EXECUTIVE VIEW MYDIGIPASS.COM. KuppingerCole Report. by Alexei Balaganski August by Alexei Balaganski

Transcription

1 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski August 2013 by Alexei Balaganski August 2013

2 Content 1 Introduction Product Description Strengths and Challenges Copyright... 7 Related Research: Snapshot: OAuth August 2012 Scenario: The Future of Authentication July 2012 Advisory Note: Strong Authentication June 2011 Vendor Report: Vasco June 2011 Page 2 of 8

3 1 Introduction One of the most important consequences of the ongoing trend of IT consumerization driven by growing adoption of mobile and cloud computing has been the exponential growth of the number of identities businesses and consumers have to deal with. Unfortunately, as the number of ways for individuals and businesses to interact over the Internet is growing, controlling and securing these information flows becomes much more complicated. With all the recent news about malware attacks, industrial espionage, corporate security breaches, and massive leaks of personal information, it is obvious that traditional methods of information security simply cannot keep up with new challenges. This is especially true for password authentication, which despite of all efforts by security specialists, remains the most common method of authentication on the Internet. Static passwords are difficult to manage, easy to intercept via network attacks or exploits, and above all, passwords stolen from one service often allow hackers to get access to other resources with the same credentials. For more than a decade, different methods of secure authentication have been proposed to replace static passwords, including combinations of biometric authentication (using fingerprints, faces, or retina scans), specialized hardware (OTP tokens, smart cards, mobile phones) and strong cryptographic algorithms. The most popular method of two-factor authentication is arguably one-time password tokens. They are widely used in the banking industry, where strong authentication has been mandated by authorities, and by certain enterprises. Recently, such popular websites as Google, Twitter and Amazon have been experimenting with different methods of multifactor authentication, but still only as an optional (and rarely used) feature. Among smaller websites, adoption remains very low. However, the trend has been slowly changing in the recent years, driven by factors like adoption of stricter government regulations regarding handling sensitive personal information and growing demand from customers for more trusted services. The biggest obstacle for implementing strong authentication is obviously the amount of initial investments needed. Thus, a new market has emerged in the recent years for hosted solutions commonly known as Authentication-as-a-service (AaaS). They all aim at taking the burden of implementing and managing a secure authentication infrastructure from businesses, providing the highest level of security and compliance and ensuring high availability. The AaaS market segment has already matured enough to provide a full spectrum of services for many different scenarios, however one important factor that still needs to be addressed is providing a completely frictionless user experience that s comparable with the familiar password authentication. The service from VASCO is positioned as a solution that combines strong authentication with user convenience and ease of integration, promising frictionless experience for both service owners and customers. Page 3 of 8

4 2 Product Description VASCO Data Security International, Inc. is a multinational public company with headquarters in Chicago and Zurich. Founded in 1997, it has long established itself as one of the leaders in strong authentication, electronic signatures, and digital signatures solutions. Historically, VASCO s primary customers have been banks and other financial institutions, as well as large enterprises. To address different use cases and security requirements, the company offers a wide range of hardware tokens, as well as software authenticators in the form of apps for popular mobile platforms. VASCO s DIGIPASS technology is also embedded in Intel s Identity Protection Technology, making it available in most new laptops built with the Ivy Bridge chipset inside. According to company s estimates, more than 100 million users around the world already possess a DIGIPASS-enabled device. All available client authentication technologies are supported by a single back-end platform called VACMAN Controller, which can be utilized directly to provide the maximum flexibility or as a part of offthe-shelf solutions like IDENTIKEY Authentication Server or axsguard Gatekeeper security appliance. This allows VASCO to address different verticals with different security requirements, while still maintaining a single integrated management platform. Unfortunately, the platform does not support any third party authenticators, meaning that the choice of authenticators, although very broad, is still limited to VASCO s own models. VASCO is a relatively late newcomer in the cloud solutions market, for many years concentrating on traditional on-premise deployments. In 2010, the company launched DIGIPASS as a Service, a cloudbased solution where a VACMAN Controller is hosted and managed by VASCO on their own servers, allowing application service providers to reduce implementation costs and ensure high security and availability. DIGIPASS as a Service is available as a standalone solution or can be integrated with Salesforce, Google Apps and Onelogin., launched in 2012, is the next step along this path by providing a completely managed and self-contained authentication platform targeted towards businesses and consumers at the same time. The biggest emphasis of this new offering is on providing strong, yet convenient security. is in essence a combination of three components: Managed strong authentication platform based on proven DIGIPASS technology 1 ; Set of standard-based APIs that ensure easy integration into existing websites 2 ; Web-based password management app for consumers, which manages access to both websites secured by DIGIPASS and other popular resources 3. By integrating, application service providers can quickly leverage VASCO s security infrastructure and tap into a community of millions of DIGIPASS users without any investments in OTP hardware. Additionally, platform ensures a higher level of identity validation, Page 4 of 8

5 providing additional protection against fraud, and, as a convenient side effect, prevents account sharing between legitimate customers. The actual authentication workflow is based on OAuth 2.0, meaning that an average developer having previous experience with the standard can implement basic integration within hours. Developer documentation covers several typical scenarios including authenticating existing users, creating new accounts and linking existing users with new identities. A complete (although somewhat functionally limited) sandbox environment is provided for testing. For customers, ensures a smooth authentication process with minimal interaction. When using a smartphone for authentication, the only step necessary is scanning a QR code. A webbased password manager (called Launchpad ) provides access to a catalog of popular websites from the built-in marketplace. Each card in the Launchpad represents a bookmark with a set of securely stored credentials. Naturally, all -secured websites are added to the Launchpad automatically. In its current state, password manager is somewhat lacking in functionality compared to other popular password management products, but integration with other VASCO tools is already planned. 3 Strengths and Challenges Obviously, the biggest strength of the service is ubiquity of its underlying authentication platform. With its broad range of hardware tokens, apps for ios, Android and BlackBerry platforms and even integration with Intel chipsets, users of the platform are able to reach a broad audience already in possession of an authentication device. However, lack of third party connector support can alienate potential customers planning to support multiple token vendors. Nevertheless, VASCO is capable of addressing a vast number of verticals with different usage scenarios and security requirements. Their flexible pricing model with different packages based on either the number of users or the number of transactions is another plus, especially for SMBs. For developers, VASCO provides an easy to use standard-based API, extensive documentation, complete sandbox environment and comprehensive support during the rollout period. The customer-facing web password manager is not as feature-rich as other popular password managers, and the UI is somewhat unpolished in some places. Apparently, this part of the solution is still being worked on. However, the actual authentication workflow is solid and flawless. Overall, is a complete turnkey strong authentication solution with near frictionless experience for consumers and surprisingly easy integration for developers. Definitely recommended for evaluation. Page 5 of 8

6 Strengths A completely self-contained managed platform from a single reputable vendor; Broad range of authentication hardware, support for major mobile platforms, including Intel IPT; Easy integration using the industry standard OAuth 2.0 protocol; a developer toolkit and testing environment are provided; Flexible pricing model, various branding options Challenges No support for third party authentication devices; Password management functionality is limited compared to other popular password management products MZDIGIPASS.COM

7 4 Copyright 2013 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. Page 7 of 8

8 The Future of Information Security Today KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business. KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eid cards, Cloud Security and Management, and Virtualization. For further information, please contact clients@kuppingercole.com Kuppinger Cole Ltd. Am Schloßpark Wiesbaden Germany Phone +49 (211) Fax +49 (211)