Magic Quadrant for User Authentication

Transcription

1 G Magic Quadrant for User Authentication Published: 9 December 2013 Analyst(s): Ant Allan The market is dominated by 5% of the vendors. Mobile and cloud are disruptive. Buyers give greater weight than before to user experience. Legacy authentication methods are increasingly deprecated. Vendors must invest appropriately to stay relevant. Strategic Planning Assumptions By year-end 2016, about 30% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations up from about 10% today. By year-end 2016, more than 30% of enterprises will use contextual authentication for workforce remote access up from about 5% today. Market Definition/Description A provider in the user authentication (see Note 1) market delivers on-premises software/hardware or a cloud-based service that makes real-time authentication decisions for users who are using an arbitrary endpoint device (that is, not just Windows PCs) to access one or more applications, systems or services in a variety of use cases. Where appropriate to the authentication methods supported, a provider in the user authentication market also delivers client-side software or hardware that end users utilize to make those real-time authentication decisions. (Also see the Inclusion and Exclusion Criteria section.) User authentication has been used since the early days of multiuser systems. Passwords remain the norm across all use cases, but over the past few decades, a wide range of authentication methods that provide higher levels of trust have been developed and adopted by the market. Within the last decade, the variety of authentication methods has proliferated (see Note 2). Passwords are ubiquitous, and higher-trust authentication methods are used by nearly all enterprises (and at least a significant minority of small or midsize businesses [SMBs)] across different use cases (see Note 3). The user authentication market is mature, with several vendors offering products that have been continuously offered over the past three decades (although ownership has changed over that time; for example, Security Dynamics' SecurID one-time password [OTP] tokens are now offered by RSA, The Security Division of EMC). However, new authentication methods and vendors continue to

2 emerge, with the most rapid growth occurring within the past decade in response to changing market needs. The greater adoption of user authentication over a wider variety of use cases, the impact of the Nexus of Forces (discussed in the Market Overview section) and the emergence of innovative authentication methods have all been disruptive. Gartner is aware of more than 200 vendors offering some kind of user authentication product, although only approximately 100 of these might be commercially viable, and perhaps fewer than 50 vendors have offerings that we would consider to be credible choices. This Magic Quadrant research covers the 20 vendors with the most significant market presence by number of customers or number of end users served (see the Inclusion and Exclusion Criteria section), although these numbers vary by orders of magnitude (see Note 4). The leading vendors in this Magic Quadrant account for the majority of the market by customer and end-user numbers. Some of the vendors not included in the Magic Quadrant are wide-focus vendors (see Note 5) that are poised to challenge the major players, while others are "specialist" vendors. A significant number of these are essentially "me, too" commodity vendors. These vendors fragment the market, diverting sales from more strategic players and potentially tying up buyers in "dead end" contracts. In addition, vendors in other markets especially identity and access management as a service (IDaaS), Web access management (WAM), federated single sign-on (SSO) and VPN are increasingly embedding higher-trust user authentication methods within their products. While these tend to be limited to phone-as-a-token methods, with a few vendors adding contextual authentication, they can still obviate the need for a third-party user authentication offering at least in the use cases served by those alternative products. Page 2 of 55 Gartner, Inc. G

3 Magic Quadrant Figure 1. Magic Quadrant for User Authentication Source: Gartner (December 2013) Vendor Strengths and Cautions Authentify Illinois-based Authentify offers a cloud service, Authentify Out-of-Band Authentication, that provides out of band (OOB) authentication via voice modes, and has multiple OEM relationships (with Gartner, Inc. G Page 3 of 55

4 vendors that are discussed in this Magic Quadrant and use Authentify for OOB voice modes). Authentify also offers: voice biometric verification (normally an adjunct to OOB authentication, but some universities and others use it as a single-factor authentication method, with the phone as just a capture device); 2CHK, an OOB app for mobile devices and PCs; and xfa, an app combining OOB push modes with voice verification and an X.509 software token. Authentify's customers predominate in financial services, e-commerce, education, government and healthcare. The majority of customers are larger enterprises. Deployment sizes at year-end 2012 spanned a median of tens to hundreds of thousands of end users, with a maximum on the order of tens of millions or more end users. Authentify demonstrates a very sound market understanding and a very strong product strategy, and remains a Visionary in this Magic Quadrant. Strengths It has a growth rate well above the market norm. It supports contextual authentication including telephone data analytics. Its new xfa app addresses the needs of mobile use cases. It offers a canned "click and go" solution for SMBs in response to demand. Its pricing is in the lowest quartile for Scenario 4 (see Note 6) for cloud solutions. Cautions It lacks on-premises server software or appliances, nor does it offer or support OTP hardware tokens. Its customer base is skewed toward the U.S. (about three-fifths of customers) and Europe (about one-fifth). CA Technologies New York-based CA Technologies offers a wide-focus authentication and Web fraud detection (WFD) platform that is delivered as server software (CA Advanced Authentication, or integrating CA AuthMinder and CA RiskMinder) and as a cloud service (CA CloudMinder Advanced Authentication). These support a wide range of authentication methods, with OTP apps for mobile phones and X. 509 software tokens (see Strengths below) most commonly used. Almost half of CA's customers are in financial services, with others spread across multiple vertical industries. The majority of customers are larger enterprises. Deployment sizes range from thousands to millions of end users. CA Technologies remains a Leader in this Magic Quadrant. Page 4 of 55 Gartner, Inc. G

