Welcome to the KuppingerCole analysts chat. I'm your host. My name is
Hi, John. Good to have you.
Hello, Mathias. Good to talk to you again. Yeah. Great to talk to you. You have been working on a leadership compass recently and it has just been published and it is about enterprise authentication solutions. Can you give a short definition? What are enterprise authentication solutions? Sure.
So enterprise authentication solutions are more discretely packaged services, usually delivered as services, uh, that allow organizations to sort of upgrade their IAM on the side, uh, if they need to offer different forms of authentication or stronger and multifactor authentication, but maybe they're somewhat limited by their IAM solution.
Uh, enterprise authentication services are add-ons that generally by definition mean they work with IAM solutions, but allow companies to offer, you know, MFA, risk-adaptive authentication, uh, and then be able to integrate that in and dump the information that happens there into their security incident and event management. So they get a better picture overall of risks to the enterprise. They can manage the enterprise and enforce more granular authentication policies. So when organizations are looking into enterprise authentication solutions, they want to achieve just what you mentioned.
They want to augment their existing IAM solution to improve it, to add additional functionality that they are missing in their original solution. That is one business driver for organizations who are looking into these solutions. What else could be reasons for organizations, for companies looking at the market segment that you just covered?
Yeah, exactly. People companies may need to add capabilities and, you know, there are a couple of other major drivers there. So we've been hearing about passwordless authentication.
You know, passwords are often a route into data breaches and they're inconvenient for users. So many companies, you know, from a usability perspective, want to improve the customer experience and decrease support costs because it is kind of costly to do password resets. And then there are regulatory reasons like PSD2 strong customer authentication. If a company has an IAM system that they don't feel like ripping and replacing, but they need to be able to offer a PSD2 SCA-compliant, multifactor authentication, then enterprise authentication solutions can be an add-on for that.
Uh, and then as we all know, over the last year, the pandemic has increased work from home work remotely, and many businesses are realizing that they need strong multifactor authentication in front of, you know, enterprise resources, whether they be using those enterprise resources natively in the cloud or coming through VPN, it can help decrease the risks of, uh, you know, remote takeover as well as the insider threat and even some kinds of industrial espionage. Right.
And, and we have been talking about zero trust architecture just recently a lot, and it is really still a hype topic and they, and a buzzword, but strong identity, strong authentication processes are of course also, uh, uh, important building blocks when it comes to going towards zero trust architectures. Um, so is this also an enabler for organizations moving in that direction?
Yeah, definitely. Um, it allows you to, again, enforce more granular authentication policies to make sure that adhering to zero trust principles you authenticate and authorize every transaction within your environment.
So that's, you know, knowing that user context, the device contexts that they're coming from, and then what entitlements might be required to access particular resources. So enterprise authentication is definitely one of the steps toward zero trust architecture, Not the first version, the first iteration of this report. And we have 2021 users expect that, um, authentication is smooth and has a good user experience and a secure, uh, what has happened in the meantime is two years or so since you had the former version out, right?
So what, what has happened? Yeah, the previous version, we split into two different Leadership Compasses that were really based on deployment model, whether there were options for on-premise deployment versus cloud.
Again, probably as a result of the pandemic move, more and more organizations are accelerating their move to the cloud. So I decided to combine these into simply enterprise authentication solutions. So in cases where they do offer on-premise options, I note that in chapter five, but generally we're just comparing features within the solutions themselves, regardless of what the deployment model is, whether it's cloud-first, cloud-native or on-premise. And if there are cases where there is not feature parity between on-premise versions and the cloud, I call that out on the chapter five entries. Right.
Um, and so when it comes to, to, to standards, when it comes to technical observations, um, what is most striking or what has changed most dramatically? I assume, um, standards are an important part when this is an augmentation to existing IAM structures, right?
Yeah, exactly. You know, there, there, IAM has a lot of good standards. Unfortunately, most of them don't overlap too much. The one that I've been really watching closely for the last few years, uh, is FIDO, uh, Fast Identity Online.
And it's, it really helps enable two-factor, multifactor authentication, including a pretty wide variety of, of authenticators, including biometrics and, and things like that that can increase usability. Um, support for FIDO seems to be increasing, uh, and you know, FIDO2, I think has a lot of advantages for both companies that choose to use it as well as the users.
But, you know, the number of companies who claim FIDO support is a little higher than the number of companies that actually have obtained certifications. FIDO has a nice certification process that by going through that, you know, a vendor can demonstrate that their authenticator or their, their server is actually FIDO compliant.
