KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
The intention of this presentation is to provide an overview of the authentication based on my analysis of the access management solution in the market and from hearing from customers of Cooper. Nicole also, I'll give you some of my insight on how I see authentication market evolving and some criteria for your organization. You may want to consider when evaluating authentication or access management solutions. So I'm not able to see the presentation or if it's being advanced to the agenda or content. There we go. Great.
So if we get advanced to the next slide, please, so I'll start out by talking about the authentication market and some related topics to help set the context when looking at authenticators, and once I'm done, I'll share some insight on what I see in the market, starting with some trends or some more traditional forms of authentication, based on, as I mentioned, what I see in the access management leadership compass report, that includes a strong focus on authentication.
Next we'll look at some advanced or beyond the traditional forms of tradition, for instance, you know what I'm seeing in the market as kind of a summary that you could take away. And then finally, I'll give a brief summary, or as I mentioned, a take away of what I see in the market, so let's get started if you want to click to the next and one more click, there you go. So authentication is really about proving who you are in the digital world, that process or action of making an assertion and then verifying an identity. You want to go ahead and click and then one more. Thank you.
So what is enterprise authentication? It's really provides one or more services that authenticates an entity to a variety of different applications or services across an organization. And these enterprise authentication services validates the users or an entities credentials, and that authentication capabilities are delivered from logical perspective based on different technologies in order to interact with different internal digital services or applications, which could be SaaS service, for example.
And you also need to be able to support what you already have with the intent to gradually migrate to from legacy systems, to what you want in the future. So if you wanna go ahead and click or I'll, you also have to consider all the different types of identities that include more than just employees, such as partners, consumers, identities also extend into devices and other things like bots and IOT, go ahead and click. And these entities access different types of services in different kinds of environments from the cloud to legacy it in a broader sense.
And when you look at the capabilities you need, what you need is really drive from your use cases in your business requirements, such as having strong or adaptive authentication. For example, many enterprises may choose to augment their IM systems, biologically separating authentication from the IM stack and utilizing discrete services that offer for instance, multifactor authentication.
But we see enterprise authentication market segment adds fairly mature with many common feature sets that are, that are very stable, but vendors are still continuing to introduce innovation authentication technologies. So we expect to see this trend to continue in the future. So go ahead and do the next slide in the context of digital identities. As I mentioned earlier, an entity could be either human, like an employee partner or contractor or machine of some sort like an RPA bot or IOT device.
It's anything that needs to access enterprise resources for the sake of this presentation, go ahead and click and you could click probably one or two more times there. So the, a critical decision point is how much information is needed about this entity. One consideration is how sensitive is the information it will need to access.
Another consideration may be, you know, how is this information collected, but I, I won't go into those details of that process, but only to say that, you know, some of these questions will help determine the strength or the level of identity assurance that you'll need in this process of collecting and verifying entities. Information is often referred to identity proofing. So once the information is collected, there's an association or a binding between the entity and the information about it.
And an authenticator can be given to an entity at any time, like a hardware token, for example, but the association between the authenticator and the digital identity information through a registration process is when things really start to happen, that entity can now present or assert its credentials specific to its identity during the authentication process, whether that authentication method type is password based or multifactor, et cetera, let's go ahead to the next slide. So when I'm asked, you know, what authentication method should I use? I have to answer.
It depends, for example, on the left hand side of this graph is the impact level. If an organization is breached, could be low to high, and I would recommend that whatever authenticator or authentication method you use would be adequate in both identity assurance, how you collect that information about an entity and the authentication strength. So that credential that's used when the authentication method happens to really prevent any potential breach or impact on your organization or individual. So let's move on to the next slide.
So when considering an authentication service, it's best to think holistically. So when evaluating that service, you you're, you're looking at, you may want to consider, does the service have, you know, a flexible support for different types of authenticators? Does it have strong authentication options? Does it provide risk, adaptive context based authentication that allows for a step up and continuous authentication, does it provide passwordless authentication options or device authentication?