5 Strengths Its growth rate is above the market norm. Its OTP seeds and X.509 credentials are protected by CA's proprietary "cryptographic camouflage." The CA RiskMinder WFD component provides rich contextual authentication, and is used by about half of CA's customers. It is the joint third most frequently shortlisted vendor among all reference customers. Its pricing is in the lowest quartile for all scenarios (except Scenario 5 for cloud solutions) including the lowest pricing for Scenario 3 for on-premises and cloud solutions. Cautions Its customer numbers are in the lowest tier; however, the majority are large enterprises, and end-user numbers are in the upper midtier. Its customer base is skewed toward the Americas (three-fifths of its customers are most likely in the U.S.) and EMEA (one-quarter). Deepnet Security U.K.-based Deepnet Security offers a wide-focus authentication platform delivered as server software (DualShield Unified Authentication Platform), as a virtual appliance of Linux (DualShield VE) and as a software development kit (SDK). Since the previous Magic Quadrant (see "Magic Quadrant for User Authentication"), Deepnet has added a managed service (DualShield SaaS) and a cloud service (DualShield Cloud). These all support a wide range of authentication methods, with OTP apps for mobile phones, OTP hardware tokens and OOB SMS modes being most commonly used. Deepnet's customers are well-spread across vertical industries; they also are spread over SMBs and enterprises. Deployment sizes at year-end 2012 spanned a median in the range of thousands of end users, with a maximum on the order of 100,000 end users or more. Deepnet remains a Niche Player in this Magic Quadrant. Strengths It has an exceptionally wide range of authentication methods, including biometric authentication (that is, face, voice). It offers simple contextual authentication. Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions. Gartner, Inc. G Page 5 of 55

6 Cautions Its end-user numbers are in the lowest tier (but its customer numbers are moderate, with a growth rate above the market norm). Its customer base is skewed toward Europe (more than half of customers) and the U.S. (about one-third). Its pricing is in the highest quartile for Scenario 5 for on-premises solutions. It has a key person dependency on its current CEO, who is the single decision maker over all aspects of the business. EMC (RSA) Massachusetts-based RSA, The Security Division of EMC, offers a wide-focus authentication platform, RSA Authentication Manager (AM), which supports the well-known RSA SecurID OTP tokens (among other methods). AM is delivered as server software, as virtual and hardware appliances, and as an SDK. RSA AM Express, a hardware appliance aimed at SMBs, has now been superseded by the latest version of AM. RSA also offers RSA Adaptive Authentication (AA; see "Magic Quadrant for Web Fraud Detection"), which is used for user authentication by some larger enterprises in nonbanking vertical industries. RSA offers a fairly broad (but proprietary) range of authentication methods. OTP hardware tokens are still most commonly used, but OTP apps for smartphones are being marketed more aggressively. AM (and AA) lacks native biometric authentication, but this will likely change following the July 2013 acquisition of PassBan. RSA has customers across all vertical industries. The majority are larger enterprises. RSA provided no information about industry breakdown or deployment sizes. RSA has a strong position in this market (customer and end-user numbers are in the highest tiers), as well as a very strong product strategy and innovation. In our opinion, the March 2011 breach (see "RSA SecurID Compromise Is of Concern, but Likely Not a Fatal Flaw" [Note: This document has been archived; some of its content may not reflect current conditions]) was a catalyst for a significant shift of focus away from its legacy SecurID hardware tokens. RSA remains a Leader in this Magic Quadrant. Strengths AM now has rich contextual authentication capabilities (what RSA calls "Risk-Based Authentication") ported from AA. There is an additional one-off licensing cost for this. It is the most frequently shortlisted vendor among other vendors' reference customers. It is the vendor most often cited as the competitor to beat by the others included in this research. Page 6 of 55 Gartner, Inc. G

7 Its pricing is in the lowest quartile for Scenario 5 for on-premises solutions, as well as for Scenarios 4 and 5 for cloud solutions. However, this was based on AA rather than AM, reflecting RSA's positioning of these products for different use cases. (RSA didn't quote pricing for Scenarios 1, 2 or 3 for cloud solutions.) It has huge brand depth (even if SecurID is still frequently misspelled). Cautions There is no cloud-service version of AM (but managed services are provided globally by a wide range of MSSPs). There are no OOB voice modes in AM (only in AA via Authentify). It is the vendor most often cited in inquiries, but these are mainly critical of the TCO and UX of RSA SecurID hardware tokens. (However, clients including RSA customers are not always aware that RSA itself offers lower-tco, better-ux methods.) RSA was most often disqualified by other vendors' reference customers on pricing. Its customer base is skewed toward the Americas (three-fifths of customers, most of which are likely in the U.S.) and EMEA (one-third). Entrust Texas-based Entrust offers a wide-focus authentication platform, IdentityGuard, which is delivered as server software. (Entrust introduced its cloud service, IdentityGuard Cloud Services, in late 2013, but this was not included in our analysis.) IdentityGuard supports a wide range of authentication methods, with OTP apps, OTP hardware tokens and OTP grid cards being the most commonly used. The vendor also has public-key infrastructure (PKI) product and service offerings in its identity and access management (IAM) portfolio. Financial services and government each account for about one-third of Entrust's customers. The majority of its customers are enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds to thousands of end users, with a maximum on the order of 10 million end users or more. Entrust remains a Niche Player in this Magic Quadrant. Strengths Its growth rate is above the market norm. Its cloud application integration (via IdentityGuard Federation Module) supports OpenID as well as SAML. Gartner, Inc. G Page 7 of 55

