Content of Figures
- Figure 1 The Overall Leadership rating for the cloud-based MFA market segment
- Figure 2 Product leaders in the Cloud-based MFA market segment
- Figure 3 Innovation leaders in the Cloud-based MFA market segment
- Figure 4 Market leaders in the Cloud-based MFA market segment
- Figure 5 The Market/Product Matrix
- Figure 6 The Product/Innovation Matrix
- Figure 7 The Innovation/Market Matrix
Identity and Access Management (IAM) systems have continued to evolve significantly over the last two decades. Increasing security and improving usability have both been contributing factors to this evolution. Data owners and IT architects have pushed for better ways to authenticate and authorize users, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). Many organizations are opting to deploy these capabilities in conjunction with their Identity-as-a-Service (IDaaS) solutions or as part of a “cloud-first” strategy.
Cloud-based MFA is the process of using a SaaS solution to gather additional attributes about users and their environments and evaluate the attributes in the context of risk-based policies. The goal of Cloud MFA is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by “step-up” authentication. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F or UAF transactions, SmartCards, and behavioral biometrics. Behavioral biometrics can provide a framework for continuous authentication, by constantly evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile “swipe” analysis, and even mobile gyroscopic analysis.
Cloud MFA solutions can present multiple authentication schemes and challenges to a user or service according to defined policies. These policies can be based on any number of factors, for example the time of day, the category of user, or the location or device from which authentication is attempted; such factors are used to define variable authentication policies. A more advanced form of Cloud MFA uses risk-scoring analytics algorithms to first baseline regular access patterns and then identify anomalous behavior, which triggers additional authentication challenges. This can be referred to as dynamic Cloud MFA, yet it is difficult to categorize Cloud MFA products as strictly dynamic or static, since the strongest products are able to use a combination of both approaches. This is invariably a positive feature, as there are use cases where either static or dynamic Cloud MFA proves the most appropriate, and neither approach is without its limitations.
A wide variety of Cloud-based MFA mechanisms and methods exist in the market today. Examples include:
- Knowledge-based authentication (KBA)
- Strong/Two-Factor or Multi-Factor Authentication (Smart Cards, USB authenticators, biometrics)
- One-time password (OTP), delivered via phone, email, or SMS
- Out-of-band (OOB) application confirmation
- Identity context analytics, including
  - IP address
  - Device ID and device health assessment
  - User Behavioral Analysis (UBA)
Many organizations today employ a variety of authentication methods. Consider the following sample case. Suppose a user successfully logs in to a financial application with a username and password. Behind the scenes, the financial application has already examined the user’s IP address, geo-location, and Device ID to determine if the request context fits within historical parameters for this user. Further suppose that the user has logged in from a new device, and the attributes about the new device do not match recorded data. The web application administrator has set certain policies for just this situation. The user then receives an email at their chosen address, asking to confirm that they are aware of the session and that they approve of the new device being used to connect to their accounts. If the user responds affirmatively, the session continues; if not, the session is terminated.
Going one step further in the example, consider that the user would like to make a high-value transaction in this session. Again, the administrator can set risk-based policies correlated to transaction value amounts. In order to continue, the user is sent a notification via the mobile banking app on his phone. The pop-up asks the user to confirm. The user presses “Yes”, and the transaction is processed.
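The sample case above as a small policy evaluator, added here as an example (it is not code from KuppingerCole or from any vendor in this report). The weights, thresholds, challenge names and the `Profile`/`Request` types are assumptions chosen for illustration; it combines a dynamic context score with a static transaction-value rule and fails closed when a challenge is not approved.

```python
from dataclasses import dataclass

# Constructed policy values; the report gives no thresholds or weights.
HIGH_VALUE_LIMIT = 10_000   # transfers at or above this need push approval
RISK_WEIGHTS = {"new_device": 50, "new_country": 30, "new_ip": 10}
STEP_UP_SCORE = 50          # context score at which email confirmation is required

@dataclass
class Profile:
    """Historical context recorded for one user."""
    devices: set
    countries: set
    ips: set

@dataclass
class Request:
    device_id: str
    country: str
    ip: str
    action: str = "login"   # "login" or "transfer"
    amount: float = 0.0

def context_risk(req: Request, prof: Profile) -> int:
    """Dynamic part: score how far the request context departs from history."""
    signals = {
        "new_device": req.device_id not in prof.devices,
        "new_country": req.country not in prof.countries,
        "new_ip": req.ip not in prof.ips,
    }
    return sum(RISK_WEIGHTS[name] for name, hit in signals.items() if hit)

def required_challenges(req: Request, prof: Profile) -> list:
    """Combine the dynamic score with a static transaction-value rule."""
    challenges = []
    if context_risk(req, prof) >= STEP_UP_SCORE:
        challenges.append("email_confirm")
    if req.action == "transfer" and req.amount >= HIGH_VALUE_LIMIT:
        challenges.append("push_confirm")
    return challenges

def decide(req: Request, prof: Profile, answers: dict) -> str:
    """Fail closed: a missing or negative answer terminates the session."""
    for challenge in required_challenges(req, prof):
        if answers.get(challenge) is not True:
            return "terminate"
    # Record the new context only after every challenge was approved.
    prof.devices.add(req.device_id)
    prof.countries.add(req.country)
    prof.ips.add(req.ip)
    return "allow"
```

Updating the profile only after approval keeps an unconfirmed device from becoming part of the baseline that later requests are compared against.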
Cloud-based MFA, then, can be considered a form of authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies and changing risk factors. Since access to applications and data is the goal, Cloud-based MFA can even be construed as a form of attribute-based access control (ABAC).
The story above is just one possible example. Cloud-based MFA is being used today by enterprises to provide additional authentication assurance for access to applications involving health care, insurance, travel, aerospace, defense, government, manufacturing, and retail. Cloud-based MFA can help mitigate risks and protect enterprises against fraud and loss.
There are a number of vendors in the Cloud-based MFA market. Many of the vendors have developed specialized Cloud-based MFA products and services, which can integrate with customers’ on-site IAM components or other IDaaS. The major players in the Cloud-based MFA segment are covered within this KuppingerCole Leadership Compass.
Overall, the breadth of functionality is growing rapidly. Support for standard Cloud-based MFA mechanisms and the requisite identity federation are now nearly ubiquitous in this market segment; and the key differentiators have become the use of new technologies to step up the user’s authentication assurance level or to collect and analyze information about the user’s session.
1.1 Market Segment
This market segment is mature but constantly evolving, due to innovations in authenticator technology and risk analysis engines. We expect to see more ...
1.2 Delivery models
In this Leadership Compass, we consider cloud-based solutions only. See the recently released KuppingerCole Leadership Compass on Adaptive Authenticat ...
1.3 Required Capabilities
Various technologies support all the different requirements customers are facing today. The requirements are
- Support multiple authenticators such ...
Selecting a vendor of a product or service must not be only based on the comparison provided by a KuppingerCole Leadership Compass. The Leadership Com ...
2.1 Overall Leadership
We find several companies in the Leader section. Microsoft, Idaptive, and Entrust are at the top, showing strong ratings in all Leadership categories. ...
2.2 Product Leadership
Product Leadership is the first specific category examined below. This view is mainly based on the analysis of product/service features and the overal ...
Product Leadership, or in this case, Service Leadership, is where we examine the functional strength and completeness of services. Idaptive is at the ...
2.3 Innovation Leadership
Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require i ...
When looking at Innovation Leadership, Idaptive is slightly ahead of all others, based on excellent support for leading edge authentication techniques ...
2.4 Market Leadership
Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, the geographic distribution of customers, the size of depl ...
Microsoft is the Market leader, due to its large global customer base, partner and support network.
Entrust Datacard, Gemalto, Idaptive, Okta, OneS ...
3 Correlated View
While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor ...
3.1 The Market/Product Matrix
The first of these correlated views contrasts Product Leadership and Market Leadership.
Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of “overperf ...
3.2 The Product/Innovation Matrix
This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between ...
Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.
In ...
3.3 The Innovation/Market Matrix
The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innova ...
Vendors above the line are performing well in the market compared to their relatively weak position in the Innovation Leadership rating; while vendors ...
4 Products and Vendors at a glance
This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Cloud-based MFA. Aside from ...
4.1 Ratings at a glance
Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in table 1.
In addition, we provide in table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in t ...
Table 2 requires some additional explanation regarding the “critical” rating.
In Innovativeness, this rating is applied if vendors provide none or v ...
5 Product/service evaluation
This section contains a quick rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the pro ...
Entrust Datacard commands a large share of the global EMV market and has thousands of customers across the globe, serving millions of users, in both t ...
5.2 Gemalto (was acquired by Thales in 2019/04)
Gemalto, founded in 2006 in France and currently headquartered in the Netherlands, delivers IAM, encryption, and big data tools. It is also the world...
5.3 HID Global
HID Global is part of ASSA Abloy, which is headquartered in Sweden. ASSA Abloy is a publicly-traded conglomerate that also produces many physical acce ...
Idaptive (formerly Centrify), well-known for its privilege management and cross-platform identity solutions, also offers MFA as SaaS. Idaptive’s MFA ...
5.5 ID Dataweb
ID Data Web was founded in 2011 outside the Beltway in Northern Virginia as a spin out of Criterion Systems, an IT services firm specializing in cyber ...
Microsoft Azure Active Directory is their well-known cloud-based identity and access management service. The adaptive authentication offering is archi ...
Okta platform offers an adaptive MFA service in conjunction with their multi-tenant enterprise IDaaS solution. Okta has a focus on security, with FedR ...
5.8 One Identity
Originally founded in 2000, One Identity became a distinct legal entity of Quest Software in 2017. The company is a leading IAM vendor with multiple ...
VASCO has been re-named OneSpan. The cloud service considered here is OneSpan’s Intelligent Adaptive Authentication based on its open architected Tr ...
5.10 Ping Identity
PingIdentity has been a pioneer in identity federation since its inception in 2002. PingFederate was the flagship product, but Ping has expanded and c ...
5.11 Symantec (was acquired by Broadcom Inc.)
California-based Symantec, well-known for cybersecurity and information security solutions, also is a provider of IAM services, including cloud-delive ...
ThreatMetrix was recently acquired by LexisNexis Risk Solutions. ThreatMetrix is known for its threat intelligence services, which cover device, domai ...
6 Vendors and Market Segments to watch
Aside from the vendors covered in detail in this Leadership Compass document, we also observe other vendors in the market that we find interesting. So ...
AvocoSecure is a privately-owned UK company offering Cloud and Adaptive Authentication services. Their product is called Trust Platform. Trust Platfor ...
6.2 CA Technologies
CA Identity Portfolio comprises Identity Management and Governance, Privileged Access Management, Single Sign-On, Advanced Authentication, and Directo ...
6.3 Duo Security
Duo Security provides a scalable MFA solution that can support a small to enterprise-size user base. Duo Security focuses on reducing the complexity o ...
IBM Security Access Manager (SAM) is their tightly integrated adaptive authentication package. SAM can run on a hardware or virtual appliance, either ...
Portland, OR based Iovation was founded in 2004. It was acquired by TransUnion in May of 2018. The company provides an integrated MFA and fraud reduct ...
6.6 NokNok Labs Strong Authentication SaaS
NokNokLabs, a Silicon Valley based startup, has delivered a set of mobile-oriented products that perform adaptive authentication, in conformance with ...
6.7 RSA Adaptive Authentication and SecurID Access
RSA is a major player in the security hardware and software markets. Their Adaptive Authentication product, part of the RSA® Fraud and Risk Intellig ...
6.8 United Security Providers Secure Entry Server
USP is a Swiss-based vendor of security solutions. Their Secure Entry Server combines access management, federation, authorization, network access con ...
7 Related Research
Executive View: Entrust IdentityGuard for Enterprise – 71321
Executive View: ForgeRock Identity Platform – 70296
Executive View: Idaptive (formerly Centrify) Next-Gen Access Platform – 79036
Executive View: Microsoft Azure Information Protection – 72540
Executive View: Microsoft Azure Stack – 72592
Executive View: OneGini Connect – 79031
Executive View: One Identity Safeguard – 79042
Executive View: Ping Identity’s PingDirectory – 70294
Executive View: Ping Identity’s PingOne – 70288
Executive View: Symantec CloudSOC™ – 70615
Executive View: Symantec Advanced Threat Protection – 71155
Leadership Brief: Why Adaptive Authentication Is A Must – 72008
Leadership Brief: Mobile Connect – 71518
Leadership Brief: Transforming IAM – not Panicking – 71411
Leadership Compass: Adaptive Authentication – 71173
Leadership Compass: Adaptive Authentication – 79011