyst(s): Ant Allan

User authentication is dominated by three well-established, wide-focus vendors that command the majority of the market. Newer wide- and tight-focus vendors are making significant inroads and offer enterprises sound alternatives across a range of needs.

Strategic Planning Assumptions

By 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today.

By 2015, 30% of business-to-business and business-to-enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.

Market Definition/Description

A provider in the user authentication market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions and can be integrated with one or more enterprise systems to support one or more use cases. Where appropriate to the authentication methods supported, a provider in the user authentication market also delivers client-side software or hardware used by end users in those real-time authentication decisions.

This market definition does not include providers that deliver only one or more of the following:

1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors)

2. Software, hardware or a service, such as access management or Web fraud detection (WFD), that makes a real-time access decision and may interact with discrete user authentication software, hardware or services (for example, to provide "step up" authentication)

3. Credential management software, hardware or services, such as password management tools, card management (CM) tools and public-key infrastructure (PKI) certification authority (CA) and registration authority (RA) tools (including OCSP responders)


A provider in the user authentication market may, of course, deliver one or more such offerings as part of, or in addition to, its user authentication offering. Note, however, that, for the purposes of this Magic Quadrant, offerings of Type 2, 3 and 4 are not considered to be user authentication offerings and were not included in customer, end-user or revenue figures.

Magic Quadrant

Figure 1. Magic Quadrant for User Authentication

Source: Gartner (January 2012)

This Magic Quadrant replaces "MarketScope for Enterprise Broad-Portfolio Authentication Vendors." There are several important changes from the previous document. The change of document type, from MarketScope to Magic Quadrant, reflects the increasing maturity and significance of the user authentication market and the need to more clearly differentiate among the vendors along two axes. The Evaluation Criteria, which are detailed below, are significantly different from those used in the MarketScope. They were changed to include tight-focus vendors and wide-focus (or broad-portfolio) vendors. In addition, the minimum-revenue criterion no longer applies, which avoids penalizing vendors that offer lower pricing.


1. Specialist vendors: A specialist user authentication vendor focuses on a distinctive proprietary authentication method — either a unique method or a proprietary instantiation of a common method — and also offers a corresponding infrastructure or a software development kit (SDK) that will allow it to plug into customers' applications or other vendors' extensible infrastructures.

2. Commodity vendors: These vendors focus on one or a few well-established authentication methods, such as one-time password (OTP) tokens (hardware or software) and out-of-band (OOB) authentication methods. A commodity vendor may provide a basic infrastructure to support only those few methods, and its offerings will primarily interest small or midsize businesses (SMBs) and some small enterprises that still have narrower needs.

3. Tight-focus vendors: We characterize a commodity vendor that provides a robust, scalable infrastructure that can meet the needs of larger enterprises and global service providers — and sometimes augment other vendors' extensible infrastructures — as a tight-focus vendor.

4. Wide-focus (broad-portfolio) vendors: The defining characteristic of these vendors is offering or supporting many distinct authentication methods. A wide-focus vendor may also be a specialist vendor. It will typically offer a versatile, extensible authentication infrastructure that can support a wider range of methods than it offers, which may be sourced through OEM agreements with one or more other vendors in any of these categories, or left to the enterprise to source directly from those vendors.

The vendors included in this Magic Quadrant fall into the third and fourth of these categories.

Market Size

Gartner's estimate for revenue across all segments of the authentication market for 2011 remains approximately $2 billion. However, the margin of error in this estimate is high, because not all the vendors included in this Magic Quadrant provided revenue data and because of the "long tail" of the more than 150 authentication vendors not included in it. Individual vendors included in this Magic Quadrant that did provide revenue data reported year-over-year revenue changes ranging from a greater than 10% decline to nearly 300% growth, with the median approximately 20% to 30% growth. More vendors — although still not all — provided customer numbers, and a majority of vendors reported growth in the 20% to 40% range, with some smaller vendors showing far greater growth.

We estimate the overall growth in the market by customers to be approximately 30% year over year. Because of the shift toward lower-cost authentication solutions, we estimate the overall growth by revenue to be only approximately 20%.

Range of Authentication Methods


methods, especially OOB authentication methods (sometimes incorporating voice recognition as an option), with a few (none of which are included in this Magic Quadrant) offering only KBA or biometric authentication methods.

The vendors included in this Magic Quadrant may offer any of a variety of methods across a range of categories (see "A Taxonomy of Authentication Methods, Update"). These categories, and, where appropriate, the corresponding categories from the National Institute of Standards and Technology (NIST) Special Publication 800-63-1 "Electronic Authentication Guideline" (July 2011 draft), are:

■ KBA Lexical: This approach combines improved password methods and Q&A methods. An improved password method lets a user continue to use a familiar password, but provides more secure ways of entering the password or generating unique authentication information from the password. A Q&A method prompts the user to answer one or more questions, with the answers preregistered or based on on-hand or aggregated life history information. It corresponds to the NIST "preregistered knowledge token" category.

■ KBA Graphical: KBA graphical authentication uses pattern-based OTP methods and image-based methods. A pattern-based OTP method asks the user to remember a fixed, arbitrary pattern of cells in an on-screen grid that is randomly populated for each login and to construct an OTP from the numbers assigned to those cells. An image-based method asks the user to remember a set of images or categories of images and to identify the appropriate images from random arrays presented at login. There is no corresponding NIST category.

■ OTP Token: This authentication method uses a specialized device or a software application for an existing device, such as a smartphone, that generates an OTP, either continuously (time-synchronous) or on demand (event-synchronous), which the user enters at login. The token may incorporate a PIN or be used in conjunction with a simple password. This category also includes transaction authentication number (TAN) lists and grid cards for "generating" OTPs. Note that the "OTP" category does not include "OTP by SMS" or similar methods, which Gartner classes as OOB authentication methods. One of several algorithms may be used:

■ American National Standards Institute (ANSI) X9.9 (time- or event-synchronous or challenge-response)

■ Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP), time-based OTP (TOTP) or OATH Challenge-Response Algorithms (OCRA)

■ Europay, MasterCard and Visa (EMV); MasterCard Chip Authentication Program (CAP); or Visa Dynamic Passcode Authentication (DPA), also called remote chip authentication

■ A proprietary algorithm

The corresponding NIST categories are "multifactor OTP hardware token," "single-factor OTP token" and "look-up secret token."


categories "multifactor hardware cryptographic token," "multifactor software cryptographic token" and "single-factor cryptographic token."

■ Other token: This category of methods embraces any other type of token, such as a magnetic stripe card, an RFID token or a 125kHz proximity card, a CD token or proprietary software that "tokenizes" a generic device, such as a USB NAND flash drive or an MP3 player. There is no corresponding NIST category.

■ OOB authentication: This category of methods uses an OOB channel (for example, SMS or voice telephony) to exchange authentication information (for example, sending the user an OTP that he or she enters via the PC keyboard). It is typically used in conjunction with a simple password. (Some vendors also support OTP delivery via email in a similar way; however, this is not strictly "OOB," because the OTP is sent over the same data channel as the connection to the server.) The corresponding NIST category is "out-of-band token."

■ Biological biometric: A biological biometric authentication method uses a biological characteristic (such as face topography, iris structure, vein structure of the hand or a fingerprint) as the basis for authentication. It may be used in conjunction with a simple password or some type of token. There is no corresponding NIST category.

■ Behavioral biometric: A behavioral biometric authentication method uses a behavioral trait (such as voice or typing rhythm) as the basis for authentication. It may be used in conjunction with a simple password or some kind of token. There is no corresponding NIST category.

In the research for this Magic Quadrant, a vendor's range of authentication methods offered and supported was evaluated as part of the assessment of the strength of its product or service offering. Note that some vendors offer only one or a few authentication methods, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.
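As an added illustration of the OATH HOTP and TOTP algorithms named in the OTP Token category above (example code written for this page, not taken from the report or from any vendor's product), the following Python implements both as specified in RFC 4226 and RFC 6238 together with the server-side checks a practitioner needs: a look-ahead window to resynchronize an event-synchronous token, refusal of counters already used (replay), a small time window for TOTP clock drift, and constant-time comparison of the submitted code. The 20-byte secret and the expected codes are the RFC test vectors; the window sizes are assumptions, not values from the report.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890", 20 bytes).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, (unix_time - t0) // step, digits, digestmod)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Event-synchronous verification.

    last_counter is the highest counter already accepted for this token. Counters at
    or below it are refused (replay protection); counters up to look_ahead steps ahead
    are tried so a token whose button was pressed without logging in can resynchronize.
    Returns the counter the server must store on success, or None on failure.
    (look_ahead=10 is an assumed policy value.)
    """
    for c in range(last_counter + 1, last_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Time-synchronous verification accepting +/- `window` steps of clock drift."""
    current = unix_time // step
    ok = False
    for c in range(current - window, current + window + 1):
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return ok


if __name__ == "__main__":
    # RFC 4226 Appendix D: counters 0, 1, 2 -> 755224, 287082, 359152
    print([hotp(RFC_SECRET, c) for c in range(3)])
    # RFC 6238 Appendix B (SHA-1, 8 digits): T=59 -> 94287082
    print(totp(RFC_SECRET, 59, digits=8))
```

A production verifier should also record the last accepted TOTP step, as verify_hotp does for the counter, so that a code observed in transit cannot be replayed inside the drift window; the drift window itself trades a little security for tolerance of unsynchronized token clocks and should be kept to one step where the deployment allows.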

Use Cases for New Authentication Methods

Many enterprises adopt new authentication methods to support one or many use cases — the most common of which are workforce remote access, especially access to corporate networks and applications via a VPN or hosted virtual desktop (HVD), and external-user remote access, especially retail-customer access to Web applications. The same new authentication method may be used across one or a few use cases, but the more use cases an enterprise must support, the more likely it needs to support multiple authentication methods to provide a reasonable and appropriate

balance of authentication strength, total cost of ownership (TCO) and user experience in each case. A full range of use cases is enumerated below. Vendors included in this Magic Quadrant can


access to retail-customer applications, especially in financial services. Not all the vendors in this Magic Quadrant were able to break down their customer numbers on this basis.

The authentication use cases that Gartner considered in preparing this Magic Quadrant (with the relevant subcategories) are:

Endpoint access

PC preboot authentication: Preboot access to a stand-alone or networked PC by any user

PC login: Access to a stand-alone PC by any user

Mobile device login: Access to a mobile device by any user

Workforce local access

Windows LAN: Access to a Windows network by any workforce user

Business application: Access to any individual business applications (Web or legacy) by any workforce user

Cloud applications: Access to cloud applications, such as salesforce.com and Google Apps, by any remote or mobile workforce user

Server (system administrator): Access to a server (or similar) by a system administrator (or similar)

Network infrastructure (network administrator): Access to firewalls, routers, switches and so on by a network administrator (or similar) on the corporate network

Workforce remote access

VPN: Access to the corporate network via an IPsec VPN or a Secure Sockets Layer (SSL) VPN, by any remote or mobile workforce user

HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any remote or mobile workforce user

Business Web applications: Access to business Web applications by any workforce user

Portals: Access to portal applications, such as Outlook Web App and self-service HR portals by any remote or mobile workforce user


External users

VPN: Access to back-end applications via IPsec or SSL VPN by any business partner, supply chain partner or other external user

HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any business partner, supply chain partner or other external user

Business Web applications: Access to Web applications by any business partner, supply chain or other external user (except retail customers)

Retail customer applications: Access to customer-facing Web applications

For each use case, the enterprise must identify the methods, or combinations of methods, that fit best, considering at least authentication strength, TCO and user experience (see "How to Choose New Authentication Methods").

Note that some vendors have a particular focus on one use case or a few use cases, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.

Market Trends and Other Considerations

Versatile Authentication Servers (VASs)

A VAS is a single product or service that supports a variety of open and proprietary authentication methods in multiplatform environments. It may be delivered as server software, as a virtual or hardware appliance, or as a cloud-based service, typically with a multitenanted architecture.

A VAS typically supports OTP tokens and OOB authentication, and may also support one or more of the following: KBA methods, X.509 tokens and biometric authentication methods. A VAS must, at minimum, support one or more standards-based authentication methods — most commonly, OTP tokens using algorithms developed by the OATH — or have an extensible architecture to enable third-party authentication methods to be "plugged in" as required, without the need for a discrete third-party server or service.

A VAS vendor is likely a wide-focus authentication vendor, but not all wide-focus authentication vendors are VAS vendors. Even if a vendor supports a wide range of methods, its authentication infrastructure does not properly qualify as "versatile" if it supports only the vendor's proprietary methods or those licensed from another vendor. (RSA, The Security Division of EMC, is the most notable example of such a vendor.) Nonetheless, if the vendor can offer a wide-enough range of authentication methods, it may still be able to deliver much of the value of a true VAS. However, enterprises must consider the impact of vendor lock-in, particularly when it may restrict the future adoption of fit-for-purpose authentication methods.


customer is adopting only one kind of authentication method from such a vendor, it will be implementing a VAS that gives it the flexibility to change or add methods to support future needs. Tight-focus vendors are necessarily not VAS vendors.

Cloud-Based Authentication Services

Several included vendors offer cloud-based authentication services — either traditional managed (hosted) services or new multitenanted cloud-based services — or partner with third-party managed security service providers (MSSPs) ranging from global telcos to smaller, local firms (for example, Sygnify, Tata Communications and Verizon Business). A cloud-based service can be a VAS, but most MSSPs to date have focused on supporting only a small range of methods — typically OTP hardware tokens and sometimes OOB authentication methods. However, we are also seeing some interest in smart cards as a service offering, especially among U.S. federal government agencies seeking to leverage the Personal Identity Verification (PIV) cards mandated by Homeland Security Presidential Directive 12 (HSPD-12).

Historically, cloud-based authentication services have had the most traction among SMBs — companies with fewer than 1,000 employees — and in public-sector verticals (government and higher education). Costs, resources and around-the-clock support considerations make a service offering appealing to these customers.

However, adoption of cloud-based authentication services among private-sector enterprises is increasing, although not because they are explicitly seeking this delivery option. Gartner sees several vendors successfully offering only a cloud-based service (or promoting such a service over any on-premises offering), and enterprises are choosing such solutions based on their overall value proposition. (Of course, the cost advantages of cloud-based services are implicitly part of that value proposition.)

We expect greater adoption of cloud-based services among enterprises as multitenanted cloud-based services mature and as cloud computing becomes more widely adopted as a way of delivering business applications and services generally. Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today. However, it is likely that on-premises solutions will persist, especially in more risk-averse enterprises that want to retain full control of identity administration, credentialing and verification.

Adaptive Access Control

A number of the vendors included in this Magic Quadrant have WFD tools (see "Magic Quadrant for Web Fraud Detection") that are primarily aimed at financial services providers but have attracted interest from enterprises in other sectors, notably government and healthcare. WFD tools provide adaptive access control capabilities; several vendors use the term "risk-based authentication," but the scope of these solutions goes beyond authentication alone (see "Adaptive Access Control Emerges").


status, IP reputation, IP- or GPS-based geolocation, and user history and behavior — to make an access decision. Above a defined risk threshold, the tool can be set to deny a transaction, allow it but alert, prompt for reauthentication or authentication with a higher-assurance method, prompt for transaction verification, and so on. This capability provides an essential component in a layered fraud prevention approach (see "The Five Layers of Fraud Prevention and Using Them to Beat Malware").
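An added example (written for this page, not taken from the report or from any vendor's product) of the threshold logic described above: a small Python policy that scores a login attempt from contextual signals of the kinds the text lists (endpoint status, IP reputation, geolocation, user history) and maps the score onto the actions named, allow, allow but alert, step up to a higher-assurance method, or deny. The signal weights, the thresholds, the reputation labels and the sample requests are constructed assumptions; a real deployment tunes them against its own fraud and false-positive data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signal weights are constructed for illustration, not taken from any product.
WEIGHTS: Dict[str, int] = {
    "unknown_device": 40,         # endpoint status: device never seen for this user
    "unusual_country": 30,        # IP- or GPS-based geolocation outside the user's history
    "ip_reputation_bad": 60,      # IP on a reputation blocklist (proxy, botnet, known abuse)
    "ip_reputation_unknown": 10,  # no reputation data for the IP
    "recent_failures": 25,        # user history: repeated failed logins in the last hour
}

# Assumed thresholds: below ALLOW_MAX -> allow; below ALERT_MAX -> allow but alert;
# below STEP_UP_MAX -> require higher-assurance authentication; otherwise deny.
ALLOW_MAX, ALERT_MAX, STEP_UP_MAX = 20, 40, 80


@dataclass
class UserHistory:
    known_devices: set
    usual_countries: set


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    ip_reputation: str            # "good", "unknown" or "bad" (constructed labels)
    failed_logins_last_hour: int = 0


def risk_score(req: AccessRequest, hist: UserHistory) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that fires; return the score and the reasons."""
    reasons: List[str] = []
    if req.device_id not in hist.known_devices:
        reasons.append("unknown_device")
    if req.country not in hist.usual_countries:
        reasons.append("unusual_country")
    if req.ip_reputation == "bad":
        reasons.append("ip_reputation_bad")
    elif req.ip_reputation == "unknown":
        reasons.append("ip_reputation_unknown")
    if req.failed_logins_last_hour >= 3:
        reasons.append("recent_failures")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a risk score onto the actions available once a threshold is exceeded."""
    if score < ALLOW_MAX:
        return "allow"            # e.g. password alone from a known endpoint and location
    if score < ALERT_MAX:
        return "allow_and_alert"  # let the session proceed, raise an alert for review
    if score < STEP_UP_MAX:
        return "step_up"          # prompt for OOB or another higher-assurance method
    return "deny"


def evaluate(req: AccessRequest, hist: UserHistory) -> Tuple[str, int, List[str]]:
    score, reasons = risk_score(req, hist)
    return decide(score), score, reasons


# Constructed sample history for one user.
ALICE = UserHistory(known_devices={"laptop-a1"}, usual_countries={"US"})

if __name__ == "__main__":
    for req in (
        AccessRequest("alice", "laptop-a1", "US", "good"),
        AccessRequest("alice", "kiosk-77", "US", "good"),
        AccessRequest("alice", "kiosk-77", "RO", "bad", failed_logins_last_hour=4),
    ):
        print(req.device_id, req.country, evaluate(req, ALICE))
```

Returning the list of reasons alongside the decision matters in practice: it is what lets an analyst explain a step-up or denial, and what the tuning loop uses to find signals that fire too often on legitimate users.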

In typical enterprise use cases, adaptive access control capability can minimize the burden of higher-assurance authentication on the user by limiting its use to those instances where the level of risk demands it. For example, if a user accesses a VPN or Web application from a known endpoint and location, then a legacy password alone may suffice; however, if the endpoint is unknown or the location is unusual, then the user would, for example, be prompted to use OOB authentication. Gartner projects that, during the next two to three years, such capability will become more important over a wider range of use cases and will be more widely supported among mainstream user authentication products and services, especially among wide-focus vendors. By 2015, 30% of business-to-business (B2B) and business-to-enterprise (B2E) user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.

X.509 Tokens

Unlike OTP tokens and OOB authentication offerings, "authentication using X.509 tokens" does not represent a complete product of fully integrated components provided by a single vendor, but rather an ensemble of discrete components from two or more vendors. Thus, X.509 token projects can be significantly more complex than they may appear at first. Enterprises must identify combinations of the different components that are interoperable, as demonstrated through true technology partnerships, rather than simply through comarketing and coselling agreements, and should demand multiple reference implementations.

Among the vendors included in this Magic Quadrant, some (such as ActivIdentity, Gemalto and SafeNet) provide only the smart cards, middleware and CM tools. Others (such as Symantec) provide only the PKI components. For many enterprises, the PKI tools embedded in Microsoft Windows Active Directory will be good enough, so any of the former vendors may be sound choices. Where enterprises have a need for richer functionality in their PKI components, both types of vendor are needed.

It is important to note, however, that this "incompleteness" is a market reality for X.509-based authentication, and vendors offering smart tokens and supporting X.509-based authentication in their authentication infrastructure products were not penalized for lacking PKI tools in the development of this Magic Quadrant. Moreover, X.509-based authentication for Windows PC and network login is natively supported, so it does not need an authentication infrastructure, such as those offered by the vendors included in this Magic Quadrant. Enterprises seeking to support this can consider other vendors offering smart tokens (for example, G&D, Morpho and Oberthur


Pricing Scenarios

For this Magic Quadrant, vendor pricing was evaluated across the following scenarios:

■ Scenario 1 — Communications (publishing and news media): Small enterprise (3,000 employees) with 3,000 workforce users of "any" kind. Usage: Daily, several times per day. Endpoints: PC — approximately 60% Windows XP and Vista (AD), and 40% Mac OS X (OpenLDAP). Endpoints owned by: Company. User location: Corporate LAN. Access to: PC and LAN, downstream business and content management applications, mixture of internal and external Web and legacy. Sensitivity: Company- and customer-confidential information. Notes: The company also plans to refresh its building access systems and may be receptive to a "common access card" approach. The average (median) price for this scenario was approximately $125,000.

■ Scenario 2 — Retail ("high street" and online store): Large enterprise (10,000 employees) with 50 workforce users, limited to system administrators and other data center staff. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista. Endpoints owned by: Company. User location: Corporate LAN. Access to: Windows, Unix, and IBM i and z servers, Web and application servers, network infrastructure. Sensitivity: Business-critical platforms. Notes: Users have personal accounts on all servers, plus use of shared accounts mediated by a shared account password management (SAPM) tool (for example, Cyber-Ark Software and Quest Software). Users also need contingency access to assets via an SSL VPN from PCs ("any" OS). The company has already deployed 1,500 RSA SecurID hardware tokens for remote access for its mobile workforce. It must comply with the U.S. Sarbanes-Oxley Act, PCI Data Security Standard (DSS) and other requirements as appropriate to targets accessed. The average (median) price for this scenario was approximately $7,000.

■ Scenario 3 — Healthcare (teaching hospital): Large enterprise (10,000 employees) with 1,000 external users, comprising doctors and other designated staff in doctors' practices. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X, and maybe others. Endpoints owned by: Doctors' practices. User location: On LANs in doctors' practices. Access to: Electronic health record applications; mixture of Web and legacy (via SSL VPN). Sensitivity: Patient records. Notes: Enterprise must comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements. PCs may be shared by doctors and other staff in doctors' practices. The average (median) price for this scenario was approximately $70,000.

■ Scenario 4 — Utilities (power): Large enterprise (20,000 employees) with 5,000 users

company is also investigating endpoint encryption solutions for its traveling workforce's PCs. The average (median) price for this scenario was approximately $200,000.

■ Scenario 5 — Financial services (retail bank): Large enterprise (20,000 employees) with 1 million external users, all retail banking customers. Usage: Variable, up to once every few months. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X; smartphones (including Android and iOS) and tablets (mainly iOS). Endpoints owned by: Customers, Internet cafes and others, possibly also customers' employers. User location: Public Internet, sometimes worldwide; possibly corporate LANs. Access to: Web application. Sensitivity: Personal bank accounts, up to $100,000 per account. Notes: Most customers are based in metropolitan and urban areas, but approximately 10% are in areas without mobile network coverage. The average (median) price for this scenario was approximately $1.9 million.

Note that these pricing scenarios do not reflect any discounts that a vendor may offer particular customers or prospects, and they do not reflect other considerations that contribute to the TCO of a user authentication solution (see "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership").

Vendor Strengths and Cautions

ActivIdentity

ActivIdentity, based in Fremont, California, was formed by the 2005 merger of ActivCard (which had acquired A-Space in 2004, giving it the 4TRESS product, focused on authentication in financial services) and Protocom (an enterprise single sign-on [ESSO] vendor). ActivIdentity was purchased by Assa Abloy in December 2010 and made part of its HID Global unit. The company has a long history in authentication and adjacent markets. Its current focus is on authentication and credential management across multiple market segments. As part of HID Global, ActivIdentity now has a stronger focus on common access cards for physical security, as well as for enterprise PC and network login.

ActivIdentity offers 4TRESS Authentication Server as a hardware appliance, aimed at enterprise and online banking or other external user implementations, or a software appliance aimed at enterprises and SMBs, as well as an SDK for direct integration in banking (or other) applications. It also offers 4TRESS AAA Server, with support for a small range of authentication methods (OTP tokens), as software for enterprises and SMBs.

Strengths

4TRESS Authentication Server has one of the widest ranges of supported authentication methods, and ActivIdentity offers one of the widest ranges of authentication methods. Overall, ActivIdentity has one of the strongest product or service offerings.

ActivIdentity demonstrated a strong sales strategy.


Reference customers typically cited functional capabilities, the pricing model or TCO as important decision factors.

Cautions

ActivIdentity has a small market share by customer numbers in comparison with other vendors in this research. However, overall, it is used by approximately 10 million end users.

Reference customer comments raised concerns about ActivIdentity's customer support, the reliability of the software and target system integration. Overall, reference customers were ambivalent about the company's customer support.

Authentify

Authentify, based in Chicago, was established in 1999. It offers OOB authentication services and has multiple OEM relationships (which include other vendors discussed in this Magic Quadrant). Authentify has a strong market focus on financial services, and tailors its offerings to banks' and others' need for layered security and fraud prevention measures.

In 2001, Authentify launched its multitenanted, cloud-based service providing OOB authentication by voice modes, adding SMS modes in 2007 and transaction verification for electronic funds transfer by voice modes in 2008. In voice modes, additional assurance can be provided by biometric voice (speaker) recognition. Authentify has recently launched 2CHK, a desktop and mobile app, activated by an OOB voice call or SMS exchange, that provides more robust transaction verification.

About half of Authentify's customers come from its channel partners, which include DocuSign, Entrust, FIS, RSA and Symantec. Direct customers come mainly from financial services, including major banks and insurance companies, but can also be found in healthcare, technology and service provider verticals.

Strengths

Although it has negligible market share by customer numbers, across its own and partner implementations, Authentify is likely used by hundreds of millions of end users.

Authentify clearly articulated a good market understanding and demonstrated a good geographic strategy.

Direct SS7 layer monitoring enables Authentify to detect call forwarding in many areas, defeating one type of attack against OOB authentication by voice.


Cautions

Authentify offers only OOB authentication. Furthermore, a majority of Authentify's clients use its OOB authentication for "transactional" systems, rather than as a primary authentication method for login — for example, registration confirmation, password change or recovery, real-time PIN delivery, credential activation, login from unknown machine or location (in the context of WFD or adaptive access control), transaction verification for funds withdrawal or transfer (often in the context of WFD or adaptive access control). However, these use cases map well to the wants and needs of Authentify's target market segment.

Authentify's offerings lack Security Assertion Markup Language (SAML) integration to cloud-based applications and services.

Authentify did not clearly articulate a strong sales or marketing strategy in comparison with other vendors in this research, nor did it demonstrate strong sales execution. However, Gartner notes that Authentify performs strongly within its target market segment.

CA Technologies

CA Technologies' history dates back to the 1970s, and the company has a history of growth through mergers and acquisitions, as well as internal product development. In 2010, CA Technologies acquired Arcot Systems, with which it already had an important strategic partnership. With its WebFort and RiskFort products, Arcot had made inroads into the WFD and online customer authentication markets (as well as for card issuers authorizing e-commerce payments) and, more recently, in the enterprise authentication market. The integrated products are now offered under the CA Advanced Authentication name, as hosted managed services, server software and SDK/APIs for direct integration into target systems, and CA AuthMinder as-a-Service (formerly Arcot A-OK) as a multitenanted cloud-based service. One of CA Technologies' distinctive features is ArcotID, a proprietary X.509 software token technology that protects the credentials on the endpoint device and binds them to the device.

The ex-Arcot portfolio also includes e-payment card authentication, secure electronic notification and delivery, and digital signature integrated with Adobe Acrobat. The acquisition also gave CA Technologies an established cloud services infrastructure and expertise for cloud delivery of other identity and access management (IAM) offerings.

CA Technologies offers OTP hardware tokens from Gemalto and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths


CA Technologies clearly articulated good market understanding and product/service strategy, as well as market, sales and geographic strategies. (This is where Arcot's acquisition by CA Technologies has had the most significant impact on the vendor's position in the market.)

Although it has a very small market share by customer numbers in comparison with other vendors in this Magic Quadrant, CA Technologies is used by more than 100 million end users.

CA Technologies came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3, 4 and 5. Notably, it offers zero-cost OTP software tokens for mobile phones.

Reference customers typically cited functional capabilities and good feedback from reference implementations as important decision factors. (However, some were unsure about recommending CA Technologies to their peers.) Reference customers were fairly satisfied with CA Technologies' customer support.

Cautions

CA Technologies is not as well-suited for SMBs, because its direct sales force typically does not do deals with an end-user count below 1,000.

The majority of CA Technologies' customers are in the Americas (with the bulk likely in North America).

Reference customer comments raised concerns about technical integration with existing infrastructure components and other implementation issues.

Cryptocard

Cryptocard, based in Ottawa, Canada, and Bracknell, U.K., has focused on the enterprise authentication market since 1989, often positioning itself as the lower-cost alternative to the market leaders. In 2006, Cryptocard merged with WhiteHat Consulting, adding a managed authentication service to its portfolio.

Cryptocard now offers three core products and services: Blackshield Cloud, a multitenanted cloud-based service; Blackshield Server, application software intended to run on one or more server instances; and Blackshield Service Provider Edition, a software application that service providers can use to create their own hosted versions of Blackshield Cloud.

Strengths

Cryptocard clearly articulated a good product/service strategy, coupled with strong technical innovation, as well as strong marketing, vertical industry and geographic strategies. It also demonstrated good market responsiveness.


Reference customers typically cited functional capabilities and expected performance and scalability as important decision factors. They liked Cryptocard's Active Directory synchronization and broad range of "token" form factors (including OOB authentication options). In addition, they were fairly satisfied with Cryptocard's customer support.

Cautions

Cryptocard has few customers in the Asia/Pacific region.

Reference customer comments raised concerns about ease of migration from Crypto-MAS to the Blackshield cloud-based service.

DS3

Founded in 1998 as RT Systems, this Singapore-based company changed its name to Data Security System Solutions (DS3) in 2001 to better reflect its market focus. In 2010, it raised institutional funding to expand and execute on its vision to provide solutions that will meet the user and data authentication requirements for different customer segments, different industries and different use cases.

DS3 offers DS3 Authentication Server as a hardware or software appliance for large-scale B2B/B2C deployments (launched in 2004); DS3 Authentication Security Module as a hardware appliance for smaller enterprise intranet implementations; DS3 Authentication Toolkit, an SDK/APIs for direct integration in banking (or other) applications (2009); and a hosted authentication service (2011). DS3 has a global partnership with IBM Security Services, which offers the DS3 Authentication Server worldwide under the name "IBM Identity and Access Management Services — total authentication solution."

DS3 offers OTP and X.509 hardware tokens from RSA, SafeNet, Vasco and others. DS3's partners benefit by being able to sell large volumes of tokens without the overheads of selling and supporting their own authentication infrastructure products.

Strengths

DS3 clearly articulated a good sales strategy and demonstrated good market responsiveness. Notably, DS3 responded positively to the financial crisis in 2008, when sales to banks slowed significantly, by expanding into other vertical industries, with some success.

DS3 Authentication Server has one of the widest ranges of supported authentication methods, including support for multiple OTP token types, and DS3 offers a wide range of authentication methods. DS3's broad OTP token support is also an advantage for an enterprise migrating from another vendor's offering, because it allows the continued use of that vendor's tokens for their remaining lifetime without the need to maintain that vendor's authentication server in parallel.

DS3's solutions are very scalable, which Gartner believes was an important factor in DS3's


DS3 came out very well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 2, 4 and 5.

Reference customers in financial services typically cited DS3's industry experience and reputation as important decision factors. Most found that DS3 responds to support requests fully and promptly. Overall, they were satisfied with DS3's customer support.

Cautions

DS3 has a negligible market share by customer numbers. However, it is already used by the Singapore government and many banks in the region, giving DS3 total end-user numbers of more than 5 million.

The majority of DS3's customers are in the Asia/Pacific region, although its partnership with IBM has begun to yield a few significant global sales, such as ING Bank in the Netherlands.

DS3 did not clearly articulate a strong market understanding or marketing strategy in comparison with other vendors in this research, or demonstrate strong marketing execution.

DS3's offerings lack SAML integration with cloud-based applications and services.

Reference customer comments raised minor concerns about the stability of features and customizability.

Entrust

Entrust, headquartered in Dallas, Texas, is a well-established security vendor offering fraud detection, citizen e-ID and data encryption tools, in addition to its authentication portfolio. Entrust's core authentication infrastructure, Entrust IdentityGuard, supports a much broader range of authentication methods than the OTP grid cards that first bore that name. Entrust, a public company since 1997, was taken private in 2009 by the private equity investment firm Thoma Bravo.

Since 2005, Entrust has offered IdentityGuard Authentication Server as server software. Entrust offers OOB authentication through a partnership with Authentify.

Strengths

Overall, Entrust has one of the strongest product or service offerings in the user authentication market. IdentityGuard incorporates some adaptive access control capabilities natively and can be coupled with TransactionGuard for full-blown WFD functions.

Entrust was among the lowest-cost options for Scenarios 4 and 5, but its pricing for Scenario 2 was second-highest. We also note that SAML integration to cloud-based applications and services for IdentityGuard requires a discrete "Federation Module" at an additional cost.

Reference customers typically cited functional capabilities and expected performance and


Cautions

Entrust did not clearly articulate a good market understanding or demonstrate strong market responsiveness or customer experience in comparison with other vendors in this research.

Entrust has a very small market share by customer numbers in comparison with other vendors in this research. However, it is used by an installed base of approximately 40 million end users.

There is no appliance or cloud-based version of IdentityGuard. Entrust tells us that it will be introducing a cloud-based version early in 2012.

Equifax

Equifax, based in Atlanta, Georgia, has a long history in identity, going back to 1899. It entered the user authentication market in 2010 with its acquisition of Anakam, a wide-focus authentication vendor with a market focus on healthcare and government.

Equifax's core offering in this market is the Anakam.TFA Two-Factor Authentication server software, launched in 2005, which is complemented by tools for identity proofing, risk assessment and credentialing. In 2011, it launched Anakam.ODI On-Demand Identity, a multitenanted, cloud-based service that integrates its product offerings with SAML-based federated single sign-on (SSO).

Strengths

Although it has negligible market share by customer numbers, Equifax is used by more than 100 million end users.

Equifax clearly articulated a good vertical industry strategy and demonstrated its overall viability.

Reference customers in healthcare typically cited Equifax's industry experience and understanding of their business needs as important decision factors. Reference customers were satisfied with Equifax's customer support.

Cautions

A significant majority of Equifax's customers are in North America, although the company does have a presence in Latin America and Europe.

Equifax did not clearly articulate a strong product/service strategy, strong technical innovation or a strong sales strategy in comparison with other vendors in this research.


Gemalto

Amsterdam-based Gemalto, formed in 2006 by the merger of Axalto (formerly the smart card division of Schlumberger) and Gemplus, is a leading smart card vendor, with a strong presence in the authentication market. It offers OTP tokens, as well as smart tokens. With the acquisitions of Xiring's authentication portfolio and, in particular, of Todos, Gemalto has broadened the range of its offerings in the financial services industry, which it has identified as a key market. Other recent acquisitions relevant to its authentication portfolio include Trusted Logic (a provider of open, secure software for consumer devices and digital services), Valimo (a pioneer in mobile digital ID, with solutions that enable secure authentication, digital signatures and transaction verification) and Multos International (originator of the Multos smart card OS).

Gemalto's core infrastructure products are Protiva Strong Authentication Server (server software) and Protiva Strong Authentication Service (a hosted managed service), as well as the Ezio System (server software for financial services and e-commerce) from the Todos acquisition.

Strengths

Gemalto came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 3 and 5. (However, it did not provide a quotation for Scenario 2.)

Gemalto demonstrated significant growth in its OTP token product lines, and has established itself as a credible provider of these authentication methods.

Reference customers were fairly satisfied with Gemalto's customer support, and their comments about the products were generally positive.

Cautions

Gemalto did not clearly articulate a good marketing strategy or technical innovation.

Although Gemalto is widely recognized as a leading smart card vendor, the company is rarely cited by Gartner clients in calls about authentication, generally.

i-Sprint Innovations

Singapore-based i-Sprint Innovations was founded in 2000 by ex-Citibank security professionals and is backed by global institutional investors. It was acquired in 2011 by Automated Systems Holdings Ltd. (ASL), a subsidiary of Teamsun. The companies are listed on the Hong Kong Stock Exchange and Shanghai Stock Exchange, respectively. The purchase bodes well for the expansion of i-Sprint's offerings into the Chinese market, given the Multi-Level Protection Scheme (MLPS) in China, which obliges companies to use only domestic security solutions.

Its AccessMatrix Universal Authentication Server (UAS), launched in 2005, is part of an integrated set of server software products, which also includes ESSO, WAM and SAPM tools.


Strengths

AccessMatrix UAS has one of the widest ranges of supported authentication methods, including support for multiple OTP token types, and i-Sprint offers a wide range of authentication methods.

i-Sprint clearly articulated a good product/service strategy, coupled with strong technical innovation, and it demonstrated good customer experience. Reference customers were very or extremely satisfied with i-Sprint's customer support.

i-Sprint was among the lowest-cost options for Scenarios 4 and 5.

Reference customers in financial services typically cited i-Sprint's industry experience, conformity to technical standards, and pricing model or TCO as important decision factors. They praised the robustness, maturity and sophistication of the product.

Cautions

i-Sprint has a negligible market share by customer numbers (although it is used by several million end users).

i-Sprint did not clearly articulate a strong market understanding or sales strategy in comparison with other vendors in this research.

The majority of i-Sprint's customers are in Asia/Pacific. Although its acquisition by ASL and likely future growth in China will only reinforce this bias, ASL may well provide the resources to enable significant overseas growth.

Reference customer comments raised some concerns about the complexity of UAS's administration interface and the suitability of audit reports for business users.

Nordic Edge

Sweden-based Nordic Edge was founded in 2001 and acquired by Intel in early 2011. Nordic Edge provides a broad range of IAM solutions, from provisioning of user information and SSO to software as a service (SaaS), as well as its wide-focus authentication offering.

Nordic Edge's core product is the Nordic Edge One Time Password Server, which can be delivered as server software, an SDK/API for Java and .NET/COM, and an on-demand Web service. Nordic Edge Opacus is also offered to service providers for them to offer a cloud-based authentication service as part of ERP, CRM and business intelligence cloud services, and this approach represents approximately 5% of its customers.


Strengths

Nordic Edge was among the lowest-cost options for Scenarios 2, 4 and 5. Notably, OTP software tokens for mobile phones are included in its OTP Server offering.

Reference customers typically cited Nordic Edge's industry experience, conformity to technical standards, and expected performance and scalability as important decision factors. Some reference customers highlighted Nordic Edge's flexibility, scalability and ease of installation.

Reference customers were, on average, very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

Nordic Edge has a negligible market share by customer numbers. (However, it is used by more than 1 million end users.)

Nordic Edge did not clearly articulate a strong marketing strategy or demonstrate strong market responsiveness in comparison with other vendors in this research.

The majority of Nordic Edge's deployments are in companies with fewer than 1,000 users.

PhoneFactor

PhoneFactor, based in Overland, Kansas, and established in 2001 as Positive Networks, has offered its multitenanted, cloud-based OOB authentication service since 2007. PhoneFactor provides agents for target system integration to VPNs, HVDs, Web applications and other systems, and an SDK/API for integration with Web application login and transaction processes. In conjunction with a third-party WFD tool, PhoneFactor can be used to authenticate high-risk logins or for transaction verification.

Strengths

PhoneFactor is the OOB authentication vendor most frequently cited by Gartner clients.

PhoneFactor is one of the few OOB authentication vendors that does not pass an OTP over the data channel in either direction, with all authentication information being exchanged over the air by the voice or SMS channel, making it less vulnerable to man-in-the-middle attacks.

PhoneFactor was among the lowest-cost options for Scenarios 2 and 5.

Reference customers typically cited PhoneFactor's functional capabilities and expected performance and scalability as important decision factors. PhoneFactor's ease of implementation and management were explicitly mentioned. Reference customers were very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

PhoneFactor offers a free version of its service, restricted to 25 users for one or two


Clients tell us that nearly all proof-of-concept implementations are converted to full enterprise licenses.

Cautions

PhoneFactor offers only phone-based authentication (OOB authentication, as well as a software token using push notification that was released in late 2011).

The company has very small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

PhoneFactor did not clearly articulate good market understanding, product/service strategy or marketing, vertical industry or geographic strategies, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

Reference customer comments raised some concerns about technical integration with some existing infrastructure components.

Quest Software

Quest Software, based in Aliso Viejo, California, offers a wide range of Windows, application, database and virtualization management tools. It has recently strengthened its IAM offerings with the acquisition of Voelcker Informatik. Its authentication offering is the Defender product line (offered in succession since 1995 by AssureNet Pathways, Axent Technologies, Symantec and PassGo Technologies).

The company's core infrastructure product is Quest Defender Security Server, delivered as security software. Defender offers OTP hardware tokens from ActivIdentity, SafeNet, Vasco, Yubico and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

Quest Software has relationships with several of the leading token manufacturers, which enable it to support one of the widest selections of OTP hardware tokens, as well as OTP software tokens and other methods. This is an advantage for an enterprise migrating from another vendor's offering, because it enables the continued use of that vendor's tokens for their remaining lifetime, without the need to maintain that vendor's authentication server in parallel.

Quest Software clearly articulated a good marketing strategy and demonstrated good marketing execution.

Quest Software was among the lowest-cost options for Scenarios 2 and 4. Some reference customers indicated that its TCO can be significantly lower than its major competitors', owing to, for example, reduced infrastructure requirements.


customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

Quest has negligible market share by customer numbers and is used by fewer than 200,000 end users. The majority of Quest Software's deployments are in companies with fewer than 1,000 users.

Quest Software did not clearly articulate a strong product/service strategy or geographic strategy, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

Defender Security Server lacks SAML integration with cloud-based applications and services.

Quest Software offers no appliance or cloud-based delivery options.

RSA, The Security Division of EMC

RSA, The Security Division of EMC, which is based in Bedford, Massachusetts, has a long history in the authentication market. Security Dynamics was founded in 1984, and began shipping its SecurID tokens in 1986. Security Dynamics acquired RSA Data Security in July 1996, to form RSA Security. In 2006, RSA was acquired by EMC. Other acquisitions have provided RSA with a broad portfolio of access and intelligence products.

RSA's flagship infrastructure product is RSA Authentication Manager (formerly ACE/Server), which is now offered as either server software or a hardware appliance. It also offers RSA SecurID Authentication Engine, a Java/C++ SDK/API for direct integration into applications and portals. From its acquisitions of Cyota (2005) and PassMark Security (2006), RSA has a WFD product, RSA Adaptive Authentication. It also offers RSA Adaptive Authentication for the enterprise, which can be used as part of an enterprise's layered authentication approach. The risk engine from RSA Adaptive Authentication is combined with RSA SecurID on-demand OOB authentication in the RSA Authentication Manager Express hardware appliance, launched in 2010 and targeted at remote access use cases in SMBs or small deployments in enterprises.

From its acquisition of Verid (2007), RSA Identity Verification provides identity proofing for new account registration, but can also be used for authentication of infrequent users (who would be unlikely to remember a legacy password) and call center caller verification.

RSA offers OOB authentication through a partnership with Authentify.

The Impact of the RSA Breach


successfully masquerade as legitimate users. We believe that this formed the basis of the subsequent (unsuccessful) attack against Lockheed Martin. That attack prompted RSA to offer replacement hardware or software tokens to its customers — all hardware tokens shipped after a brief hiatus following the attack are not compromised, and software tokens were never exposed — and we understand that many customers have replaced their tokens. (RSA tells us, however, that a "significant majority" have not.) The cost to RSA of replacing these tokens is estimated at $60 million. However, RSA has been impacted by the breach in other ways.

Since the breach, many Gartner clients have told us that they are looking at alternatives to RSA SecurID hardware tokens, but this is only sometimes because of the security concerns. In the majority of cases, the breach has prompted the company to review its historical decision to adopt RSA SecurID, leading the company to seek alternatives that offer a similar, or sometimes lower, level of assurance with lower TCO or better user experience — something that has long been a popular topic in client inquiries. Furthermore, we believe that RSA has lost much goodwill among some of its customers because of poor communication regarding the nature and impact of the breach (even though they might understand why RSA has focused its attention on its defense customers, which it believed were most at risk), the time RSA took to offer replacement tokens (although we believe that RSA would not have had the manufacturing capacity to do this any earlier) and to fulfill replacement requests (with several clients receiving their replacements over a period of months), and the contractual terms for the replacements (although we understand that RSA cannot provide free replacements under U.S. General Services Administration rules). These customers are likely to be looking hard at alternatives to RSA in the coming years. Nonetheless, it is highly likely that customer attrition will remain relatively small, given the "stickiness" of RSA SecurID deployments (because of the breadth of technical integration RSA offers) and, increasingly, a shift toward RSA SecurID software tokens and adaptive access control (especially if and when RSA integrates its risk engine into RSA Authentication Manager).

Strengths

Gartner estimates that RSA has a market share by customer numbers of about 25%, although this is appreciably lower than the previous year. (Note that this market share is based on 2010 numbers, and does not reflect any impact of the breach discussed above.) Overall, RSA is used by tens of millions of end users.

RSA is seen as the principal competitor by the majority of vendors in this research and has strong mind share among Gartner clients.

RSA demonstrated good overall viability (among the strongest of the vendors discussed in this research) and good marketing execution.


Cautions

Although RSA offers a market-leading WFD tool, RSA Adaptive Authentication, and we see significant enterprise interest in RSA Adaptive Authentication for the Enterprise, these products are only loosely coupled with RSA Authentication Manager. RSA now offers RSA Authentication Manager Express, which is aimed at the SMB market and combines the risk engine from RSA Adaptive Authentication with OOB authentication (RSA SecurID On-demand). However, RSA Authentication Manager still lacks this integration.

The majority of RSA's customers are in the Americas (with the bulk likely in North America).

RSA Authentication Manager and RSA Authentication Manager Express lack SAML integration to cloud-based applications and services.

Reference customer comments raised some concerns about ease of user management in RSA Authentication Server (which was often echoed by other vendors' reference customers' reasons for deciding against RSA).

A frequently mentioned reason among other vendors' reference customers for deciding against RSA Authentication Manager/RSA SecurID was its high cost. In fact, RSA was average or worse in most of the pricing scenarios, and was the highest-cost option for Scenario 5 by a wide margin. Although there is certainly a bias because of RSA's presence in the market, a significant number of client inquiries ask about "lower-cost alternatives to RSA."

SafeNet

SafeNet, based in Baltimore, Maryland, was established in 1983 as Industrial Resource Engineering and changed its name in 2000. In 2007, SafeNet was acquired by Vector Capital, which also acquired Aladdin Knowledge Systems two years later. Both firms now trade under the SafeNet name. Common ownership brings SafeNet's authentication offerings (from the 2004 to 2008 acquisitions of Rainbow Technologies and Datakey) together with those of Aladdin, which had a much stronger presence in that market segment with its legacy eToken offerings, as well as those from its acquisitions in 2008 of Eutronsec and the SafeWord product line from Secure Computing (one of the oldest lines of OTP tokens). SafeNet's other major product lines focus on software rights management and cryptography for data protection, including hardware security modules (HSMs).

SafeNet has two server software offerings: SafeNet Authentication Manager (SAM), which was formerly Aladdin's Token Management System, and SafeNet Authentication Manager Express, which was formerly SafeWord 2008. The latter supports a restricted set of authentication methods (OTP tokens and OOB authentication via SMS). SAM also provides CM capabilities and federated SSO to cloud-based applications. SafeNet also offers SafeNet OTP Authentication Engine, an SDK and API for direct integration of OTP authentication into target systems.

Strengths


Gartner estimates that SafeNet has a market share by customer numbers of approximately 20%. Overall, SafeNet is used by tens of millions of end users.

SafeNet clearly articulated its technical innovation, as well as good marketing, industry vertical and geographic strategy, and demonstrated good customer experience. It also demonstrated good overall viability, market responsiveness and market execution. Reference customers were very satisfied with SafeNet's customer support (one remarking that SafeNet had "gone to great lengths") and noted that it generally dealt with technical support requests fully and promptly.

SafeNet came out quite well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3 and 4; however, it was one of the higher-cost options for Scenario 5.

Reference customers' comments about the products were generally positive.

Cautions

SafeNet lacks any adaptive access control capability. Gartner sees this as a significant caution for a vendor with such a strong focus on the financial services market. SafeNet tells us that this capability is in development and will be released in 2Q12.

Although SafeNet has good mind share among Gartner clients, this still attaches to the SafeWord and (now defunct) Aladdin brand names, rather than to the SafeNet name itself. Gartner sees this as a continuing marketing challenge for SafeNet in the near term.

SecureAuth

Formed in 2005 as MultiFactor Corporation, this Irvine, California-based vendor changed its name to SecureAuth in 2010. SecureAuth IEP, which is delivered as a hardware or software appliance, combines its authentication infrastructure with the SSO capability of a WAM and support for federation using multiple protocols (see "MarketScope for Web Access Management").

Strengths

During the past year, SecureAuth has been one of the authentication vendors most frequently cited by Gartner clients, typically because of its low cost or ease of installation or because of its "tokenless" authentication method.

SecureAuth IEP is a single platform that integrates user authentication with federated SSO to cloud-based and Web applications, as well as VPNs. However, Gartner clients rarely cite this as a decision factor in choosing SecureAuth, and the company's lead with this approach may be somewhat eroded as other vendors roll out their support for SAML to provide similar federated SSO capabilities.

SecureAuth clearly articulated a good vertical/industry strategy.


Cautions

SecureAuth's primary authentication method is a kind of X.509 software token. This is not something Gartner sees widely used in practice, although SecureAuth does provide simple implementation of this method, without the constraints of legacy PKI approaches. Although SecureAuth offers KBA and OOB authentication methods (with out-of-the-box support for YubiKey and OATH-compliant tokens planned for 1Q12), and provides a flexible way of linking together multiple methods, relatively few of its customers use any of these other methods as their primary authentication methods.

SecureAuth does not provide high-assurance authentication methods, although it can integrate third-party methods such as X.509 hardware tokens (for example, PIV cards) to support high-assurance needs.

The vendor has negligible market share by customer numbers. Year-over-year growth has, however, been exceptionally strong. In this respect, SecureAuth is outperforming most larger vendors in this research.

SecureAuth did not clearly articulate a strong sales strategy or geographic strategy in comparison with other vendors considered in this research. Neither did it clearly articulate a strong market understanding in line with Gartner's view of enterprises' wants and needs across the market as a whole. Nevertheless, SecureAuth's growth demonstrates that it is addressing the wants and needs of a segment of the market.

SecurEnvoy

U.K.-based SecurEnvoy, formed in 2003, was one of the first vendors to offer OOB authentication solutions.

SecurEnvoy offers two server software products that meet the market definition for this Magic Quadrant: SecurAccess, launched in 2004 and aimed primarily at workforce remote access use cases, and SecurICE, launched in 2006, which supports secure remote access in the event of a disaster or other contingency. (Several other vendors support this as part of their standard user authentication product offering.) In 2009, SecurEnvoy launched SecurCloud, a program for resellers to deploy an authentication service based on the SecurEnvoy product suite as part of a wider cloud offering.

In addition, the company offers SecurMail, a simple email encryption tool, and SecurPassword, which allows secure self-service password reset for Windows using OOB techniques.

Strengths

SecurEnvoy clearly articulated a good vertical industry strategy.


SecurEnvoy came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3 and 4.

Cautions

SecurEnvoy has small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

A significant majority of SecurEnvoy's customers are in Europe. However, a majority of its larger customers use SecurEnvoy globally.

In comparison with the other vendors in this Magic Quadrant, SecurEnvoy did not clearly articulate a strong geographic strategy, nor did it demonstrate strong overall viability, marketing execution or customer experience (although no reference customers raised specific concerns).

SecurEnvoy's offerings lack SAML integration to cloud-based applications and services. SecurEnvoy tells us that SAML will be supported via Active Directory Federation Services early in 2012.

SecurEnvoy has no appliance- or cloud-based delivery options; however, these are available through some channel partners. SecurEnvoy also supports authentication as part of third-party cloud-based services via its SecurCloud offering.

SMS Passcode

Denmark-based SMS Passcode was established in 1999 as Conecto A/S, a consulting operation implementing mobile solutions. SMS Passcode OOB authentication, delivered as server software, was launched in 2005. At the end of 2009, the company sold off its consulting business and adopted the name of the product.

Strengths

SMS Passcode was among the lowest-cost options for Scenario 2.

Reference customers typically cited SMS Passcode's functional capabilities as an important decision factor. Expected performance and scalability, an understanding of business needs, and pricing model or TCO were often cited as well.

Reference customers were mostly extremely satisfied with SMS Passcode's customer support, and noted that it always dealt with support requests fully and promptly.

Cautions


Although it has customers in more than 40 countries, a significant majority of SMS Passcode's customers are in Europe.

SMS Passcode offers only OOB authentication. However, despite its name, the company does support voice modes, as well as SMS modes, through a partnership with TeleSign.

SMS Passcode did not clearly articulate a strong vertical industry strategy or demonstrate strong overall viability in comparison with other vendors in this research. (The vendor's emphasis is squarely on supporting common workforce access use cases out of the box and horizontally across all industries.)

Swivel Secure

U.K.-based Swivel Secure was established in 2000 and launched its PINsafe product line in 2003. Unique to Swivel's offerings is its proprietary enhanced password method, which allows a user to generate an OTP by combining a known PIN or pattern with a security string or graphic presented on the login pane or on a mobile phone (functioning as a token). Swivel also offers conventional OOB authentication with SMS and voice modules.

Strengths

Swivel offers the broadest range of delivery options of any provider discussed in this Magic Quadrant. PINsafe is available as a hardware or software appliance, server software, a managed service with customer premises equipment, and a multitenanted cloud-based service.

Swivel was among the lowest-cost options for Scenarios 3, 4 and 5. Notably, it offers zero-cost mobile clients (equivalent to OTP software tokens) for mobile phones.

Reference customers typically cited Swivel's pricing model or TCO as an important decision factor. They were very satisfied with the vendor's customer support, and noted that it always dealt with support requests fully and promptly.

Swivel is one of the few vendors in this Magic Quadrant to offer an enhanced password method, which is popular with many SMBs that are looking for an improvement over legacy password authentication but do not want or cannot justify "two-factor authentication." In addition, Swivel uses the same enhanced password method with its phone-based authentication methods, providing additional assurance compared with competing solutions that rely on a legacy password or a simple PIN.

Cautions

Swivel has very small market share by customer numbers in comparison with other vendors in this research.

Swivel did not clearly articulate a strong market understanding or marketing strategy, or


A significant majority of Swivel's customers are in Europe. However, these include some sizable global deployments supporting users in North America and the Asia/Pacific region, as well as in Europe.

Symantec

Symantec, based in Mountain View, California, has been a publicly traded company since 1989. It entered the authentication market in 2010 with the acquisition of VeriSign's Identity and Authentication business. (VeriSign had been spun off from RSA Security in 1995 to focus on PKI offerings.) The deal allows Symantec to use the VeriSign brand for its identity and authentication products until 2015, as well as VeriSign's "tick" icon, which has been incorporated into Symantec's logotype. Symantec has a more coherent and better-articulated vision for Validation and ID Protection Service (VIP) and adjacent products than VeriSign had.

Symantec VIP (formerly VeriSign Identity Protection Authentication Service) is delivered as a multitenanted cloud-based service. Symantec also offers a WFD tool, Symantec Fraud Detection System (FDS), as server software or a hosted managed service. The company also cites "synergies" with its data loss prevention and encryption products, but Gartner clients are not seeking authentication solutions in that context.

Symantec offers OTP hardware tokens from ActivIdentity, RSA, SafeNet, Vasco and others, and OOB authentication through a partnership with Authentify. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

Symantec demonstrated good marketing execution, and it is one of the authentication vendors most frequently cited by Gartner clients.

The vendor offers a wide range of authentication methods, including zero-cost OTP software tokens for mobile phones. However, although Symantec VIP does support OOB authentication, the majority of its customers use this as a backup for users who cannot use their OTP tokens, rather than as a primary authentication method.

In late 2011, Symantec incorporated the adaptive access control capabilities from its FDS into VIP to provide what Symantec calls "intelligent authentication."

Symantec was among the lowest-cost options for Scenarios 3, 4 and 5.

Reference customers typically cited Symantec's functional capabilities as an important decision factor (one said, "everything is as advertised"). Expected performance and scalability and, for financial services, industry experience were often cited, as well. One customer called attention to the flexibility of VIP and the ease of extending it to meet business needs. Some clients tell us that Symantec VIP is difficult to integrate with target systems; however, all but one of the reference customers asserted that they had no technical implementation challenges.