8 It supports contextual authentication via a native "risk-based" engine, which is used by about half of its customers. Its reference customers were extremely satisfied with Entrust's customer support. Its pricing is in the lowest quartile for Scenario 5 for on-premises solutions. Cautions Its customer base is skewed toward the U.S. (about two-fifths of customers), Europe and Latin America (about one-fifth in each). It has exceptionally high pricing for Scenario 2, and its pricing for Scenario 3 for on-premises solutions is in the highest quartile. Gartner clients were dissatisfied with its internationalization capabilities. Equifax Georgia-based Equifax offers a wide-focus authentication platform, Anakam.TFA, which is delivered as server software and as a cloud service. This supports a fairly wide range of authentication methods, with OOB SMS modes being the most commonly used. Anakam.TFA is one part of Equifax's broad range of fraud and identity solutions. This reflects Equifax's goal to be a broader identity assurance provider, rather than a direct competitor to Leaders in this market. More than half of Equifax's customers are in financial services; other key markets are healthcare and the public sector. Equifax didn't provide a customer breakdown by size, but we estimate the average deployment size to be upward of hundreds of thousands of end users. Equifax remains a Niche Player in this Magic Quadrant. Strengths It is part of a uniquely broad identity assurance portfolio. It offers simple contextual authentication. Its pricing is in the lowest quartile for Scenario 1 for cloud solutions. Cautions Its customer numbers are in the lowest tier (but the majority of customers are large enterprises, while Equifax's end-user numbers are in the upper midtier). Reference customers were dissatisfied with its reporting/analytics. It has exceptionally high pricing for Scenarios 2 and 3 for on-premises solutions. Page 8 of 55 Gartner, Inc. G

9 Its customer base is skewed toward the U.S. (about two-thirds of customers) and Europe (about one-fifth). Gemalto Netherlands-based Gemalto, still best known as a smart-card vendor, offers two wide-focus authentication platforms: Protiva IDConfirm 1000, which is targeted at business-to-employee use cases; and Ezio Server, which incorporates technology from Gemalto's December 2012 acquisition of DS3, and is targeted at B2C use cases. IDConfirm is typically delivered as server software or as a managed service; Ezio is typically delivered as a virtual appliance or a hardware appliance. Gemalto offers a wide range of authentication methods, with X.509 hardware tokens (smart cards and so on) being most commonly used, while OTP tokens (including RCA readers) and OOB SMS modes are quickly gaining ground. Gemalto also offers Coesys egov, which is aimed at e-government applications and combines user authentication and federated SSO. The majority of Gemalto's customers are in financial services, government and healthcare. The majority of customers are also larger enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds of thousands of end users, with a maximum of several million end users. Gemalto has demonstrated very sound market understanding and very strong innovation, and remains a Leader in this Magic Quadrant. Strengths Its customers are well-dispersed geographically. Its pricing is in the lowest quartile for all scenarios for on-premises solutions, including the lowest pricing for Scenarios 1 and 2. It is the joint third most frequently shortlisted vendor among other vendors' reference customers. Cautions It still lacks contextual authentication, as well as native server-side support for biometric authentication. However, it can support client-side match-on-card capabilities. Its multitenanted cloud service is available only via third-party providers. HID Global California-based HID Global has two wide-focus authentication platforms that are delivered as server software (ActivID Authentication Server, which is primarily targeted at banks and cloud services providers, and ActivID AAA Server, which is primarily targeted at workforce remote Gartner, Inc. G Page 9 of 55

10 access); it also has virtual and hardware appliances (such as ActivID Authentication Appliance) as well as an SDK. It offers a very wide range of authentication methods, with OTP hardware tokens being most commonly used ahead of OTP apps, OOB SMS modes and X.509 hardware tokens. In addition, HID offers other ancillary products, including card management (CM) tools. The majority of HID's customers are in government, financial services and technology. They are also enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds of end users, with a maximum on the order of 1 million end users or more. HID faces some brand depth issues: ActivIdentity (the name of the company HID acquired in 2010) still has greater market recognition than HID's ActivID brand (which was introduced in 2012). HID continued to use the "ActivIdentity" logotype in publicity materials (such as event sponsorship) throughout HID Global has demonstrated very sound market understanding and remains a Visionary in this Magic Quadrant. Strengths It has broad target system integration. It offers biometric authentication (interface interactivity) through its BehavioSec partnership. It has strong "common access card" play, including support for the use of legacy building access cards for user authentication. It supports rich contextual authentication via ActivID Threat Detection Service (under OEM license from ThreatMetrix) integrated with other ActivID products. However, this is a separate line item and is contingent on that third-party relationship. Cautions It still lacks a cloud service. However, managed hosted services are available through partner managed security service providers (MSSPs), and HID Global tells us a cloud service is planned for 1Q14. It lacks out-of-the-box support for OOB voice modes (but integration with Authentify, TeleSign and so on can be supported). Its pricing is the highest quoted for Scenarios 1, 2 and 3 for on-premises solutions. Its customer base is skewed toward Europe (about one-half of customers) and the U.S. (about one-third). HID tells us that it sees strong growth, especially among banking customers, in other regions. Page 10 of 55 Gartner, Inc. G

