LEADERSHIP COMPASS KUPPINGERCOLE REPORT - SECUREAUTH
KuppingerCole Report
LEADERSHIP COMPASS
by John Tolbert | September 2018

Adaptive Authentication

This report provides an overview of the market for on-premise Adaptive Authentication solutions and provides you with a compass to help you to find the product that best meets your needs. We examine the market segment, vendor product and service functionality, relative market share, and innovative approaches to providing on-premise Adaptive Authentication solutions.

by John Tolbert
jt@kuppingercole.com
September 2018

KuppingerCole Leadership Compass Adaptive Authentication
Report No.: 79011
Content

1 Introduction (p. 4)
1.1 Market Segment (p. 6)
1.2 Delivery models (p. 6)
1.3 Required Capabilities (p. 6)
2 Leadership (p. 10)
3 Correlated View (p. 18)
3.1 The Market/Product Matrix (p. 18)
3.2 The Product/Innovation Matrix (p. 20)
3.3 The Innovation/Market Matrix (p. 22)
4 Products and Vendors at a glance (p. 24)
4.1 Ratings at a glance (p. 24)
5 Product/service evaluation (p. 26)
5.1 AdNovum nevisAuth (p. 27)
5.2 CA Technologies Advanced Authentication and Rapid App Security (p. 28)
5.3 Entrust Datacard IdentityGuard (p. 29)
5.4 Ergon Informatik Airlock (p. 30)
5.5 Evidian Web Access Manager (p. 31)
5.6 ForgeRock (p. 32)
5.7 HID Global Authentication solutions (p. 33)
5.8 IBM Security Access Manager (p. 34)
5.9 OneSpan Adaptive Authentication (formerly VASCO) (p. 35)
5.10 RSA Adaptive Authentication and SecurID Access (p. 36)
5.11 SecureAuth + Core Security SecureAuth IdP (p. 37)
6 Vendors and Market Segments to watch (p. 38)
6.1 AvocoSecure (p. 38)
6.2 EZMCOM (p. 38)
6.3 InWebo (p. 38)
6.4 Micro Focus Access Manager (p. 39)
6.5 NokNok Labs S3 Authentication Server (p. 39)
6.6 Oracle Adaptive Access Manager (p. 40)
6.7 Ping Identity (p. 40)
6.8 Ubisecure (p. 40)

KuppingerCole Leadership Compass Adaptive Authentication Report No.: 79011 Page 2 of 50

6.9 United Security Providers (p. 40)
7 Methodology (p. 42)
7.1 Types of Leadership (p. 42)
7.2 Product rating (p. 43)
7.3 Vendor rating (p. 45)
7.4 Rating scale for products and vendors (p. 46)
7.5 Spider graphs (p. 47)
7.6 Inclusion and exclusion of vendors (p. 49)
8 Copyright (p. 49)

Content of Tables
Table 1: Comparative overview of the ratings for the product capabilities (p. 24)
Table 2: Comparative overview of the ratings for vendors (p. 25)

Content of Figures
Figure 1: The Overall Leadership rating for the Adaptive Authentication market segment (p. 10)
Figure 2: Product leaders in the Adaptive Authentication market segment (p. 12)
Figure 3: Innovation leaders in the Adaptive Authentication market segment (p. 14)
Figure 4: Market leaders in the Adaptive Authentication market segment (p. 16)
Figure 5: The Market/Product Matrix (p. 18)
Figure 6: The Product/Innovation Matrix (p. 20)
Figure 7: The Innovation/Market Matrix (p. 22)

Related Research
Leadership Brief: Why Adaptive Authentication Is A Must - 72008
Leadership Brief: Mobile Connect - 71518
Leadership Brief: Transforming IAM – not Panicking - 71411
Leadership Compass: Adaptive Authentication – 71173
1 Introduction

Identity and Access Management (IAM) systems have continued to evolve significantly over the last two decades. Increasing security and improving usability have both been contributing factors to this evolution. Data owners and IT architects have pushed for better ways to authenticate and authorize users, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). One such enhancement is Adaptive Authentication.

Adaptive Authentication (AA) is the process of gathering additional attributes about users and their environments and evaluating those attributes in the context of risk-based policies. The goal of AA is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by “step-up” authentication. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F or UAF transactions, hardware tokens, SmartCards, and behavioral biometrics. Behavioral biometrics can provide a framework for continuous authentication by constantly evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile “swipe” analysis, and even mobile gyroscopic analysis.

AA solutions can use multiple authentication schemes and present authentication challenges to a user or service according to defined policies based on any number of factors, for example the time of day, the category of user, or the location or device from which a user or device attempts authentication.
The factors just listed as examples can be used to define variable authentication policies, which are often referred to as context- or policy-based AA. A more advanced form of AA uses risk-scoring analytics algorithms to first baseline regular access patterns and then identify anomalous behaviour, which triggers additional authentication challenges. This can be referred to as dynamic AA, yet it is difficult to categorize AA products into dynamic or static AA categories, since the strongest products are able to use a combination of both approaches. This is invariably a positive feature, as there are use cases where either static or dynamic AA proves the most appropriate, and neither approach is without limitations.
A wide variety of adaptive authentication mechanisms and methods exist in the market today. Examples include:
● Knowledge-based authentication (KBA)
● Strong/Two-Factor or Multi-Factor Authentication (Smart Cards, USB authenticators, biometrics)
● One-time password (OTP), delivered via phone, email, or SMS
● Mobile push notifications / Out-of-band (OOB) application confirmation
● Identity context analytics, including
  • IP address
  • Geo-location
  • Geo-velocity
  • Device ID and device health assessment
  • User Behavioral Analysis
  • Etc.

Many organizations today employ a variety of Adaptive Authentication methods. Consider the following sample case. Suppose a user successfully logs in to a financial application with a username and password. Behind the scenes, the financial application has already examined the user’s IP address, geo-location, and Device ID to determine whether the request context fits within historical parameters for this user. Further suppose that the user has logged in from a new device, and the attributes of the new device do not match recorded data. The web application administrator has set certain policies for just this situation. The user then receives an email at their chosen address, asking them to confirm that they are aware of the session and that they approve of the new device being used to connect to their accounts. If the user responds affirmatively, the session continues; if not, the session is terminated.

Going one step further in the example, consider that the user would like to make a high-value transaction in this session. Again, the administrator can set risk-based policies correlated to transaction value amounts. In order to continue, the user is sent a notification via the mobile banking app on their phone. The pop-up asks the user to confirm. The user presses “Yes”, and the transaction is processed. Adaptive authentication, then, can be considered a form of authorization.
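The sample case above, worked as an added example that is not part of the report or any vendor's product: a per-user baseline of previously seen IP addresses, locations and device IDs, a geo-velocity check between consecutive logins, and a constructed administrator policy that maps the risk factors found to a step-up action (e-mail confirmation for a new device, in-app push confirmation for a high-value transaction). All thresholds, user data and policy rules are assumptions.

```python
"""Policy-based adaptive authentication check modelled on the report's sample
case (added illustration, not vendor code). All thresholds, policy rules and
user data are constructed for the example."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set

MAX_PLAUSIBLE_KMH = 1000.0   # faster than this between two logins is "impossible travel"
HIGH_VALUE_LIMIT = 5000.0    # transactions at or above this need in-app confirmation


@dataclass
class LoginContext:
    """Identity-context attributes gathered at login time."""
    user: str
    ip: str
    lat: float
    lon: float
    device_id: str
    ts: float                # seconds since epoch


@dataclass
class Baseline:
    """Historical parameters recorded for one user from earlier successful logins."""
    ips: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginContext] = None


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_factors(ctx: LoginContext, base: Baseline) -> List[str]:
    """Compare the login context with the baseline: IP, device ID and geo-velocity."""
    factors = []
    if ctx.ip not in base.ips:
        factors.append("new_ip")
    if ctx.device_id not in base.devices:
        factors.append("new_device")
    prev = base.last_login
    if prev is not None and ctx.ts > prev.ts:
        hours = (ctx.ts - prev.ts) / 3600.0
        km = distance_km(prev.lat, prev.lon, ctx.lat, ctx.lon)
        if km / hours > MAX_PLAUSIBLE_KMH:
            factors.append("geo_velocity")   # distance not plausibly travelled in that time
    return factors


# Constructed administrator policy: rules are ordered strongest first, first match wins.
LOGIN_POLICY = [
    ("geo_velocity", "deny"),            # impossible travel: terminate the session
    ("new_device", "email_confirm"),     # unknown device: confirm at the registered e-mail
    ("new_ip", "push_confirm"),          # known device, unseen network: confirm in the mobile app
]


def decide_login(ctx: LoginContext, base: Baseline) -> str:
    """Return 'allow' or the step-up action the policy requires for this login."""
    factors = risk_factors(ctx, base)
    for factor, action in LOGIN_POLICY:
        if factor in factors:
            return action
    return "allow"


def decide_transaction(amount: float) -> str:
    """Transaction-level policy: high-value transactions need out-of-band confirmation."""
    return "push_confirm" if amount >= HIGH_VALUE_LIMIT else "allow"


def record_success(ctx: LoginContext, base: Baseline) -> None:
    """After a successful (and, where required, confirmed) login, extend the baseline."""
    base.ips.add(ctx.ip)
    base.devices.add(ctx.device_id)
    base.last_login = ctx


if __name__ == "__main__":
    base = Baseline()
    record_success(LoginContext("alice", "203.0.113.5", 51.5, -0.12, "laptop-1", 0.0), base)
    print(decide_login(LoginContext("alice", "203.0.113.5", 51.5, -0.12, "phone-9", 7200.0), base))
    print(decide_transaction(10000.0))
```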
The evaluation of these additional attributes can be programmed to happen in response to business policies and changing risk factors. Since access to applications and data is the goal, adaptive authentication can even be construed as a form of attribute-based access control (ABAC).

Adaptive authentication is being used today by enterprises to provide additional authentication assurance for access to applications involving health care, insurance, travel, aerospace, defense, government, manufacturing, and retail. Adaptive authentication can help mitigate risks and protect enterprises against fraud and loss. Moreover, many organizations are increasingly using AA systems in conjunction with Physical Access Control Systems (PACS), i.e., opening doors and gates. This is a particularly innovative usage which will be noted in Chapter 5 for vendors that support these types of use cases.

There are a number of vendors in the Adaptive Authentication market. Many of them provide complete IAM solutions, and Adaptive Authentication is just one part of their overall solution. Other vendors have developed specialized Adaptive Authentication products and services, which can
integrate with other IAM components. The major players in the Adaptive Authentication segment are covered within this KuppingerCole Leadership Compass. Sometimes these solutions are also referred to as Advanced Authentication, Contextual Authentication, or just Step-Up Authentication. This Leadership Compass will examine solutions that are available primarily for on-premise deployment.

Overall, the breadth of functionality is growing rapidly. Support for standard adaptive authentication mechanisms is now nearly ubiquitous in this market segment, and the key differentiators have become the use of new technologies to step up the user’s authentication assurance level or to collect and analyze information about the user’s session.

1.1 Market Segment

This market segment is mature but constantly evolving, due to innovations in authenticator technology and risk analysis engines. We expect to see more changes within the next few years. However, given the surging demand of businesses and the need to provide better security, many organizations must implement Adaptive Authentication, if they have not already, to help reduce the risk of fraud and data loss.

Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a particular customer and their requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.

1.2 Delivery models

In this Leadership Compass, we consider on-premises solutions only. See the KuppingerCole Leadership Compass on Cloud-based Multi-Factor Authentication for similar solutions available as PaaS or as SaaS.

1.3 Required Capabilities

Various technologies support all the different requirements customers are facing today.
The requirements are:
● Support multiple authenticators such as:
  − Smart Cards, CAC/PIV cards, X.509
  − USB tokens
  − Mobile apps and push notifications
  − Biometrics
  − OTP: phone, email, and SMS
● Integrate with IAM systems
● Perform real-time risk analysis of behavioral and environmental factors
● Support federation via OAuth2, OIDC, and SAML
● Facilitate compliance with existing and emerging regulatory frameworks, particularly EU GDPR and PSD2 (Revised Payment Service Directive).
● Adhere to a policy-based access control model so that IT departments and Line of Business application owners can define risk-appropriate authentication rules.
● Integrate with security intelligence and forensic systems.
● Provide administrators with management dashboards and configurable reporting.
● Allow for delegated and role-based administration.
● Consider threat intelligence: subscription to 3rd-party services that identify malicious IP addresses, URLs, and compromised credentials.

Adaptive Authentication is an outgrowth of yesterday’s IAM systems. Many organizations are feeling and responding to the pressure to move away from just using usernames and passwords for authentication. While many strong authentication options have existed for years, such as SmartCards, it is often not feasible from an economic perspective to deploy SmartCards or other hardware tokens to every possible user of a system. Moreover, hardware tokens continue to have usability issues. The mix of authenticators and associated user attributes that most commercial Adaptive Authentication systems present is increasingly sufficient to meet the needs of higher identity assurance for access to sensitive digital resources and high-value transactions.

It is important to understand the primary use cases that drive the requirements for AA and MFA products, as most of the major market players in this space tend to develop solutions tailored for consumer or employee use cases. Some offerings are geared towards specific industry verticals. A good AA solution needs to balance integration flexibility with simplicity. Today’s newest offerings in this area provide multiple authentication mechanisms, including many mobile options; risk engines which evaluate numerous definable factors that can be gathered at runtime and compared against enterprise policies; and out-of-the-box (OOTB) connectors for the majority of popular on-premise and cloud enterprise applications.
Integration with existing IAM platforms should be a primary factor in selecting a suitable product. The advantages of taking a single-vendor approach are primarily due to the potential licensing cost savings that arise from negotiating product bundle discounts. The advantages gained from the imagined greater ease of integrating disparate products from the same vendor rarely offer the reduced complexity promised by sales. Most major solutions support popular identity store back-ends, generally LDAP but sometimes also SQL.

While adaptive and multi-factor authentication may mitigate many authentication risks, no security solution is impenetrable. It is important to plan for rapid response measures for when security breaches do occur. Even the best defensive systems can suffer breaches.
The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.

When evaluating the services, besides looking at the aspects of
• overall functionality
• size of the company
• number of customers
• number of developers
• partner ecosystem
• licensing models
• core features of Adaptive Authentication technology
we thus considered a series of specific features. These functional areas, which are reflected in the spider charts for each company in Chapter 5, include:

Basic Authenticators
Username/password: the most basic form, not recommended.
Knowledge-based authentication (KBA): Security questions and answers that are determined at registration time. KBA is sometimes used in cases where users have forgotten their passwords and need to have them reset, or as a step-up authentication method. KBA is not recommended, as many of the answers to the common questions chosen are not secrets.
OATH One Time Passwords (OTP): OATH standardizes the use of randomized, single-use passwords based on cryptographic hashes. OTP delivery methods can be phone calls, email, or SMS (text) messages. As a more secure variation, OATH specifies time-limited OTPs, sometimes expressed as TOTP. Because SMS OTP implementations are not truly random, and attackers have discovered ways to circumvent SMS OTP, some organizations such as US NIST have deprecated the use of SMS OTP as a primary or step-up authentication method.

Advanced Authenticators
FIDO 2.0, U2F, and UAF: The FIDO Alliance has defined two standards for mobile and two-factor authentication.
U2F applies to various hard token generators, whereas UAF works in conjunction with mobile devices, such as smartphones. The FIDO framework allows device and software manufacturers to utilize different technologies as the basis for authentication events, such as PINs, biometrics, and cryptography. FIDO 2.0 is the latest iteration and will likely surpass U2F and UAF in adoption in the years ahead.
SmartCards have small processors and secure storage devices that contain digital certificates and various user attributes. SmartCards can be used to facilitate the highest levels of authentication assurance. SmartCards are used not only for authentication, both as primary and adaptive authentication methods, but also for physical access and digital signatures. Other types of hardware tokens employ similar technologies in different form factors, such as RSA SecurID and Yubikeys.
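The OATH one-time password derivation described under Basic Authenticators above, as an added example that is not part of the report: HOTP (RFC 4226) derives a short code from an HMAC over a shared secret and a counter, TOTP (RFC 6238) uses the current 30-second time step as that counter, and the verifier must both tolerate small clock drift and enforce single use so an intercepted code cannot be replayed within the window. The secret is the RFC test-vector key, so the outputs can be checked against the RFC tables.

```python
"""OATH HOTP / TOTP generation and verification (added illustration, written
for this page; not code from the report or any vendor). Uses the RFC 4226 /
RFC 6238 test-vector secret so results can be checked against the RFCs."""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector key
TIME_STEP = 30                              # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                window: int = 1, digits: int = 6, step: int = TIME_STEP) -> bool:
    """Stateless check: accept the current step and +/- `window` steps of clock drift.
    Comparison is constant-time to avoid leaking the correct code by timing."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


class TotpVerifier:
    """Per-user verifier that also enforces single use: a time step whose code was
    already accepted is never accepted again, which blocks replay within the window."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = TIME_STEP, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_counter = -1          # highest time step for which a code was accepted

    def verify(self, submitted: str, unix_time: float) -> bool:
        counter = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:  # already consumed (or older): single use
                continue
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))                  # 755224 per RFC 4226
    print(totp(RFC_TEST_SECRET, 59, digits=8))       # 94287082 per RFC 6238
```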
Biometrics is the term applied to any security technology, usually employed for authentication and authorization, which functions by comparing registered measurements to run-time measurements. Examples of biometrics include fingerprint, face, voice, iris, and behavioral. Biometrics can be used as primary authenticators or as policy-invoked adaptive authentication mechanisms.

Mobile support
Service providers are increasingly building their own mobile apps for authentication and authorization. Mobile apps can offer a variety of authentication methods, from simple screen swipes to biometrics (see Biometrics above). Push notifications are a different type of mobile app function which can be used as a second factor in authentication or to authorize transactions out-of-band. The ratings for mobile support include whether or not a product adheres to the GlobalPlatform Secure Element (SE) and Trusted Execution Environment (TEE) specifications for Android, and whether or not the product utilizes the Secure Enclave in iOS.

Risk Analysis
Factors such as IP address, device fingerprints, device health assessment, geo-location, geo-velocity, integration of 3rd-party threat intelligence, and user behavior profiling.

Threat Intelligence
Subscriptions to real-time feeds of known bad IP addresses, locations, proxies, malicious URLs, and compromised credentials.

WAM integration
Integration of products within a suite; interoperability via SSO.

SaaS integration
Use of federation technologies such as OAuth, OIDC, and SAML to allow authenticated users to seamlessly access popular SaaS applications.

Each of the categories above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market. Please note that we only listed major features, but also considered other capabilities when evaluating and rating the various Adaptive Authentication products.
2 Leadership

Selecting a vendor of a product or service must not be based only on the comparison provided by a KuppingerCole Leadership Compass. The Leadership Compass provides a comparison based on standardized criteria and can help identify vendors that shall be further evaluated. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept or pilot phase, based on the specific criteria of the customer.

Based on our rating, we created the various Leadership ratings. The Overall Leadership rating provides a combined view of the ratings for
● Product Leadership
● Innovation Leadership
● Market Leadership

[Figure 1: The Overall Leadership rating for the Adaptive Authentication market segment]

This year we find many companies in the Leader section. RSA leads the field, showing strong ratings in all Leadership categories. CA Technologies, Entrust Datacard, ForgeRock, IBM, and SecureAuth are also overall leaders in the AA field. Each one of these vendors has compelling products with a wide variety of authenticator choices, granular risk analysis engines, the ability to consume threat intelligence, and excellent manageability. All have the scalability and general IAM interoperability and integration that enterprises need to operate efficiently and securely.

In the Challenger segment, Evidian is close to becoming a leader. After Evidian we find OneSpan. OneSpan, with a recent name change from Vasco, has robust mobile authentication options fine-tuned for its primary target industry of finance. Ergon and AdNovum are also in the Challenger segment. Both companies have capable products tailored to their customer requirements. In the Follower segment, we see that HID Global is nearly a Challenger. Their solution is missing some standard AA features, but has some unique advantages that their customers consider essential.
Overall Leaders are (in alphabetical order):
● CA Technologies
● ForgeRock
● IBM
● RSA
● SecureAuth
Product Leadership is the first specific category examined below. This view is mainly based on the analysis of product/service features and the overall capabilities of the various products/services.

[Figure 2: Product leaders in the Adaptive Authentication market segment]

Product Leadership, or in some cases Service Leadership, is where we examine the functional strength and completeness of products. SecureAuth is on top, with their diverse range of authentication choices, complex risk engine, and integrated threat intelligence. Following closely behind SecureAuth are CA Technologies, Entrust Datacard, IBM, ForgeRock, and RSA. Each of these products also provides customers with a large selection of authenticator types to meet the wide array of business cases and regulatory requirements on a global scale. They have the ability to process threat intelligence, whether produced by their own networks or by 3rd parties. This is a key functional requirement for many organizations today.
Ergon, Evidian, and OneSpan occupy the top half of the Challenger section. All three have good authenticator choices and risk engines, but do not process external threat intelligence and may be missing some protocol support that would increase interoperability with other IAM and security components. Following them, we see AdNovum. AdNovum has specific strengths related to their target markets and geography, but lacks a few features we expect to see. In the Follower segment, we find HID Global, with a narrower feature set than the baseline described above.

Product Leaders (in alphabetical order):
● CA Technologies
● Entrust Datacard
● ForgeRock
● IBM
● RSA
● SecureAuth
Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and even emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested cutting-edge features while maintaining compatibility with previous versions.

[Figure 3: Innovation leaders in the Adaptive Authentication market segment]

When looking at Innovation Leadership, SecureAuth is slightly ahead of all others, based on the inclusive set of cutting-edge authenticators and risk factors it supports. Closely following (in alphabetical order) are CA Technologies, Entrust Datacard, ForgeRock, IBM, and RSA, which are constantly delivering new features at customer request, such as adding FIDO support, risk engine configurability, and extensive API integration.
Evidian and OneSpan are in the top half of the Challenger section. Both of these vendors have made significant enhancements to their products that address real business needs. In the remainder of the Challenger block, in alphabetical order, we find AdNovum, Ergon, and HID Global. They are building in more Adaptive Authentication baseline functionality and we expect them to improve in the months ahead.

Innovation Leaders (in alphabetical order):
● CA Technologies
● Entrust Datacard
● ForgeRock
● IBM
● RSA
● SecureAuth
Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and the financial health of the participating companies. Market Leadership, from our point of view, requires global reach.

[Figure 4: Market leaders in the Adaptive Authentication market segment]

RSA is the Market Leader, due to its large global customer base and its partner and support network. CA Technologies, Evidian, and IBM are also Market Leaders. As they are very large software companies and service providers, we are not surprised by their strong position in this market. They each also have customers around the world, with large and experienced partners for implementations and support. ForgeRock sits at the top of the Challenger segment. They have captured many customers, and have a very good support ecosystem. Entrust, OneSpan, and SecureAuth are also placed near the top of the
Challenger segment, with a growing customer set and support ecosystem. Ergon is also a Challenger, with a relatively large number of customers but fairly localized in the DACH region. Finally, we see AdNovum and HID Global in the Followers section. AdNovum, like Ergon, is based in Switzerland and is branching out. HID Global is also small in customer base currently, but growing.

Market Leaders (in alphabetical order):
● CA Technologies
● Evidian
● IBM
● RSA
3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor that is delivering a solution that is both feature-rich and continuously improved, which would be indicated by a strong position in both the Product Leadership ranking and the Innovation Leadership ranking. Therefore, we provide the following analysis that correlates various Leadership categories and delivers an additional level of information and insight.

3.1 The Market/Product Matrix

The first of these correlated views contrasts Product Leadership and Market Leadership.

[Figure 5: The Market/Product Matrix (axes: Market, Product; upper-right quadrant: Market Champions). Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of “overperformers” when comparing Market Leadership and Product Leadership.]
In this comparison, it becomes clear which vendors are better positioned in our analysis of Product Leadership compared to their position in the Market Leadership analysis. Vendors above the line are sort of “overperforming” in the market. It comes as no surprise that these are mainly the very large vendors, while vendors below the line frequently are innovative but focused on specific regions. The matrix shows a picture that is typical for evolving market segments, with a rather broad distribution of the various players across the quadrants and a weak correlation between Market Leadership and Product Leadership. In the upper right box, we find CA Technologies, IBM, and RSA. These vendors are leading in both the product and market ratings. Below these, we find Entrust, ForgeRock, and SecureAuth, which are product leaders but not (yet) in the Market Leader’s segment. On the other hand, in the center top box, we see Evidian, which has a significant market share while not being counted amongst the Product Leaders. In the center of the graphic, Ergon and OneSpan appear. They have respectable positions in both the Product Leadership and Market Leadership ratings and thus are interesting alternatives to the leading vendors. AdNovum is in the lower center, while HID Global is in the lower left. These have smaller market shares and products that may be concentrated on specific feature sets for targeted customers.
3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between the two views with few exceptions. This distribution and correlation are tightly constrained to the line, with a significant number of established vendors plus some smaller vendors.

[Figure 6: The Product/Innovation Matrix (axes: Product, Innovation; upper-right sector labelled “Technology Leaders”). Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.]
This chart shows a quite interesting picture. The line split is nearly horizontal rather than diagonal, which is more often the case. CA Technologies, ForgeRock, IBM, RSA, and SecureAuth are the technology leaders, with many advanced features. The spaces below the technology leaders are empty. In the top center near the Technology Leader vertex, we see Entrust, with a strong product containing many innovative features. Most vendor products reside in the center of the chart: AdNovum, Ergon, Evidian, and OneSpan. HID Global is in the lower center.
3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innovation Leaders. This might pose a risk to their future position in the market, depending on how they improve their Innovation Leadership position. On the other hand, vendors which are highly innovative have a good chance of improving their market position. However, they might also fail, especially in the case of smaller vendors.

[Figure 7: The Innovation/Market Matrix (axes: Market, Innovation; upper-right sector labelled “Big Ones”). Vendors above the line are performing well in the market compared to their relatively weak position in the Innovation Leadership rating, while vendors below the line show an ability to innovate, and thus the biggest potential for improving their market position.]
CA Technologies, IBM, and RSA occupy the top left sector, having both an excellent position in the market and presenting innovative capabilities to their customers. ForgeRock and SecureAuth appear on the rightmost side also, indicating very strong innovation, but having somewhat less market share. Evidian is in the top center box, commanding good market share relative to their level of innovation. Entrust, Ergon, and OneSpan are in the center of the chart, possessing a moderate mix of market share and good innovation. AdNovum and HID Global are found in the lower center, offering some innovative features but not yet capturing a large share of the market.
4 Products and Vendors at a glance

This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Adaptive Authentication. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These allow one to identify, for instance, highly innovative but specialized vendors, or local players that provide strong product features but do not have a global presence and large customer base yet.

4.1 Ratings at a glance

Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in table 1.

Product          Security         Functionality    Integration      Interoperability  Usability
ADNOVUM          positive         positive         neutral          strong positive   neutral
CA TECHNOLOGIES  strong positive  strong positive  strong positive  positive          strong positive
ENTRUST          positive         strong positive  strong positive  neutral           strong positive
ERGON            positive         neutral          strong positive  neutral           neutral
EVIDIAN          neutral          strong positive  neutral          positive          positive
FORGEROCK        positive         strong positive  positive         strong positive   neutral
HID GLOBAL       neutral          positive         weak             weak              positive
IBM              strong positive  strong positive  positive         strong positive   neutral
ONESPAN          positive         strong positive  positive         neutral           neutral
RSA              strong positive  strong positive  weak             strong positive   positive
SECUREAUTH       strong positive  positive         strong positive  strong positive   positive
Table 1: Comparative overview of the ratings for the product capabilities
In addition, we provide in table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.

Vendor           Innovativeness   Market Position  Financial Strength  Ecosystem
ADNOVUM          neutral          weak             positive            weak
CA TECHNOLOGIES  positive         positive         positive            positive
ENTRUST          positive         neutral          positive            positive
ERGON            neutral          neutral          neutral             neutral
EVIDIAN          positive         positive         strong positive     positive
FORGEROCK        positive         positive         positive            positive
HID GLOBAL       positive         weak             neutral             weak
IBM              positive         positive         positive            positive
ONESPAN          positive         neutral          positive            positive
RSA              strong positive  neutral          strong positive     strong positive
SECUREAUTH       positive         positive         neutral             positive
Table 2: Comparative overview of the ratings for vendors

Table 2 requires some additional explanation regarding the “critical” rating. In Innovativeness, this rating is applied if vendors provide no or very few of the more advanced features we have been looking for in that analysis, like support for multi-tenancy, shopping cart approaches for requesting access, and others. These ratings are applied for Market Position in the case of vendors which have a very limited visibility outside of regional markets like France or Germany, or even within these markets. Usually the number of existing customers is also limited in these cases. In Financial Strength, this rating applies in case of a lack of information about financial strength or for vendors with a very limited customer base, but is also based on some other criteria. This doesn’t imply that the vendor is in a critical financial situation; however, the potential for massive investments for quick growth appears to be limited. On the other hand, it’s also possible that vendors with better ratings might fail and disappear from the market.
Finally, a critical rating regarding Ecosystem applies to vendors which have no or a very limited ecosystem with respect to numbers and regional presence. That might be company policy, to protect their own consulting and system integration business. However, our strong belief is that growth and successful market entry of companies into a market segment relies on strong partnerships.
5 Product/service evaluation

This section contains an overview for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.
5.1 AdNovum nevisAuth

AdNovum was founded in 1988 in Switzerland. Today, they have expanded to Budapest, Lisbon, Munich, and Singapore as well. nevisAuth is a separately licensable product within the Nevis Security Suite, which includes components for complete IAM, IGA, and WAF. AdNovum’s largest customer base is in the DACH region, where they focus on medium to large enterprise customers, particularly in finance and insurance.

Strengths
● Good selection of strong MFA mechanisms
● Finance and insurance industry experience
● Tightly integrated with full IAM and IGA suite
● Bundled WAF

Challenges
● Small customer base mostly localized in EU
● No 3rd party threat intelligence consumption
● More mobile support planned, including FIDO UAF authenticators
Table 3: AdNovum’s major strengths and challenges

nevisAuth supports authentication mechanisms including KBA, Kerberos, email/SMS OTP, Google Authenticator, RADIUS, RSA SecurID, SmartCards, and SuisseID. Mobile authentication options are currently lacking, but FIDO support is coming in September 2018. nevisAuth can accept social logins including Facebook, Microsoft, LinkedIn, Twitter, etc. SAML and OAuth are supported for federation and authorization. LDAP is used as the user data repository. Administrators can create risk-based authentication policies which can require evaluation of IP address, day/time, geo-location, HTTP headers, and device fingerprints, as well as user and resource attributes. Risk factors can be weighted. Different actions can be required based on the outcome of the evaluation. At present, the solution does not integrate with 3rd party cyber threat intelligence or compromised credential intelligence. AdNovum can send event data to SIEM solutions. OIDC and SAML support enable SSO to common SaaS applications.
Security          positive
Functionality     positive
Integration       neutral
Interoperability  strong positive
Usability         neutral
Table 4: AdNovum’s rating

AdNovum is a privately owned IAM and security company with a strong DACH regional presence. The product has some good authentication options. Its risk analysis engine is adequate but would benefit from integration with 3rd party intelligence providers. Support for FIDO-based authenticators is coming later in 2018 and will strengthen the product offering.
5.2 CA Technologies Advanced Authentication and Rapid App Security

Well known for enterprise IAM, CA Technologies’ tightly integrated suite is also used in B2C environments that need higher security. The CA Identity Portfolio comprises Identity Management and Governance, Privileged Access Management, Single Sign-On, Advanced Authentication, and Directory products. The product can be deployed on-premise on Red Hat or SUSE Linux, or Windows Servers. The Rapid App Security add-on provides a single SDK for authentication and connections to CA Mobile API Gateway.

Strengths
● Many strong authentication options
● Robust risk engine for Adaptive Authentication
● Mobile API Gateway (MAG), API Management, Bluetooth, and QR code support for IoT integration

Challenges
● Mobile apps should use Trusted Execution Environment
● FIDO support coming soon
● Can use in-network but does not use 3rd-party threat intelligence sources
Table 5: CA Technologies’ major strengths and challenges

For authentication, the CA solution accepts Mobile Push, RADIUS, RSA SecurID, Smart Cards, Yubikeys, Google Authenticator, social logins, and native Apple and Samsung biometrics. Several 3rd-party authenticators interoperate with the platform. CA is a sponsor member of the FIDO Alliance, and we expect to see FIDO protocol support in the near term. The risk engine analyzes up to 200 different risk factors, including detailed device DNA, user behavioral profiling, root/jailbreak checks, and IMEI and SIM serial numbers on mobile devices. The management interface is intuitive and features a drop-down list style policy building tool. Different authentication methods and actions can be triggered based on very granular risk scores. LDAP but not SCIM interfaces are available for provisioning. OAuth, OIDC, and SAML protocols are supported. The product integrates with SIEM/RTSI via syslog, and with GRC and SRM systems via APIs. It can work in conjunction with CA’s own Privileged Access Management product.
The CA solution also allows for user self-management of devices.

Security          strong positive
Functionality     strong positive
Integration       strong positive
Interoperability  positive
Usability         positive
Table 6: CA Technologies’ rating

CA Adaptive Authentication and Rapid App Security are widely deployed and highly scalable. Tight integration with other CA products and good standards support enable it to fit well into complex IAM and CIAM deployments. The good selection of authenticators and granular risk engine make it suitable for environments where high security and authentication assurance are needed.
5.3 Entrust Datacard IdentityGuard

Entrust Datacard commands a large share of the global EMV market and has thousands of customers across the globe, serving millions of users, in both the B2C and B2E space. Entrust Datacard’s IdentityGuard product is on-premises, IntelliTrust is SaaS; both provide the same functionality.

Strengths
● Virtual Smart Card – NIST 800-157 Support; works with physical access control systems and IoT systems
● Large selection of innovative authentication mechanisms
● Sophisticated risk analytics engine
● Integration with Cyber Threat Intelligence providers

Challenges
● Lacks integration with Service Request Management
● Currently must export logs as .csv to SIEM; syslog in work
Table 7: Entrust Datacard’s major strengths and weaknesses.

Entrust IdentityGuard is a full-featured adaptive authentication solution that supports a wide range of authenticators, including Kerberos, mobile push apps, OATH OTPs, RADIUS, biometrics, and 3rd party authenticators. Mobile apps which leverage Secure Elements and Trusted Execution Environments are available. It also enables connections to SaaS and WAM via OAuth, OIDC, and SAML. Entrust Datacard offers a Mobile Smart Card solution, adhering to NIST 800-157 Derived PIV Credentials, which allows organizations with Smart Card deployments to issue parallel strongly vetted, high assurance credentials for use on mobile devices as a backup for physical cards and as a key for physical access controls (over NFC). IdentityGuard’s risk analytics engine can evaluate up to 50 different risk factors, such as device fingerprint and health, geo-location, geo-velocity, IP address/network, and user attributes. Administrators can weight the factors in policies to require step-up authentication. The product also performs user behavioral profiling. The risk engine can also integrate with 3rd party fraud/risk intelligence providers, such as Iovation. IdentityGuard can output data via .csv to SIEM systems.
Entrust Datacard partners with SailPoint for IGA functionality. Entrust Datacard is a FIDO Alliance member, and support for FIDO authentication is planned.

Security          positive
Functionality     strong positive
Integration       strong positive
Interoperability  neutral
Usability         strong positive
Table 8: Entrust Datacard’s rating.

Entrust IdentityGuard has an innovative feature set for customers who need high security. Support for a large number of authenticators, virtual smart cards, an advanced risk engine, and industry-leading inclusion of cyber threat intelligence put IdentityGuard on the short list for organizations looking for adaptive authentication capabilities.
5.4 Ergon Informatik Airlock

Ergon Informatik, maker of the Airlock Suite, was founded in 1984 in Zurich. It is a privately held company with a strong history of providing IAM solutions in Europe to customers in a variety of industries, including finance. Hundreds of clients use Airlock Suite to protect thousands of applications and millions of customer identities.

Strengths
● Support for diverse set of authenticators, including some specialty 3rd party credentials
● Integrated WAF

Challenges
● No mobile SDK or FIDO support
● Coarse-grained risk engine output
● Small customer base mostly localized in EU
Table 9: Ergon's major strengths and challenges

Ergon Airlock accepts the following authentication types: CrontoPush (mobile push app), CrontoSign Swiss: Scan & TAN, Google Authenticator, Grid cards, Kerberos, Kobil AST Suite, Kobil SecOVID, Mobile Signature Service ID, mTAN SMS, RADIUS, RSA SecurID, Smart Cards, SMS OTP, Vasco Cronto: Scan & TAN, Scan & Login, Vasco Digipass OTP including token management, x.509, and Yubikeys. Airlock IAM also supports policy-based adaptive authentication and transaction authorization. The built-in risk engine can evaluate Airlock WAF fingerprint, browser fingerprint, device ID, geo-location, geo-velocity, IP address, IP reputation, SSO cookies, time/date, and user attributes and history. The risk engine is extensible and can be customized to process additional risk factors, such as 3rd party fraud/risk intelligence, via its Risk-Extractor plug-in interface. The risk engine provides coarse-grained actions as output (permit, step-up, re-authenticate, or session termination), but risk factors cannot be independently weighted and the engine itself is not addressable via API. Ergon does not have pre-built connectors, but interoperates with IGA, SaaS, and WAM systems using OAuth, OIDC, and SAML. Airlock can send data to SIEMs using CEF, ELK, syslog, and some custom connectors.
Security          positive
Functionality     neutral
Integration       strong positive
Interoperability  neutral
Usability         neutral
Table 10: Ergon’s rating

Ergon has a comparatively small market share, localized mostly in Switzerland, but is seeking to expand in the DACH region. The company has a long and stable history and financial situation. The Airlock product supports a good variety of authenticators, but the risk engine needs more sophistication. Enterprises seeking adaptive authentication with a bundled WAF should take a look at Ergon Airlock Suite.
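The risk-engine behaviour described for nevisAuth in section 5.1 (weighted factors such as IP address, day/time, geo-location and device fingerprint, with an action chosen from the outcome) and the coarse-grained outputs described for Airlock in section 5.4 (permit, step-up, re-authenticate, terminate) can be made concrete with a small scoring engine. The Python below is an added illustration, not code from any vendor in this report: the factor set, the percent weights, the decision thresholds, the 900 km/h impossible-travel speed, the 06:00 to 22:00 UTC "normal hours" window and all sample coordinates, fingerprints and IP addresses are constructed assumptions.

```python
"""Weighted adaptive-authentication risk engine (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Callable, Dict, FrozenSet, List, Tuple

EARTH_RADIUS_KM = 6371.0
IMPOSSIBLE_TRAVEL_KMH = 900.0  # assumption: faster than a scheduled flight


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ip: str
    lat: float
    lon: float
    ts: int          # epoch seconds of this authentication attempt
    device_fp: str   # opaque browser/device fingerprint hash


@dataclass(frozen=True)
class UserHistory:
    known_devices: FrozenSet[str]
    last_lat: float
    last_lon: float
    last_ts: int     # epoch seconds of the previous successful login


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def geo_velocity_kmh(evt: LoginEvent, hist: UserHistory) -> float:
    """Speed implied by moving from the last login location to this one."""
    hours = max(evt.ts - hist.last_ts, 1) / 3600.0
    return haversine_km(hist.last_lat, hist.last_lon, evt.lat, evt.lon) / hours


# Each factor returns a contribution in [0, 1]; 0 means "nothing unusual".
Factor = Callable[[LoginEvent, UserHistory, FrozenSet[str]], float]


def f_device(evt: LoginEvent, hist: UserHistory, _bad: FrozenSet[str]) -> float:
    return 0.0 if evt.device_fp in hist.known_devices else 1.0


def f_geo_velocity(evt: LoginEvent, hist: UserHistory, _bad: FrozenSet[str]) -> float:
    # Scales linearly up to the impossible-travel speed, then saturates at 1.
    return min(geo_velocity_kmh(evt, hist) / IMPOSSIBLE_TRAVEL_KMH, 1.0)


def f_ip_reputation(evt: LoginEvent, _hist: UserHistory, bad: FrozenSet[str]) -> float:
    # 'bad' stands in for an IP reputation feed; here it is a constructed set.
    return 1.0 if evt.ip in bad else 0.0


def f_time_of_day(evt: LoginEvent, _hist: UserHistory, _bad: FrozenSet[str]) -> float:
    hour = datetime.fromtimestamp(evt.ts, tz=timezone.utc).hour
    return 0.0 if 6 <= hour < 22 else 1.0  # assumption: 06:00-22:00 UTC is normal


# Integer weights (percent) an administrator would tune; constructed values.
WEIGHTS: Dict[str, Tuple[Factor, int]] = {
    "device_fingerprint": (f_device, 35),
    "geo_velocity": (f_geo_velocity, 35),
    "ip_reputation": (f_ip_reputation, 20),
    "time_of_day": (f_time_of_day, 10),
}

# Coarse-grained outcomes of the kind the report names; thresholds are assumed.
THRESHOLDS = [(0.20, "permit"), (0.50, "step-up"), (0.80, "re-authenticate")]


def evaluate(evt: LoginEvent, hist: UserHistory,
             bad_ips: FrozenSet[str] = frozenset()) -> Tuple[float, str, List[str]]:
    """Return (weighted risk score in [0, 1], action, factors that fired)."""
    total, fired = 0.0, []
    for name, (fn, weight) in WEIGHTS.items():
        contribution = fn(evt, hist, bad_ips)
        if contribution > 0.0:
            fired.append(name)
        total += weight * contribution
    score = round(total / 100.0, 3)
    for limit, action in THRESHOLDS:
        if score < limit:
            return score, action, fired
    return score, "terminate", fired
```

With the sample weights, a new device alone lands in "step-up", while a new device plus a Zurich-to-Singapore hop within an hour from a listed IP address reaches "terminate"; an engine without independent weights, as the Airlock description notes, cannot express that distinction.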
5.5 Evidian Web Access Manager

Evidian is a division of Atos, a large European IT service provider. The company provides a comprehensive portfolio in the area of IAM, as well as e-commerce, supply chain, and CRM support. Their WAM product contains the essential adaptive authentication capabilities. It is integrated with other Evidian solutions for Identity Provisioning, Governance, and Enterprise Single Sign-On.

Strengths
● Accepts many types of strong authenticators
● Supports social logins: Facebook, LinkedIn, Twitter, FranceConnect
● Detailed browser and device “fingerprinting” for risk analysis

Weaknesses
● Requires deployment of full Evidian suite
● Lacks interoperability with PAM solutions
Table 11: Evidian’s major strengths and weaknesses.

Evidian Web Access Manager is a mature solution for Adaptive Authentication. It runs on various Linux, UNIX, and Windows Server versions. The product supports many authentication mechanisms, such as email/SMS OTP, Kerberos, mobile push, RSA SecurID, SmartCards, social logins, and x.509 (CAC, PIV, and other national ID cards by extension), as well as non-standard forms such as QR codes and grid cards. Support for FIDO authentication is planned. The risk engine can evaluate many risk factors, such as browser and device fingerprints, IP address/network, geo-location, geo-velocity, and user attributes and history. Advanced user behavioral analysis is not available in the product yet. The product can consume risk scores generated by 3rd party intelligence sources. The risk engine performs coarse-grained scoring; admins can prioritize risk factors and choose assurance levels appropriate to requested resources. Evidian’s solution can provide data to SIEM via REST APIs. It works in conjunction with its own Identity Governance product. Evidian supports OAuth, OIDC, and SAML for federation to WAM or SaaS systems. The product does not currently interoperate with PAM solutions.
Security          neutral
Functionality     strong positive
Integration       neutral
Interoperability  positive
Usability         positive
Table 12: Evidian’s rating.

Evidian delivers a respectable offering in the area of adaptive authentication, particularly with a focus on accepting strong, two-factor authenticators for high assurance use cases. Features planned for upcoming releases, such as FIDO support, will strengthen an already solid product. Overall, the Evidian solution deserves evaluation in AA procurement decision-making processes.
5.6 ForgeRock

ForgeRock is a leading vendor in the IAM space. ForgeRock was founded by Sun Microsystems alumni, and originally released their product as open source. Their offering for Adaptive Authentication, called Intelligent Authentication, is a separately licensed module available in their Identity Platform. It can run on almost every platform, including IaaS/PaaS.

Strengths
● Large scale deployments
● Integration with PACS
● Very broad support for various authentication methods
● Excellent support for 3rd-party risk intelligence
● Intuitive GUI for policy design

Challenges
● No OOTB integration with 3rd party Identity Governance products
● Needs mobile SDKs and SE/TEE support
Table 13: ForgeRock’s major strengths and weaknesses.

ForgeRock’s Identity Platform contains a strong web access management product with built-in adaptive authentication functionality. The core product supports many standard protocols, such as SAML, XACML, OIDC, OAuth2, and OATH, and many step-up authentication mechanisms, including email/SMS OTP, mobile apps with “swipe” or Apple or Samsung native biometrics, Mobile Connect, RSA SecurID, Smart Cards, and Yubikeys; moreover, 3rd-party authenticators can be integrated as well. ForgeRock also allows adaptive authentication policies to protect access to non-HTTP resources, such as databases, VMs, and even physical resources, such as doors and gates. Risk analysis takes place in the Intelligent Authentication engine. The risk engine processes detailed device fingerprints, geo-location, geo-velocity, and user and device history. The console features Authentication Trees, an industry-leading easy-to-use flow-chart policy building tool. Admins can configure multiple external fraud/risk/cyber intelligence sources as needed. The product is very extensible and supports almost all applicable standards. It can output logs to SIEM and integrate with Privilege Management and Service Request Management systems.
Identity Governance is part of ForgeRock Identity Platform.

Security          positive
Functionality     strong positive
Integration       positive
Interoperability  strong positive
Usability         neutral
Table 14: ForgeRock’s rating.

ForgeRock is well-financed by VCs and continues to invest heavily in product enhancement. This results both in rapid improvement of the already excellent capabilities of the product and in an increasing market share. ForgeRock has many innovative features in the AA space and should definitely be considered in product evaluations.