Uh, I think it's, it's good to be able to demonstrate compliance with those specifications. Then I would say that, you know, mobile push notifications, that's, you know, the swipe to accept kind of thing, as well as biometrics are more popular among users end users these days.
And, you know, with these modular enterprise authentication solutions, it's easy for enterprises to deploy them. Then, um, you know, another, another factor that I measured was which of these vendors provides SDKs for creating their own or embedding their own authentication services into customer mobile applications.
I think, you know, that's, that's an important piece of the puzzle as well. Uh, companies, if they're going to write an app and want to be able to build in, you know, strong authentication where they can, uh, SDKs can be a way of picking up a device intelligence so that the authenticating organization can, you know, review that at, at transaction time and make a much more fine-grained decision about whether or not to permit the transaction to go through, or maybe require additional information, the step-up authentication event, that sort of thing.
So we're moving away also from these white-labeled applications or adding to that by providing the opportunity to, to create their own applications with the functionality, just baked into that. Yeah. Yeah. I think many companies need to be able to move rapidly in response to changing business conditions and having things like an SDK that enables them to change what is offered from an IAM or CIAM perspective, you know, pretty quickly helps businesses compete more effectively these days as well. Right.
And you've mentioned the, the risk engines, the telemetry that you have from the devices, more detailed, more device intelligence. Is this also something that you see in the authentication process itself? So this risk adaptive and continuous authentication, is this already there? Is this something that organizations can base their authentication processes?
Yes, there are really mature enterprise authentication solutions that have good implementation of risk-based and granular authentication policies, you know, that can pull up information from user history or from the device and make high quality decisions at run time. And I think both for workforce employee kinds of scenarios, that's important for reducing insider threat or, you know, especially in days where employees are increasingly remote.
Uh, it's very helpful, but it's also helpful on the consumer side as well. And we've seen again as a result of COVID a pretty huge spike in fraud. So being able to present good authentication choices that increase security and are also more usable, I think helps companies that need to offer authentication solutions to consumers. So that area of innovation has already arrived in the actual solutions. And I think we see a lot of innovation in the authentication market right now.
What are you looking at when it comes to judging vendors as part of such a Leadership Compass when it comes to innovation, where's your focus? You know, I think looking at, uh, on the different methods, you know, the ones that are kind of leading edge on accepting multi-factor authentication or allowing customers, deploying organization customers, that is, a choice to integrate whatever kinds of authenticators that come along.
That's, that's kind of a key flexibility area that these vendors have right now, plus the granularity of the risk engine, different sources of credential and device intelligence that may be consumed and processed natively by the authentication solution. You know, there are lots of different like credential and device intelligence feeds out there. But I think a lot of end-user companies don't necessarily want to spend lots of money on subscription costs and then lots of time to, you know, effectively write the policies.
If you can use an authentication solution that bundles those intelligence sources and makes good risk decisions, you know, that's definitely a benefit for consumer-facing organizations term. So we're looking at something like, um, enterprise authentication as a service with all this already bundled into an overall yeah. Service delivery package that you just can subscribe to. Yeah. Yeah. There are a number of different licensing options. Generally the most popular seem to be around like monthly active users.
So, um, you know, let's say as a, as an enterprise with a workforce, that's essentially analogous to your registered user number. You're not paying for hardware equipment specifically, uh, to instantiate the service, but like on the consumer side, the monthly active users is useful because there may be certain kinds of services where people come to quarterly or even annually.
So, uh,
Well, there are, there are a number of large vendors out there and they've been there for a while, but there, this is a market where it's possible for startups to get a good foothold and, and, you know, really focus on a specific subset of capabilities that meet either a niche in the market or, you know, regional requirements, regional, uh, regulatory requirements. So we see a number of vendors in this year's report that weren't in the previous report.
And, you know, I kind of expect that to continue. There's still room for innovation and room for entries into the overall market here.
Great, great. Thank you very much, John, for giving us that insight into enterprise authentication and what is going on there. The Leadership Compass is online at our site, KuppingerCole.com. I will definitely have a look at it because we are using this concept.
Of course, also as part of our identity fabric to augment, to add additional services to existing IAM infrastructures. And that is where you really get, um, these solutions well integrated into an overall architecture. Thanks again, John, for being my guest today, uh, looking forward to having you soon in another episode of this podcast.
Well, thank you. Look forward to next time we can chat. Absolutely. Thank you. And bye-bye,