11 Mi-Token Texas-based Mi-Token offers an OATH-compliant OTP and OOB authentication solution that is delivered as server software (Mi-Token Server), a virtual appliance (Mi-Token V Server), a cloud service (Mi-Token Cloud Server), and as an SDK. The core products and services are intended to integrate simply with Active Directory for low total cost of ownership (TCO) and a short time to value. Mi-Token provides an optional hardware security module for secure seed generation within the enterprise. The vendor also offers a fairly broad range of authentication options, with OTP hardware tokens and OTP apps for smartphones being most commonly used. In October 2013, Mi- Token announced a partnership with Microlatch for biometric-enabled hardware tokens. Mi-Token's offerings also include innovative technology for payment security. About half of Mi-Token's customers are in financial services, and another third are in government. The majority are enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands of end users, with a maximum on the order of 1 million end users or more. Mi-Token is new in this Magic Quadrant. Strengths It offers simple contextual authentication. Reference customers were very or extremely satisfied with its customer support. Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions. It is the only vendor in this Magic Quadrant with a significant share of its business in the Middle East and Africa. Cautions Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is well above the market norm). Reference customers were dissatisfied with its reporting/analytics. Mi-Token tell us that additional reporting/analytics is available at an extra fee. Its pricing is in the highest quartile for Scenario 5 for on-premises solutions. Its customer base is skewed toward the U.S. (one-third of customers), EMEA and Asia/Pacific, excluding Japan (one-quarter in each), with a limited presence in Europe. Microsoft Washington-based Microsoft offers a phone-as-a-token authentication platform, Windows Azure Multi-Factor Authentication, that is delivered as a cloud service or an on-premises/cloud hybrid, based on its October 2012 acquisition of PhoneFactor. Microsoft offers only phone-as-a-token authentication methods, albeit with a wide range of options, and its implementation offers security Gartner, Inc. G Page 11 of 55

12 and user experience (UX) advantages. It can support other vendors' OATH OTP hardware tokens. It also offers biometric voice authentication, but only as an adjunct to OOB voice modes. Microsoft did not provide any customer breakdown by vertical industry, size or deployment size. While its sales execution remains sound, Microsoft's presence in the market is modest, and, in our opinion, its focus on the acquisition and integration into Windows Azure has diverted attention from other execution and vision criteria. Microsoft remains a Niche Player in this Magic Quadrant. Strengths Reference customers were extremely satisfied with its customer support. It is the joint third most frequently shortlisted vendor among other vendors' reference customers. Its pricing is in the lowest quartile for Scenarios 2, 3 and 4 for cloud solutions, including the lowest pricing quoted for Scenario 2. It has a pay-for-what-you-use pricing model (only users active during a month are counted for billing). Cautions It has no contextual authentication as such, but offers endpoint identity (EPI) and IP address whitelisting. Its end-user numbers are in the lowest tier (but its customer numbers are moderate). Gartner understands that the great majority of its customers are in the U.S. It has presented exceptionally high pricing for Scenario 5 for cloud solutions. While Windows Azure Multi-Factor Authentication is offered independently of its Windows Azure framework, we remain somewhat wary about its longer-term status. Microsoft demonstrated no clear product or marketing strategy for it, apart from the overall Windows Azure "Cloud OS" messaging. PointSharp Sweden-based PointSharp offers an OATH-compliant authentication solution, PointSharp ID, that is delivered as server software, as a virtual appliance, as managed service and as an SDK. It offers a fairly broad range of authentication methods, including OTP hardware tokens, although OTP apps for smartphones and OOB SMS modes are most commonly used. The company focus is on mobility and security "mobile access management." Page 12 of 55 Gartner, Inc. G

