KuppingerCole Report
Leadership Compass
By John Tolbert

Cloud-based MFA Solutions

This report provides an overview of the market for Cloud-based Multi-Factor Authentication (MFA) Solutions and provides you with a compass to help you to find the service that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing Cloud-based MFA Solutions.

1 Introduction

Identity and Access Management (IAM) systems have continued to evolve significantly over the last two decades. Increasing security and improving usability have both been contributing factors to this evolution. Data owners and IT architects have pushed for better ways to authenticate and authorize users, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). Many organizations are opting to deploy these capabilities in conjunction with their Identity-as-a-Service (IDaaS) solutions or as part of a “cloud-first” strategy.

Cloud-based MFA is the process of using a SaaS solution to gather additional attributes about users and their environments and to evaluate those attributes in the context of risk-based policies. The goal of Cloud MFA is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by “step-up” authentication. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F or UAF transactions, SmartCards, and behavioral biometrics. Behavioral biometrics can provide a framework for continuous authentication by constantly evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile “swipe” analysis, and even mobile gyroscopic analysis.

Cloud MFA Solutions can use multiple authentication schemes and can present authentication challenges to a user or service according to defined policies. These policies can be based on any number of factors, for example the time of day, the category of user, or the location or device from which a user or device attempts authentication; such factors can be used to define variable authentication policies. A more advanced form of Cloud MFA uses risk-scoring analytics algorithms to first baseline regular access patterns and then identify anomalous behavior, which triggers additional authentication challenges. This can be referred to as dynamic Cloud MFA, yet it is difficult to categorize Cloud MFA products as either dynamic or static, since the strongest products are able to use a combination of both approaches. This is invariably a positive feature, as there are use cases where either static or dynamic Cloud MFA proves the most appropriate, and neither approach is without its limitations.

A wide variety of Cloud-based MFA mechanisms and methods exist in the market today. Examples include:

  • Knowledge-based authentication (KBA)
  • Strong/Two-Factor or Multi-Factor Authentication (Smart Cards, USB authenticators, biometrics)
  • One-time password (OTP), delivered via phone, email, or SMS
  • Out-of-band (OOB) application confirmation
  • Identity context analytics, including
    • IP address
    • Geo-location
    • Geo-velocity
    • Device ID and device health assessment
    • User Behavioral Analysis (UBA)

Many organizations today employ a variety of authentication methods. Consider the following sample case. Suppose a user successfully logs in to a financial application with a username and password. Behind the scenes, the financial application has already examined the user’s IP address, geo-location, and Device ID to determine if the request context fits within historical parameters for this user. Further suppose that the user has logged in from a new device, and the attributes about the new device do not match recorded data. The web application administrator has set certain policies for just this situation. The user then receives an email at their chosen address, asking to confirm that they are aware of the session and that they approve of the new device being used to connect to their accounts. If the user responds affirmatively, the session continues; if not, the session is terminated.

Going one step further in the example, consider that the user would like to make a high-value transaction in this session. Again, the administrator can set risk-based policies correlated to transaction value amounts. In order to continue, the user is sent a notification via the mobile banking app on their phone. The pop-up asks the user to confirm. The user presses “Yes”, and the transaction is processed.

Cloud-based MFA, then, can be considered a form of authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies and changing risk factors. Since access to applications and data is the goal, Cloud-based MFA can even be construed as a form of attribute-based access control (ABAC).
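The sample case above can be expressed as a small policy function. The following is an added example, not code from the report or from any vendor it covers: it checks the device ID and geo-velocity of a login against the last accepted context and returns the step-up challenges required. The thresholds, field names, and challenge names are assumptions, and the sample contexts are constructed.

```python
import math
from dataclasses import dataclass

# Thresholds and challenge names are illustrative assumptions, not from the report.
MAX_PLAUSIBLE_KMH = 900.0     # above roughly airliner speed = implausible travel
HIGH_VALUE_AMOUNT = 5000.00   # transaction value that requires push confirmation

@dataclass
class Context:
    device_id: str
    lat: float
    lon: float
    epoch_s: int              # event time in seconds

def haversine_km(a, b):
    """Great-circle distance between two contexts, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(min(1.0, math.sqrt(h)))

def geo_velocity_kmh(prev, cur):
    """Speed implied by two consecutive logins; no elapsed time counts as infinite."""
    hours = (cur.epoch_s - prev.epoch_s) / 3600
    dist = haversine_km(prev, cur)
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours

def required_challenges(cur, last, known_devices, amount=0.0):
    """Step-up challenges needed after a valid password; an empty list means allow."""
    challenges = []
    if cur.device_id not in known_devices:
        challenges.append("email_confirm")   # new device: confirm by email
    if amount >= HIGH_VALUE_AMOUNT or geo_velocity_kmh(last, cur) > MAX_PLAUSIBLE_KMH:
        challenges.append("push_confirm")    # high value or anomalous travel
    return challenges

# Constructed sample data: the last accepted login and three later contexts.
LAST = Context("laptop-1", 50.11, 8.68, 0)             # Frankfurt
SAME_PLACE = Context("laptop-1", 50.11, 8.68, 3600)    # known device, 1 h later
NEW_DEVICE = Context("phone-9", 50.11, 8.68, 3600)     # unrecognized device
FAR_AWAY = Context("laptop-1", 40.71, -74.01, 3600)    # New York, 1 h later
KNOWN = {"laptop-1"}

if __name__ == "__main__":
    for name, ctx, amt in [("same place", SAME_PLACE, 0), ("new device", NEW_DEVICE, 0),
                           ("high value", SAME_PLACE, 10000), ("far away", FAR_AWAY, 0)]:
        print(name, required_challenges(ctx, LAST, KNOWN, amt))
```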

The story above is just one possible example. Cloud-based MFA is being used today by enterprises to provide additional authentication assurance for access to applications involving health care, insurance, travel, aerospace, defense, government, manufacturing, and retail. Cloud-based MFA can help mitigate risks and protect enterprises against fraud and loss.

There are a number of vendors in the Cloud-based MFA market. Many of the vendors have developed specialized Cloud-based MFA products and services, which can integrate with customers’ on-site IAM components or other IDaaS. The major players in the Cloud-based MFA segment are covered within this KuppingerCole Leadership Compass.

Overall, the breadth of functionality is growing rapidly. Support for standard Cloud-based MFA mechanisms and the requisite identity federation are now nearly ubiquitous in this market segment; and the key differentiators have become the use of new technologies to step up the user’s authentication assurance level or to collect and analyze information about the user’s session.

1.1 Market Segment

This market segment is mature but constantly evolving, due to innovations in authenticator technology and risk analysis engines. We expect to see more ...


1.2 Delivery models

In this Leadership Compass, we consider cloud-based solutions only. See the recently released KuppingerCole Leadership Compass on Adaptive Authenticat ...


1.3 Required Capabilities

Various technologies support all the different requirements customers are facing today. The requirements are

  • Support multiple authenticators such ...

2 Leadership

Selecting a vendor of a product or service must not be only based on the comparison provided by a KuppingerCole Leadership Compass. The Leadership Com ...


2.1 Overall Leadership

We find several companies in the Leader section. Microsoft, Idaptive, and Entrust are at the top, showing strong ratings in all Leadership categories. ...


2.2 Product Leadership

Product Leadership is the first specific category examined below. This view is mainly based on the analysis of product/service features and the overal ...

Product Leadership, or in this case, Service Leadership, is where we examine the functional strength and completeness of services. Idaptive is at the ...


2.3 Innovation Leadership

Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require i ...

When looking at Innovation Leadership, Idaptive is slightly ahead of all others, based on excellent support for leading edge authentication techniques ...


2.4 Market Leadership

Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, the geographic distribution of customers, the size of depl ...

Microsoft is the Market leader, due to its large global customer base, partner and support network.

Entrust Datacard, Gemalto, Idaptive, Okta, OneS ...


3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor ...


3.1 The Market/Product Matrix

The first of these correlated views contrasts Product Leadership and Market Leadership.

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of “overperf ...


3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between ...

Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.

In ...


3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innova ...

Vendors above the line are performing well in the market compared to their relatively weak position in the Innovation Leadership rating; while vendors ...


4 Products and Vendors at a glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Cloud-based MFA. Aside from ...


4.1 Ratings at a glance

Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in table 1.


In addition, we provide in table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in t ...


Table 2 requires some additional explanation regarding the “critical” rating.

In Innovativeness, this rating is applied if vendors provide none or v ...


5 Product/service evaluation

This section contains a quick rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the pro ...


5.1 Entrust

Entrust Datacard commands a large share of the global EMV market and has thousands of customers across the globe, serving millions of users, in both t ...


5.2 Gemalto (was acquired by Thales in 2019/04)

Gemalto, founded in 2006 in France and currently headquartered in the Netherlands, delivers IAM, encryption, and big data tools. It is also the world...


5.3 HID Global

HID Global is part of ASSA Abloy, which is headquartered in Sweden. ASSA Abloy is a publicly-traded conglomerate that also produces many physical acce ...


5.4 Idaptive

Idaptive (formerly Centrify), well-known for its privilege management and cross-platform identity solutions, also offers MFA as SaaS. Idaptive’s MFA ...


5.5 ID Dataweb

ID Data Web was founded in 2011 outside the Beltway in Northern Virginia as a spin out of Criterion Systems, an IT services firm specializing in cyber ...


5.6 Microsoft

Microsoft Azure Active Directory is their well-known cloud-based identity and access management service. The adaptive authentication offering is archi ...


5.7 Okta

Okta platform offers an adaptive MFA service in conjunction with their multi-tenant enterprise IDaaS solution. Okta has a focus on security, with FedR ...


5.8 One Identity

Originally founded in 2000, One Identity became a distinct legal entity of Quest Software in 2017. The company is a leading IAM vendor with multiple ...


5.9 OneSpan

VASCO has been re-named OneSpan. The cloud service considered here is OneSpan’s Intelligent Adaptive Authentication based on its open architected Tr ...


5.10 Ping Identity

PingIdentity has been a pioneer in identity federation since its inception in 2002. PingFederate was the flagship product, but Ping has expanded and c ...


5.11 Symantec (was acquired by Broadcom Inc.)

California-based Symantec, well-known for cybersecurity and information security solutions, also is a provider of IAM services, including cloud-delive ...


5.12 ThreatMetrix

ThreatMetrix was recently acquired by LexisNexis Risk Solutions. ThreatMetrix is known for its threat intelligence services, which cover device, domai ...


6 Vendors and Market Segments to watch

Aside from the vendors covered in detail in this Leadership Compass document, we also observe other vendors in the market that we find interesting. So ...


6.1 AvocoSecure

AvocoSecure is a privately-owned UK company offering Cloud and Adaptive Authentication services. Their product is called Trust Platform. Trust Platfor ...


6.2 CA Technologies

CA Identity Portfolio comprises Identity Management and Governance, Privileged Access Management, Single Sign-On, Advanced Authentication, and Directo ...


6.3 Duo Security

Duo Security provides a scalable MFA solution that can support a small to enterprise-size user base. Duo Security focuses on reducing the complexity o ...


6.4 IBM

IBM Security Access Manager (SAM) is their tightly integrated adaptive authentication package. SAM can run on a hardware or virtual appliance, either ...


6.5 Iovation

Portland, OR based Iovation was founded in 2004. It was acquired by TransUnion in May of 2018. The company provides an integrated MFA and fraud reduct ...


6.6 NokNok Labs Strong Authentication SaaS

NokNokLabs, a Silicon Valley based startup, has delivered a set of mobile-oriented products that perform adaptive authentication, in conformance with ...


6.7 RSA Adaptive Authentication and SecurID Access

RSA is a major player in the security hardware and software markets. Their Adaptive Authentication product, part of the RSA® Fraud and Risk Intellig ...


6.8 United Security Providers Secure Entry Server

USP is a Swiss-based vendor of security solutions. Their Secure Entry Server combines access management, federation, authorization, network access con ...




©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is given. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