And then you also wanna make sure that you have the toolkits that you need in case you need to add additional authenticators. So depending on the size of the organization and the complexity of the it environments, these services really should be delivered in a modern architecture.
And this may mean, you know, using a microservice based solution or that's delivered in containers and providing a consistent set of APIs that could be managed, you know, for all the, these different technologies that will be used so that it could happen in a relatively flexible manner and as well as providing hybrids environments as well. And give it an API lever layer that, you know, exposes the identity services that are needed in the process. More organizations are using cloud services. So it's important to use standard based protocols like OAuth and open ID connect.
You may want to consider protecting those APIs against attacks by using API authentication, of course, and then looking at the level of analytics or access intelligence used within the authentication service that you're considering. Okay, let's move on. I'd like to give you some insight on what I've seen in regards to authentication trends, based on that recently released access management, leadership compass.
And so enterprise authentication services can provide multiple authentication schemes in methods and challenges to the users or services according or defined by policies that could be based on a number of factors. And what I'm showing here is what I call traditional authentication methods. Meaning typically, you know, this is what has been seen over a longer period of time from, from authentication solutions. And it makes sense that access management vendors provide what customers are asking for, but that also gives you some insight into what organizations are actually using.
So out of those 30 vendors that are initially evaluated, a hundred percent of those vendors provided username and password, which you know, is, is that's expected. That's been around forever. And then there's SMS OTP, and then mobile push notification options in the 90% range, there's email OTP or links, client side certificates, radius, and some vendor supplied mobile apps are, are typically offered. And in that 90% or 80%, their support curbs and then 70% support QR codes.
So this should give you a rough idea of what to expect in the market today, or what vendors are offering in their solutions. So let's move on to the next slide, please. So here are some popular hardware tokens. I'll just let you look over the chart, but in general, hardware tokens are often used in cases where you need to have some kind of physical possession of a second factor as such as an two FA or multifactor. It could be anything from a certificate based key card to other types of hardware authenticators.
And just to note that many of these hardware token support biometrics, USB NFC in the Fido standard, which seems to be, be the trend now, and I'm not seen as much presence in the use of one time passwords or time based token codes. Again, this is not an exhaustive list, but it should give you an, an idea or a sense of what's supported out there. Let's go on to the next slide, please. And these are the types of authenticators that, you know, are easy and more convenient to use.
And, and we see here that the popularity or the availability of this type of biometrics is centered around facial and fingerprints. So, you know, biometric data could be stored and processed within a database such as a secure device or encrypted token or physical token. And most people are probably familiar with fingerprints and, you know, it matches the patterns on your fingerprints, which is pretty good and it's resilient. But what some people really don't understand is that, you know, it, it doesn't work for all populations.
And so this is a case where companies may wanna offer different types of biometrics for the different population base within their organization. Facial recognition, fairly limited number of spatial geometric points on the face are used, and it compares, you know, what you have at registration time and to authentication time. But in the past, there's been some issues with interference.
You know, if you, at registration time, you have a beard and then the next time you don't or vice versa, or you're wearing some cosmetics or wearing a hat, but this is getting better as well. Voice there's two major types text in independent and dependent Iris recognition. So actually this has the highest number of unique factors that could be analyzed. And it has the benefit that the Iris doesn't change over time where fingerprints or face or even voice could be subject to that. And then vein recognition, which is not seem very often, but it can't be available.
The advantages are reportedly that has a very high accuracy rate and you can't, you know, take a vein pattern off a, off a, you know, an object that's touched like you can with a fingerprint, but some of the disadvantages are around, you know, that vein patterns, chain slightly as people age, and the technology is very expensive due to the precision needed to make it work. So let's go on to the next slide. So APIs have increased and focused over the recent years due to different factors.