13 About one-quarter of PointSharp's customers are in financial services and one-quarter are in government, with the rest spread across multiple vertical industries. The majority of customers are enterprises, some of which are large. Deployment sizes at year-end 2012 spanned a median in the region of hundreds to thousands of end users, with a maximum on the order of 100,000 end users or more. PointSharp is new in this Magic Quadrant. Strengths It has simple contextual authentication. It has simple integration with Microsoft Exchange from mobile devices. Reference customers were very satisfied with its customer support. PointSharp makes creative use of social media here. Its pricing is in the lowest quartile for Scenarios 2, 4 and 5 for on-premises solutions. Cautions Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is very well above the market norm). It offers cloud service only through partners. Its customer base is very heavily skewed toward Europe (about nine-tenths of customers). SafeNet Baltimore-based SafeNet offers three wide-focused server-software products SafeNet Authentication Manager (SAM), SafeNet Authentication Manager Express (SAMx) and SafeNet Authentication Service for service providers (SAS SPE) and a cloud service, SafeNet Authentication Service (SAS, based on its March 2012 acquisition of Cryptocard). It offers a very wide range of authentication methods (with SAM supporting the whole range, including X.509 tokens, while SAMx and SAS support somewhat narrower ranges). OTP hardware tokens are the most widely used, ahead of X.509 tokens and phone-as-a-token options. About one-third of SafeNet's customers are in government, about one-quarter are in financial services, and about one-fifth are in healthcare. They range from SMBs to very large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands of end users with a maximum on the order of 1 million end users or more. SafeNet has a strong position in this market (customer numbers are in the highest tier, while enduser numbers are in the upper midtier), and demonstrated significantly improved marketing execution through It also demonstrated a very sound market understanding, as well as a very strong product strategy and innovation. Gartner, Inc. G Page 13 of 55

14 It remains a Leader in this Magic Quadrant. Strengths It is the joint third most frequently shortlisted vendor among other vendors' reference customers. It is one of three vendors most often cited as the competitor to beat by others included in this research. SAM supports contextual authentication (also planned for SAS in 2014). Reference customers were very or extremely satisfied with its customer support. Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions, and for Scenarios 1, 2, 3 and 4 for cloud solutions. (However, it was most often disqualified by other vendors' reference customers on pricing.) It has an all-in, per-user, per-month pricing model for all offerings. Cautions Its customer base is skewed toward EMEA (nearly one-half of customers) and the U.S. (more than two-fifths). It lacks native server-side support for biometric authentication, but can support client-side match-on-card capabilities (biometric-enabled X.509 tokens). SecureAuth California-based SecureAuth offers SecureAuth IdP, which Gartner categorizes primarily as a WAM product that delivers federated SSO with broad protocol support, strong mobile device support (including an integration toolkit for mobile Web and resident mobile applications) and native support for a range of authentication methods. However, Gartner sees many clients evaluating SecureAuth IdP solely as a direct replacement for other vendors' "pure" user authentication offerings hence, its inclusion in this research. SecureAuth IdP is delivered as server software, as virtual and hardware appliances, and as a cloud service. SecureAuth's Universal Browser Credential (UBC) does double duty as an X.509 software token and as the anchor for SecureAuth IdP's SSO and authentication workflow. Apart from this, SecureAuth offers a fairly wide range of authentication methods, with OOB authentication methods being most widely used. SecureAuth can also support other methods by being able to "consume" identities authenticated by other services, such as Microsoft Active Directory or a social network. SecureAuth's customers are spread across multiple vertical industries, with about one-third in healthcare. The majority are very large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of tens to hundreds of thousands of end users, with a maximum on the order of 10 million end users or more. Page 14 of 55 Gartner, Inc. G

15 SecureAuth demonstrated improved business strategies to match its product strategy and innovation, and moves from Niche Player to Visionary in this Magic Quadrant. Strengths It offers simple contextual authentication via HTML5-based EPI. It has federated SSO based on OpenID as well as SAML. Reference customers were extremely satisfied with its customer support. Its pricing is in the lowest quartile for Scenario 4 for on-premises solutions. It has a very good internationalization model: All text is abstracted, and professional translations in several languages are available. It continues to be the user authentication vendor most often cited positively by clients, who point to the ease of implementation and ongoing administration, as well as to the good UX provided by SecureAuth's UBCs. Cautions While its target system integration is fairly broad, it hinges on UBC, which requires a Web interface, so integration to legacy target systems must be proxied through a Web-enabled gateway. Its customer numbers are in the lowest tier (but its end-user numbers are moderate, and its growth rate is well above market norms). Reference customers were dissatisfied with its reporting/analytics. Its pricing is in the highest quartile for Scenarios 2, 3, 4 and 5 for cloud solutions. The pricing quoted for Scenario 1 for cloud solutions was exceptionally high. Its customer base is skewed toward the U.S. (about one-half of customers) and Europe (about one-fifth). SecurEnvoy U.K.-based SecurEnvoy offers a phone-as-a-token authentication platform, SecurAccess, which is delivered as server software. SecurEnvoy has a roughly even spread of customers across multiple vertical industries. They range from SMBs to very large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands to tens of thousands of end users, with a maximum of 100,000 end users or more. SecurEnvoy is a very strong innovator and remains a Visionary in this Magic Quadrant. Gartner, Inc. G Page 15 of 55

