
Page 1: Magic Quadrant for User Authentication 2012dss.lv/.../MagicQuadrantforUserAuthentication_2012.pdf · Magic Quadrant for User Authentication ... The Evaluation Criteria, which are

Magic Quadrant for User Authentication

17 January 2012 ID:G00227026

Analyst(s): Ant Allan


User authentication is dominated by three well-established, wide-focus vendors that command the majority of the market. Newer wide- and tight-focus vendors are making significant inroads and offer enterprises sound alternatives across a range of needs.

Market Definition/Description

A provider in the user authentication market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions and can be integrated with one or more enterprise systems to support one or more use cases. Where appropriate to the authentication methods supported, a provider in the user authentication market also delivers client-side software or hardware used by end users in those real-time authentication decisions.

This market definition does not include providers that deliver only one or more of the following:

1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors)

2. Software, hardware or a service, such as access management or Web fraud detection (WFD), that makes a real-time access decision and may interact with discrete user authentication software, hardware or services (for example, to provide "step up" authentication)

3. Credential management software, hardware or services, such as password management tools, card management (CM) tools and public-key infrastructure (PKI) certification authority (CA) and registration authority (RA) tools (including OCSP responders)

4. Software, hardware or services in other markets, such as Web access management (WAM) or VPN, that embed native support for one or many authentication methods

A provider in the user authentication market may, of course, deliver one or more such offerings as part of, or in addition to, its user authentication offering. Note, however, that, for the purposes of this Magic Quadrant, offerings of Type 2, 3 and 4 are not considered to be user authentication offerings and were not included in customer, end-user or revenue figures.


Magic Quadrant

Figure 1. Magic Quadrant for User Authentication

Source: Gartner (January 2012)


This Magic Quadrant replaces "MarketScope for Enterprise Broad-Portfolio Authentication Vendors." There are several important changes from the previous document. The change of document type, from MarketScope to Magic Quadrant, reflects the increasing maturity and significance of the user authentication market and the need to more clearly differentiate among the vendors along two axes. The Evaluation Criteria, which are detailed below, are significantly different from those used in the MarketScope. They were changed to include tight-focus vendors and wide-focus (or broad-portfolio) vendors. In addition, the minimum-revenue criterion no longer applies, which avoids penalizing vendors that offer lower pricing.

STRATEGIC PLANNING ASSUMPTIONS

By 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today.

By 2015, 30% of business-to-business and business-to-enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.

ACRONYM KEY AND GLOSSARY TERMS

ANSI American National Standards Institute

ASL Automated Systems Holdings Ltd.

B2B business to business

B2E business to enterprise

CA certification authority

CAP Chip Authentication Program

CM card management

DPA Dynamic Passcode Authentication (Visa)

DSS Data Security Standard (PCI)

EMV Europay, MasterCard and Visa

ESSO enterprise single sign-on

FDS Fraud Detection System (Symantec)

FERC Federal Energy Regulatory Commission (U.S.)

HIPAA Health Insurance Portability and Accountability Act (U.S.)

HITECH Health Information Technology for Economic and Clinical Health

HMAC Hash-based Message Authentication Code

HOTP HMAC-based OTP

HSM hardware security module

HSPD-12 Homeland Security Presidential Directive 12

HVD hosted virtual desktop

IAM identity and access management

KBA knowledge-based authentication

LDAP Lightweight Directory Access Protocol

MLPS Multi-Level Protection Scheme (China)

MSSP managed security service provider

NERC North American Electrical Reliability Corporation

NIST National Institute of Standards and Technology

OATH Initiative for Open Authentication

OCRA OATH Challenge-Response Algorithms

OOB out of band

OTP one-time password

PIV Personal Identity Verification

PKI public-key infrastructure

RA registration authority


Gartner sees user authentication vendors falling into four different categories with somewhat indistinct boundaries:

1. Specialist vendors: A specialist user authentication vendor focuses on a distinctive proprietary authentication method — either a unique method or a proprietary instantiation of a common method — and also offers a corresponding infrastructure or a software development kit (SDK) that will allow it to plug into customers' applications or other vendors' extensible infrastructures.

2. Commodity vendors: These vendors focus on one or a few well-established authentication methods, such as one-time password (OTP) tokens (hardware or software) and out of band (OOB) authentication methods. A commodity vendor may provide a basic infrastructure to support only those few methods, and its offerings will primarily interest small or midsize businesses (SMBs) and some small enterprises that still have narrower needs.

3. Tight-focus vendors: We characterize a commodity vendor that provides a robust, scalable infrastructure that can meet the needs of larger enterprises and global service providers — and sometimes augment other vendors' extensible infrastructures — as a tight-focus vendor.

4. Wide-focus (broad-portfolio) vendors: The defining characteristic of these vendors is offering or supporting many distinct authentication methods. A wide-focus vendor may also be a specialist vendor. It will typically offer a versatile, extensible authentication infrastructure that can support a wider range of methods than it offers, which may be sourced through original OEM agreements with one or more other vendors in any of these categories, or left to the enterprise to source directly from those vendors.

The vendors included in this Magic Quadrant fall into the third and fourth of these categories.

Market Size

Gartner's estimate for revenue across all segments of the authentication market for 2011 remains approximately $2 billion. However, the margin of error in this estimate is high, because not all the vendors included in this Magic Quadrant provided revenue data and because of the "long tail" of the more than 150 authentication vendors not included in it. Individual vendors included in this Magic Quadrant that did provide revenue data reported year-over-year revenue changes ranging from a greater than 10% decline to nearly 300% growth, with the median approximately 20% to 30% growth. More vendors — although still not all — provided customer numbers, and a majority of vendors reported growth in the 20% to 40% range, with some smaller vendors showing far greater growth.

We estimate the overall growth in the market by customers to be approximately 30% year over year. Because of the shift toward lower-cost authentication solutions, we estimate the overall growth by revenue to be approximately only 20%.

Range of Authentication Methods

Enterprise interest in OTP methods, broadly defined, remains high; however, as has already been noted, we have seen a significant shift in preference from traditional hardware tokens to phone-based authentication methods. Wide-focus user authentication vendors offer all these and more, generally offering or supporting knowledge-based authentication (KBA) methods or X.509 tokens (such as smart cards) as well. Most of the tight-focus vendors offer just phone-based authentication methods, especially OOB authentication methods (sometimes incorporating voice recognition as an option), with a few (none of which are included in this Magic Quadrant) offering only KBA or biometric authentication methods.

The vendors included in this Magic Quadrant may offer any of a variety of methods across a range of categories (see "A Taxonomy of Authentication Methods, Update"). These categories, and, where appropriate, the corresponding categories from the National Institute of Standards and Technology (NIST) Special Publication 800-63-1 "Electronic Authentication Guideline" (July 2011 draft), are:

KBA Lexical: This approach combines improved password methods and Q&A methods. An improved password method lets a user continue to use a familiar password, but provides more secure ways of entering the password or generating unique authentication information from the password. A Q&A method prompts the user to answer one or more questions, with the answers preregistered or based on on-hand or aggregated life history information. It corresponds to the NIST "preregistered knowledge token" category.

KBA Graphical: KBA graphical authentication uses pattern-based OTP methods and image-based methods. A pattern-based OTP method asks the user to remember a fixed, arbitrary pattern of cells in an on-screen grid that is randomly populated for each login and to construct an OTP from numbers assigned to those cells. An image-based method asks the user to remember a set of images or categories of images and to identify the appropriate images from random arrays presented at login. There is no corresponding NIST category.

OTP Token: This authentication method uses a specialized device or software application for an existing device, such as a smartphone, that generates an OTP, either continuously (time-synchronous) or on demand (event-synchronous), which the user enters at login. The token may incorporate a PIN or be used in conjunction with a simple password. This category also includes transaction authentication number (TAN) lists and grid cards for "generating" OTPs. Note that the "OTP" category does not include "OTP by SMS" or similar methods, which Gartner classes as OOB authentication methods. One of several algorithms may be used:

American National Standards Institute (ANSI) X9.9 (time- or event-synchronous or challenge-response)

Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP), time-based OTP (TOTP) or OATH Challenge-Response Algorithms (OCRA)

Europay, MasterCard and Visa (EMV); MasterCard Chip Authentication Program (CAP); or Visa Dynamic Passcode Authentication (DPA), also called remote chip authentication

A proprietary algorithm

The corresponding NIST categories are "multifactor OTP hardware token," "single-factor OTP token" and "look-up secret token."

X.509 token: This X.509 PKI-based method uses a specialized hardware device, such as a smart card, or software that holds public-key credentials (keys or certificates) that are used in an automated cryptographic authentication mechanism. The token may be PIN-protected, biometric-enabled or used in conjunction with a simple password. It corresponds to NIST categories "multifactor hardware cryptographic token," "multifactor software cryptographic token" and "single-factor cryptographic token."
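The OATH HOTP and TOTP algorithms named in the OTP Token category above are small enough to show in full. The code below is an added example written for this page, not Gartner's or any listed vendor's code: it implements RFC 4226 HOTP and RFC 6238 TOTP and the two server-side verification rules that follow from the time- versus event-synchronous distinction in the text. For an event-synchronous token the server keeps the last accepted counter and searches a look-ahead window, because the user may have pressed the token's button without logging in; for a time-synchronous token the server tolerates a small number of time steps of clock drift. The window sizes, the `verify_*` function names and the in-memory counter handling are assumptions of the example; the secret is the published RFC test-vector key, so the codes match the vectors in RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Real deployments provision a per-token random secret, never a shared or printed one.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)          # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (time-synchronous)."""
    return hotp(secret, at // step, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Event-synchronous verification.

    Searches counters strictly above the last accepted one (so a replayed code is
    rejected) up to `look_ahead` steps ahead (so a token that was clicked a few
    times without a login resynchronises). Returns the accepted counter, which the
    caller must persist as the new `last_counter`, or None on failure.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                drift: int = 1, digits: int = 6) -> bool:
    """Time-synchronous verification tolerating +/- `drift` time steps of clock skew.

    A production verifier additionally records the time step of the last accepted
    code and refuses a second code for the same step, which this example omits.
    """
    current = at // step
    for candidate in range(current - drift, current + drift + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Event-synchronous: token was pressed three times, server last saw counter 0.
    print("HOTP counter 3:", hotp(RFC_TEST_SECRET, 3))
    print("accepted counter:", verify_hotp(RFC_TEST_SECRET, hotp(RFC_TEST_SECRET, 3), 0))
    # Time-synchronous: 8-digit code at t=59 from the RFC 6238 SHA-1 vector.
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59, digits=8))
```

`verify_hotp` returns the counter rather than a boolean on purpose: storing it is what makes the method replay-resistant, and a server that forgets to advance the stored counter silently accepts every old code again.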

SaaS software as a service

SAM SafeNet Authentication Manager

SAML Security Assertion Markup Language

SAPM shared account password management

SDK software development kit

SMB small or midsize business

SSL Secure Sockets Layer

SSO single sign-on

TAN transaction authentication number

TCO total cost of ownership

TOTP time-based OTP

UAS Universal Authentication Server (i-Sprint)

VAS versatile authentication server

VIP Validation and ID Protection Service

WAM Web access management

WFD Web fraud detection

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships, as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand the buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.


Other token: This category of methods embraces any other type of token, such as a magnetic stripe card, an RFID token or a 125kHz proximity card, a CD token or proprietary software that "tokenizes" a generic device, such as a USB NAND flash drive or an MP3 player. There is no corresponding NIST category.

OOB authentication: This category of methods uses an OOB channel (for example, SMS or voice telephony) to exchange authentication information (for example, sending the user an OTP that he or she enters via the PC keyboard). It is typically used in conjunction with a simple password. (Some vendors also support OTP delivery via email in a similar way; however, this is not strictly "OOB," because the OTP is sent over the same data channel as the connection to the server.) The corresponding NIST category is "out-of-band token."

Biological biometric: A biological biometric authentication method uses a biological characteristic (such as face topography, iris structure, vein structure of the hand or a fingerprint) as the basis for authentication. It may be used in conjunction with a simple password or some type of token. There's no corresponding NIST category.

Behavioral biometric: A behavioral biometric authentication method uses a behavioral trait (such as voice and typing rhythm) as the basis for authentication. It may be used in conjunction with a simple password or some kind of token. There's no corresponding NIST category.
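The OOB authentication category above describes the flow from the user's side (a code arrives by SMS or voice and is typed at the PC). The server side of that flow is what decides whether the method is actually stronger than the password it accompanies, so the following added example, written for this page and not taken from Gartner or any vendor, shows it: the code is drawn from a secure random source, leaves the server only through a delivery callback standing in for the SMS/voice gateway, is stored as a hash bound to the session that requested it, and is accepted once, within a lifetime and an attempt limit. The in-memory store, the delivery callback, the 300-second lifetime, the three-attempt limit and the sample phone number are all assumptions of the example. The binding to the session matters for exactly the reason the text gives for email delivery: a code that can be redeemed from any session is no longer tied to the channel it was sent over.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3        # assumed number of guesses before the code is discarded


@dataclass
class PendingChallenge:
    otp_hash: bytes     # hash of (session id, code); the clear code is never stored
    issued_at: float
    attempts: int = 0


class OobAuthenticator:
    """Server side of an SMS/voice OOB OTP step (example design, not a product's).

    `send(address, message)` is the delivery callback; in production it would be
    the SMS or voice gateway. `clock` is injectable so expiry can be tested.
    """

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending = {}          # user id -> PendingChallenge (in-memory store, assumed)

    @staticmethod
    def _hash(otp: str, session_id: str) -> bytes:
        # Binding the session id into the hash means a code intercepted on the
        # OOB channel cannot be redeemed from a session other than the one that asked.
        return hashlib.sha256(f"{session_id}:{otp}".encode()).digest()

    def issue(self, user_id: str, session_id: str, phone: str) -> None:
        """Generate a fresh code, remember only its bound hash, send it out of band."""
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = PendingChallenge(self._hash(otp, session_id), self._clock())
        self._send(phone, f"Your verification code is {otp}")   # only exit path for the code

    def verify(self, user_id: str, session_id: str, submitted: str) -> bool:
        """Accept a code at most once, within OTP_TTL_SECONDS and MAX_ATTEMPTS."""
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False
        if self._clock() - challenge.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]                    # expired: force a new issue
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]                    # too many guesses: discard
            return False
        ok = hmac.compare_digest(self._hash(submitted, session_id), challenge.otp_hash)
        if ok:
            del self._pending[user_id]                    # single use
        return ok


if __name__ == "__main__":
    outbox = []
    auth = OobAuthenticator(lambda phone, msg: outbox.append((phone, msg)))
    auth.issue("alice", "session-1", "+1 555 0100")   # constructed sample number
    code = outbox[-1][1].split()[-1]                   # what the user reads off the phone
    print("accepted:", auth.verify("alice", "session-1", code))
    print("replay accepted:", auth.verify("alice", "session-1", code))
```

Two points are easy to get wrong in real deployments and are visible here: the expiry check runs before the attempt counter is touched, so an expired code cannot be brute-forced at leisure, and the code is never returned to the caller of `issue`, which is the property that keeps the channel out of band.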

In the research for this Magic Quadrant, a vendor's range of authentication methods offered and supported was evaluated as part of the assessment of the strength of its product or service offering. Note that some vendors offer only one or a few authentication methods, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.

Use Cases for New Authentication Methods

Many enterprises adopt new authentication methods to support one or many use cases — the most common of which are workforce remote access, especially access to corporate networks and applications via a VPN or hosted virtual desktop (HVD), and external-user remote access, especially retail-customer access to Web applications. The same new authentication method may be used across one or a few use cases, but the more use cases an enterprise must support, the more likely it needs to support multiple authentication methods to provide a reasonable and appropriate balance of authentication strength, total cost of ownership (TCO) and user experience in each case.

A full range of use cases is enumerated below. Vendors included in this Magic Quadrant can typically support multiple use cases. The endpoint access use cases, however, cannot use a vendor's authentication infrastructure, because the endpoints are not network-connected at login, but rather demand direct integration of a new authentication method into the client OS. (Note that Microsoft Windows natively supports "interactive smart card login" — that is, X.509 token-based authentication.)

Not all vendors have equal experience in all use cases; some may have a stronger track record in enterprise use cases, such as workforce remote access, while others may focus on access to retail-customer applications, especially in financial services. Not all the vendors in this Magic Quadrant were able to break down their customer numbers on this basis.

The authentication use cases that Gartner considered in preparing this Magic Quadrant (with the relevant subcategories) are:

Endpoint access

PC preboot authentication: Preboot access to a stand-alone or networked PC by any user

PC login: Access to a stand-alone PC by any user

Mobile device login: Access to a mobile device by any user

Workforce local access

Windows LAN: Access to a Windows network by any workforce user

Business application: Access to any individual business applications (Web or legacy) by any workforce user

Cloud applications: Access to cloud applications, such as salesforce.com and Google Apps, by any remote or mobile workforce user

Server (system administrator): Access to a server (or similar) by a system administrator (or similar)

Network infrastructure (network administrator): Access to firewalls, routers, switches and so on by a network administrator (or similar) on the corporate network

Workforce remote access

VPN: Access to the corporate network via an IPsec VPN or a Secure Sockets Layer (SSL) VPN, by any remote or mobile workforce user

HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any remote or mobile workforce user

Business Web applications: Access to business Web applications by any workforce user

Portals: Access to portal applications, such as Outlook Web App and self-service HR portals, by any remote or mobile workforce user

Cloud applications: Access to cloud apps, such as salesforce.com and Google Apps, by any remote or mobile workforce user

External users

VPN: Access to back-end applications via IPsec or SSL VPN by any business partner, supply chain partner or other external user

HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any business partner, supply chain partner or other external user

Business Web applications: Access to Web applications by any business partner, supply chain partner or other external user (except retail customers)

Retail customer applications: Access to customer-facing Web applications

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.

© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on


For each use case, the enterprise must identify the methods, or combinations of methods, that fit best, considering at least authentication strength, TCO and user experience (see "How to Choose New Authentication Methods").

Note that some vendors have a particular focus on one use case or a few use cases, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.

Market Trends and Other Considerations

Versatile Authentication Servers (VASs)

A VAS is a single product or service that supports a variety of open and proprietary authentication methods in multiplatform environments. It may be delivered as server software, as a virtual or hardware appliance, or as a cloud-based service, typically with a multitenanted architecture.

A VAS typically supports OTP tokens and OOB authentication, and may also support one or more of the following: KBA methods, X.509 tokens and biometric authentication methods. A VAS must, at minimum, support one or more standards-based authentication methods — most commonly, OTP tokens using algorithms developed by the OATH — or have an extensible architecture to enable third-party authentication methods to be "plugged in" as required, without the need for a discrete third-party server or service.

A VAS vendor is likely a wide-focus authentication vendor, but not all wide-focus authentication vendors are VAS vendors. Even if a vendor supports a wide range of methods, its authentication infrastructure does not properly qualify as "versatile" if it supports only the vendor's proprietary methods or those licensed from another vendor. (RSA, The Security Division of EMC, is the most notable example of such a vendor.) Nonetheless, if the vendor can offer a wide-enough range of authentication methods, it may still be able to deliver much of the value of a true VAS. However, enterprises must consider the impact of vendor lock-in, particularly when it may restrict the future adoption of fit-for-purpose authentication methods.

Most wide-focus vendors are now VAS vendors. With few exceptions, VASs are the only authentication infrastructure they offer (although with different delivery options). Thus, even if a customer is adopting only one kind of authentication method from such a vendor, it will be implementing a VAS that gives it the flexibility to change or add methods to support future needs.

Tight-focus vendors are necessarily not VAS vendors.

Cloud-Based Authentication Services

Several included vendors offer cloud-based authentication services — either traditional managed (hosted) services or new multitenanted cloud-based services — or partner with third-party managed security service providers (MSSPs) ranging from global telcos to smaller, local firms (for example, Sygnify, Tata Communications and Verizon Business). A cloud-based service can be a VAS, but most MSSPs to date have focused on supporting only a small range of methods — typically OTP hardware tokens and sometimes OOB authentication methods. However, we are also seeing some interest in smart cards as a service offering, especially among U.S. federal government agencies seeking to leverage the Personal Identity Verification (PIV) cards mandated by Homeland Security Presidential Directive 12 (HSPD-12).

Historically, cloud-based authentication services have had the most traction among SMBs — companies with fewer than 1,000 employees — and in public-sector verticals (government and higher education). Costs, resources and around-the-clock support considerations make a service offering appealing to these customers.

However, adoption of cloud-based authentication services among private-sector enterprises is increasing, although not because they are explicitly seeking this delivery option. Gartner sees several vendors successfully offering only a cloud-based service (or promoting such a service over any on-premises offering), and enterprises are choosing such solutions based on their overall value proposition. (Of course, the cost advantages of cloud-based services are implicitly part of that value proposition.)

We expect greater adoption of cloud-based services among enterprises as multitenanted cloud-based services mature and as cloud computing becomes more widely adopted as a way of delivering business applications and services generally. Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today. However, it is likely that on-premises solutions will persist, especially in more risk-averse enterprises that want to retain full control of identity administration, credentialing and verification.

Adaptive Access Control

A number of the vendors included in this Magic Quadrant have WFD tools (see "Magic Quadrant for Web Fraud Detection") that are primarily aimed at financial services providers but have attracted interest from enterprises in other sectors, notably government and healthcare. WFD tools provide adaptive access control capabilities; several vendors use the term "risk-based authentication," but the scope of these solutions goes beyond authentication alone (see "Adaptive Access Control Emerges").

Adaptive access control uses a dynamic risk assessment based on a range of user and asset attributes, and other contextual information — for example, transaction value, endpoint identity and status, IP reputation, IP- or GPS-based geolocation, and user history and behavior — to make an access decision. Above a defined risk threshold, the tool can be set to deny a transaction, allow it but alert, prompt for reauthentication or authentication with a higher-assurance method, prompt for transaction verification, and so on. This capability provides an essential component in a layered fraud prevention approach (see "The Five Layers of Fraud Prevention and Using Them to Beat Malware").

In typical enterprise use cases, adaptive access control capability can minimize the burden of higher-assurance authentication on the user by limiting its use to those instances where the level of risk demands it. For example, if a user accesses a VPN or Web application from a known endpoint and location, then a legacy password alone may suffice; however, if the endpoint is unknown or the location is unusual, then the user would, for example, be prompted to use OOB authentication. Gartner projects that, during the next two to three years, such capability will become more important over a wider range of use cases and will be more widely supported among mainstream user authentication products and services, especially among wide-focus vendors. By 2015, 30% of business to business (B2B) and business to enterprise (B2E) enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.
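The decision logic described above, as an added example that is not part of the Gartner report or any vendor's product: a small policy engine that scores a request from the contextual attributes the text names (endpoint identity, geolocation, IP reputation, transaction value, user history) and maps the score onto the actions listed (allow, allow but alert, step up to a higher-assurance method, verify the transaction, deny). The attribute names, weights and thresholds are constructed for illustration only.

```python
"""Adaptive access control decision engine (added illustration, not from the report)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"                      # legacy password alone suffices
    ALLOW_AND_ALERT = "allow_and_alert"  # let it through, raise an alert for review
    STEP_UP = "step_up"                  # prompt for a higher-assurance method (e.g. OOB)
    VERIFY_TRANSACTION = "verify_txn"    # confirm the transaction out of band
    DENY = "deny"


@dataclass
class AccessContext:
    """Attributes observed at the moment of the access request (constructed fields)."""
    user: str
    endpoint_id: str          # device fingerprint or agent identity
    country: str              # IP- or GPS-based geolocation
    ip_reputation: str        # "good", "suspicious" or "bad" from a reputation feed
    transaction_value: float = 0.0
    failed_logins_last_hour: int = 0


@dataclass
class UserHistory:
    """What the system has previously seen for this user."""
    known_endpoints: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)


# Constructed weights and thresholds; a real product tunes these from fraud data.
WEIGHTS = {
    "unknown_endpoint": 40,
    "unusual_location": 40,
    "ip_suspicious": 20,
    "ip_bad": 100,
    "high_value_transaction": 25,
    "repeated_failures": 15,
}
HIGH_VALUE = 10_000.0
ALERT_AT, STEP_UP_AT, DENY_AT = 20, 40, 100


def risk_score(ctx: AccessContext, history: UserHistory) -> Tuple[int, List[str]]:
    """Sum the weights of every risk signal present; return the score and the reasons."""
    reasons: List[str] = []
    if ctx.endpoint_id not in history.known_endpoints:
        reasons.append("unknown_endpoint")
    if ctx.country not in history.usual_countries:
        reasons.append("unusual_location")
    if ctx.ip_reputation == "suspicious":
        reasons.append("ip_suspicious")
    elif ctx.ip_reputation == "bad":
        reasons.append("ip_bad")
    if ctx.transaction_value >= HIGH_VALUE:
        reasons.append("high_value_transaction")
    if ctx.failed_logins_last_hour >= 3:
        reasons.append("repeated_failures")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int, has_transaction: bool) -> Decision:
    """Map a score onto the actions the report lists, highest threshold first."""
    if score >= DENY_AT:
        return Decision.DENY
    if score >= STEP_UP_AT:
        return Decision.VERIFY_TRANSACTION if has_transaction else Decision.STEP_UP
    if score >= ALERT_AT:
        return Decision.ALLOW_AND_ALERT
    return Decision.ALLOW


def evaluate(ctx: AccessContext, history: UserHistory) -> Tuple[Decision, int, List[str]]:
    """Score the request and return (decision, score, reasons) for logging and audit."""
    score, reasons = risk_score(ctx, history)
    return decide(score, ctx.transaction_value > 0), score, reasons


def remember_endpoint(ctx: AccessContext, history: UserHistory) -> None:
    """After a successful step-up, the endpoint and location become 'known' for next time."""
    history.known_endpoints.add(ctx.endpoint_id)
    history.usual_countries.add(ctx.country)


if __name__ == "__main__":
    hist = UserHistory(known_endpoints={"pc-0042"}, usual_countries={"US"})
    # Constructed requests: a routine login, then the same user from an unknown PC,
    # a high-value transaction from an unusual country, and a request from a bad IP.
    for ctx in (
        AccessContext("alice", "pc-0042", "US", "good"),
        AccessContext("alice", "pc-0099", "US", "good"),
        AccessContext("alice", "pc-0042", "BR", "good", transaction_value=15_000),
        AccessContext("alice", "pc-0099", "BR", "bad"),
    ):
        print(evaluate(ctx, hist))
```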

X.509 Tokens

Unlike OTP tokens and OOB authentication offerings, "authentication using X.509 tokens" does not represent a complete product of fully integrated components provided by a single vendor, but rather an ensemble of discrete components from two or more vendors. Thus, X.509 token projects can be significantly more complex than they may appear at first. Enterprises must identify combinations of the different components that are interoperable, as demonstrated through true technology partnerships, rather than simply through comarketing and coselling agreements, and should demand multiple reference implementations.

Among the vendors included in this Magic Quadrant, some (such as ActivIdentity, Gemalto and SafeNet) provide only the smart cards, middleware and CM tools. Others (such as Symantec) provide only the PKI components. For many enterprises, the PKI tools embedded in Microsoft Windows Active Directory will be good enough, so any of the former vendors may be sound choices. Where enterprises have a need for richer functionality in their PKI components, both types of vendor are needed.

It is important to note, however, that this "incompleteness" is a market reality for X.509-based authentication, and vendors offering smart tokens and supporting X.509-based authentication in their authentication infrastructure products were not penalized for lacking PKI tools in the development of this Magic Quadrant. Moreover, X.509-based authentication for Windows PC and network login is natively supported, so it does not need an authentication infrastructure, such as those offered by the vendors included in this Magic Quadrant. Enterprises seeking to support this can consider other vendors offering smart tokens (for example, G&D, Morpho and Oberthur Technologies), PC middleware (from the smart token vendors or others, such as charismathics) and CM tools (from the smart token vendors or others, such as Bell ID and Intercede).

Pricing Scenarios

For this Magic Quadrant, vendor pricing was evaluated across the following scenarios:

Scenario 1 — Communications (publishing and news media): Small enterprise (3,000 employees) with 3,000 workforce users of "any" kind. Usage: Daily, several times per day. Endpoints: PC — approximately 60% Windows XP and Vista (AD), and 40% Mac OS X (OpenLDAP). Endpoints owned by: Company. User location: Corporate LAN. Access to: PC and LAN, downstream business and content management applications, mixture of internal and external Web and legacy. Sensitivity: Company- and customer-confidential information. Notes: The company also plans to refresh its building access systems and may be receptive to a "common access card" approach. The average (median) price for this scenario was approximately $125,000.

Scenario 2 — Retail ("high street" and online store): Large enterprise (10,000 employees) with 50 workforce users, limited to system administrators and other data center staff. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista. Endpoints owned by: Company. User location: Corporate LAN. Access to: Windows, Unix, and IBM i and z servers, Web and application servers, network infrastructure. Sensitivity: Business-critical platforms. Notes: Users have personal accounts on all servers, plus use of shared accounts mediated by a shared account password management (SAPM) tool (for example, Cyber-Ark Software and Quest Software). Users also need contingency access to assets via an SSL VPN from PCs ("any" OS). The company has already deployed 1,500 RSA SecurID hardware tokens for remote access for its mobile workforce. It must comply with the U.S. Sarbanes-Oxley Act, PCI Data Security Standard (DSS) and other requirements as appropriate to targets accessed. The average (median) price for this scenario was approximately $7,000.

Scenario 3 — Healthcare (teaching hospital): Large enterprise (10,000 employees) with 1,000 external users, comprising doctors and other designated staff in doctors' practices. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X, and maybe others. Endpoints owned by: Doctors' practices. User location: On LANs in doctors' practices. Access to: Electronic health record applications; mixture of Web and legacy (via SSL VPN). Sensitivity: Patient records. Notes: Enterprise must comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements. PCs may be shared by doctors and other staff in doctors' practices. The average (median) price for this scenario was approximately $70,000.

Scenario 4 — Utilities (power): Large enterprise (20,000 employees) with 5,000 users comprising traveling workforce and a "roaming" campus workforce. Usage: Daily, several times per day to several times per week. Endpoints: PC (mainly Windows XP), smartphones (mainly BlackBerry) and some other devices. Endpoints owned by: The company. User location: Public Internet and corporate WLAN. Access to: Business applications, mixture of internal Web and legacy, via SSL VPN or WLAN. Sensitivity: Company- and customer-confidential information, financial systems (some users), information about critical infrastructure (some users). Notes: Must comply with U.S. Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC) and other regulatory and legal requirements. The company is also investigating endpoint encryption solutions for its traveling workforce's PCs. The average (median) price for this scenario was approximately $200,000.

Scenario 5 — Financial services (retail bank): Large enterprise (20,000 employees) with 1 million external users, all retail banking customers. Usage: Variable, up to once every few months. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X; smartphones (including Android and iOS) and tablets (mainly iOS). Endpoints owned by: Customers, Internet cafes and others, possibly also customers' employers. User location: Public Internet, sometimes worldwide; possibly corporate LANs. Access to: Web application. Sensitivity: Personal bank accounts, up to $100,000 per account. Notes: Most customers are based in metropolitan and urban areas, but approximately 10% are in areas without mobile network coverage. The average (median) price for this scenario was approximately $1.9 million.

Note that these pricing scenarios do not reflect any discounts that a vendor may offer particular customers or prospects, and they do not reflect other considerations that contribute to the TCO of a user authentication solution (see "Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership").


Vendor Strengths and Cautions

ACTIVIDENTITY

ActivIdentity, based in Fremont, California, was formed by the 2005 merger of ActivCard (which had acquired A-Space in 2004, giving it the 4TRESS product, focused on authentication in financial services) and Protocom (an enterprise single sign-on [ESSO] vendor). ActivIdentity was purchased by Assa Abloy in December 2010 and made part of its HID Global unit. The company has a long history in authentication and adjacent markets. Its current focus is on authentication and credential management across multiple market segments. As part of HID Global, ActivIdentity now has a stronger focus on common access cards for physical security, as well as for enterprise PC and network login.

ActivIdentity offers 4TRESS Authentication Server as a hardware appliance, aimed at enterprise and online banking or other external user implementations, or a software appliance aimed at enterprises and SMBs, as well as an SDK for direct integration in banking (or other) applications. It also offers 4TRESS AAA Server, with support for a small range of authentication methods (OTP tokens), as software for enterprises and SMBs.

Strengths

4TRESS Authentication Server has one of the widest ranges of supported authentication methods, and ActivIdentity offers one of the widest ranges of authentication methods. Overall, ActivIdentity has one of the strongest product or service offerings.

ActivIdentity demonstrated a strong sales strategy.

ActivIdentity came out very well in the pricing scenarios and was among the lowest-cost options for Scenario 5.

Reference customers typically cited functional capabilities, the pricing model or TCO as important decision factors.

Cautions

ActivIdentity has a small market share by customer numbers in comparison with other vendors in this research. However, overall, it is used by approximately 10 million end users.

Reference customer comments raised concerns about ActivIdentity's customer support, the reliability of the software and target system integration. Overall, reference customers were ambivalent about the company's customer support.


AUTHENTIFY

Authentify, based in Chicago, was established in 1999. It offers OOB authentication services and has multiple OEM relationships (which include other vendors discussed in this Magic Quadrant). Authentify has a strong market focus on financial services, and tailors its offerings to banks' and others' need for layered security and fraud prevention measures.

In 2001, Authentify launched its multitenanted, cloud-based service providing OOB authentication by voice modes, adding SMS modes in 2007 and transaction verification for electronic funds transfer by voice modes in 2008. In voice modes, additional assurance can be provided by biometric voice (speaker) recognition. Authentify has recently launched 2CHK, a desktop and mobile app, activated by an OOB voice call or SMS exchange, that provides more robust transaction verification.

About half of Authentify's customers come from its channel partners, which include DocuSign, Entrust, FIS, RSA and Symantec. Direct customers come mainly from financial services, including major banks and insurance companies, but can also be found in healthcare, technology and service provider verticals.

Strengths

Although it has negligible market share by customer numbers, across its own and partner implementations, Authentify is likely used by hundreds of millions of end users.

Authentify clearly articulated a good market understanding and demonstrated a good geographic strategy.

Direct SS7 layer monitoring enables Authentify to detect call forwarding in many areas, defeating one type of attack against OOB authentication by voice.

Authentify came out fairly well in the pricing scenarios, and was among the lowest-cost options for Scenario 5, which represents its target market segment. Although it was the highest-cost option for Scenario 4 by a huge margin, this use case is not representative of its target market segment.

Cautions

Authentify offers only OOB authentication. Furthermore, a majority of Authentify's clients use its OOB authentication for "transactional" systems, rather than as a primary authentication method for login — for example, registration confirmation, password change or recovery, real-time PIN delivery, credential activation, login from unknown machine or location (in the context of WFD or adaptive access control), transaction verification for funds withdrawal or transfer (often in the context of WFD or adaptive access control). However, these use cases map well to the wants and needs of Authentify's target market segment.

Authentify's offerings lack Security Assertion Markup Language (SAML) integration to cloud-based applications and services.

Authentify did not clearly articulate a strong sales or marketing strategy in comparison with other vendors in this research, nor did it demonstrate strong sales execution. However, Gartner notes that Authentify performs strongly within its target market segment.


CA TECHNOLOGIES

CA Technologies' history dates back to the 1970s, and the company has a history of growth through mergers and acquisitions, as well as internal product development. In 2010, CA Technologies acquired Arcot Systems, with which it already had an important strategic partnership. With its WebFort and RiskFort products, Arcot had made inroads into the WFD and online customer authentication markets (as well as for card issuers authorizing e-commerce payments) and, more recently, in the enterprise authentication market. The integrated products are now offered under the CA Advanced Authentication name, as hosted managed services, server software and SDK/APIs for direct integration into target systems, and CA AuthMinder as-a-Service (formerly Arcot A-OK) as a multitenanted cloud-based service. One of CA Technologies' distinctive features is ArcotID, a proprietary X.509 software token technology that protects the credentials on the endpoint device and binds them to the device.

The ex-Arcot portfolio also includes e-payment card authentication, secure electronic notification and delivery, and digital signature integrated with Adobe Acrobat. The acquisition also gave CA Technologies an established cloud services infrastructure and expertise for cloud delivery of other identity and access management (IAM) offerings.

CA Technologies offers OTP hardware tokens from Gemalto and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

Overall, CA Technologies has one of the strongest product or service offerings. CA Advanced Authentication tightly integrates the adaptive access control capabilities of its WFD tool, CA Arcot RiskFort, with the authentication component, CA Arcot WebFort (soon to be renamed CA AuthMinder).

CA Technologies clearly articulated good market understanding and product/service strategy, as well as market, sales and geographic strategies. (This is where Arcot's acquisition by CA Technologies has had the most significant impact on the vendor's position in the market.)

Although it has a very small market share by customer numbers in comparison with other vendors in this Magic Quadrant, CA Technologies is used by more than 100 million end users.

CA Technologies came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3, 4 and 5. Notably, it offers zero-cost OTP software tokens for mobile phones.

Reference customers typically cited functional capabilities and good feedback from reference implementations as important decision factors. (However, some were unsure about recommending CA Technologies to their peers.) Reference customers were fairly satisfied with CA Technologies' customer support.

Cautions

CA Technologies is not as well-suited for SMBs, because its direct sales force typically does not do deals with an end-user count below 1,000.

The majority of CA Technologies' customers are in the Americas (with the bulk likely in North America).

Reference customer comments raised concerns about technical integration with existing infrastructure components and other implementation issues.


CRYPTOCARD

Cryptocard, based in Ottawa, Canada, and Bracknell, U.K., has focused on the enterprise authentication market since 1989, often positioning itself as the lower-cost alternative to the market leaders. In 2006, Cryptocard merged with WhiteHat Consulting, adding a managed authentication service to its portfolio.

Cryptocard now offers three core products and services: Blackshield Cloud, a multitenanted cloud-based service; Blackshield Server, application software intended to run on one or more server instances; and Blackshield Service Provider Edition, a software application that service providers can use to create their own hosted versions of Blackshield Cloud.

Strengths

Cryptocard clearly articulated a good product/service strategy, coupled with strong technical innovation, as well as strong marketing, vertical industry and geographic strategies. It also demonstrated good market responsiveness.

Cryptocard came out fairly well in the pricing scenarios, and was among the lowest-cost options for Scenario 2.

Reference customers typically cited functional capabilities and expected performance and scalability as important decision factors. They liked Cryptocard's Active Directory synchronization and broad range of "token" form factors (including OOB authentication options). In addition, they were fairly satisfied with Cryptocard's customer support.

Cautions

Cryptocard has few customers in the Asia/Pacific region.

Reference customer comments raised concerns about ease of migration from Crypto-MAS to the Blackshield cloud-based service.


DS3

Founded in 1998 as RT Systems, this Singapore-based company changed its name to Data Security System Solutions (DS3) in 2001 to better reflect its market focus. In 2010, it raised institutional funding to expand and execute on its vision to provide solutions that will meet the user and data authentication requirements for different customer segments, different industries and different use cases.

DS3 offers DS3 Authentication Server as a hardware or software appliance for large-scale B2B/B2C deployments (launched in 2004); DS3 Authentication Security Module as a hardware appliance for smaller enterprise intranet implementations; DS3 Authentication Toolkit, an SDK/APIs for direct integration in banking (or other) applications (2009); and a hosted authentication service (2011). DS3 has a global partnership with IBM Security Services, which offers the DS3 Authentication Server worldwide under the name "IBM Identity and Access Management Services — total authentication solution."

DS3 offers OTP and X.509 hardware tokens from RSA, SafeNet, Vasco and others. DS3's partners benefit by being able to sell large volumes of tokens without the overheads of selling and supporting their own authentication infrastructure products.


Strengths

DS3 clearly articulated a good sales strategy and demonstrated good market responsiveness. Notably, DS3 responded positively to the financial crisis in 2008, when sales to banks slowed significantly, by expanding into other vertical industries, with some success.

DS3 Authentication Server has one of the widest ranges of supported authentication methods, including support for multiple OTP token types, and DS3 offers a wide range of authentication methods. DS3's broad OTP token support is also an advantage for an enterprise migrating from another vendor's offering, because it allows the continued use of that vendor's tokens for their remaining lifetime without the need to maintain that vendor's authentication server in parallel.

DS3's solutions are very scalable, which Gartner believes was an important factor in DS3's winning Singapore's National Authentication Framework for a countrywide authentication service.

DS3 came out very well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 2, 4 and 5.

Reference customers in financial services typically cited DS3's industry experience and reputation as important decision factors. Most found that DS3 responds to support requests fully and promptly. Overall, they were satisfied with DS3's customer support.

Cautions

DS3 has a negligible market share by customer numbers. However, it is already used by the Singapore government and many banks in the region, giving DS3 total end-user numbers of more than 5 million.

The majority of DS3's customers are in the Asia/Pacific region, although its partnership with IBM has begun to yield a few significant global sales, such as ING Bank in the Netherlands.

DS3 did not clearly articulate a strong market understanding or marketing strategy in comparison with other vendors in this research, or demonstrate strong marketing execution.

DS3's offerings lack SAML integration with cloud-based applications and services.

Reference customer comments raised minor concerns about the stability of features and customizability.


ENTRUST

Entrust, headquartered in Dallas, Texas, is a well-established security vendor offering fraud detection, citizen e-ID and data encryption tools, in addition to its authentication portfolio. Entrust's core authentication infrastructure, Entrust IdentityGuard, supports a much broader range of authentication methods than the OTP grid cards that first bore that name. Entrust, a public company since 1997, was taken private in 2009 by the private equity investment firm Thoma Bravo.

Since 2005, Entrust has offered IdentityGuard Authentication Server as server software. Entrust offers OOB authentication through a partnership with Authentify.

Strengths

Overall, Entrust has one of the strongest product or service offerings in the user authentication market. IdentityGuard incorporates some adaptive access control capabilities natively and can be coupled with TransactionGuard for full-blown WFD functions.

Entrust was among the lowest-cost options for Scenarios 4 and 5, but its pricing for Scenario 2 was second-highest. We also note that SAML integration to cloud-based applications and services for IdentityGuard requires a discrete "Federation Module" at an additional cost.

Reference customers typically cited functional capabilities and expected performance and scalability as important decision factors.

Cautions

Entrust did not clearly articulate a good market understanding or demonstrate strong market responsiveness or customer experience in comparison with other vendors in this research.

Entrust has a very small market share by customer numbers in comparison with other vendors in this research. However, it is used by an installed base of approximately 40 million end users.

There is no appliance or cloud-based version of IdentityGuard. Entrust tells us that it will be introducing a cloud-based version early in 2012.


EQUIFAX

Equifax, based in Atlanta, Georgia, has a long history in identity, going back to 1899. It entered the user authentication market in 2010 with its acquisition of Anakam, a wide-focus authentication vendor with a market focus on healthcare and government.

Equifax's core offering in this market is the Anakam.TFA Two-Factor Authentication server software, launched in 2005, which is complemented by tools for identity proofing, risk assessment and credentialing. In 2011, it launched Anakam.ODI On-Demand Identity, a multitenanted, cloud-based service that integrates its product offerings with SAML-based federated single sign-on (SSO).

Strengths

Although it has negligible market share by customer numbers, Equifax is used by more than 100 million end users.

Equifax clearly articulated a good vertical industry strategy and demonstrated its overall viability.

Reference customers in healthcare typically cited Equifax's industry experience and understanding of their business needs as important decision factors. Reference customers were satisfied with Equifax's customer support.

Cautions

A significant majority of Equifax's customers are in North America, although the company does have a presence in Latin America and Europe.

Equifax did not clearly articulate a strong product/service strategy, strong technical innovation or a strong sales strategy in comparison with other vendors in this research.


Only Equifax's Anakam.ODI On-Demand Identity offering provides SAML integration to cloud-based applications and services.


GEMALTO

Amsterdam-based Gemalto, formed in 2006 by the merger of Axalto (formerly the smart card division of Schlumberger) and Gemplus, is a leading smart card vendor, with a strong presence in the authentication market. It offers OTP tokens, as well as smart tokens. With the acquisitions of Xiring's authentication portfolio and, in particular, of Todos, Gemalto has broadened the range of its offerings in the financial services industry, which it has identified as a key market. Other recent acquisitions relevant to its authentication portfolio include Trusted Logic (a provider of open, secure software for consumer devices and digital services), Valimo (a pioneer in mobile digital ID, with solutions that enable secure authentication, digital signatures and transaction verification) and Multos International (originator of the Multos smart card OS).

Gemalto's core infrastructure products are Protiva Strong Authentication Server (server software) and Protiva Strong Authentication Service (a hosted managed service), as well as the Ezio System (server software for financial services and e-commerce) from the Todos acquisition.

Strengths

Gemalto came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 1, 3 and 5. (However, it did not provide a quotation for Scenario 2.)

Gemalto demonstrated significant growth in its OTP token product lines, and has established itself as a credible provider of these authentication methods.

Reference customers were fairly satisfied with Gemalto's customer support, and their comments about the products were generally positive.

Cautions

Gemalto did not clearly articulate a good marketing strategy or technical innovation.

Although Gemalto is widely recognized as a leading smart card vendor, the company is rarely cited by Gartner clients in calls about authentication generally.


I-SPRINT INNOVATIONS

Singapore-based i-Sprint Innovations was founded in 2000 by ex-Citibank security professionals and is

backed by global institutional investors. It was acquired in 2011 by Automated Systems Holdings Ltd.

(ASL), a subsidiary of Teamsun. The companies are listed in the Hong Kong Stock Exchange and

Shanghai Stock Exchange respectively. The purchase bodes well for the expansion of i-Sprint's offerings

into the Chinese market, given the Multi-Level Protection Scheme (MLPS) in China, which obliges

companies to use only domestic security solutions.

Its AccessMatrix Universal Authentication Server (UAS), launched in 2005, is part of an integrated set

of server software products, which also includes ESSO, WAM and SAPM tools.

i-Sprint offers OTP hardware tokens from ActivIdentity, Gemalto, SafeNet, Vasco and others. (Like

other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

AccessMatrix UAS has one of the widest ranges of supported authentication methods, including

support for multiple OTP token types, and i-Sprint offers a wide range of authentication methods.

i-Sprint clearly articulated a good product/service strategy, coupled with strong technical

innovation, and it demonstrated good customer experience. Reference customers were very or

extremely satisfied with i-Sprint's customer support.

i-Sprint was among the lowest-cost options for Scenarios 4 and 5.

Reference customers in financial services typically cited i-Sprint's industry experience, conformity to technical standards, and pricing model or TCO as important decision factors. They praised the robustness, maturity and sophistication of the product.

Cautions

i-Sprint has a negligible market share by customer numbers (although it is used by several million end users).

i-Sprint did not clearly articulate a strong market understanding or sales strategy in comparison with other vendors in this research.

The majority of i-Sprint's customers are in Asia/Pacific. Although its acquisition by ASL and likely future growth in China will only reinforce this bias, ASL may well provide the resources to enable significant overseas growth.

Reference customer comments raised some concerns about the complexity of UAS's administration interface and the suitability of audit reports for business users.


NORDIC EDGE

Sweden-based Nordic Edge was founded in 2001 and acquired by Intel in early 2011. Nordic Edge provides a broad range of IAM solutions, from provisioning of user information and SSO to software as a service (SaaS), as well as its wide-focus authentication offering.

Nordic Edge's core product is the Nordic Edge One Time Password Server, which can be delivered as server software, an SDK/API for Java and .NET/COM, and an on-demand Web service. Nordic Edge Opacus is also offered to service providers for them to offer a cloud-based authentication service as part of ERP, CRM and business intelligence cloud services, and this approach represents approximately 5% of its customers.

Nordic Edge offers OTP hardware tokens from Feitian Technologies and Yubico. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)


Strengths

Nordic Edge was among the lowest-cost options for Scenarios 2, 4 and 5. Notably, OTP software tokens for mobile phones are included in its OTP Server offering.

Reference customers typically cited Nordic Edge's industry experience, conformity to technical standards, and expected performance and scalability as important decision factors. Some reference customers highlighted Nordic Edge's flexibility, scalability and ease of installation.

Reference customers were, on average, very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

Nordic Edge has a negligible market share by customer numbers. (However, it is used by more than 1 million end users.)

Nordic Edge did not clearly articulate a strong marketing strategy or demonstrate strong market responsiveness in comparison with other vendors in this research.

The majority of Nordic Edge's deployments are in companies with fewer than 1,000 users.


PHONEFACTOR

PhoneFactor, based in Overland, Kansas, and established in 2001 as Positive Networks, has offered its multitenanted, cloud-based OOB authentication service since 2007. PhoneFactor provides agents for target system integration to VPNs, HVDs, Web applications and other systems, and an SDK/API for integration with Web application login and transaction processes. In conjunction with a third-party WFD tool, PhoneFactor can be used to authenticate high-risk logins or for transaction verification.

Strengths

PhoneFactor is the OOB authentication vendor most frequently cited by Gartner clients.

PhoneFactor is one of the few OOB authentication vendors that does not pass an OTP over the data channel in either direction, with all authentication information being exchanged over the air by the voice or SMS channel, making it less vulnerable to man-in-the-middle attacks.

PhoneFactor was among the lowest-cost options for Scenarios 2 and 5.

Reference customers typically cited PhoneFactor's functional capabilities and expected performance and scalability as important decision factors. PhoneFactor's ease of implementation and management were explicitly mentioned. Reference customers were very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

PhoneFactor offers a free version of its service, restricted to 25 users for one or two applications, with no time limit. This may provide a complete solution for some SMBs, but it also offers a low-risk proof of concept for any company seeking a larger implementation. Clients tell us that nearly all proof-of-concept implementations are converted to full enterprise licenses.

Cautions

PhoneFactor offers only phone-based authentication (OOB authentication, as well as a software token using push notification that was released in late 2011).

The company has very small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

PhoneFactor did not clearly articulate good market understanding, product/service strategy or marketing, vertical industry or geographic strategies, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

Reference customer comments raised some concerns about technical integration with some existing infrastructure components.


QUEST SOFTWARE

Quest Software, based in Aliso Viejo, California, offers a wide range of Windows, application, database and virtualization management tools. It has recently strengthened its IAM offerings with the acquisition of Voelcker Informatik. Its authentication offering is the Defender product line (offered in succession since 1995 by AssureNet Pathways, Axent Technologies, Symantec and PassGo Technologies).

The company's core infrastructure product is Quest Defender Security Server, delivered as security software. Defender offers OTP hardware tokens from ActivIdentity, SafeNet, Vasco, Yubico and others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

Quest Software has relationships with several of the leading token manufacturers, which enable it to support one of the widest selections of OTP hardware tokens, as well as OTP software tokens and other methods. This is an advantage for an enterprise migrating from another vendor's offering, because it enables the continued use of that vendor's tokens for their remaining lifetime, without the need to maintain that vendor's authentication server in parallel.

Quest Software clearly articulated a good marketing strategy and demonstrated good marketing execution.

Quest Software was among the lowest-cost options for Scenarios 2 and 4. Some reference customers indicated that its TCO can be significantly lower than its major competitors', owing to, for example, reduced infrastructure requirements.

Reference customers typically cited Defender's functional capabilities and pricing model or TCO as important decision factors. Reference customers were very satisfied with the vendor's customer support, and noted that it always dealt with technical support requests fully and promptly.

Cautions

Quest has negligible market share by customer numbers and is used by fewer than 200,000 end users. The majority of Quest Software's deployments are in companies with fewer than 1,000 users.


Quest Software did not clearly articulate a strong product/service strategy or geographic strategy, nor did it demonstrate strong market responsiveness in comparison with other vendors in this research.

Defender Security Server lacks SAML integration with cloud-based applications and services.

Quest Software offers no appliance or cloud-based delivery options.


RSA, THE SECURITY DIVISION OF EMC

RSA, The Security Division of EMC, which is based in Bedford, Massachusetts, has a long history in the authentication market. Security Dynamics was founded in 1984, and began shipping its SecurID tokens in 1986. Security Dynamics acquired RSA Data Security in July 1996, to form RSA Security. In 2006, RSA was acquired by EMC. Other acquisitions have provided RSA with a broad portfolio of access and intelligence products.

RSA's flagship infrastructure product is RSA Authentication Manager (formerly ACE/Server), which is now offered as either server software or a hardware appliance. It also offers RSA SecurID Authentication Engine, a Java/C++ SDK/API for direct integration into applications and portals.

From its acquisitions of Cyota (2005) and PassMark Security (2006), RSA has a WFD product, RSA Adaptive Authentication. It also offers RSA Adaptive Authentication for the enterprise, which can be used as part of an enterprise's layered authentication approach. The risk engine from RSA Adaptive Authentication is combined with RSA SecurID on-demand OOB authentication in the RSA Authentication Manager Express hardware appliance, launched in 2010 and targeted at remote access use cases in SMBs or small deployments in enterprises.

From its acquisition of Verid (2007), RSA Identity Verification provides identity proofing for new account registration, but can also be used for authentication of infrequent users (who would be unlikely to remember a legacy password) and call center caller verification.

RSA offers OOB authentication through a partnership with Authentify.

The Impact of the RSA Breach

In March 2011, RSA was successfully attacked by what Gartner believes to have been two China-based hacking groups, at least one of which has a history of going after U.S. defense companies. We have inferred that the breach exposed the token records of all then-extant RSA SecurID hardware tokens, including the seed values used to generate the OTPs, allowing the attackers to successfully masquerade as legitimate users. We believe that this formed the basis of the subsequent (unsuccessful) attack against Lockheed Martin. That attack prompted RSA to offer replacement hardware or software tokens to its customers — all hardware tokens shipped after a brief hiatus following the attack are not compromised, and software tokens were never exposed — and we understand that many customers have replaced their tokens. (RSA tells us, however, that a "significant majority" have not.) The cost to RSA of replacing these tokens is estimated at $60 million. However, RSA has been impacted by the breach in other ways.
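As an added illustration (not from this report and not RSA's code), the following Python models why an exposed token record is equivalent to a cloned token, and what a verifying server can still do about it: reject replays, refuse records marked compromised, and re-seed, which is what a replacement token amounts to. It uses OATH TOTP (RFC 6238), the algorithm behind the OATH-compliant tokens mentioned throughout this report, in place of RSA's proprietary SecurID algorithm, which the report does not describe. The serial number, the seed (the RFC 6238 reference seed) and the timestamps are constructed.

```python
import hashlib
import hmac
import struct

# Constructed values: the RFC 6238 reference seed and an arbitrary fixed clock.
DEMO_SEED = b"12345678901234567890"
DEMO_TIME = 1_700_000_000


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """OATH TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


class TokenRegistry:
    """Server-side token records: whoever holds a record's seed can mint its OTPs."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def enrol(self, serial: str, seed: bytes) -> None:
        self._records[serial] = {"seed": seed, "status": "active", "last_counter": -1}

    def mark_compromised(self, serial: str) -> None:
        # An exposed record must not authenticate anyone, the genuine user included.
        self._records[serial]["status"] = "compromised"

    def reissue(self, serial: str, new_seed: bytes) -> None:
        # Replacement token: a fresh seed invalidates everything derived from the old one.
        self._records[serial] = {"seed": new_seed, "status": "active", "last_counter": -1}

    def verify(self, serial: str, otp: str, unix_time: int,
               step: int = 30, window: int = 1) -> bool:
        rec = self._records.get(serial)
        if rec is None or rec["status"] != "active":
            return False
        counter = unix_time // step
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if candidate <= rec["last_counter"]:
                continue  # replay protection: each time step is accepted at most once
            if hmac.compare_digest(hotp(rec["seed"], candidate), otp):
                rec["last_counter"] = candidate
                return True
        return False


def demo() -> dict:
    """Genuine use, a clone built from the leaked seed, then remediation."""
    reg = TokenRegistry()
    reg.enrol("TOKEN-0001", DEMO_SEED)
    t = DEMO_TIME
    results = {}
    results["genuine_accepted"] = reg.verify("TOKEN-0001", totp(DEMO_SEED, t), t)
    # The same OTP presented again within the same step is rejected as a replay.
    results["replay_rejected"] = not reg.verify("TOKEN-0001", totp(DEMO_SEED, t), t)
    # A clone computed from the leaked seed is indistinguishable from the real token.
    results["clone_accepted"] = reg.verify("TOKEN-0001", totp(DEMO_SEED, t + 30), t + 30)
    reg.mark_compromised("TOKEN-0001")
    results["compromised_rejected"] = not reg.verify("TOKEN-0001", totp(DEMO_SEED, t + 60), t + 60)
    new_seed = bytes(range(20))  # constructed replacement seed
    reg.reissue("TOKEN-0001", new_seed)
    results["old_seed_rejected"] = not reg.verify("TOKEN-0001", totp(DEMO_SEED, t + 90), t + 90)
    results["new_token_accepted"] = reg.verify("TOKEN-0001", totp(new_seed, t + 90), t + 90)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```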

Since the breach, many Gartner clients have told us that they are looking at alternatives to RSA SecurID hardware tokens, but this is only sometimes because of the security concerns. In the majority of cases, the breach has prompted the company to review its historical decision to adopt RSA SecurID, leading the company to seek alternatives that offer a similar, or sometimes lower, level of assurance with lower TCO or better user experience — something that has long been a popular topic in client inquiries. Furthermore, we believe that RSA has lost much goodwill among some of its customers because of poor communication regarding the nature and impact of the breach (even though they might understand why RSA has focused its attention on its defense customers, which it believed were most at risk), the time RSA took to offer replacement tokens (although we believe that RSA would not have had the manufacturing capacity to do this any earlier) and to fulfill replacement requests (with several clients receiving their replacements over a period of months), and the contractual terms for the replacements (although we understand that RSA cannot provide free replacements under U.S. General Services Administration rules). These customers are likely to be looking hard at alternatives to RSA in the coming years. Nonetheless, it is highly likely that customer attrition will remain relatively small, given the "stickiness" of RSA SecurID deployments (because of the breadth of technical integration RSA offers) and, increasingly, a shift toward RSA SecurID software tokens and adaptive access control (especially if and when RSA integrates its risk engine into RSA Authentication Manager).

Strengths

Gartner estimates that RSA has a market share by customer numbers of about 25%, although this is appreciably lower than the previous year. (Note that this market share is based on 2010 numbers, and does not reflect any impact of the breach discussed above.) Overall, RSA is used by tens of millions of end users.

RSA is seen as the principal competitor by the majority of vendors in this research and has strong mind share among Gartner clients.

RSA demonstrated good overall viability (among the strongest of the vendors discussed in this research) and good marketing execution.

Reference customers in financial services typically cited RSA's industry experience as an important decision factor. All references also cited the functional capabilities, and some the expected performance and scalability, of RSA's products. Reference customers noted that the company generally dealt with technical support requests fully and promptly. Although reference customers were, on average, fairly satisfied with RSA's customer support, the rankings were widely spread.

Cautions

Although RSA offers a market-leading WFD tool, RSA Adaptive Authentication, and we see significant enterprise interest in RSA Adaptive Authentication for the Enterprise, these products are only loosely coupled with RSA Authentication Manager. RSA now offers RSA Authentication Manager Express, which is aimed at the SMB market and combines the risk engine from RSA Adaptive Authentication with OOB authentication (RSA SecurID On-demand). However, RSA Authentication Manager still lacks this integration.

The majority of RSA's customers are in the Americas (with the bulk likely in North America).

RSA Authentication Manager and RSA Authentication Manager Express lack SAML integration to cloud-based applications and services.


Reference customer comments raised some concerns about ease of user management in RSA Authentication Server (which was often echoed by other vendors' reference customers' reasons for deciding against RSA).

A frequently mentioned reason among other vendors' reference customers for deciding against RSA Authentication Manager/RSA SecurID was its high cost. In fact, RSA was average or worse in most of the pricing scenarios, and was the highest-cost option for Scenario 5 by a wide margin. Although there is certainly a bias because of RSA's presence in the market, a significant number of client inquiries ask about "lower-cost alternatives to RSA."


SAFENET

SafeNet, based in Baltimore, Maryland, was established in 1983 as Industrial Resource Engineering and changed its name in 2000. In 2007, SafeNet was acquired by Vector Capital, which also acquired Aladdin Knowledge Systems two years later. Both firms now trade under the SafeNet name. Common ownership brings SafeNet's authentication offerings (from the 2004 to 2008 acquisitions of Rainbow Technologies and Datakey) together with those of Aladdin, which had a much stronger presence in that market segment with its legacy eToken offerings, as well as those from its acquisitions in 2008 of Eutronsec and the SafeWord product line from Secure Computing (one of the oldest lines of OTP tokens). SafeNet's other major product lines focus on software rights management and cryptography for data protection, including hardware security modules (HSMs).

SafeNet has two server software offerings: SafeNet Authentication Manager (SAM), which was formerly Aladdin's Token Management System, and SafeNet Authentication Manager Express, which was formerly SafeWord 2008. The latter supports a restricted set of authentication methods (OTP tokens and OOB authentication via SMS). SAM also provides CM capabilities and federated SSO to cloud-based applications. SafeNet also offers SafeNet OTP Authentication Engine, an SDK and API for direct integration of OTP authentication into target systems.

Strengths

SafeNet offers a wide range of authentication methods. Overall, SafeNet has one of the strongest product or service offerings in the market.

Gartner estimates that SafeNet has a market share by customer numbers of approximately 20%. Overall, SafeNet is used by tens of millions of end users.

SafeNet clearly articulated its technical innovation, as well as good marketing, industry vertical and geographic strategy, and demonstrated good customer experience. It also demonstrated good overall viability, market responsiveness and market execution. Reference customers were very satisfied with SafeNet's customer support (one remarking that SafeNet had "gone to great lengths") and noted that it generally dealt with technical support requests fully and promptly.

SafeNet came out quite well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3 and 4; however, it was one of the higher-cost options for Scenario 5.

Reference customers' comments about the products were generally positive.

Cautions

SafeNet lacks any adaptive access control capability. Gartner sees this as a significant caution for a vendor with such a strong focus on the financial services market. SafeNet tells us that this capability is in development and will be released in 2Q12.

Although SafeNet has good mind share among Gartner clients, this still attaches to the SafeWord and (now defunct) Aladdin brand names, rather than to the SafeNet name itself. Gartner sees this as a continuing marketing challenge for SafeNet in the near term.


SECUREAUTH

Formed in 2005 as MultiFactor Corporation, this Irvine, California-based vendor changed its name to SecureAuth in 2010. SecureAuth IEP, which is delivered as a hardware or software appliance, combines its authentication infrastructure with the SSO capability of a WAM and support for federation using multiple protocols (see "MarketScope for Web Access Management").

Strengths

During the past year, SecureAuth has been one of the authentication vendors most frequently cited by Gartner clients, typically because of its low cost or ease of installation or because of its "tokenless" authentication method.

SecureAuth IEP is a single platform that integrates user authentication with federated SSO to cloud-based and Web applications, as well as VPNs. However, Gartner clients rarely cite this as a decision factor in choosing SecureAuth, and the company's lead with this approach may be somewhat eroded as other vendors roll out their support for SAML to provide similar federated SSO capabilities.

SecureAuth clearly articulated a good vertical/industry strategy.

SecureAuth was among the lowest-cost options for Scenarios 1 and 5, and SecureAuth IEP can cost less than some stand-alone solutions for federated SSO or user authentication.

Cautions

SecureAuth's primary authentication method is a kind of X.509 software token. This is not something Gartner sees widely used in practice, although SecureAuth does provide simple implementation of this method, without the constraints of legacy PKI approaches. Although SecureAuth offers KBA and OOB authentication methods (with out-of-the-box support for YubiKey and OATH-compliant tokens planned for 1Q12), and provides a flexible way of linking together multiple methods, relatively few of its customers use any of these other methods as their primary authentication methods.

SecureAuth does not provide high-assurance authentication methods, although it can integrate third-party methods such as X.509 hardware tokens (for example, PIV cards) to support high-assurance needs.


The vendor has negligible market share by customer numbers. Year-over-year growth has, however, been exceptionally strong. In this respect, SecureAuth is outperforming most larger vendors in this research.

SecureAuth did not clearly articulate a strong sales strategy or geographic strategy in comparison with other vendors considered in this research. Neither did it clearly articulate a strong market understanding in line with Gartner's view of enterprises' wants and needs across the market as a whole. Nevertheless, SecureAuth's growth demonstrates that it is addressing the wants and needs of a segment of the market.


SECURENVOY

U.K.-based SecurEnvoy, formed in 2003, was one of the first vendors to offer OOB authentication solutions.

SecurEnvoy offers two server software products that meet the market definition for this Magic Quadrant: SecurAccess, launched in 2004 and aimed primarily at workforce remote access use cases, and SecurICE, launched in 2006, which supports secure remote access in the event of a disaster or other contingency. (Several other vendors support this as part of their standard user authentication product offering.) In 2009, SecurEnvoy launched SecurCloud, a program for resellers to deploy an authentication service based on the SecurEnvoy product suite as part of a wider cloud offering.

In addition, the company offers SecurMail, a simple email encryption tool, and SecurPassword, which allows secure self-service password reset for Windows using OOB techniques.

Strengths

SecurEnvoy clearly articulated a good vertical industry strategy.

The vendor provides a range of configuration options for OOB authentication via SMS modes that enable an enterprise to address operational issues (such as latency and lack of signal) and balance user experience against a desired level of security.

SecurEnvoy came out well in the pricing scenarios, and was among the lowest-cost options for Scenarios 2, 3 and 4.

Cautions

SecurEnvoy has small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

A significant majority of SecurEnvoy's customers are in Europe. However, a majority of its larger customers use SecurEnvoy globally.

In comparison with the other vendors in this Magic Quadrant, SecurEnvoy did not clearly articulate a strong geographic strategy, nor did it demonstrate strong overall viability, marketing execution or customer experience (although no reference customers raised specific concerns).

SecurEnvoy's offerings lack SAML integration to cloud-based applications and services. SecurEnvoy tells us that SAML will be supported via Active Directory Federation Services early in 2012.

SecurEnvoy has no appliance- or cloud-based delivery options; however, these are available through some channel partners. SecurEnvoy also supports authentication as part of third-party cloud-based services via its SecurCloud offering.


SMS PASSCODE

Denmark-based SMS Passcode was established in 1999 as Conecto A/S, a consulting operation implementing mobile solutions. SMS Passcode OOB authentication, delivered as server software, was launched in 2005. At the end of 2009, the company sold off its consulting business and adopted the name of the product.

Strengths

SMS Passcode was among the lowest-cost options for Scenario 2.

Reference customers typically cited SMS Passcode's functional capabilities as an important decision factor. Expected performance and scalability, an understanding of business needs, and pricing model or TCO were often cited as well.

Reference customers were mostly extremely satisfied with SMS Passcode's customer support, and noted that it always dealt with support requests fully and promptly.

Cautions

SMS Passcode has a small market share by customer numbers in comparison with other vendors in this research (but is one of the larger pure-play, phone-based authentication vendors).

Although it has customers in more than 40 countries, a significant majority of SMS Passcode's customers are in Europe.

SMS Passcode offers only OOB authentication. However, despite its name, the company does support voice modes, as well as SMS modes, through a partnership with TeleSign.

SMS Passcode did not clearly articulate a strong vertical industry strategy or demonstrate strong overall viability in comparison with other vendors in this research. (The vendor's emphasis is squarely on supporting common workforce access use cases out of the box and horizontally across all industries.)


SWIVEL SECURE

U.K.-based Swivel Secure was established in 2000 and launched its PINsafe product line in 2003. Unique to Swivel's offerings is its proprietary enhanced password method, which allows a user to generate an OTP by combining a known PIN or pattern with a security string or graphic presented on the login pane or on a mobile phone (functioning as a token). Swivel also offers conventional OOB authentication with SMS and voice modules.


Strengths

Swivel offers the broadest range of delivery options of any provider discussed in this Magic Quadrant. PINsafe is available as a hardware or software appliance, server software, a managed service with customer premises equipment, and a multitenanted cloud-based service.

Swivel was among the lowest-cost options for Scenarios 3, 4 and 5. Notably, it offers zero-cost mobile clients (equivalent to OTP software tokens) for mobile phones.

Reference customers typically cited Swivel's pricing model or TCO as an important decision factor. They were very satisfied with the vendor's customer support, and noted that it always dealt with support requests fully and promptly.

Swivel is one of the few vendors in this Magic Quadrant to offer an enhanced password method, which is popular with many SMBs that are looking for an improvement over legacy password authentication but do not want or cannot justify "two-factor authentication." In addition, Swivel uses the same enhanced password method with its phone-based authentication methods, providing additional assurance compared with competing solutions that rely on a legacy password or a simple PIN.
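An added example, not Swivel's code, that serves both the description of the enhanced password method in the introduction above and the strength just described: a minimal server-side model of a PIN-plus-security-string scheme. It assumes one concrete combining rule, that each PIN digit selects a position in a 10-character security string (0 meaning the tenth position); the report does not specify Swivel's exact rule, so the rule is illustrative. It also shows the controls such a scheme needs on the server side: a fresh random string per login, single use, expiry, and a failure lockout. The user name, PIN, timings and thresholds are constructed.

```python
import hmac
import secrets
import string

STRING_LENGTH = 10     # one position per decimal digit (assumed rule)
CHALLENGE_TTL = 120    # seconds a security string stays valid (constructed)
MAX_FAILURES = 5       # lockout threshold (constructed)


def new_security_string(length: int = STRING_LENGTH) -> str:
    """Fresh random string shown on the login pane or sent to the phone."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def expected_otp(pin: str, security_string: str) -> str:
    """Assumed rule: PIN digit d picks the d-th character (1-based); 0 picks the 10th."""
    if len(security_string) != STRING_LENGTH:
        raise ValueError("security string must have exactly one position per digit")
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


class EnhancedPasswordServer:
    """Holds PINs, issues one-time security strings and checks the derived OTPs."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}
        self._challenges: dict[str, tuple[str, int]] = {}  # user -> (string, issued_at)
        self._failures: dict[str, int] = {}

    def enrol(self, user: str, pin: str) -> None:
        if not pin.isdigit():
            raise ValueError("PIN must be decimal digits")
        self._pins[user] = pin
        self._failures[user] = 0

    def issue_challenge(self, user: str, now: int) -> str:
        """One string per login attempt; a new one discards any outstanding one."""
        sec = new_security_string()
        self._challenges[user] = (sec, now)
        return sec

    def verify(self, user: str, response: str, now: int) -> bool:
        pin = self._pins.get(user)
        challenge = self._challenges.pop(user, None)  # single use, whatever the outcome
        if pin is None or challenge is None:
            return False
        if self._failures[user] >= MAX_FAILURES:
            return False  # locked: per-login strings alone do not bound guessing
        sec, issued_at = challenge
        if now - issued_at > CHALLENGE_TTL:
            return False  # stale string: the user must request a new one
        ok = hmac.compare_digest(expected_otp(pin, sec), response)
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok


def _corrupt(otp: str) -> str:
    """Guaranteed-wrong response of the right length, for the walkthrough."""
    return ("1" if otp[0] == "0" else "0") + otp[1:]


def demo() -> dict:
    """Correct login, reuse, expiry, a wrong response and lockout."""
    srv = EnhancedPasswordServer()
    srv.enrol("alice", "2468")  # constructed user and PIN
    t = 1_700_000_000
    r = {}
    sec = srv.issue_challenge("alice", t)
    good = expected_otp("2468", sec)
    r["correct_accepted"] = srv.verify("alice", good, t + 5)
    r["reuse_rejected"] = not srv.verify("alice", good, t + 6)
    sec = srv.issue_challenge("alice", t + 10)
    r["stale_rejected"] = not srv.verify(
        "alice", expected_otp("2468", sec), t + 10 + CHALLENGE_TTL + 1)
    sec = srv.issue_challenge("alice", t + 200)
    r["wrong_rejected"] = not srv.verify("alice", _corrupt(expected_otp("2468", sec)), t + 201)
    for i in range(MAX_FAILURES):
        sec = srv.issue_challenge("alice", t + 300 + i)
        srv.verify("alice", _corrupt(expected_otp("2468", sec)), t + 300 + i)
    sec = srv.issue_challenge("alice", t + 400)
    r["locked_rejected"] = not srv.verify("alice", expected_otp("2468", sec), t + 400)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```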

Cautions

Swivel has very small market share by customer numbers in comparison with other vendors in this research.

Swivel did not clearly articulate a strong market understanding or marketing strategy, or demonstrate strong overall viability or marketing execution in comparison with other vendors in this research.

A significant majority of Swivel's customers are in Europe. However, these include some sizable global deployments supporting users in North America and the Asia/Pacific region, as well as in Europe.


SYMANTEC

Symantec, based in Mountain View, California, has been a publicly traded company since 1989. It entered the authentication market in 2010 with the acquisition of VeriSign's Identity and Authentication business. (VeriSign had been spun off from RSA Security in 1995 to focus on PKI offerings.) The deal allows Symantec to use the VeriSign brand for its identity and authentication products until 2015, as well as VeriSign's "tick" icon, which has been incorporated into Symantec's logotype. Symantec has a more coherent and better-articulated vision for Validation and ID Protection Service (VIP) and adjacent products than VeriSign had.

Symantec VIP (formerly VeriSign Identity Protection Authentication Service) is delivered as a multitenanted cloud-based service. Symantec also offers a WFD tool, Symantec Fraud Detection System (FDS), as server software or a hosted managed service. The company also cites "synergies" with its data loss prevention and encryption products, but Gartner clients are not seeking authentication solutions in that context.

Symantec offers OTP hardware tokens from ActivIdentity, RSA, SafeNet, Vasco and others, and OOB authentication through a partnership with Authentify. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths

Symantec demonstrated good marketing execution, and it is one of the authentication vendors most frequently cited by Gartner clients.

The vendor offers a wide range of authentication methods, including zero-cost OTP software tokens for mobile phones. However, although Symantec VIP does support OOB authentication, the majority of its customers use this as a backup for users who cannot use their OTP tokens, rather than as a primary authentication method.

In late 2011, Symantec incorporated the adaptive access control capabilities from its FDS into VIP to provide what Symantec calls "intelligent authentication."

Symantec was among the lowest-cost options for Scenarios 3, 4 and 5.

Reference customers typically cited Symantec's functional capabilities as an important decision factor (one said, "everything is as advertised"). Expected performance and scalability and, for financial services, industry experience were often cited, as well. One customer called attention to the flexibility of VIP and the ease of extending it to meet business needs. Some clients tell us that Symantec VIP is difficult to integrate with target systems; however, all but one of the reference customers asserted that they had no technical implementation challenges.

Reference customers were very or extremely satisfied with Symantec's customer support, and noted that it always dealt with support requests fully and promptly.

Cautions

Symantec has a small market share by customer numbers in comparison with other vendors in this research. However, its offerings are used by a few million end users, and year-over-year growth for 2009 to 2010 was exceptionally strong.

Symantec did not clearly articulate a strong vertical industry strategy in comparison with other vendors in this research.

Symantec VIP lacks SAML integration to cloud-based applications and services. Symantec tells us that this will be provided in the first half of 2012 as part of Symantec O3.

Reference customer comments raised some concerns about the reliability of the ID-1 OTP hardware token.


TECHNOLOGY NEXUS

Sweden-based Technology Nexus was founded as a management buyout from Saab Technologies in 1984. In 2010, it acquired PortWise, another Swedish company, adding PortWise's authentication portfolio, Web access management and identity federation platform, and SSL VPN tool to its own PKI-based authentication and other offerings, giving the merged company a broader portfolio of authentication methods and a broader customer base. (PortWise, under its former name of Lemon Planet, was one of the first vendors to offer OOB authentication.)


Technology Nexus offers PortWise Authentication Server as server software, PortWise Virtual Appliance as a software appliance, and Technology Nexus Safe Login as a multitenanted, cloud-based service and a hosted managed service.

Strengths

Although it has only a small market share by customer numbers in comparison with other vendors in this research, Technology Nexus is used by several tens of millions of end users.

Overall, Technology Nexus has one of the strongest product or service offerings in the market. It includes adaptive access control capabilities through its Policy Service module in PortWise Authentication Server.

Technology Nexus clearly articulated a good geographic strategy, and demonstrated good

customer experience. Reference customers were very satisfied with Technology Nexus' customer

support.

Technology Nexus came out well in the pricing scenarios, and was among the lowest-cost options

for Scenarios 1, 2 and 4.

Reference customers cited a variety of vendor and product characteristics as important decision

factors. One said that it was "proud" of its decision to implement PortWise Authentication Server.

Cautions

Technology Nexus has relatively few customers in the Americas — less than 20% overall.

Technology Nexus did not demonstrate strong market responsiveness and track record in comparison with other vendors included in this Magic Quadrant.

Reference customers typically cited integration into the existing infrastructure as an implementation challenge. One cited ongoing browser compatibility issues and poor log management with PortWise Authentication Server.

TELESIGN

TeleSign, based in Marina del Rey, California, was established in 2005. It provides an OOB authentication service — TeleSign Two-Factor Authentication, a multitenanted cloud-based service — and has a market focus on large global service providers, especially for consumer access, and several OEM relationships (which include other vendors discussed in this Magic Quadrant). TeleSign also offers PhoneID, which evaluates the fraud risk of the phone being used for OOB authentication.

Strengths

TeleSign sends calls to more than 200 countries and in more than 85 languages. Voice prompts are localized for native accents to optimize user experience.

TeleSign demonstrated good market responsiveness (for example, shifting its marketing strategy to target large online website and service providers as fraudster activity shifted to online arenas and social media platforms).

TeleSign guarantees "enterprise-level uptime" and asserts that it consistently outperforms this level of service. TeleSign sends voice calls and SMS messages via multiple routes to ensure deliverability. The performance and reliability of TeleSign's offering are underscored by the experience of a major global service provider, which had been using TeleSign only for OOB in voice mode, but switched over to TeleSign's SMS mode, as well, when it had problems with its incumbent solution, and never went back.

Reference customers typically cited TeleSign's functional capabilities as an important decision factor. Direct SS7 layer monitoring now enables TeleSign to detect call forwarding in many areas, defeating one type of attack against OOB authentication by voice. Product implementation is "smooth," and operational use is unproblematic. Reference customers were very or extremely satisfied with TeleSign's customer support, and noted that it always dealt with support requests fully and promptly.

TeleSign came out well in the pricing scenarios. It was consistently among the lowest-cost options. (Note that this assessment is based on a pricing structure that was introduced in mid-2011.)

Cautions

TeleSign offers only OOB authentication.

TeleSign has a small market share by customer numbers in comparison with the other vendors in this Magic Quadrant, and a significant majority of its customers are in North America (however, it is used by tens of millions of end users globally).

TeleSign did not clearly articulate a good vertical industry strategy (although this is not necessarily a significant caution given its market focus).

VASCO

Vasco, based in Chicago, Illinois, entered the OTP token market in 1996 with the acquisition of Digipass, and it continues to use Digipass branding for its portfolio of authentication products. Other authentication-relevant Vasco acquisitions include Lintel Security in 1996, AOS-Hagenuk in 2005, and Able and Logico in 2006. In 2011, Vasco acquired Alfa & Ariss, enhancing its Digipass as a Service.

The company is well-established in the financial services market globally, with a substantial presence in retail banking outside North America, and continues to make significant inroads into enterprise use cases globally.

Vasco acquired DigiNotar in 2011, not long before the attack that precipitated DigiNotar's bankruptcy (see "Certificate Authority Breaches Impact Web Servers, Highlighting the Need for Better Controls"). This has had some impact on Vasco's financial situation, but none at all on the viability of its Digipass product line.

Vasco offers a number of products and services: Vacman Controller SDK/APIs, which provide direct integration with online applications, especially in retail banking and online gaming; Identikey Server as server software (the most widely deployed, by a very wide margin); aXsGuard Identifier and aXsGuard Gatekeeper as hardware appliances, the latter aimed at SMBs; and Digipass as a Service, a managed service with customer premises equipment. Authentication method support varies across these offerings, with aXsGuard Gatekeeper having the most restricted set.

Strengths

Vasco offers one of the widest ranges of authentication methods. Overall, Vasco has one of the strongest product or service offerings.

Vasco clearly articulated a good sales strategy and demonstrated good overall viability and marketing execution.

Gartner estimates that Vasco has a market share by customer numbers of approximately 15%. Overall, Vasco is used by approximately 10 million users.

Reference customers frequently cited Vasco's pricing model or TCO (but see Cautions), functional capabilities, industry experience (in financial services), expected performance, and scalability and conformity to technical standards as important decision factors. Several view Vasco as a strategic partner. Most reference customers were, on average, very satisfied with Vasco's customer support (with one outlier that was unsatisfied), and noted that it generally dealt with support requests fully and promptly.

Cautions

Vasco lacks any adaptive access control capability. Gartner sees this as a significant caution for a vendor with such a strong focus on the financial services market.

Although Vasco has a mature business globally, the majority of its customers are in Europe.

Vasco was only average across the pricing scenarios and was one of the higher-cost options for Scenario 5 (but note the reference customer comments about pricing models and, particularly, TCO, cited under Strengths above). We also note that SAML integration to cloud-based applications and services for Vasco's on-premises offerings is provided by a discrete product, Identikey Federation Server, at additional cost.

Reference customer comments raised some concerns about ease of integration with enterprise remote access tools and Lightweight Directory Access Protocol (LDAP) directory services.

YUBICO

Yubico, based in Stockholm, Sweden, and Palo Alto, California, was established in 2007. Yubico offers distinctive USB hardware tokens for OTP authentication, along with open-source infrastructure products and a new cloud-based service. It has a market focus on enterprises, especially for workforce remote access, and several OEM relationships (which include other vendors discussed in this Magic Quadrant).

Yubico offers YubiKey Validation Server software for Linux, the baseline open-source offering for firms that want to build their own authentication server or service. YubiRADIUS VA is a software appliance in Open Virtualization Format built on open-source components, YubiCloud is a multitenanted cloud-based service, and YubiHSM is an HSM for securing server-side token keys (seed values). The YubiKey hardware tokens have a unique, robust form factor and need no client software, and token keys are held and managed solely by the customer.

Two-thirds of Yubico's customers and partners use the YubiCloud service, with the other third integrating its low-level library directly into their authentication products or using OATH-compliant YubiKeys with their existing OATH-compliant authentication systems.

Strengths

Gartner estimates that Yubico has a market share by customer numbers of approximately 10%. Although a significant portion of these are very small implementations, Yubico does have large enterprise and service provider implementations.

YubiKeys can be quickly integrated at a low cost. For example, one small manufacturing company implemented YubiKeys for its 20 system administrators within one hour for $500. Yubico came out exceptionally well in the pricing scenarios, with the lowest cost for pricing Scenarios 1, 2, 3 and 4, although it was more expensive than the majority of competitors in Scenario 5.

Reference customers typically cited Yubico's functional capabilities as an important decision factor. Expected performance and scalability, and pricing model or TCO, were often cited, as well. The reference customers were very satisfied with the vendor's customer support, and noted that it generally dealt with support requests fully and promptly. (However, Yubico did not demonstrate strong frameworks for managing customer experience in comparison with other vendors in this Magic Quadrant.)

Cautions

Yubico did not clearly articulate a good product/service strategy, sales strategy or geographic strategy, nor did it demonstrate good marketing execution.

The vendor has few customers in the Asia/Pacific region.

Yubico's offerings lack SAML integration to cloud-based applications and services. The vendor tells us that this will be available in the first half of 2012.

Unlike traditional OTP hardware tokens, YubiKeys require a standard (Type A) USB port, so they cannot be used with devices that lack them — easily (that is, without an adapter cable) or at all (for example, with iOS devices). One reference customer raised this issue as a problem with iPads. Yubico tells us that this issue will be addressed in early 2012, with YubiApp OTP software tokens for mobile devices, and later in 2012 with YubiKey+ tokens for use with Near Field Communication-enabled devices.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

ADDED

Authentify: A U.S.-based OOB authentication service provider with a market focus on financial services and multiple OEM relationships (which include other vendors in this Magic Quadrant)

Equifax: A U.S.-based financial information services provider offering a wide-focus authentication solution with a market focus on healthcare and government through its acquisition of Anakam

i-Sprint Innovations: A Singapore-based IAM vendor with a market focus on financial services, offering an integrated set of access products that includes ESSO, WAM and SAPM tools, as well as a wide-focus user authentication offering

Nordic Edge: A Sweden-based IAM vendor, recently acquired by Intel, with a strong focus on the cloud and a portfolio that includes provisioning of user information and SSO to SaaS, as well as its wide-focus authentication offering

PhoneFactor: A U.S.-based OOB authentication service provider with a market focus on enterprises, especially for workforce remote access

SecureAuth: A U.S.-based vendor offering an integrated user authentication and gateway product providing SSO to on-premises and cloud-based target systems

SecurEnvoy: A U.K.-based OOB authentication service provider with a market focus on enterprises, especially for workforce remote access

SMS Passcode: A Denmark-based OOB authentication service provider with a market focus on enterprises, especially for workforce remote access

Swivel Secure: A U.K.-based authentication vendor with a market focus on enterprises, especially for workforce remote access, that is often characterized as a phone-based authentication vendor but has probably achieved greater traction with software-only implementations of its PINsafe enhanced password authentication methods

TeleSign: A U.S.-based OOB authentication service provider with a market focus on large global service providers, especially for consumer access, and several OEM relationships (which include other vendors in this Magic Quadrant)

Yubico: A Sweden-based company with a market focus on enterprises, especially for workforce remote access, and several OEM relationships (which include other vendors in this Magic Quadrant) offering distinctive USB hardware tokens for OTP authentication, along with open-source infrastructure products and a new cloud-based service

The following vendors were included in the earlier MarketScope, but their names have changed because of a merger or acquisition:

Arcot Systems: now part of CA Technologies

PortWise: now part of Technology Nexus

VeriSign: now part of Symantec (the remainder of VeriSign, which focuses on the DNS business, conducts business under the Verisign name; note the lowercase "s")

DROPPED

The following vendor failed to meet the inclusion criteria for this year's Magic Quadrant, because of its small market share by customer numbers:

Fujitsu Services: Finland-based Fujitsu Services, a subsidiary of Fujitsu, offers the mPollux line of authentication products and services. Fujitsu Services offers and supports only a narrow range of authentication methods and is tightly focused on local markets. Notably, it provides a government-to-citizen authentication service, managed by the Finnish State Treasury, that spans more than 50 municipalities and agencies. Fujitsu Services may still be an appropriate choice for enterprises in the Nordic region with more-focused needs.

The following vendors are noteworthy, but were not rated in this Magic Quadrant:

AuthenWare: Based in Miami, Florida, AuthenWare offers a practicable behavioral biometric authentication technology based on typing rhythm (also known as keystroke dynamics). Other vendors offer this authentication method, but the AuthenWare Technology product is differentiated by being simple to implement, scalable and robust, as well as providing good user experience. Many Gartner clients report that they have a positive view of AuthenWare. (AuthenWare did not meet the inclusion criteria for customer numbers.)

DigitalPersona: DigitalPersona, headquartered in Redwood City, California, offers a suite of solutions that include user authentication and ESSO, as well as full-disk encryption, email/document encryption and VPN multifactor authentication. DigitalPersona has expanded its support for other vendors' authentication methods, and these methods integrate with DigitalPersona's ESSO and VPN components. The company has an OEM deal with HP to include DigitalPersona's software, rebranded as HP ProtectTools, on HP computers. Although DigitalPersona's user authentication options can be implemented independently of its ESSO capabilities, integration is restricted to the endpoint device. (For this reason, DigitalPersona did not fit the market definition for this Magic Quadrant.)

LexisNexis: Dayton, Ohio-based LexisNexis offers InstantID Q&A, a KBA service endorsed by the American Bankers Association and used by more than 200 financial services and other organizations worldwide. InstantID Q&A is "powered by" RSA Identity Verification KBA technology (formerly Verid) and exploits LexisNexis' access to billions of public records and vast amounts of noncredit data to generate robust verification questions. (LexisNexis was excluded, because there is no functional modification of the technology licensed from RSA.)

ValidSoft: Ireland-based ValidSoft, now a subsidiary of telecommunications vendor Elephant Talk Communications, offers OOB authentication and transaction verification methods. Its offering is technically sound, and it has a good track record in enterprise and financial services use cases, including private and retail banking. (ValidSoft did not meet the inclusion criteria for customer numbers.)

Inclusion and Exclusion Criteria

The following inclusion criteria apply:

Relevance of offering: The offering meets the user authentication market definition detailed above.

Longevity of offering: The offering has been generally available since at least 1 May 2010.

Origination of offering: The offering is manufactured or operated by the vendor or is a significantly modified version obtained through an OEM relationship. (We discount any software, hardware or service that has merely been obtained without functional modification through a licensing agreement from another vendor — for example, as part of a reseller/partner agreement.)

Number of customers and end users (including customers of third-party service providers and their end users): The vendor has either:

200 or more current customers that have been using the vendor's authentication offerings in a production environment for at least three months, or

50 or more such customers with a total of 5 million or more end users

Vendors with minimal or negligible apparent market share among Gartner clients, or with no currently shipping products, may be excluded from the ratings.

Evaluation Criteria

ABILITY TO EXECUTE

Gartner analysts evaluate technology providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision.

Product/Service

We evaluate:

The current capabilities, quality and feature sets of one or more on-premises software or hardware products or cloud-based services that make real-time authentication decisions and can be integrated with any of a variety of enterprise systems, as well as supporting skills

The range and variety of user authentication methods offered or supported, along with the client-side software or hardware used by end users in those real-time authentication decisions

The applicability and suitability of these offerings to a wide range of use cases across different kinds of users and different enterprise systems

We also evaluate the capabilities, quality, and feature sets of ancillary and adjacent products and services relevant to enterprises' user authentication needs.

Overall Viability (Business Unit, Financial, Strategy, Organization)

We evaluate the organization's overall financial health, the financial and practical success of the user authentication line of business, and the likelihood that the vendor will continue investing in and advancing the state of the art of the user authentication portfolio, and, if appropriate, will continue offering the portfolio within the vendor's broader product portfolio.

Sales Execution/Pricing

We evaluate the vendor's capabilities in such areas as deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel, including value-added resellers and third-party managed service providers.

We evaluate pricing over a number of different scenarios. Clients are increasingly price-sensitive as they seek the optimal balance of assurance and accountability, user experience, and cost when selecting new user authentication methods.

Market Responsiveness and Track Record

We evaluate the vendor's demonstrated ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change.

We give particular consideration to how the vendor has embraced or responded to standards initiatives in the user authentication and adjacent market segments.

Marketing Execution

We evaluate the clarity, quality, creativity and efficacy of programs designed to deliver the vendor's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.

Customer Experience

We evaluate the vendor's relationships and services/programs — such as technical support and professional services — that facilitate customers' successful implementations and use of the vendor's user authentication offerings.

We consider Gartner client and reference customer feedback.

Operations

We evaluate the ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                    Weighting
Product/Service                                                        High
Overall Viability (Business Unit, Financial, Strategy, Organization)   Standard
Sales Execution/Pricing                                                High
Market Responsiveness and Track Record                                 Standard
Marketing Execution                                                    Standard
Customer Experience                                                    Standard
Operations                                                             Low

Source: Gartner (January 2012)

COMPLETENESS OF VISION

Gartner analysts evaluate technology providers on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs and competitive forces, and how well they map to the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider.

Market Understanding

We evaluate the vendor's understanding of buyers' needs and how it translates these needs into offerings. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those wants with their added vision.

Marketing Strategy

We evaluate the clarity and differentiation of the vendor's marketing messages, and the consistency of communication throughout the organization and externally through its website, advertising, customer programs and positioning statements.

Sales Strategy

We evaluate the vendor's strategy for selling its user authentication offerings that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. In particular, we evaluate business development, partnerships with system integrators and channel execution.

Offering (Product) Strategy

We evaluate the vendor's approach to developing and delivering its user authentication offerings that emphasizes differentiation, functionality, and feature sets as they map to current and future requirements for enterprises across multiple use cases — differentiated not only by level of risk, but also by business needs and technical, logistical and other constraints.

We consider support for open standards and extensibility to support proprietary authentication methods offered by other vendors. We also consider support for mobile devices as endpoints and for access to cloud-based applications and services.

Business Model

We evaluate the soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy

We evaluate the vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including SMBs and vertical industries. We consider the vendor's focus on supporting different use cases, and if and how it can deliver adjacent products and services that are important to different market segments.

Innovation

We evaluate the vendor's continuing track record in market-leading innovation, including early standards and technology adoption, how well it anticipates and adjusts to changes in market dynamics and customer and end-user needs, and the provision of distinctive products, functions, capabilities, pricing models and so on.

Geographic Strategy

We evaluate how the vendor directs resources, skills and offerings to meet the specific needs of geographies outside its home geography — either directly or through partners, channels and subsidiaries — as appropriate for each geography and market.

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria            Weighting
Market Understanding           Standard
Marketing Strategy             Standard
Sales Strategy                 Standard
Offering (Product) Strategy    High
Business Model                 Standard
Vertical/Industry Strategy     Standard
Innovation                     High
Geographic Strategy            Standard

Source: Gartner (January 2012)

Quadrant Descriptions

LEADERS

Leaders in this Magic Quadrant are vendors with a wide-focus user authentication offering with a solid track record and typically a significant presence in the market. They have a clearly articulated vision that is in line with the market trends, which is typically backed by solid technical innovation. Their business strategy and execution are very sound. Vendors in this quadrant can provide a strong solution for many enterprises across one or many use cases, typically including emerging needs.

CHALLENGERS

Challengers in this Magic Quadrant are vendors with a wide-focus user authentication offering, a solid track record and typically a significant presence in the market. Their business execution is generally very sound, although their strategy may not be as strong. They may lack or may not clearly articulate a vision that is in line with the market trends, although technical innovation may be sound. Vendors in this quadrant can provide a strong solution for many enterprises across one or many use cases.

VISIONARIES

Visionaries in this Magic Quadrant are vendors with a clearly articulated vision that is in line with the market trends, which is typically backed by technical innovation and a solid business strategy. They may have a broad- or tight-focus user authentication offering with a steady track record, an appreciable presence in the market and acceptable business execution. Vendors in this quadrant can typically provide a quite satisfactory solution for many enterprises across one or many use cases, typically including emerging needs, or a strong solution focused on one or a few particular use cases.

NICHE PLAYERS

Niche Players in this Magic Quadrant are vendors with a broad- or tight-focus user authentication offering with a steady track record and appreciable presence in the market. They may lack or may not clearly articulate a vision that is in line with the market trends, although, technically, innovation may be sound. Their business strategy and execution are acceptable. Vendors in this quadrant can typically provide a quite satisfactory solution for many enterprises across one or often many use cases. In this market in particular, it is worth stressing that any Niche Player could offer a solution that is ideally suited to your needs.

Context

Gartner defines "user authentication" as the real-time corroboration of a claimed identity with a specified or understood level of confidence. This is a foundational IAM function, because without sufficient confidence in users' identities, the value of other IAM functions — for example, authorization and intelligence (audit and analytics) — is eroded. User authentication is provided by a range of authentication methods and in a variety of ways. It may be natively supported in an OS or application, or in a directory or access management tool, such as a WAM tool, that spans multiple applications. Or it may be added to one or more target systems, including OSs and access management tools, via a third-party component (an API or SDK) that allows it to be embedded directly in each system, or a discrete authentication infrastructure, either on-premises software or hardware or increasingly a cloud-based service, which can be integrated with multiple target systems via standard protocols, such as LDAP, RADIUS or SAML, or proprietary software agents.

This Magic Quadrant evaluates the major vendors that provide such authentication infrastructures, some of which also provide APIs, SDKs or components (such as smart cards) that can be consumed by natively supported authentication methods. Many enterprises adopt such tools to support one or more — sometimes many — use cases, the most common of which are workforce remote access, especially access to corporate networks and applications via VPN or HVD, and external-user remote access, especially retail-customer access to Web applications. The same new authentication method may be used across one or a few use cases; however, the more use cases an enterprise must support, the more likely it is to need to support multiple authentication methods to provide a reasonable and appropriate balance of authentication strength, TCO and user experience in each use case.

Gartner's previous research on this market considered only those user authentication vendors that offered or supported a wide range of authentication methods, catering to enterprises seeking to support multiple use cases with a single authentication infrastructure. However, many of those vendors' customers continue to use their solutions to provide a single authentication method in only one or a few use cases. Moreover, Gartner client inquiries show that a significant number of enterprises remain interested in vendors that have a tighter focus — that is, vendors that offer or support only one type of authentication method. The most significant of these vendors have been included in this Magic Quadrant.

Enterprise interest in OTP methods, broadly defined, remains high; however, during the past few years, we have seen a significant shift in preference from traditional hardware tokens to phone-based authentication methods. Wide-focus user authentication vendors offer all these approaches and more — typically offering or supporting KBA methods or X.509 tokens (such as smart cards) as well. Most of the tight-focus vendors offer only phone-based authentication methods, especially OOB authentication methods.

The 23 user authentication vendors included in this Magic Quadrant are those that have the largest presence in the market by number of customers or number of end users served. Gartner is aware of more than 175 user authentication vendors worldwide, but the market is dominated by a far smaller set of vendors. Just three — RSA, the Security Division of EMC; SafeNet; and Vasco — account for more than three-fifths of the market by customer numbers. Some of the other vendors are poised to challenge the major players, but most are essentially "me too" commodity vendors, offering technically similar solutions and competing more on price than on quality or experience, while others focus on particular market niches or innovative technologies that may be licensed to major vendors.


Market Overview

Customer wants and needs for user authentication continue to mature. Enterprises increasingly recognize the need for authentication with higher assurance than legacy passwords can provide, across a broader range of use cases, and are addressing that need. Moreover, enterprises are increasingly aware of the need to find a reasonable and appropriate balance of authentication strength (assurance and accountability), TCO and user experience in each use case. These factors are driving the adoption of alternatives to traditional token-based authentication methods, which offer higher levels of assurance but at a higher cost and with a relatively poor user experience.

Although some of the growth in these alternative methods arises from enterprises replacing incumbent tokens, many enterprises are implementing such methods in one or many use cases for the first time. These wants and needs are also driving the adoption of authentication methods other than the few that are typically natively supported (for example, in OSs, applications and WAM tools), methods that demand proprietary authentication infrastructures. Although a majority of enterprises remain focused on one or a few use cases that may be met by a single authentication method from any kind of vendor, we continue to see modest growth in the number of enterprises taking a strategic view of authentication and seeking to address a wider range of use cases that demand different authentication methods with a single versatile, flexible infrastructure.
