1 Introduction
As the number and severity of data breaches rise, businesses, governments, and other organizations seek to improve the authentication experience and raise assurance levels to mitigate continuously evolving threats. Cyber-attacks put personal information, state secrets, trade secrets, and other forms of intellectual property at risk. Increasing security and improving usability are the twin goals of enterprise authentication upgrade projects. Data owners and IT architects have pushed for better ways to authenticate and authorize users, driven by changing business and security risks as well as the availability of newer technologies. Business units have lobbied for these security checks to become less obtrusive and to provide a better user experience (UX). Legacy IAM systems sometimes struggle not only to meet changing business requirements but also to keep up with the latest authentication technologies. Many enterprises are choosing to augment their IAM systems by logically separating authentication from the IAM stack and using discrete services that offer Multi-factor Authentication (MFA) with extensible risk analysis features informed by various types of intelligence. Many organizations are opting to deploy these capabilities in conjunction with their Identity-as-a-Service (IDaaS) solutions or as part of a "cloud-first" strategy.
MFA is the use of two or more independent factors (something the user knows, has, or is) to determine that a user is who they claim to be in the context of an access request. Risk-adaptive authentication is the process of gathering additional attributes about users and their environments and evaluating those attributes against risk-based policies. The goal of risk-based adaptive authentication is to provide the appropriate risk-mitigating assurance level for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by "step-up" authentication and/or the acquisition of additional attributes about the user, device, environment, and resources requested. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, Smart Cards or other hardware tokens, and behavioral biometrics. Of these, SMS and voice OTPs offer the weakest assurance, since they are exposed to SIM-swap and interception attacks; NIST SP 800-63B classifies OTP delivery over the public telephone network as a restricted authenticator. The FIDO Alliance is a leading organization that develops and promotes standards for strong, phishing-resistant authentication methods.
Behavioral biometrics can provide a framework for continuous authentication by constantly evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile "swipe" analysis, and even mobile motion-sensor (accelerometer and gyroscope) analysis. These methods generally require the use of client-side agents, either standalone or embedded into applications as SDKs.
Enterprise Authentication services can present multiple authentication schemes, methods, and challenges to a user or service according to defined policies based on any number of factors, for example the time of day, the attributes of the user, their location, or the device from which the user or service attempts authentication. User Behavior Analysis (UBA) employs risk-scoring analytics to first baseline regular access patterns and then identify anomalous behavior, which can trigger additional authentication challenges or attribute collection.
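The continuous-authentication idea in the two paragraphs above, a behavioral baseline that a live session is scored against, is easiest to see with keystroke dynamics. The following is an added example and not code from the report or from any vendor it covers. It assumes a client-side agent that reports key-down and key-up timestamps in milliseconds; the two features (dwell, how long a key is held, and flight, the gap between releasing one key and pressing the next), the z-score scoring and the step-up/terminate thresholds are illustrative choices, and the typing sessions are constructed sample data.

```python
"""Keystroke-dynamics baseline and continuous scoring (added example, not from the report)."""
from statistics import mean, pstdev


def synth_session(keys, dwell_ms, flight_ms, start_ms=0):
    """Constructed sample data: (key, key_down_ms, key_up_ms) events with fixed timings."""
    events, t = [], start_ms
    for k in keys:
        events.append((k, t, t + dwell_ms))
        t += dwell_ms + flight_ms
    return events


def features(events):
    """Extract dwell time per key and flight time per key pair from a typing session."""
    feats = {}
    for i, (key, down, up) in enumerate(events):
        feats.setdefault(f"dwell:{key}", []).append(up - down)
        if i + 1 < len(events):
            next_key, next_down, _ = events[i + 1]
            feats.setdefault(f"flight:{key}->{next_key}", []).append(next_down - up)
    return feats


def build_baseline(enrolment_sessions, min_samples=3, min_std_ms=5.0):
    """Pool the enrolment sessions and keep (mean, std) for every feature seen often enough.
    The std is floored so a perfectly regular enrolment does not make every later deviation huge."""
    pooled = {}
    for session in enrolment_sessions:
        for name, values in features(session).items():
            pooled.setdefault(name, []).extend(values)
    return {
        name: (mean(values), max(pstdev(values), min_std_ms))
        for name, values in pooled.items()
        if len(values) >= min_samples
    }


def score(baseline, events):
    """Mean absolute z-score of a session against the baseline (lower = closer to the enrolled user).
    Features never seen during enrolment are ignored rather than guessed at."""
    zs = []
    for name, values in features(events).items():
        if name in baseline:
            mu, sd = baseline[name]
            zs.extend(abs(v - mu) / sd for v in values)
    return mean(zs) if zs else None


def decide(baseline, events, step_up_at=2.0, terminate_at=4.0):
    """Map the distance from the baseline to a session action (thresholds are illustrative)."""
    s = score(baseline, events)
    if s is None:
        return "insufficient_data"
    if s < step_up_at:
        return "continue"
    if s < terminate_at:
        return "step_up"
    return "terminate_session"


# Constructed enrolment: three sessions of the same user typing "pass" with natural jitter.
ENROLMENT = [
    synth_session("pass", dwell_ms=100, flight_ms=150),
    synth_session("pass", dwell_ms=110, flight_ms=160),
    synth_session("pass", dwell_ms=95, flight_ms=140),
]
BASELINE = build_baseline(ENROLMENT)

if __name__ == "__main__":
    for label, session in [
        ("same user", synth_session("pass", 105, 155)),
        ("tired user", synth_session("pass", 120, 175)),
        ("different typist", synth_session("pass", 60, 300)),
    ]:
        print(f"{label:17s} score={score(BASELINE, session):.2f} -> {decide(BASELINE, session)}")
```

The point a practitioner should take from this is the shape of the decision, not the numbers: the agent never produces a yes/no, it produces a distance from the baseline, and the authentication service maps that distance onto the same ladder (continue, step up, terminate) that it already uses for contextual risk.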
A wide variety of risk-adaptive MFA mechanisms and methods exist in the market today. Examples include:
- Strong/Two-Factor or Multi-Factor Authentication devices, such as Smart Cards, mobile strong assurance credentials (e.g., Derived PIV credentials or other solutions which provide parallel X.509 certificates issued to mobile devices), USB authenticators, biometrics, etc.
- One-time passwords (OTP), delivered via phone, email, or SMS,
- Out-of-band (OOB) application confirmation, usually involving mobile phones,
- Identity context analytics, including
  - IP address
  - Geo-location
  - Geo-velocity (whether the distance from the previous login could plausibly have been travelled in the elapsed time)
  - Device ID and device health assessment
  - User Behavioral Analysis (UBA)
The method of Knowledge-based authentication (KBA), or asking “security questions”, is still used by some organizations, though it should be deprecated due to its inherent security weaknesses. Many organizations today employ a variety of risk-based authentication methods. Consider the following sample case. Suppose a user in the finance department successfully logs into her laptop using local credentials. In order to connect to enterprise resources, she must then authenticate to her company’s VPN, which requires entering a separate username/password combination. Behind the scenes, the authentication server examines the user’s IP address, geo-location, device ID, and health assessment to determine if the request context meets criteria set forth in security policies and fits within historical parameters for this user. Though it appears that username/password is the one and only gate, these other checks provide some additional contextual assurance.
Going one step further in the example, consider that the employee needs to make a high-value bank transaction in an online banking application. Entry to the banking app may be brokered by Single Sign-On (SSO, typically SAML or OpenID Connect on top of OAuth 2.0, with JWTs as the token format) features in her enterprise IAM, and may not require a visibly distinct authentication event. A bank transfer like this is a task within her scope and role as defined by attributes in the user identity repository. However, the bank administrator has set a risk-based policy correlated to transaction value amounts, and in this case the requested payment value exceeds the policy limits. In order to continue, the user is sent a notification via a mobile banking app on her phone, which had been previously registered with the bank. The prompt asks the user to confirm. The user presses "Yes", and the transaction is processed. To be worth anything, that prompt must display the details of the transaction (payee and amount) so that the approval is bound to this specific transaction; a bare "Approve?" prompt can be satisfied by a user who reflexively accepts a push they did not initiate.
Authentication and the related identity and context assurance values, then, can be considered a precursor to authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies and changing risk factors.
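The VPN login and the high-value transfer above are both the same mechanism: a risk engine scores the request context against policy and the user's history, then returns one of allow, step-up or deny. The following added example is not code from the report or from any vendor; it is one way to write that engine. The request attributes (IP address, coordinates, device ID, device health result, timestamp, transaction value), the per-user login history, the corporate network ranges, the point weights and the thresholds are all assumptions made for the example, and the history and requests are constructed sample data.

```python
"""Risk-adaptive authentication decision (added example, not from the report)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
import ipaddress

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class Context:
    """What the authentication server sees for one access request (assumed attribute set)."""
    user: str
    ip: str
    lat: float
    lon: float
    device_id: str
    device_healthy: bool
    ts: float                     # unix seconds
    transaction_value: float = 0  # 0 for a plain login


@dataclass
class Policy:
    """Illustrative weights and limits; a real policy is tuned per resource and population."""
    step_up_score: int = 40
    deny_score: int = 80
    max_plausible_kmh: float = 900.0          # faster than an airliner: impossible travel
    new_location_km: float = 200.0            # no prior login within this radius
    high_value_threshold: float = 10_000.0    # always step up above this, whatever the score
    trusted_networks: tuple = ("10.0.0.0/8", "192.0.2.0/24")  # constructed corporate ranges


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(ctx, history, policy):
    """Return (score, reasons). Each signal adds points; higher means riskier."""
    score, reasons = 0, []
    if ctx.device_id not in {h["device_id"] for h in history}:
        score += 30; reasons.append("unregistered device")
    if not ctx.device_healthy:
        score += 30; reasons.append("device failed health assessment")
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(n) for n in policy.trusted_networks):
        score += 15; reasons.append("untrusted network")
    if history:
        last = max(history, key=lambda h: h["ts"])
        hours = max((ctx.ts - last["ts"]) / 3600, 1e-6)
        km = haversine_km(ctx.lat, ctx.lon, last["lat"], last["lon"])
        if km / hours > policy.max_plausible_kmh:
            score += 50; reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        if all(haversine_km(ctx.lat, ctx.lon, h["lat"], h["lon"]) > policy.new_location_km
               for h in history):
            score += 15; reasons.append("outside historical locations")
    return score, reasons


def decide(ctx, history, policy=None):
    """Map score and transaction value to allow / step_up / deny."""
    policy = policy or Policy()
    score, reasons = risk_score(ctx, history, policy)
    if score >= policy.deny_score:
        return DENY, score, reasons
    if ctx.transaction_value > policy.high_value_threshold:
        reasons.append("transaction above policy limit")
        return STEP_UP, score, reasons
    if score >= policy.step_up_score:
        return STEP_UP, score, reasons
    return ALLOW, score, reasons


# Constructed history: one prior login from the London office on the registered laptop.
T0 = 1_700_000_000.0
LONDON = (51.5074, -0.1278)
HISTORY = [{"device_id": "laptop-1", "lat": LONDON[0], "lon": LONDON[1], "ts": T0}]

if __name__ == "__main__":
    office = Context("alice", "10.0.0.5", *LONDON, "laptop-1", True, T0 + 8 * 3600)
    transfer = Context("alice", "10.0.0.5", *LONDON, "laptop-1", True, T0 + 8 * 3600, 25_000)
    sydney = Context("alice", "203.0.113.7", -33.8688, 151.2093, "phone-9", True, T0 + 3600)
    for ctx in (office, transfer, sydney):
        print(decide(ctx, HISTORY))
```

Note the ordering in `decide`: the transaction-value rule is checked after the deny threshold but independently of the score, which is how the banking example works, with a zero-risk session still getting a push challenge because the policy ties the challenge to the value of the operation rather than to the session.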
The story above is just one possible permutation among thousands. Risk-based MFA is being used today by enterprises to provide additional authentication assurance for access to applications involving health care, insurance, travel, aerospace, defense, government, manufacturing, and retail. Risk-based MFA can help protect enterprises against fraud and loss.
"Passwordless" is a popular term among Enterprise Authentication vendors today. Some passwordless options have been around for a while but are now being implemented more widely at enterprises and even consumer-facing businesses. Passwordless options include the aforementioned biometrics and mobile push apps as well as proof of possession of registered devices and X.509 certificates. Some vendors also describe as passwordless the case where contextual risk evaluation lets a low-risk (happy-path) request through without interrupting the user with any visible challenge.
Account recovery must also be considered for IAM and especially for authentication solutions: when users forget passwords, lose credentials, or change devices, they need ways to regain access to their accounts. Account recovery techniques include Knowledge-Based Authentication (KBA, which should be avoided, as it is usually even less secure than password authentication), email/phone/SMS OTP, mobile push notifications, and account linking. Help desk assistance may also be needed on occasion, but it is a costly measure, and the recovery path must not be weaker than the login path it bypasses.
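Delivered OTPs appear twice on this page, as a step-up authenticator and as an account recovery method, and the server-side handling is the same in both cases. The following is an added example and not code from the report or from any vendor it covers. It assumes six-digit codes sent out of band (the SMS/email/phone delivery itself is not shown), a five-minute lifetime, single use and invalidation after five wrong guesses; the store keeps only a keyed, salted hash of each code so that a leaked database does not expose live codes. The server key and the scenario data are constructed for the example.

```python
"""Out-of-band OTP challenge store for step-up and account recovery (added example, not from the report)."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class OtpStore:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # assumed: a secret held by the authentication service
        self._clock = clock             # injectable for testing expiry
        self._challenges = {}           # challenge_id -> challenge record

    def _digest(self, salt: bytes, code: str) -> bytes:
        # Keyed hash with a per-challenge salt: a DB dump alone cannot recover live codes.
        return hmac.new(self._key, salt + code.encode(), hashlib.sha256).digest()

    def issue(self, user: str):
        """Create a challenge. Returns (challenge_id, code): the id goes to the browser
        session, the code goes only to the out-of-band channel."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {
            "user": user,
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, code

    def verify(self, challenge_id: str, user: str, submitted: str):
        """Check a submitted code. Returns (ok, reason). A challenge is consumed on success,
        on expiry and after MAX_ATTEMPTS wrong guesses."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch["user"] != user:
            return False, "unknown_challenge"
        if self._clock() > ch["expires"]:
            del self._challenges[challenge_id]
            return False, "expired"
        ch["attempts"] += 1
        # Constant-time comparison of digests so timing does not leak matching prefixes.
        if hmac.compare_digest(ch["digest"], self._digest(ch["salt"], submitted)):
            del self._challenges[challenge_id]      # single use
            return True, "ok"
        if ch["attempts"] >= MAX_ATTEMPTS:
            del self._challenges[challenge_id]      # brute force: burn the challenge
            return False, "locked"
        return False, "wrong_code"


def scenario():
    """Walk through the lifecycle with a fake clock; returns the list of (ok, reason) results."""
    now = [1_000.0]
    store = OtpStore(b"constructed-server-key", clock=lambda: now[0])
    results = []

    cid, code = store.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    results.append(store.verify(cid, "alice", wrong))      # wrong_code
    results.append(store.verify(cid, "mallory", code))     # unknown_challenge (wrong user)
    results.append(store.verify(cid, "alice", code))       # ok
    results.append(store.verify(cid, "alice", code))       # unknown_challenge (already consumed)

    cid, code = store.issue("alice")
    now[0] += TTL_SECONDS + 1
    results.append(store.verify(cid, "alice", code))       # expired

    cid, code = store.issue("alice")
    wrong = "999999" if code != "999999" else "999998"
    for _ in range(MAX_ATTEMPTS):
        results.append(store.verify(cid, "alice", wrong))  # 4 x wrong_code, then locked
    return results


if __name__ == "__main__":
    for r in scenario():
        print(r)
```

The attempt counter is the part most often missing from home-grown OTP code: a six-digit code with no lockout is brute-forced in at most a million requests, and a recovery flow that accepts it then becomes the weakest way into the account.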
There are a sizable number of vendors in the Enterprise Authentication market. Many of the vendors have developed specialized risk-based MFA products and services, which can integrate with customers’ on-site IAM components or other IDaaS. The major players in the Enterprise Authentication segment are covered within this KuppingerCole Leadership Compass.
Overall, the breadth of functionality is still growing. Support for a variety of MFA mechanisms, evaluation of user and contextual attributes, and the requisite identity federation are now nearly ubiquitous in this market segment, and the key differentiators have become the use of new technologies to step up the user's authentication assurance level or to collect and analyze information about the user's session. Device identity, device fingerprinting, device health assessments, and device intelligence are increasingly considered important factors to evaluate, as are UBA, resource attributes, identity proofing, and other forms of intelligence collection. Machine Learning (ML) detection models may also be used to detect and classify outliers in device and user intelligence.
1.1 Market Segment
This market segment is mature and common feature sets are stable, but vendors are frequently introducing innovations in authenticator technologies and risk analysis engines. We expect this trend to continue. Given the surging demands of businesses and the need to provide better security, many organizations that have not already done so must implement risk-based Enterprise Authentication solutions to augment their IAM systems and reduce the risk of fraud and data loss.
Enterprise Authentication solutions are an evolution and differentiation of yesterday’s IAM systems. Many organizations are responding to the pressure to move away from just using usernames and passwords for authentication. Strong authentication options, such as Smart Cards or other hardware tokens, have existed for years. However, such solutions have historically been complex and costly to deploy and administer. Moreover, hardware tokens continue to have usability issues. The mix of authenticators and associated user attributes that most commercial Enterprise Authentication systems present are increasingly sufficient to meet the needs of higher identity assurance for access to sensitive digital resources and high-value transactions.
It is important to understand the primary use cases that drive the requirements for Enterprise Authentication products and services, as most of the major players in this space tend to develop solutions tailored for consumer or employee use cases. Some offerings are even geared towards specific industry verticals.
A good Enterprise Authentication solution needs to balance integration flexibility with simplicity. Today’s offerings in this area provide multiple authentication mechanisms, including many mobile options and SDKs; risk engines that evaluate numerous definable factors that can be gathered at runtime and compared against enterprise policies; and out-of-the-box (OOTB) connectors for the majority of popular on-premises and cloud-hosted enterprise applications.
Integration with existing IAM platforms should be a primary factor in selecting a suitable product. The advantages of taking a single-vendor approach are primarily the licensing cost savings that arise from negotiating product bundle discounts; the greater ease of integration promised for products from the same vendor rarely materializes as the reduced complexity described by sales. All Enterprise Authentication solutions, almost by definition, require and support identity federation. While these solutions may mitigate many security risks, no security solution is impenetrable, and even the best defensive systems can suffer breaches. It is important to plan for rapid response measures when security breaches do occur.
The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.
Picking solutions always requires a thorough analysis of specific customer requirements and a comparison with available product and/or service features. Leadership does not always mean that a product is the best fit for a particular customer and their requirements. However, this Leadership Compass will help to identify those vendors that customers should look at more closely.