16 Strengths Unique among phone-as-a-token authentication vendors, SecurEnvoy provides preboot authentication via integration with Sophos. It offers simple contextual authentication. Reference customers were extremely satisfied with its customer support. It has grown beyond its domestic market and now has a significant customer base in the U.S. and Asia/Pacific. Its pricing is in the lowest quartile for Scenarios 2, 4 and 5 for on-premises solutions. Its pricing model is all-in. Cautions It focuses on phone-as-a-token authentication (with OOB SMS modes and OTP apps for smartphones being the most widely used). However, implementation is superior: Multiple configuration options for OOB SMS modes enable tuning security-ux balance. It has no cloud service. SecurEnvoy's rationale is that channel partners with long experience in managed and cloud services can offer superior quality of service. Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is above the market norm). SMS Passcode Denmark-based SMS Passcode offers an OOB authentication platform of the same name, which is delivered as server software. SMS modes are the most widely used; voice modes are supported by partnerships with TeleSign, Twilio and others. It can also support Yubico YubiKey OTP hardware tokens. SMS Passcode's customers predominate in manufacturing, natural resources, government and financial services. Nine-tenths of them are SMBs. Deployment sizes at year-end 2012 spanned a median in the region of tens to hundreds of end users, with a maximum on the order of 100,000 end users or more. SMS Passcode remains a Niche Player in this Magic Quadrant. Strengths It offers simple contextual authentication based on behavior patterns and geolocation. It stands out for making creative use of social media in its marketing. Cautions It has no cloud service (although this can be offered by third-party MSSPs). Page 16 of 55 Gartner, Inc. G

17 Its end-user numbers are in the lowest tier (but its customer numbers are moderate, and its growth rate is above the market norm). This is consistent with its focus on SMBs. Its pricing is in the highest quartile for Scenarios 1 and 3 for on-premises solutions. It didn't present pricing for Scenario 5, commenting that the use case didn't match its channel-driven "plug and play" go-to-market model. Its customer base is heavily skewed toward Europe (about four-fifths of customers). Swivel Secure U.K.-based Swivel Secure offers a phone-as-a-token platform delivered as server software (Swivel Core Software) and as virtual and hardware appliances (Swivel Virtual Appliance and Swivel Appliance). All these also support Swivel Secure's variety of improved password and pattern-based OTP knowledge-based authentication (KBA) methods, which work with nonce challenges ("security strings") and can be displayed on the login screen in the simplest implementation. Swivel Secure also offers OOB push(ish) and SMS modes that combine the KBA methods and can also support OTP hardware tokens. Swivel Secure's customers are spread across multiple vertical industries. They range from SMBs to very large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of hundreds to thousands of end users, with a maximum on the order of 100,000 end users or more. Swivel Secure remains a Niche Player in this market. Strengths It has a unique combination of KBA and phone-as-a-token authentication methods that span a range of trust levels and have good UX. It is preintegrated with Microsoft Office 365 and Microsoft Business Productivity Online Suite. Its pricing is in the lowest quartile for Scenario 4 for on-premises solutions. Cautions It has no contextual authentication. It has no cloud service (but rather has a subscription pricing model to better compete with cloud services). Its customer base is very heavily skewed toward Europe (about nine-tenths of customers). It has weak marketing and brand depth. Symantec California-based Symantec offers a wide-focus authentication platform, Symantec Validation and ID Protection Service (VIP), which is delivered as a cloud service. VIP offers a fairly wide range of Gartner, Inc. G Page 17 of 55

18 authentication methods, with OTP apps for mobile phones being most commonly used ahead of OTP hardware tokens. While VIP lacks native federated SSO to support cloud applications, this can be provided at additional cost by Symantec's fledgling cloud access security broker, Symantec O 3. About one-third of Symantec's customers are in financial services, with the rest spread across most other vertical industries. The majority of Symantec's customers are enterprises. Deployment sizes at year-end 2012 spanned a median in the region of thousands to tens of thousands of end users, with a maximum on the order of 1 million end users or more. Symantec is a very strong innovator, but its product or service and market responsiveness ratings are not yet on a par with leading vendors. It remains a Visionary in this Magic Quadrant. Strengths Its growth rate is above market norms. It embeds rich contextual authentication under the name "Intelligent Authentication." Reference customers were very or extremely satisfied with its customer support. It is the joint third most frequently shortlisted vendor among other vendors' reference customers. Its pricing is in the lowest quartile for Scenarios 1, 3 and 4 for cloud solutions. Cautions Its pricing is in the highest quartile for Scenario 5 for cloud solutions (based on a per-user model; however, per-transaction pricing might be lower depending on transaction volumes). Its customer base is skewed toward the U.S. (about one-half of customers) and Europe (about one-third). Its lack of cloud-services security operations centers outside the U.S. inhibits global sales. It has no discrete WFD offering. Symantec VIP alone may not meet financial services customers' needs, or match other vendors' full-blown WFD offerings. (This market accounts for one-third of Symantec's customers down from about one-half in the previous year.) It has no on-premises server software or appliance offering, which limits its appeal (as shown by Gartner client interactions). Technology Nexus Sweden-based Technology Nexus offers a range of wide-focus authentication platforms: PortWise Authentication Server (server software), Nexus Appliance Platform (a virtual appliance based on CentOS), Nexus Managed Service (a managed hosted service) and Nexus Cloud Service (a cloud service). Page 18 of 55 Gartner, Inc. G