You know, how the business interacts with their customers, implementations the new digital services with more integration points to consider increases in an automation, including workflows and orchestrations processes or DevOps for the tools that they use. You wanna go ahead and click? Thank you.
So, as we see here, support is strongest around the use of OWA and open ID connect. API keys are still used, but it comes with some issues of their own such as, you know, keeping up with key rotation and then is the traffic traffic sniffing, or to steal the API keys or replay attacks that sort of things. And go ahead and click one more time. But you know, these, there are some use cases that vendors use for API keys. And what I have here is, is what I'm seeing in the market and how it's being used by vendors in, in other use cases. So let's go ahead and move on to the next slide, please.
So here are some advanced authentication trends that I'm seeing in the market, and also the term advanced just means beyond what's traditionally used or more modern or more, more recent. So let's move on. So passwordless is a popular term used in enterprise authentication when vendors are, are, are selling their products.
Some passwordless options have been around for a while, but we're starting to see that they're being implemented more at the enterprise level options include biometrics and mobile push apps, as well as simple possession of a registration device password list can also mean the evaluation of contextual risk factors without interrupting that that user flow. But what we see here from this chart is that the passwordless market is growing and, and that's really the, the point that I'm making here. So let's move on to the next slide, please.
So phyto standards provide a good balance of strong authentication with the convenience of use and low friction for the users and UAF or universal authentication framework was really defined as a password list protocol for mobile devices. And U two F was primarily intended to be used as a second factor in the authentication scheme and then 5 0 2 with features of both you two F and UAF with some JavaScript elements that are standardized by the w three C can be uniformly implemented in all w three C compliant browser agents. And this has the greatest adoption or support by vendors.
And even the vendors that I evaluated that don't yet support five, two, they have it on their near term roadmap. So this is something that could be expected from vendors. Let's move on to the next side. So risk based multifactor authentication is being used today by enterprises to provide additional authentication assurance for access to applications and many industries and risk based can also help protect enterprises against fraud and loss using contextual attributes.
Some of what we see here, the most supported or popular context attributes being supported by vendors are in the areas of device profiling and tagging network profiling, user activity and location information. And that based on adaptive policies, any changes to these context or attributes can trigger step up authentication or other scenarios. So let's move on. So continuous authentication just means running those same checks in the last slide that I showed. And it could define literally hundreds of different kinds of options or attributes that are available in authentication solutions today.
And when doing checks over time in the risk score changes, you know, a typical policy might say, okay, so the risk is getting higher. I may want to introduce some friction and require something like a mobile push notification to increase the likelihood that it's the right user on the right end of that transaction. And let's go ahead. So the last thing I would like to note are verifiable credentials. So this is something that we're starting to look at in access management solutions. And it's an open standard that defines a data model that is used when issuing credentials.
And it could represent information found in physical credentials that we have today, like a passport. This information or attributes are cryptographically signed with strong authentication and binding. The holder could have a digital wallet, or, and they're also have the option of selectively disclosing what information they want. And the issuer can revoke that credential anytime that they want. So in this model, the issuer trust the holder, the holder trusts the verifier and the verifier trusts the issuer. So it really comes down to who do you trust?
And only 40% of the access management vendors that are reviewed support verifiable credentials, but that range from full implementation of a standard to only partial support, relying on third party technology partners to supply some are all of the capabilities. So let's quickly go to the summary. I think I'm going over maybe a minute or two. So all vendors that I evaluated in the access management leadership compass report support and provide some level of multifactor and adaptive risk based authentication.
And I would consider these baseline expected capabilities of vendors today passwordless authentication has gained a lot of momentum, which will make the goal of becoming passwordless that much more easy, 5 0 2 support can also be expected from vendors and verifiable credentials is an interesting and innovative type of authentication that could be used in many different ways. And although there are some good viable solutions out there, adoption is still in the early stages.
So I, I, as I mentioned, I think I'm over time, so we have a good panel coming up next. So thank you for your time.
