Magic Quadrant for User Authentication
User authentication is dominated by three well-established, wide-focus vendors that command the majority of the market. Newer wide- and tight-focus vendors are making significant inroads and offer enterprises sound alternatives across a range of needs.
This document was revised on 30 January 2012. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
A provider in the user authentication market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions and can be integrated with one or more enterprise systems to support one or more use cases. Where appropriate to the authentication methods supported, a provider in the user authentication market also delivers client-side software or hardware used by end users in those real-time authentication decisions.
This market definition does not include providers that deliver only one or more of the following:
1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors)
2. Software, hardware or a service, such as access management or Web fraud detection (WFD), that makes a real-time access decision and may interact with discrete user authentication software, hardware or services (for example, to provide “step up” authentication)
3. Credential management software, hardware or services, such as password management tools, card management (CM) tools and public-key infrastructure (PKI) certification authority (CA) and registration authority (RA) tools (including OCSP responders)
4. Software, hardware or services in other markets, such as Web access management (WAM) or VPN, that embed native support for one or many authentication methods
A provider in the user authentication market may, of course, deliver one or more such offerings as part of, or in addition to, its user authentication offering. Note, however, that, for the purposes of this Magic Quadrant, offerings of Type 2, 3 and 4 are not considered to be user authentication offerings and were not included in customer, end-user or revenue figures.
Source: Gartner (January 2012)
This Magic Quadrant replaces “MarketScope for Enterprise Broad-Portfolio Authentication Vendors.” There are several important changes from the previous document. The change of document type, from MarketScope to Magic Quadrant, reflects the increasing maturity and significance of the user authentication market and the need to more clearly differentiate among the vendors along two axes. The Evaluation Criteria, which are detailed below, are significantly different from those used in the MarketScope. They were changed to include tight-focus vendors and wide-focus (or broad-portfolio) vendors. In addition, the minimum-revenue criterion no longer applies, which avoids penalizing vendors that offer lower pricing.
Gartner sees user authentication vendors falling into four different categories with somewhat indistinct boundaries:
1. Specialist vendors: A specialist user authentication vendor focuses on a distinctive proprietary authentication method — either a unique method or a proprietary instantiation of a common method — and also offers a corresponding infrastructure or a software development kit (SDK) that will allow it to plug into customers’ applications or other vendors’ extensible infrastructures.
2. Commodity vendors: These vendors focus on one or a few well-established authentication methods, such as one-time password (OTP) tokens (hardware or software) and out-of-band (OOB) authentication methods. A commodity vendor may provide a basic infrastructure to support only those few methods, and its offerings will primarily interest small or midsize businesses (SMBs) and some small enterprises that still have narrower needs.
3. Tight-focus vendors: We characterize a commodity vendor that provides a robust, scalable infrastructure that can meet the needs of larger enterprises and global service providers — and sometimes augment other vendors’ extensible infrastructures — as a tight-focus vendor.
4. Wide-focus (broad-portfolio) vendors: The defining characteristic of these vendors is offering or supporting many distinct authentication methods. A wide-focus vendor may also be a specialist vendor. It will typically offer a versatile, extensible authentication infrastructure that can support a wider range of methods than it offers itself; the additional methods may be sourced through OEM agreements with one or more other vendors in any of these categories, or left to the enterprise to source directly from those vendors.
The vendors included in this Magic Quadrant fall into the third and fourth of these categories.
Gartner’s estimate for revenue across all segments of the authentication market for 2011 remains approximately $2 billion. However, the margin of error in this estimate is high, because not all the vendors included in this Magic Quadrant provided revenue data and because of the “long tail” of the more than 150 authentication vendors not included in it. Individual vendors included in this Magic Quadrant that did provide revenue data reported year-over-year revenue changes ranging from a decline of more than 10% to nearly 300% growth, with the median approximately 20% to 30% growth. More vendors — although still not all — provided customer numbers, and a majority of vendors reported growth in the 20% to 40% range, with some smaller vendors showing far greater growth.
We estimate the overall growth in the market by customers to be approximately 30% year over year. Because of the shift toward lower-cost authentication solutions, we estimate the overall growth by revenue to be approximately only 20%.
Range of Authentication Methods
Enterprise interest in OTP methods, broadly defined, remains high; however, as has already been noted, we have seen a significant shift in preference from traditional hardware tokens to phone-based authentication methods. Wide-focus user authentication vendors offer all these and more, generally offering or supporting knowledge-based authentication (KBA) methods or X.509 tokens (such as smart cards) as well. Most of the tight-focus vendors offer just phone-based authentication methods, especially OOB authentication methods (sometimes incorporating voice recognition as an option), with a few (none of which are included in this Magic Quadrant) offering only KBA or biometric authentication methods.
The vendors included in this Magic Quadrant may offer any of a variety of methods across a range of categories (see “A Taxonomy of Authentication Methods, Update”). These categories, and, where appropriate, the corresponding categories from the National Institute of Standards and Technology (NIST) Special Publication 800-63-1 “Electronic Authentication Guideline” (July 2011 draft), are:
- KBA Lexical: This approach combines improved password methods and Q&A methods. An improved password method lets a user continue to use a familiar password, but provides more secure ways of entering the password or generating unique authentication information from the password. A Q&A method prompts the user to answer one or more questions, with the answers preregistered or based on on-hand or aggregated life history information. It corresponds to the NIST “preregistered knowledge token” category.
- KBA Graphical: KBA graphical authentication uses pattern-based OTP methods and image-based methods. A pattern-based OTP method asks the user to remember a fixed, arbitrary pattern of cells in an on-screen grid that is randomly populated for each login and to construct an OTP from numbers assigned to those cells. An image-based method asks the user to remember a set of images or categories of images and to identify the appropriate images from random arrays presented at login. There is no corresponding NIST category.
- OTP Token: This authentication method uses a specialized device or software application for an existing device, such as a smartphone, that generates an OTP, either continuously (time-synchronous) or on demand (event-synchronous), which the user enters at login. The token may incorporate a PIN or be used in conjunction with a simple password. This category also includes transaction authentication number (TAN) lists and grid cards for “generating” OTPs. Note that the “OTP” category does not include “OTP by SMS” or similar methods, which Gartner classes as OOB authentication methods. One of several algorithms may be used:
- American National Standards Institute (ANSI) X9.9 (time- or event-synchronous or challenge-response)
- Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP), time-based OTP (TOTP) or OATH Challenge-Response Algorithms (OCRA)
- Europay, MasterCard and Visa (EMV); MasterCard Chip Authentication Program (CAP); or Visa Dynamic Passcode Authentication (DPA), also called remote chip authentication
- A proprietary algorithm
The corresponding NIST categories are “multifactor OTP hardware token,” “single-factor OTP token” and “look-up secret token.”
- X.509 token: This is an X.509 PKI-based method that uses a specialized hardware device, such as a smart card, or software that holds public-key credentials (keys or certificates) that are used in an automated cryptographic authentication mechanism. The token may be PIN-protected, biometric-enabled or used in conjunction with a simple password. It corresponds to NIST categories “multifactor hardware cryptographic token,” “multifactor software cryptographic token” and “single-factor cryptographic token.”
- Other token: This category of methods embraces any other type of token, such as a magnetic stripe card, an RFID token or a 125 kHz proximity card, a CD token or proprietary software that “tokenizes” a generic device, such as a USB NAND flash drive or an MP3 player. There is no corresponding NIST category.
- OOB authentication: This category of methods uses an OOB channel (for example, SMS or voice telephony) to exchange authentication information (for example, sending the user an OTP that he or she enters via the PC keyboard). It is typically used in conjunction with a simple password. (Some vendors also support OTP delivery via email in a similar way; however, this is not strictly “OOB,” because the OTP is sent over the same data channel as the connection to the server.) The corresponding NIST category is “out-of-band token.”
- Biological biometric: A biological biometric authentication method uses a biological characteristic (such as face topography, iris structure, vein structure of the hand or a fingerprint) as the basis for authentication. It may be used in conjunction with a simple password or some type of token. There’s no corresponding NIST category.
- Behavioral biometric: A behavioral biometric authentication method uses a behavioral trait (such as voice and typing rhythm) as the basis for authentication. It may be used in conjunction with a simple password or some kind of token. There’s no corresponding NIST category.
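The OTP token category above separates event-synchronous (OATH HOTP) from time-synchronous (OATH TOTP) generation. The following example is added here and is not code from the Gartner document or any vendor; it implements both algorithms per RFC 4226 and RFC 6238 and shows the server-side verification logic (counter look-ahead with advance after acceptance, and a clock-skew window) that an authentication server must get right so that an intercepted OTP cannot be replayed. The secret value is the RFC test-vector key, used here only so the outputs can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment provisions a random per-token secret; this one is for checking only.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects 4 bytes
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step (T = time // step)."""
    return hotp(secret, unix_time // step, digits, algo)


class HotpVerifier:
    """Server-side state for one event-synchronous token: the next counter value expected."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # The token may have been triggered without a login, so search a small window ahead
        # of the stored counter; never search behind it, or a captured OTP would be reusable.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1              # advance past the accepted value (no replay)
                return True
        return False


class TotpVerifier:
    """Server-side state for one time-synchronous token: the last time step accepted."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        # Tolerate clock drift of +/- skew_steps, but refuse any step at or before the last
        # accepted one so the same OTP cannot be presented twice inside the window.
        current = now // self.step
        for t in range(current - self.skew_steps, current + self.skew_steps + 1):
            if t > self.last_step and hmac.compare_digest(hotp(self.secret, t), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_TEST_SECRET, 0))
    print("TOTP now       :", totp(RFC_TEST_SECRET, int(time.time())))
```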
In the research for this Magic Quadrant, a vendor’s range of authentication methods offered and supported was evaluated as part of the assessment of the strength of its product or service offering. Note that some vendors offer only one or a few authentication methods, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.
Use Cases for New Authentication Methods
Many enterprises adopt new authentication methods to support one or many use cases — the most common of which are workforce remote access, especially access to corporate networks and applications via a VPN or hosted virtual desktop (HVD), and external-user remote access, especially retail-customer access to Web applications. The same new authentication method may be used across one or a few use cases, but the more use cases an enterprise must support, the more likely it needs to support multiple authentication methods to provide a reasonable and appropriate balance of authentication strength, total cost of ownership (TCO) and user experience in each case.
A full range of use cases is enumerated below. Vendors included in this Magic Quadrant can typically support multiple use cases. The endpoint access use cases, however, cannot use a vendor’s authentication infrastructure, because the endpoints are not network-connected at login, but rather demand direct integration of a new authentication method into the client OS. (Note that Microsoft Windows natively supports “interactive smart card login” — that is, X.509 token-based authentication.) Not all vendors have equal experience in all use cases; some may have a stronger track record in enterprise use cases, such as workforce remote access, while others may focus on access to retail-customer applications, especially in financial services. Not all the vendors in this Magic Quadrant were able to break down their customer numbers on this basis.
The authentication use cases that Gartner considered in preparing this Magic Quadrant (with the relevant subcategories) are:
- PC preboot authentication: Preboot access to a stand-alone or networked PC by any user
- PC login: Access to a stand-alone PC by any user
- Mobile device login: Access to a mobile device by any user
Workforce local access
- Windows LAN: Access to the Windows network by any workforce user
- Business application: Access to any individual business applications (Web or legacy) by any workforce user
- Cloud applications: Access to cloud applications, such as salesforce.com and Google Apps, by any remote or mobile workforce user
- Server (system administrator): Access to a server (or similar) by a system administrator (or similar)
- Network infrastructure (network administrator): Access to firewalls, routers, switches and so on by a network administrator (or similar) on the corporate network
Workforce remote access
- VPN: Access to the corporate network via an IPsec VPN or a Secure Sockets Layer (SSL) VPN, by any remote or mobile workforce user
- HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any remote or mobile workforce user
- Business Web applications: Access to business Web applications by any workforce user
- Portals: Access to portal applications, such as Outlook Web App and self-service HR portals by any remote or mobile workforce user
- Cloud applications: Access to cloud applications, such as salesforce.com and Google Apps, by any remote or mobile workforce user
- VPN: Access to back-end applications via IPsec or SSL VPN by any business partner, supply chain partner or other external user
- HVD: Access to the corporate network via a Web-based thin client (for example, Citrix XenDesktop or VMware View) or zero client (for example, Teradici) by any business partner, supply chain partner or other external user
- Business Web applications: Access to Web applications by any business partner, supply chain or other external user (except retail customers)
- Retail customer applications: Access to customer-facing Web applications
For each use case, the enterprise must identify the methods, or combinations of methods, that fit best, considering at least authentication strength, TCO and user experience (see “How to Choose New Authentication Methods”).
Note that some vendors have a particular focus on one use case or a few use cases, which may limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally suited to your needs.
Market Trends and Other Considerations
Versatile Authentication Servers (VASs)
A VAS is a single product or service that supports a variety of open and proprietary authentication methods in multiplatform environments. It may be delivered as server software, as a virtual or hardware appliance, or as a cloud-based service, typically with a multitenanted architecture.
A VAS typically supports OTP tokens and OOB authentication, and may also support one or more of the following: KBA methods, X.509 tokens and biometric authentication methods. A VAS must, at minimum, support one or more standards-based authentication methods — most commonly, OTP tokens using algorithms developed by OATH — or have an extensible architecture to enable third-party authentication methods to be “plugged in” as required, without the need for a discrete third-party server or service.
A VAS vendor is likely a wide-focus authentication vendor, but not all wide-focus authentication vendors are VAS vendors. Even if a vendor supports a wide range of methods, its authentication infrastructure does not properly qualify as “versatile” if it supports only the vendor’s proprietary methods or those licensed from another vendor. (RSA, The Security Division of EMC, is the most notable example of such a vendor.) Nonetheless, if the vendor can offer a wide-enough range of authentication methods, it may still be able to deliver much of the value of a true VAS. However, enterprises must consider the impact of vendor lock-in, particularly when it may restrict the future adoption of fit-for-purpose authentication methods.
Most wide-focus vendors are now VAS vendors. With few exceptions, VASs are the only authentication infrastructure they offer (although with different delivery options). Thus, even if a customer is adopting only one kind of authentication method from such a vendor, it will be implementing a VAS that gives it the flexibility to change or add methods to support future needs.
Tight-focus vendors are, by definition, not VAS vendors.
Cloud-Based Authentication Services
Several included vendors offer cloud-based authentication services — either traditional managed (hosted) services or new multitenanted cloud-based services — or partner with third-party managed security service providers (MSSPs) ranging from global telcos to smaller, local firms (for example, Sygnify, Tata Communications and Verizon Business). A cloud-based service can be a VAS, but most MSSPs to date have focused on supporting only a small range of methods — typically OTP hardware tokens and sometimes OOB authentication methods. However, we are also seeing some interest in smart cards as a service offering, especially among U.S. federal government agencies seeking to leverage the Personal Identity Verification (PIV) cards mandated by Homeland Security Presidential Directive 12 (HSPD-12).
Historically, cloud-based authentication services have had the most traction among SMBs — companies with fewer than 1,000 employees — and in public-sector verticals (government and higher education). Costs, resources and around-the-clock support considerations make a service offering appealing to these customers.
However, adoption of cloud-based authentication services among private-sector enterprises is increasing, although not because they are explicitly seeking this delivery option. Gartner sees several vendors successfully offering only a cloud-based service (or promoting such a service over any on-premises offering), and enterprises are choosing such solutions based on their overall value proposition. (Of course, the cost advantages of cloud-based services are implicitly part of that value proposition.)
We expect greater adoption of cloud-based services among enterprises as multitenanted cloud-based services mature and as cloud computing becomes more widely adopted as a way of delivering business applications and services generally. Gartner predicts that, by 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations, up from less than 10% today. However, it is likely that on-premises solutions will persist, especially in more risk-averse enterprises that want to retain full control of identity administration, credentialing and verification.
Adaptive Access Control
A number of the vendors included in this Magic Quadrant have WFD tools (see “Magic Quadrant for Web Fraud Detection”) that are primarily aimed at financial services providers but have attracted interest from enterprises in other sectors, notably government and healthcare. WFD tools provide adaptive access control capabilities; several vendors use the term “risk-based authentication,” but the scope of these solutions goes beyond authentication alone (see “Adaptive Access Control Emerges”).
Adaptive access control uses a dynamic risk assessment based on a range of user and asset attributes, and other contextual information — for example, transaction value, endpoint identity and status, IP reputation, IP- or GPS-based geolocation, and user history and behavior — to make an access decision. Above a defined risk threshold, the tool can be set to deny a transaction, allow it but alert, prompt for reauthentication or authentication with a higher-assurance method, prompt for transaction verification, and so on. This capability provides an essential component in a layered fraud prevention approach (see “The Five Layers of Fraud Prevention and Using Them to Beat Malware”).
In typical enterprise use cases, adaptive access control capability can minimize the burden of higher-assurance authentication on the user by limiting its use to those instances where the level of risk demands it. For example, if a user accesses a VPN or Web application from a known endpoint and location, then a legacy password alone may suffice; however, if the endpoint is unknown or the location is unusual, then the user would, for example, be prompted to use OOB authentication. Gartner projects that, during the next two to three years, such capability will become more important over a wider range of use cases and will be more widely supported among mainstream user authentication products and services, especially among wide-focus vendors. By 2015, 30% of business-to-business (B2B) and business-to-enterprise (B2E) enterprise user authentication implementations will incorporate adaptive access control capability, up from less than 5% today.
Unlike OTP tokens and OOB authentication offerings, “authentication using X.509 tokens” does not represent a complete product of fully integrated components provided by a single vendor, but rather an ensemble of discrete components from two or more vendors. Thus, X.509 token projects can be significantly more complex than they may appear at first. Enterprises must identify combinations of the different components that are interoperable, as demonstrated through true technology partnerships, rather than simply through comarketing and coselling agreements, and should demand multiple reference implementations.
Among the vendors included in this Magic Quadrant, some (such as ActivIdentity, Gemalto and SafeNet) provide only the smart cards, middleware and CM tools. Others (such as Symantec) provide only the PKI components. For many enterprises, the PKI tools embedded in Microsoft Windows Active Directory will be good enough, so any of the former vendors may be sound choices. Where enterprises have a need for richer functionality in their PKI components, both types of vendor are needed.
It is important to note, however, that this “incompleteness” is a market reality for X.509-based authentication, and vendors offering smart tokens and supporting X.509-based authentication in their authentication infrastructure products were not penalized for lacking PKI tools in the development of this Magic Quadrant. Moreover, X.509-based authentication for Windows PC and network login is natively supported, so it does not need an authentication infrastructure, such as those offered by the vendors included in this Magic Quadrant. Enterprises seeking to support this can consider other vendors offering smart tokens (for example, G&D, Morpho and Oberthur Technologies), PC middleware (from the smart token vendors or others, such as charismathics) and CM tools (from the smart token vendors or others, such as Bell ID and Intercede).
For this Magic Quadrant, vendor pricing was evaluated across the following scenarios:
- Scenario 1 — Communications (publishing and news media): Small enterprise (3,000 employees) with 3,000 workforce users of “any” kind. Usage: Daily, several times per day. Endpoints: PC — approximately 60% Windows XP and Vista (AD), and 40% Mac OS X (OpenLDAP). Endpoints owned by: Company. User location: Corporate LAN. Access to: PC and LAN, downstream business and content management applications, mixture of internal and external Web and legacy. Sensitivity: Company- and customer-confidential information. Notes: The company also plans to refresh its building access systems and may be receptive to a “common access card” approach. The average (median) price for this scenario was approximately $125,000.
- Scenario 2 — Retail (“high street” and online store): Large enterprise (10,000 employees) with 50 workforce users, limited to system administrators and other data center staff. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista. Endpoints owned by: Company. User location: Corporate LAN. Access to: Windows, Unix, and IBM i and z servers, Web and application servers, network infrastructure. Sensitivity: Business-critical platforms. Notes: Users have personal accounts on all servers, plus use of shared accounts mediated by a shared account password management (SAPM) tool (for example, Cyber-Ark Software and Quest Software). Users also need contingency access to assets via an SSL VPN from PCs (“any” OS). The company has already deployed 1,500 RSA SecurID hardware tokens for remote access for its mobile workforce. It must comply with the U.S. Sarbanes-Oxley Act, PCI Data Security Standard (DSS) and other requirements as appropriate to targets accessed. The average (median) price for this scenario was approximately $7,000.
- Scenario 3 — Healthcare (teaching hospital): Large enterprise (10,000 employees) with 1,000 external users, comprising doctors and other designated staff in doctors’ practices. Usage: Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X, and maybe others. Endpoints owned by: Doctors’ practices. User location: On LANs in doctors’ practices. Access to: Electronic health record applications; mixture of Web and legacy (via SSL VPN). Sensitivity: Patient records. Notes: Enterprise must comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements. PCs may be shared by doctors and other staff in doctors’ practices. The average (median) price for this scenario was approximately $70,000.
- Scenario 4 — Utilities (power): Large enterprise (20,000 employees) with 5,000 users comprising traveling workforce and a “roaming” campus workforce. Usage: Daily, several times per day to several times per week. Endpoints: PC (mainly Windows XP), smartphones (mainly BlackBerry) and some other devices. Endpoints owned by: The company. User location: Public Internet and corporate WLAN. Access to: Business applications, mixture of internal Web and legacy, via SSL VPN or WLAN. Sensitivity: Company- and customer-confidential information, financial systems (some users), information about critical infrastructure (some users). Notes: Must comply with U.S. Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC) and other regulatory and legal requirements. The company is also investigating endpoint encryption solutions for its traveling workforce’s PCs. The average (median) price for this scenario was approximately $200,000.
- Scenario 5 — Financial services (retail bank): Large enterprise (20,000 employees) with 1 million external users, all retail banking customers. Usage: Variable, up to once every few months. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X; smartphones (including Android and iOS) and tablets (mainly iOS). Endpoints owned by: Customers, Internet cafes and others, possibly also customers’ employers. User location: Public Internet, sometimes worldwide; possibly corporate LANs. Access to: Web application. Sensitivity: Personal bank accounts, up to $100,000 per account. Notes: Most customers are based in metropolitan and urban areas, but approximately 10% are in areas without mobile network coverage. The average (median) price for this scenario was approximately $1.9 million.
Note that these pricing scenarios do not reflect any discounts that a vendor may offer particular customers or prospects, and they do not reflect other considerations that contribute to the TCO of a user authentication solution (see “Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership”).