19 Nexus offers a wide range of authentication methods, with OTP apps for mobile phones and OOB SMS modes being most commonly used. It also offers ancillary tools, as well as WAM and federated SSO tools. Nexus has about one-third of its customers in financial services and in government, with about onefifth in manufacturing and natural resources. The majority of Nexus' customers are large enterprises. Deployment sizes at year-end 2012 spanned a median in the region of tens of thousands of end users, with a maximum of tens of millions of end users. Technology Nexus demonstrated very sound market understanding and very strong product strategy and innovation, and remains a Leader in this Magic Quadrant. Strengths Cloud integration options include OAuth and System for Cross-Domain Identity Management (SCIM), as well as SAML. It has one of the widest ranges of authentication methods, including biometric authentication (interface interactivity) through a BehavioSec partnership. It offers simple contextual authentication. Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions, and for Scenarios 2, 3 and 4 for cloud solutions. Cautions Its pricing is in the highest quartile for Scenario 5 for cloud solutions. Its customer base is skewed toward Europe and Asia/Pacific (about two-fifths in each geography). TeleSign California-based TeleSign offers a phone-as-a-token authentication platform, TeleSign Verify (formerly 2FA), which is delivered as a cloud service. Its February 2013 acquisition of RoutoMessaging (now TeleSign Mobile) gives TeleSign a global mobile messaging platform and access to network data that has enhanced its offerings. TeleSign now offers a dual-mode OOB push mode/otp smartphone app, as well as its legacy OOB voice and SMS modes. Several other vendors, including some in this research, license TeleSign for (at least voice-based) OOB authentication. About three-fifths of TeleSign's customers are in cloud services (including social media) and e- commerce, with about one-quarter in financial services and others in online gaming and Web-based . Just over half of TeleSign's customers are SMBs. Deployment sizes at year-end 2012 spanned a median in the region of hundreds of thousands of end users, with a maximum of hundreds of millions of end users. Gartner, Inc. G Page 19 of 55

20 TeleSign demonstrated a very strong product strategy and innovation, and remains a Visionary in this Magic Quadrant. Strengths It supports contextual authentication, leveraging its PhoneID offering to provide a variety of information about a phone number. Its growth rate is very well above market norms, with end-user numbers bolstered by its strong presence among very large global service providers (including social media). Reference customers were very or extremely satisfied with its customer support. Its pricing is in the lowest quartile for all scenarios for cloud solutions. It has the lowest pricing for Scenarios 1, 3 and 5. Cautions It has somewhat limited target system integration. This depends heavily on APIs rather than standard protocols; however, TeleSign contends that this, modeled on Amazon's authentication model with a shared secret key, makes it more secure. Its customer base is skewed toward the U.S. (about half) and Europe (about one-fifth and growing). However, it supports end users of global service providers in more than 200 countries, and internationalization is excellent. It lacks on-premises server software or an appliance offering. It does not support OTP hardware tokens. However, TeleSign's partners, including vendors in this research, can meet such needs. Vasco Data Security Illinois-based Vasco offers a range of wide-focus authentication platforms: Identikey (server software), Identikey Virtual Appliance, Identikey Appliance (a hardware appliance), Digipass as a Service (private cloud service), MyDigipass.com (public cloud service) and Vacman Controller (APIbased authentication library). Vasco offers a wide range of authentication methods with OTP hardware tokens, OTP apps for smartphones and X.509 software tokens being most commonly used. More than one-third of Vasco's customers are in financial services; another third are in communications, media and services; and the rest are spread across other vertical industries. Vasco provided no information about customer or deployment sizes. Vasco Data Security has a strong position in this market (customer numbers are in the highest tier, with end-user numbers in the upper midtier) and is a very strong innovator. It remains a Leader in this Magic Quadrant. Strengths It is the second most frequently shortlisted vendor among other vendors' reference customers. Page 20 of 55 Gartner, Inc. G

21 It is one of the three vendors most often cited as the competitor to beat by the others included in this research. It has a federated SSO based on OpenID as well as SAML. It has one of the widest ranges of authentication methods (although support varies across offerings). Its pricing is in the lowest quartile for Scenarios 2 and 4 for on-premises solutions and cloud solutions. Cautions It has no contextual authentication capability. Its pricing is in the highest quartile for Scenario 1 for on-premises solutions and cloud solutions. It is most often disqualified by other vendors' reference customers based on pricing. Its customer base is skewed toward EMEA (about two-thirds of customers). Vendors Added and Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Added Mi-Token: A Texas-based commodity user authentication vendor. PointSharp: A Sweden-based user authentication and mobile management vendor. Dropped DS3 was acquired by Gemalto early in December The following vendors failed to meet the elevated inclusion criteria for this Magic Quadrant: i-sprint Innovations: Singapore-based i-sprint was founded in 2000 and acquired in 2011 by Automated Systems Holdings (ASL), a subsidiary of Teamsun. i-sprint's core offering in this market is AccessMatrix Universal Authentication Server (UAS), a server software product that is one of an integrated set of IAM technologies. AccessMatrix UAS fully supports a broad range of third-party proprietary and OATH-compliant OTP tokens, as well as biometric authentication methods. i-sprint continues to execute well in its core market, but is limited by its target vertical industry (financial services) and geography (although its Chinese ownership does give it access Gartner, Inc. G Page 21 of 55

22 to the burgeoning Chinese market). It remains a credible choice for large enterprise deployments. Yubico: Based in Stockholm and Palo Alto, California, Yubico was established in It has a number of core software and service offerings in this market, but it is best known for its distinctive OTP, X.509 and Near Field Communication hardware tokens, which are also supported by a number of other vendors in this Magic Quadrant. While Yubico has some notable deployments with large global enterprises, such as Facebook and Google, most of its direct customer deployments are too small for it to be able to qualify for inclusion in this Magic Quadrant. It remains a credible choice for firms seeking low-tco hardware token deployments. Other Changes PhoneFactor: This brand has disappeared, and Microsoft now offers the phone-as-a-token authentication platform as Windows Azure Multi-Factor Authentication. Honorable Mentions The following vendors did not meet the inclusion criteria (typically because of customer and enduser numbers), but are credible alternatives to the vendors included in this Magic Quadrant: CM: Netherlands-based CM offers a range of telephony services for messaging, payments and security. It is a communications partner and service operator for many vendors' OOB authentication offerings. Since 2010, it has offered an OOB authentication service (SMS modes) directly to end customers. It is aggressively priced and offers good quality of service, and is now CM's fastest-growing offering. Duo Security: Michigan-based Duo Security offers a wide-focus authentication platform delivered as cloud services. These services support OOB authentication (voice, SMS and push modes), OATH-compliant OTP tokens (printed media, hardware and software) and simple contextual authentication (behavior patterns and location). Almost all its customers are U.S.- based, where its growth rate is above the market norm. It is available on special terms to higher education institutions via InCommon and Internet2. Entersekt: South Africa-based Entersekt offers a phone-as-a-token authentication platform delivered as FIPS hardware appliances and encrypted messaging services. Its mobile phone app for smartphones and feature phones combines OOB push modes with an X.509 device credential that is used to sign messages from the phone; the app also can generate OATH-compliant OTPs as a fallback when mobile data or Wi-Fi services are unavailable. A mobile SDK is also available. Entersekt targets the financial services sector and has many domestic customers with millions of users. It is now gaining traction in Europe and, to a lesser degree, the U.S. Imprivata: Massachusetts-based Imprivata has been a successful vendor in the enterprise SSO (ESSO) market for several years with its OneSign ESSO appliance (see "Market Overview for Enterprise Single Sign-On Tools"). In the past few years, Imprivata has had a singular focus on and success in the healthcare market. It also offers OneSign Authentication Management (AM), a stand-alone user authentication product, as a hardware or virtual appliance. OneSign AM Page 22 of 55 Gartner, Inc. G

23 supports a full range of the authentication methods demanded by its target market, including the use of building access cards (contactless chip cards and RFID cards) and fingerprint biometric authentication, which are commonly used among healthcare customers in North America, and X.509 hardware tokens, which are widely used among healthcare customers in EMEA. Imprivata also offers OneSign Virtual Desktop Access, which provides API-level integration with leading virtualization platforms to automate and streamline the login process, including authenticating to the workstation, launching and authenticating to the virtual desktop client, and selecting the desktop. Within this target vertical industry, Imprivata is the leading vendor by market share, according to healthcare industry sources. Although, in our opinion, Imprivata doesn't fit our market definition for a general user authentication solution, Gartner clients in healthcare will likely find that it can meet their specific needs ahead of other vendors included in this Magic Quadrant. Kobil Systems: Germany-based Kobil offers a wide-focus authentication platform, Smart Security Management Server, which is delivered as server software, a virtual appliance and a managed service. It offers a wide variety of OTP hardware tokens (EMV-CAP, HHD and OATH HOTP) and X.509 tokens, as well as OOB push modes. It has targeted the financial services sector; it also has a strong, localized customer base in Germany, Austria, Switzerland and Turkey. While it has little visibility globally, Kobil asserted that it has firm plans for expansion. McAfee: A wholly owned subsidiary of Intel, McAfee has a Center of Expertise for Identity based in Sweden, built around Intel's January 2011 acquisition of Nordic Edge. McAfee offers a phone-as-a-token authentication platform, One Time Password, as well as a federated SSO platform, Cloud Single Sign On, which embeds the authentication offering. The OTP platform supports "Pledge" OTP apps (for desktops as well as phones) and OOB SMS modes, and offers good migration support for legacy OTP tokens. The product is notable for its ease of implementation, enabling proofs of concept without any vendor support (or any contact with McAfee a "see it, try it, buy it" model). The majority of its customers are in Europe, but since the acquisition, it is beginning to gain traction in North America. Inclusion and Exclusion Criteria The following inclusion criteria apply: Relevance of offering: Each core user authentication infrastructure product or service meets the user authentication market definition established above. This market definition does not include providers that deliver only one or more of the following: 1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors). 2. Credential management tools, such as password management tools, CM tools, and PKI certification authority and registration authority tools (including OCSP responders). 3. Software, hardware or services in other markets (such as WAM, WFD or VPN) that embed native support for one or many authentication methods within that context only, or that Gartner, Inc. G Page 23 of 55