Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com
Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2
by Eve Maler and Andras Cser, February 24, 2014
For: Security & Risk Professionals
Key Takeaways
It’s No Longer Possible To Overlook Usability In Authentication Processes
When you’re authenticating employees, productivity and job satisfaction ride on the outcome. And in the age of the customer, the success of the business may depend on security and risk pros working closely with customer experience and eBusiness pros to get authentication processes right.
Authentication Solutions Are Morphing Again
First-generation strong authentication was all about security. The second generation improved usability and security by leveraging mobile devices, but authentication demands continued to increase. A massive third generation of innovation centers on smart mobile devices and contextual checks, and covers many more populations and scenarios.
Biometrics Are Becoming A Lot More Interesting But Aren’t A Panacea
Traditional biometrics mostly have niche use cases, but emerging biometric solutions have a bright future. Forrester expects several new software-based, mobile-fueled biometrics to become available in the next 12 to 18 months. Wield biometric-based solutions with care and never alone; many have subtle security and privacy challenges.
© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.
For Security & Risk Professionals
Why Read This Report
Part 1 of this report captured what you need to know about the seven important trends in the frothy authentication market, which spans three generations of technology. Part 2 dives into the usability, deployability, and security characteristics of dozens of traditional and emerging authentication-related solutions and assesses their suitability for different populations, authentication stages, and user interaction channels.
Table Of Contents
Assess Authentication Solutions’ Usability, Deployability, And Security
Solution Assessments
First-Generation Authentication: Hardcore Solutions For Traditional Security Scenarios
Second-Generation Authentication: Solutions Responding To The Mobile Era
Third-Generation Authentication: Solutions That Add Contextual Nuance
Biometric Authentication: Solutions Based On “Something You Are”
User Onboarding: Solutions Suitable For Enrollment And Verification
Supplemental Material
Notes & Resources
Forrester conducted research with over three dozen vendors and several IT end user companies and experts. See the end of this document for a list. Forrester based the authentication assessment framework used in this report on the one proposed in “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” Proc. IEEE Symp. on Security and Privacy, 2012, by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. The authors have not endorsed the Forrester framework.
Related Research Documents
Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2 (December 30, 2013)
Introducing The Customer Authentication Assessment Framework (June 12, 2013)
The Forrester Customer Authentication Assessment Framework (June 12, 2013)
Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2
Three Generations Of Vendor Solutions Tackle Various Challenges
by Eve Maler and Andras Cser with Stephanie Balaouras and Jennie Duong
February 24, 2014
Assess Authentication Solutions’ Usability, Deployability, And Security
If you could ever overlook the usability implications of authentication processes, it’s no longer possible. When you’re authenticating employees, productivity, efficiency, and even job satisfaction ride on the outcome. And in the age of the customer, the very success of the business may depend on security and risk pros working closely with customer experience and eBusiness pros to get authentication processes right: While you’re managing fraud rates by catching bad guys, remember that you must also enable streamlined, higher-value transactions and better experiences for legitimate customers.1
Forrester uses a 26-criteria framework for assessing the usability, deployability, and security characteristics of different authentication-related solutions (see Figure 1). This framework builds on one proposed by academic researchers in a paper called “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.”2 In using Forrester’s framework, be mindful that:
■ An assessment is not the last word on the solution’s suitability for a task. Each assessment describes: 1) the primary task-interaction channels supported by the solution; 2) authentication stages assisted by the solution; 3) the solution’s scope and assumptions; and 4) whether the solution fully meets, almost meets, or does not meet each of the criteria: eight for usability, seven for deployability, and 11 for security. This approach enables you to apply best practices, along with compensating controls as required, to strengthen your use of a solution, and even perform your own solution assessments. But most solutions let you configure a variety of deployment variables to address different sweet spots — and even a 100-criteria assessment won’t substitute for understanding your own scenario, population, and risks (see Figure 2).3
■ A solution’s “footprint” in the lives of real users makes a big difference. Some solutions provide generic authentication servers that support a variety of actual authentication methods, and many solutions offer a backup method that works when the primary one is impractical or unavailable, such as enabling a soft token when the user has lost his or her hard token. In most cases we focus on a single primary method; see each solution’s description for nuances.
■ In 2014, no list of authentication-related solutions is likely to be complete. The market is highly competitive. We estimate the market to include 100 to 200 authentication vendors. Ultimately we assessed 40 solutions, representing all three generations of authentication technology and many exemplars of the seven trends identified in the first part of this report. However, don’t assume every vendor, variation on a theme, or product from a vendor appearing here is represented. For example, we assessed only a few solutions in the largely commoditized space for one-time passwords (OTPs) sent through short message service (SMS) text messages.
■ There’s an even wider world of authentication out there. This report focuses on the market for solutions feasible to deploy in a private-sector context for employees and customers using web, mobile app, and phone (both human and interactive voice response) channels. This eliminates, for example: 1) covert biometric methods used in law enforcement; 2) methods exclusively used for physical access or access to nonmobile hardware platforms; and 3) methods targeted specifically to citizens (“eIDs”) or government employees and contractors.
Figure 1 Usability, Deployability, And Security Criteria For Assessing Solutions
Source: Forrester Research, Inc.
Source: Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” the University of Cambridge Computer Laboratory, March 2012
*Called a “benefit” in the “Quest” framework.
†“Quasi” in the “Quest” framework means that the scheme receives an “Almost” assessment.
‡The criteria and definitions so marked, and all comments, are original Forrester content.
Each entry below gives the criterion*, its description†, and Forrester’s comments‡.

U1: Memorywise-Effortless
Description: Users of the scheme do not have to remember any secrets at all. We grant a Quasi-Memorywise-Effortless if users have to remember one secret for everything (as opposed to one per verifier).
Comments: Knowledge-based authentication (KBA) solutions do not meet the criterion. One-time password (OTP) solutions and other solutions that do not explicitly mention involving secrets do meet it. Solutions targeted primarily to employees and partners assume mobile devices that must be unlocked with a secret such as a PIN.

U2: Scalable-For-Users
Description: Using the scheme for hundreds of accounts does not increase the burden on the user. . . . we mean “scalable” only from the user’s perspective, looking at the cognitive load, not from a system deployment perspective, looking at allocation of technical resources.
Comments: Unlike the original researchers, we are looking for practical scale; assume the user will interact with multiple solutions, some of which may have a cognitive load. A solution meets the criterion only if it has no impact on cognitive load (such as pushing an approval button) or for onboarding solutions where the identical authenticator can be used for all interactions using this method. KBA does not meet the criterion, nor does having a single sign-on (SSO) mode.

U3: Nothing-To-Carry
Description: Users do not need to carry an additional physical object (electronic device, mechanical key, piece of paper) to use the scheme. Quasi-Nothing-To-Carry is awarded if the object is one that they’d carry everywhere all the time anyway, such as their mobile phone, but not if it’s their computer (including tablets).

U4: Physically-Effortless
Description: The authentication process does not require physical (as opposed to cognitive) user effort beyond, say, pressing a button. Schemes that don’t offer this benefit include those that require typing, scribbling, or performing a set of motions. We grant Quasi-Physically-Effortless if the user’s effort is limited to speaking, on the basis that even illiterate people find that natural to do.
Comments: Multiple-choice question challenges, such as in KBA, almost meet the criterion. Voice biometrics meet the criterion only if they operate on natural speech rather than preregistered phrases.
U5: Easy-To-Learn
Description: Users who don’t know the scheme can figure it out and learn it without too much trouble, and then easily recall how to use it.

U6: Efficient-To-Use
Description: The time the user must spend for each authentication is acceptably short. The time required for setting up a new association with a verifier, although possibly longer than that for authentication, is also reasonable.
Comments: Risk-based authentication (RBA) solutions meet the criterion because the user is unaware of them, and solutions that involve user transcription of an OTP almost meet the criterion. Solutions requiring multiple or complex steps, such as using a mobile device’s camera or retrieving a smart card and positioning it in a reader, do not meet the criterion unless they are used for onboarding only.

U7: Infrequent-Errors
Description: The task that users must perform to log in usually succeeds when performed by a legitimate and honest user. In other words, the scheme isn’t so hard to use or unreliable that genuine users are routinely rejected.
Comments: Solutions with a relatively high false rejection rate experienced by users, such as KBA, do not meet the criterion. Solutions with proven rates in the 1% range almost meet it, as do RBA schemes, because marginal risk scores are often false positives that force step-up. OTP-based solutions do meet the criterion, but passwords only almost meet it because of the frequency of forgotten secrets.

U8: Easy-Recovery-From-Loss
Description: A user can conveniently regain the ability to authenticate if the token is lost or the credentials forgotten. This combines usability aspects such as low latency before restored ability; low user inconvenience in recovery (e.g., no requirement for physically standing in line); and assurance that recovery will be possible, for example via built-in backups or secondary recovery schemes. If recovery requires some form of re-enrollment, this benefit rates its convenience.
Comments: If a solution that otherwise would have high latency offers at least a second-generation solution as a backup method, it meets the criterion; security challenge questions for account recovery don’t count. Solutions focusing on onboarding and RBA “meet” the criterion because it’s moot.

D1: Accessible
Description: Users who can use passwords are not prevented from using the scheme by disabilities or other physical (not cognitive) conditions.
Comments: Solutions involving generic mobile and desktop platforms on which users can enable accessibility features, such as voice-activated screen button clicks, and screen readers, meet the criterion. Hard tokens, smart cards, and camera-dependent methods do not, but the various “soft” OTPs do. Solutions completely unavailable to the blind or speech-impaired with no backup method do not meet the criterion.
D2: Negligible-Cost-Per-User
Description: The total cost per user of the scheme, adding up the costs at both the prover’s end (any devices required) and the verifier’s end (any share of the equipment and software required) is negligible. The scheme is plausible for startups with no per-user revenue.
Comments: Solutions with a dedicated per-user hardware component that must be purchased or otherwise cost the equivalent of more than $1 per user per month at typically deployed scale do not meet the criterion. Solutions without dedicated hardware that cost under $1 per user per month at typical scale almost meet it. Solutions that are free or cost pennies per user per month at scale do meet it.

D3: Server-Compatible
Description: At the verifier’s end, the scheme is compatible with text-based passwords. Providers don’t have to change their existing authentication setup to support the scheme.
Comments: Solutions with a cloud-based server component where integration consists only of web-based configuration with no coding meet the criterion, as do on-premises solutions that work within the constraints of existing password-handling systems. On-premises solutions that support a named list of IAM suites almost meet the criterion, as do cloud-based solutions that require integration with APIs.

D4: Nothing-To-Provision-To-User‡
Description: The verifier delivers a secret or other authentication method to users through an out-of-band device, app, and/or communications channel the users already have, with no need to provision any hardware or software at all, simply a need to register the channel in question (also called “bring your own token” or BYOT). The commonest method is to send an OTP by short message service (SMS) to a mobile phone. An OTP that arrives through unprotected third-party channels opens itself to man-in-the-middle attacks.‡
Comments: Browser-resident zero-install apps meet the criterion, as do solutions integrated directly into the user’s primary app through a software development kit (SDK). Solutions that enable choice per population among mobile apps and BYOT methods almost meet it.

D5: Mature
Description: The scheme aligns roughly with Forrester’s TechRadar™ ecosystem phase definitions: Creation phase technologies do not meet the criterion. Survival phase technologies are granted an Almost. Growth, Equilibrium, and Decline phase technologies are granted a Yes. Schemes related to specific implementations, products, or vendors may be demoted if they have a tenuous business value, but never promoted.‡
Comments: First-generation and most second-generation solutions are mature; most third-generation solutions are less so.
D6: Multiple-Purposes‡
Description: The scheme has auxiliary purposes, or it has a main nonauthentication purpose that can be combined with an auxiliary authentication purpose. Examples are USB keys that can be used for encrypted storage, or SMS or push notification channels that can be used for transaction confirmations, customer alerts, BC/DR alerts, and other uses.‡
Comments: Identity verification and authentication are not considered two distinct purposes.

D7: Available-Offline‡
Description: The authenticator works without a need for network connectivity on a secondary channel. A password is available offline since it can be remembered (or looked up on paper). A time-based token is available offline. An OTP delivered over email or SMS is not available offline.‡
Comments: If there’s at least a second-generation offline backup method for a scheme that normally requires an online channel, the solution almost meets the criterion. Solutions that are truly single-channel because the primary interaction is assumed to have connectivity “meet” the criterion because it’s moot.

S1: Resilient-To-Physical-Observation
Description: An attacker cannot impersonate a user after observing them authenticate one or more times. We grant Quasi-Resilient-To-Physical-Observation if the scheme could be broken only by repeating the observation more than, say, 10 to 20 times. Attacks include shoulder surfing, filming the keyboard, recording keystroke sounds, or thermal imaging of keypad.
Comments: KBA solutions almost meet the criterion because the specific secrets tend to vary (versus passwords). Solutions where additional factors prevent use of the observed authenticator meet it.

S2: Resilient-To-Targeted-Impersonation
Description: It is not possible for an acquaintance (or skilled investigator) to impersonate a specific user by exploiting knowledge of personal details (birth date, names of relatives, etc.). Personal knowledge questions are the canonical scheme that fails on this point.
Comments: The prevalence of consensual impersonation through password-sharing leads us to consider passwords and PINs not to meet this criterion.
S3: Resilient-To-Throttled-Guessing
Description: An attacker whose rate of guessing is constrained by the verifier cannot successfully guess the secrets of a significant fraction of users. The verifier-imposed constraint might be enforced by an online server, a tamper-resistant chip, or any other mechanism capable of throttling repeated requests. To give a quantitative example, we might grant this benefit if an attacker constrained to, say, 10 guesses per account per day could compromise at most 1% of accounts in a year. Lack of this benefit is meant to penalize schemes in which it is frequent for user-chosen secrets to be selected from a small and well-known subset (low min-entropy).
Comments: Solutions that can be configured to lock or freeze accounts on a certain number of failed attempts meet this criterion.

S4: Resilient-To-Unthrottled-Guessing
Description: An attacker whose rate of guessing is constrained only by available computing resources cannot successfully guess the secrets of a significant fraction of users. We might for example grant this benefit if an attacker capable of attempting up to 2^40 or even 2^64 guesses per account could still only reach fewer than 1% of accounts. Lack of this benefit is meant to penalize schemes where the space of credentials is not large enough to withstand brute force search (including dictionary attacks, rainbow tables, and related brute force methods smarter than raw exhaustive search, if credentials are user-chosen secrets).
Comments: Solutions with a high-entropy secret and those that can be configured to lock or freeze accounts on failed attempts meet the criterion.
S5: Resilient-To-Internal-Observation
Description: An attacker cannot impersonate a user by intercepting the user’s input from inside the user’s device (e.g., by keylogging malware) or eavesdropping on the clear text communication between prover and verifier (we assume that the attacker can also defeat TLS if it is used, perhaps through the CA). As with Resilient-To-Physical-Observation above, we grant Quasi-Resilient-To-Internal-Observation if the scheme could be broken only by intercepting input or eavesdropping cleartext more than, say, 10 to 20 times. This penalizes schemes that are not replay-resistant, whether because they send a static response or because their dynamic response countermeasure can be cracked with a few observations. This benefit assumes that general-purpose devices like software-updatable personal computers and mobile phones may contain malware, but that hardware devices dedicated exclusively to the scheme can be made malware-free. We grant Quasi-Resilient-To-Internal-Observation to two-factor schemes where both factors must be malware-infected for the attack to work. If infecting only one factor breaks the scheme, we don’t grant the benefit.
Comments: Solutions where the user inputs a static shared secret into the primary channel and where no other elements mitigate this threat do not meet the criterion. Nor do other types of solutions resident in software, even if given extra protection, versus a hardware security module. Solutions based on OTPs generally meet it.

S6: Resilient-To-Leaks-From-Other-Verifiers
Description: Nothing that a verifier could possibly leak can help an attacker impersonate the user to another verifier. This penalizes schemes where insider fraud at one provider, or a successful attack on one back end, endangers the user’s accounts at other sites.
Comments: This penalizes any secrets that are used across different verifiers. Biometrics and KBA solutions based on public data will tend not to meet the criterion. Nor will passwords, which users tend to reuse to achieve “faux SSO.”
S7: Resilient-To-Phishing
Description: An attacker who simulates a valid verifier (including by DNS manipulation) cannot collect credentials that can later be used to impersonate the user to the actual verifier. This penalizes schemes allowing phishers to get victims to authenticate to look-alike sites and later use the harvested credentials against the genuine sites. It is not meant to penalize schemes vulnerable to more sophisticated real-time man-in-the-middle or relay attacks, in which the attackers have one connection to the victim prover (pretending to be the verifier) and simultaneously another connection to the victim verifier (pretending to be the prover).
Comments: KBA solutions almost meet the criterion because the specific secrets tend to vary (versus passwords). Solutions where additional factors prevent use of the observed authenticator meet it.

S8: Resilient-To-Theft
Description: If the scheme uses a physical object for authentication, the object cannot be used for authentication by another person who gains possession of it. We still grant Quasi-Resilient-To-Theft if the protection is achieved with the modest strength of a PIN, even if attempts are not rate controlled, because the attack doesn’t easily scale to many victims.
Comments: Mobile-fueled solutions targeted primarily to employees and partners almost meet the criterion because organizations have the option to enforce locking of mobile devices.

S9: No-Trusted-Third-Party
Description: The scheme does not rely on a trusted third party (other than the prover and the verifier) who could, upon being attacked or otherwise becoming untrustworthy, compromise the prover’s security or privacy.
Comments: Solutions that can be installed on-premises and don’t involve third-party communications channels meet the criterion. Cloud-only deployability is incompatible with this criterion, but some solutions offer a choice of deployment options.

S10: Requiring-Explicit-Consent
Description: The authentication process cannot be started without the explicit consent of the user. This is both a security and a privacy feature (a rogue wireless RFID-based credit card reader embedded in a sofa might charge a card without user knowledge or consent).
S11: Unlinkable
Description: Colluding verifiers cannot determine, from the authenticator alone, whether the same user is authenticating to both. This is a privacy feature. To rate this benefit we disregard linkability introduced by other mechanisms (same user ID, same IP address, etc.).
Comments: Due to the contextual nature of modern authentication, we must consider some “other mechanisms” to break unlinkability. KBA solutions based on public data sources do not meet the criterion, nor do solutions that communicate with the user solely through a phone number or email address. KBA solutions based on private data sources and biometrics with proprietary storage models almost meet it.
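Criteria S3 and S4 in Figure 1 are the only ones stated as numeric thresholds, so they can be applied mechanically. The following is an added example, not code from the Forrester report or the “Quest” paper: it takes the budgets Figure 1 gives (10 guesses per account per day for a year; 2^40 and 2^64 unthrottled guesses), the 1% cutoff, and the lockout credit from the S3/S4 comments, and applies them to constructed secret models; the uniform and skewed models and all sample schemes are assumptions for illustration.

```python
# Added example: evaluating Figure 1's S3 (throttled) and S4 (unthrottled)
# guessing criteria against constructed secret models. Not Forrester's code.

THROTTLED_BUDGET = 10 * 365                 # S3: 10 guesses/account/day over a year
UNTHROTTLED_BUDGETS = {"2^40": 2 ** 40, "2^64": 2 ** 64}   # S4 example budgets
MAX_FRACTION = 0.01                         # "at most 1% of accounts"


def compromised_fraction(scheme, budget):
    """Estimate the fraction of accounts an attacker with `budget` guesses per
    account compromises, under two constructed (assumed) secret models:
      uniform: secrets drawn uniformly from `space` values.
      skewed:  user-chosen secrets; `head_probs` lists the probabilities of
               the most popular secrets (an attacker guesses those first), and
               the remaining probability mass is spread uniformly over
               `tail_space` further values (the "low min-entropy" case).
    An optional `lockout` (failed attempts before the account freezes) caps
    the effective budget, which is what the S3/S4 comments credit."""
    if "lockout" in scheme:
        budget = min(budget, scheme["lockout"])
    if scheme["kind"] == "uniform":
        return min(1.0, budget / scheme["space"])
    head = scheme["head_probs"]
    if budget <= len(head):
        return sum(head[:budget])
    tail_mass = 1.0 - sum(head)
    tail_hit = min(1.0, (budget - len(head)) / scheme["tail_space"])
    return min(1.0, sum(head) + tail_mass * tail_hit)


def verdict(fraction):
    # Figure 1 says "at most 1%" for S3 and "fewer than 1%" for S4; the
    # boundary case is immaterial here, so one cutoff is used for both.
    return "meets" if fraction <= MAX_FRACTION else "does not meet"


def assess(scheme):
    """Return the S3 verdict and one S4 verdict per example budget."""
    result = {"S3": verdict(compromised_fraction(scheme, THROTTLED_BUDGET))}
    for label, budget in UNTHROTTLED_BUDGETS.items():
        result["S4@" + label] = verdict(compromised_fraction(scheme, budget))
    return result


# Constructed sample schemes (illustrative numbers, not vendor data).
SCHEMES = {
    "4-digit PIN, no lockout": {"kind": "uniform", "space": 10 ** 4},
    "4-digit PIN, lockout after 5 failures": {
        "kind": "uniform", "space": 10 ** 4, "lockout": 5},
    "random 8-char alphanumeric secret": {"kind": "uniform", "space": 62 ** 8},
    # Five very popular choices cover 4% of users; the tail is enormous, yet
    # the popular head alone already breaks the 1% throttled threshold.
    "user-chosen passwords (skewed)": {
        "kind": "skewed",
        "head_probs": [0.02, 0.01, 0.005, 0.003, 0.002],
        "tail_space": 10 ** 12,
    },
}

if __name__ == "__main__":
    for name, scheme in SCHEMES.items():
        print(f"{name}: {assess(scheme)}")
```

The random 8-character secret meets S4 at the 2^40 budget (about 0.5% of accounts) but not at 2^64, which is why the page treats a high-entropy secret or a lockout as the two ways to satisfy S4.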
Figure 2 The Forrester Customer Authentication Assessment
Source: Forrester Research, Inc.
The spreadsheet associated with this figure contains additional data.
Solution Assessments
The solution assessments are organized into five categories: 1) first-generation; 2) second-generation; 3) third-generation; 4) biometric; and 5) user onboarding. Pay close attention to each assessment’s “description and scope” field; it captures key assumptions that informed our assessment. Be prepared to revise assessments as you make your own solution and deployment choices.
First-Generation Authentication: Hardcore Solutions For Traditional Security Scenarios
First-generation strong authentication was all about security. This category includes solutions such as smartcards and hard tokens. Its population focus is employees, contractors, business partners, and, occasionally, individual high-net-worth banking customers and serious online gamers. We assessed nine sample solutions in this category, including the incumbent method: web passwords (see Figure 3). A notable additional vendor with solutions in this space (as well as in later generations of authentication) is Entrust (recently acquired by Datacard Group).
The assessments support the following observations: 1) Hard tokens and smartcards shore up password security weaknesses, but they have usability and deployability challenges of their own, and 2) risk-based authentication (RBA) solutions serve as an excellent “booster shot” because they have both usability and security strengths, but they show weakness around privacy-related security areas (S10 and, often, S11). Notable vendors with additional solutions in this space, as well as in later generations of authentication, include Entrust (recently acquired by Datacard Group) and CA Technologies (which also has an RBA solution).4
Figure 3 Assessments Of First-Generation Authentication Solutions
Source: Forrester Research, Inc.

3-1 Solution descriptions
The original figure also marks each solution’s applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover).

Passwords
- Web password: User-chosen password conforming to a typical password format policy, with at least an OTP link sent over email or similar for account recovery but with no lockout limit.

Certificates
- CA ArcotID PKI: Software client enabling the user to use an application password in the normal fashion, using a protected software-resident digital certificate to sign responses to a server-side challenge without sending the password. A “roaming” credential without additional password protection is assessed.

Hard tokens
- Equifax Anakam.TFA Hard Tokens: Time-based Initiative for Open Authentication (OATH)-compatible OTP in a hard token form factor usable by any bearer. Solution is targeted primarily to employees.
- RSA Authentication Manager (SecurID hard token): Time-based proprietary OTP in a hard token form factor with seed records held by vendor. Includes some optional RBA features. Token requiring PIN unlock is assessed. Solution is targeted primarily to employees.

Smart cards
- DirectRM Authentication Smart Card: PIN-unlockable smart card that enables the user to reset the PIN directly on the card and optionally provides payment/loyalty card features. Backup method is a site-displayed QR code.
- Gemalto IDConfirm 1000 IDPrime smart card with OTP: X.509-based smart card with a time-based OATH-compatible OTP display. Assessed here is a PIN-protected card. Backup method is security questions. Solution is targeted primarily to employees.
- SafeNet Authentication Manager (smart card): On-premises authentication platform with a variety of options preintegrated; assessed here is the X.509-based smart card option, with RBA policy elements incorporated, PIN unlocking, and user data storage. Solution is targeted primarily to employees.

RBA
- RSA Adaptive Authentication: RBA and fraud detection platform that analyzes and profiles user behavior, devices used, and fraud-related data feeds.

Other
- Redcore KeyVault: Password-protected mobile or PC app that provides a cryptographically secure connection to a website through a hardened browser. The solution is also available as an in-app SDK.
3-2 Solution assessments
The original figure rates each of the nine solutions above (Web password, CA ArcotID PKI, Equifax Anakam.TFA Hard Tokens, RSA Authentication Manager (SecurID hard token), DirectRM Authentication Smart Card, Gemalto IDConfirm 1000 IDPrime smart card with OTP, SafeNet Authentication Manager (smart card), RSA Adaptive Authentication, Redcore KeyVault) as “meets criterion” or “almost meets criterion” against the criteria below. The ratings themselves are graphical marks and do not survive here.

Usability criteria: U1: Memorywise-Effortless; U2: Scalable-For-Users; U3: Nothing-To-Carry; U4: Physically-Effortless; U5: Easy-To-Learn; U6: Efficient-To-Use; U7: Infrequent-Errors; U8: Easy-Recovery-From-Loss.
Deployability criteria: D1: Accessible; D2: Negligible-Cost-Per-User; D3: Server-Compatible; D4: Nothing-To-Provision-To-User; D5: Mature; D6: Multiple-Purposes; D7: Available-Offline.
Security criteria: S1: Resilient-To-Physical-Observation; S2: Resilient-To-Targeted-Impersonation; S3: Resilient-To-Throttled-Guessing; S4: Resilient-To-Unthrottled-Guessing; S5: Resilient-To-Internal-Observation; S6: Resilient-To-Leaks-From-Other-Verifiers; S7: Resilient-To-Phishing; S8: Resilient-To-Theft; S9: No-Trusted-Third-Party; S10: Requiring-Explicit-Consent; S11: Unlinkable.
Second-Generation Authentication: Solutions Responding To The Mobile Era
Forrester defines mobile-fueled authentication as an authentication process that leverages a mobile device. The second generation of authentication improved usability and security by leveraging mobile devices, bringing an opportunity for stronger authentication to consumer populations for the first time. This category includes solutions such as sending OTPs over SMS, contacting the user by a secondary phone channel, and deploying software-based OTP tokens in the form of mobile apps. We assessed 11 sample solutions in this category (see Figure 4).
The assessments support the following observations: 1) While methods that use the SMS channel to send OTPs improve on passwords alone, most have security challenges around the security of unlocked mobile devices (a stolen, unlocked phone displays the code) and reliance on cellular networks (the code is only as safe as the carrier’s delivery path); 2) soft tokens mitigate some of these challenges while facing complementary ones; 3) this era saw valuable experimentation in graphical authentication challenges; and 4) phone-based approval loops, while not a fancy new technique, show quite positive results across the board. While some first-generation solutions could be used for auxiliary purposes (criterion D6) such as physical access control, solutions in this category tend to offer features relevant to broader populations, such as secure transaction signing and customer engagement through the SMS channel.
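The OATH-compatible tokens in Figure 3 (Equifax Anakam.TFA Hard Tokens, the Gemalto IDConfirm card) and the SMS, soft-token and USB OTPs in Figure 4 (Equifax Anakam.TFA basic, SafeNet, Symantec VIP, Vasco DIGIPASS SDK, YubiKey) all derive their codes from a seed shared between device and verifier using HOTP (RFC 4226) or its time-based form TOTP (RFC 6238). The program below is an added example, not code from Forrester or from any assessed vendor: it implements the generator and a server-side verifier that enforces the properties the assessments measure, namely a constant-time comparison, a bounded clock-drift window, refusal to accept a captured code a second time, and a lockout that is the difference between the “no lockout limit” web password of Figure 3 and an OTP that resists throttled guessing (S3). The seed is the RFC 6238 test vector; the time values, drift window and lockout threshold are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// HOTP computes an RFC 4226 one-time password over an 8-byte big-endian
// moving factor. Hard tokens, soft tokens and SMS OTP generators that are
// "OATH-compatible" all reduce to this primitive.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the moving factor taken from wall-clock time.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// Verifier is the server side. It holds the shared seed (the kind of record
// the RSA breach in endnote 4 exposed), tolerates +/- skew steps of drift,
// never accepts the same time step twice, and locks the account after
// maxFails consecutive failures so the 6- or 8-digit space cannot be
// guessed online. All thresholds here are constructed for the example.
type Verifier struct {
	secret   []byte
	step     time.Duration
	digits   int
	skew     int64
	lastStep int64 // highest time step already accepted; -1 means none yet
	failures int
	maxFails int
}

func NewVerifier(secret []byte, step time.Duration, digits int, skew int64, maxFails int) *Verifier {
	return &Verifier{secret: secret, step: step, digits: digits, skew: skew, lastStep: -1, maxFails: maxFails}
}

var ErrLockedOut = errors.New("too many failed OTP attempts; account locked")

// Verify reports whether code is valid for a not-yet-consumed time step
// inside the drift window. The comparison is constant-time.
func (v *Verifier) Verify(code string, now time.Time) (bool, error) {
	if v.failures >= v.maxFails {
		return false, ErrLockedOut
	}
	cur := now.Unix() / int64(v.step/time.Second)
	for d := -v.skew; d <= v.skew; d++ {
		c := cur + d
		if c <= v.lastStep {
			continue // already consumed: a shoulder-surfed or relayed code must not work twice
		}
		if hmac.Equal([]byte(HOTP(v.secret, uint64(c), v.digits)), []byte(code)) {
			v.lastStep = c
			v.failures = 0
			return true, nil
		}
	}
	v.failures++
	return false, nil
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 test seed (ASCII); constructed input
	v := NewVerifier(seed, 30*time.Second, 8, 1, 5)
	at := time.Unix(59, 0)
	code := TOTP(seed, at, 30*time.Second, 8)
	first, _ := v.Verify(code, at)
	replay, _ := v.Verify(code, at)
	fmt.Printf("code=%s accepted=%v replay accepted=%v\n", code, first, replay)
}
```

The drift window is what lets a hard token with a slightly wrong clock keep working (U7) at the cost of a few extra valid codes per attempt; the replay guard and the lockout are what keep that extra tolerance from turning into a guessing or capture weakness (S1, S3).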
Figure 4 Assessments Of Second-Generation Authentication Solutions
Source: Forrester Research, Inc.

4-1 Solution descriptions
The original figure also marks each solution’s applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover).

- Confident ImageShield for Web Security: Image-based solution integrated into a website; the user inputs an OTP by identifying displayed pictures that fit categories the user chose during enrollment. Solution can also be integrated into a mobile app for OOB authentication.
- Equifax Anakam.TFA (basic): OATH-compatible OTP in one of a variety of form factors: SMS, mobile app, or phone. Multiple backup methods.
- Microsoft Windows Azure Multi-Factor Authentication: System that makes a phone call for user approval, along with a mobile app that receives push notifications for user approval. Backup method is a time-based soft token. Solution is targeted primarily to employees.
- SafeNet Authentication Manager (OTP): On-premises authentication platform with a variety of options pre-integrated; assessed here are the OTP options (desktop app, mobile soft token app, sent over SMS, and sent over email, with RBA policy elements incorporated), with the ability to choose options per population.
- SafeNet Authentication Service: OTP authentication platform offered as SaaS with a variety of options pre-integrated, including desktop app, mobile soft token app, sent over SMS, and sent over email, with the ability to choose options per population.
- SMS PASSCODE Multi-Factor Authentication: Hardened and reliability-enhanced delivery of OTPs over SMS. Solution is targeted primarily to employees.
- Symantec VIP: Cloud-based OATH-compatible OTP authentication platform with a variety of options pre-integrated, including hard tokens, soft tokens, mobile devices, and OTPs sent over SMS and email, with RBA options, and with the ability to choose options per population. Solution is primarily targeted to employees.
- Swivel in browser: Image-based solution based on the “PINsafe protocol”: The user inputs an OTP response by making selections out of a graphically presented challenge, typing elements of the challenge that correspond to the digit positions represented by a PIN the user chose during enrollment. Assessed here is the in-browser form factor; also available in a variety of others, including mobile app.
- Vasco DIGIPASS SDK: Feature integrated in-app through an SDK to turn the device it runs on into an OTP generator, using a secure execution environment if available, and connecting to an on-premises server or cloud service for verification. Optionally applies geolocation RBA. Assessed is a user-typed OTP; the SDK enables a variety of flows.
- Yubico YubiKey Standard*: OATH-compatible OTP in a USB token form factor that appears to the receptive device as a USB keyboard and requires no software installation. When the user pushes a button on the token, it generates an OTP and passes it automatically to the app.
- tyntec: Hardened and reliability-enhanced delivery of OTPs over SMS, giving end-to-end customer control over the entire SMS transmission path.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.
4-2 Solution assessments
The original figure rates each of the 11 solutions above (Confident ImageShield for Web Security, Equifax Anakam.TFA (basic), Microsoft Windows Azure Multi-Factor Authentication, Swivel in browser, SafeNet Authentication Manager (OTP), SafeNet Authentication Service, SMS PASSCODE, Symantec VIP, tyntec, Vasco DIGIPASS SDK, Yubico YubiKey Standard*) as “meets criterion” or “almost meets criterion” against the usability criteria U1 to U8, the deployability criteria D1 to D7, and the security criteria S1 to S11 listed under Figure 3. The ratings themselves are graphical marks and do not survive here.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.
Third-Generation Authentication: Solutions That Add Contextual Nuance
We’re now seeing a massive third generation of innovation, centering mostly on the capabilities and contexts of smart mobile devices and fully expanding opportunities for strong authentication to every population and scenario. These are not simply “soft tokens.” Many of them take a contextual approach, combining second-generation techniques with device identification and other RBA features to improve usability without compromising security. We assessed eight sample solutions in this category (see Figure 5).
Of the third-generation solutions assessed here, the DirectRM, inWebo, and Pindrop Security ones aren’t inherently mobile-fueled, while the Clef, Duo Push, Encap, Toopher, and YubiKey NEO ones are. And Clef, Duo Push, and Toopher are notable for entirely avoiding user-memorized static shared secrets, meaning anything that could be characterized as a password: the user proves possession of a key pair held on the device rather than knowledge of a secret the server also stores. If Apple’s foray into biometric device-unlocking with iPhone 5s Touch ID becomes commonplace, these solutions could be used as “kill the password” methods in some cases, providing both sufficient usability for routine or step-up login and sufficient authentication strength for account recovery.
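Clef, Duo Push, and Toopher replace a memorized secret with a key pair held on the phone; Figure 5 describes Clef as verifying “the origin of the message with a signature.” The program below is an added example, not code from Forrester or from any of those vendors, and it does not reproduce their wire protocols. It shows the minimal challenge-response behind that approach: the server stores only the device’s public key and a single-use random challenge, and the device signs the challenge together with the origin it shows the user, so a signature obtained or relayed by a look-alike site does not verify at the real one (S7) and no reusable secret ever crosses the wire (S5, S6). The names (Server, Device, alice, bank.example), the origin-plus-nonce message layout, and the use of Ed25519 from Go’s standard library are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps, per user, the device public key registered at pairing time and
// at most one outstanding login challenge. No password or shared seed is stored,
// so a leak of this table yields nothing an attacker can log in with.
type Server struct {
	origin     string
	devices    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, devices: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the one-time pairing step (done out of band in a real deployment).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Challenge issues a fresh 32-byte nonce that the paired device must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.devices[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// signedMessage binds the signature to the origin the signer believes it is
// authenticating to. A phishing site can relay the real nonce, but the device
// signs it for the phisher's origin, and that signature fails at the real site.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Verify checks that nonce is the single outstanding challenge for user and that
// sig is a valid signature by the paired key over (this server's origin, nonce).
// The challenge is consumed on any attempt, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, known := s.devices[user]
	expected, pending := s.challenges[user]
	if !known || !pending || !bytes.Equal(expected, nonce) {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, signedMessage(s.origin, nonce), sig)
}

// Device is the user's phone: the private key is generated there and never leaves.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// Approve is the user's tap on the push prompt (or scan of the on-screen code):
// it signs the nonce together with the origin displayed to the user.
func (d *Device) Approve(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(origin, nonce))
}

func main() {
	const realOrigin = "https://bank.example"        // hypothetical site
	const phishOrigin = "https://bank-login.example" // hypothetical look-alike
	srv := NewServer(realOrigin)
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", dev.Pub)

	n, _ := srv.Challenge("alice")
	fmt.Println("genuine login verified:", srv.Verify("alice", n, dev.Approve(realOrigin, n)))

	n, _ = srv.Challenge("alice")
	fmt.Println("nonce relayed through phishing site verified:", srv.Verify("alice", n, dev.Approve(phishOrigin, n)))
}
```

The security of this scheme rests on the device showing the user the true origin before signing; a push prompt that displays only “Approve login?” with no origin loses the phishing resistance, which is why approval loops are only as strong as the context they present (S10, Requiring-Explicit-Consent).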
Figure 5 Assessments Of Third-Generation Authentication Solutions
Source: Forrester Research, Inc.

5-1 Solution descriptions
The original figure also marks each solution’s applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover).

Non-mobile-fueled
- DirectRM Invisible Token: Browser/app-resident zero-install soft token that automatically passes an OTP to the app based on a per-session dynamic key initialized through the user’s provided password. The user enrolls once per machine with an OOB OTP, repeating on a policy-based frequency (enrollment not assessed here).
- inWebo Enterprise Cloud Token: Browser/app-resident zero-install soft token that automatically passes an OTP to the app based on a per-session dynamic key initialized through the user’s provided password. The user enrolls once per machine with an OOB OTP.
- Pindrop Fraud Detection System: Phone fingerprinting through detection of audio channel characteristics, optionally with voiceprint recognition. Used primarily for fraud detection but also for authentication.

Mobile-fueled
- Clef: Smart mobile device app that generates and stores a key pair on the device; using the device’s camera to capture a graphically displayed “Clef Wave” on a website enables pairing the location with the user, verifying the origin of the message with a signature, and logging the user in.
- Duo Push: SaaS-based authentication platform with several options preintegrated: mobile push notifications, time-based soft token, SMS OTP, and telephony approval. Assessed here is the Push feature. The app is provisioned with the private key from a key pair to secure service communications. Solution is targeted primarily to employees.
- Encap: Feature integrated in a mobile app through an SDK, which communicates with a service leveraging the app’s user-chosen PIN, a unique key pair (private key stored on client), the user’s typing habits, and the device’s identity for authentication and document signing. Backup method is OTP over SMS.
- Toopher: Mobile app or in-app feature that receives push notifications for user approval and enables website- and geolocation-specific automatic approvals. Backup method is a time-based soft token.
- Yubico YubiKey NEO*: OATH-compatible OTP in a USB and Near Field Communication (NFC) token form factor that appears to the receptive device as a USB keyboard and requires no software installation. When the user pushes a button on the token, it generates an OTP and passes it automatically to the app.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.
5-2 Solution assessments
The original figure rates each of the eight solutions above (DirectRM Invisible Token, inWebo Enterprise Cloud Token, Pindrop Fraud Detection System, Clef, Duo Push, Encap, Toopher, Yubico YubiKey NEO*) as “meets criterion” or “almost meets criterion” against the usability criteria U1 to U8, the deployability criteria D1 to D7, and the security criteria S1 to S11 listed under Figure 3. The ratings themselves are graphical marks and do not survive here.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.
Biometric Authentication: Solutions Based On “Something You Are”
Traditional biometrics mostly have niche use cases, but emerging biometric solutions have a bright future. Forrester expects several new software-based, mobile-fueled biometrics, such as mobile apps for camera-enabled fingerprint recognition, to become available in the next 12 to 18 months. And if the standards being produced by the new Fast IDentity Online (FIDO) Alliance live up to their promise, they could play a key role in biometric-based authentication device interoperability. We assessed four sample biometric-focused solutions, which span authentication generations but reflect a preponderance of voice biometrics (see Figure 6).
Many biometrics share challenges around the universality of the authenticator data (affecting S6), privacy (affecting S6 and S11), and false positives and negatives due to partial matches (affecting U7). The first two follow from the nature of the factor: the same trait is presented to every verifier, and unlike a password or a token seed it cannot simply be reissued once a template leaks. Deployers must not depend on such a method as the sole authentication factor for sensitive resource access.
Figure 6 Assessments Of Biometric Authentication Solutions
Source: Forrester Research, Inc.

6-1 Solution descriptions
The original figure also marks each solution’s applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover).

First-generation
- Equifax Anakam.TFA Voice Biometrics: Voice biometric matching involving initial voiceprint enrollment.
- Verint Impact 360 Authentication: Voice biometric and predictive analytics for a customer-chosen mix of fraud prevention and risk-based authentication and decisioning, using ordinary conversational speech. The full feature set is assessed here.

Third-generation
- EyeVerify Eyeprint: Software-based eyeprint verification integrated in-app, using existing cameras on smartphones to image- and pattern-match the blood vessels in the whites of the eye. The biometric template and matching process is on-device.
- ValidSoft SMART: Voice biometric matching and in-depth RBA and fraud detection system for mobile device platforms. Voiceprint enrollment is incremental, starting with one spoken phrase over the device’s data channel. The biometric engine can be applied to direct voice channels as well.
6-2 Solution assessments
The original figure rates each of the four solutions above (Equifax Anakam.TFA Voice Biometrics, Verint Impact 360 Authentication, EyeVerify Eyeprint, ValidSoft SMART) as “meets criterion” or “almost meets criterion” against the usability criteria U1 to U8, the deployability criteria D1 to D7, and the security criteria S1 to S11 listed under Figure 3. The ratings themselves are graphical marks and do not survive here.
User Onboarding: Solutions Suitable For Enrollment And Verification
Onboarding involves registering or provisioning authentication methods for a new employee or customer user. This process may involve linking multiple accounts or interaction channels. Because the system may never have seen this user before, it may need to perform identity verification and other forms of information checks — such as background checks — that it does not need to perform during routine login. We assessed eight sample solutions in this category, spanning the technology generations (see Figure 7). Notable additional vendors with solutions in this space are LexisNexis and TransUnion.
The assessments support the following observations: 1) Traditional identity verification solutions tend to impose a fairly heavy user experience burden, while the emerging mobile-fueled solution from Jumio seems to offer improved usability, and 2) all of the in-depth verification solutions have security and privacy “soft spots” related to the use of personal data or physical credentials that many verifiers must share.
Figure 7 Assessments Of Solutions Suitable For Onboarding
Source: Forrester Research, Inc.

7-1 Solution descriptions
The original figure also marks each solution’s applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover).

First-generation
- Equifax eIDverifier: KBA and identity verification system with questions that test out-of-wallet (OOW) knowledge about the user’s own credit history and other history based on non-public data.
- Experian Precise ID: KBA and identity verification system with questions that test the user’s knowledge based on public data sources, combined with RBA and fraud analytics system.
- ID Analytics Certain ID: KBA and identity verification system with questions that test the user’s OOW knowledge based on non-public customer-contributed aggregate fraud data.
- IDology Expect ID: Basic identity verification leveraging a user-provided name, address, and optionally date of birth and social security number.
- IDology Expect ID Enterprise: KBA with questions that test OOW knowledge about the user’s own history based on the private data source specific to each enterprise customer.
- IDology Expect ID IQ: KBA and identity verification system with questions that test OOW knowledge about the user’s own non-credit history based on public data sources.

Third-generation
- IDology Expect ID Scan and Verify: Photo-based identity document capture through a camera on a user-controlled device, with optional verification and correlation with other identity attributes.
- Jumio Netverify: Feature integrated in-app through an SDK, performing photo-based identity document capture through a camera on a user-controlled device, along with data verification and optional correlation with the user’s face.
7-2 Solution assessments
The original figure rates each of the eight solutions above (Equifax eIDverifier, Experian Precise ID, ID Analytics Certain ID, IDology Expect ID, IDology Expect ID Enterprise, IDology Expect ID IQ, IDology Expect ID Scan and Verify, Jumio Netverify) as “meets criterion” or “almost meets criterion” against the usability criteria U1 to U8, the deployability criteria D1 to D7, and the security criteria S1 to S11 listed under Figure 3. The ratings themselves are graphical marks and do not survive here.
SUPPLEMENTAL MATERIAL
Companies Participating In Research For This Report
Agnitio
CA Technologies
Clef
Confident Technologies
Cross Match Technologies
Diamond Fortress Technologies
DirectRM
Duo Security
Encap
Entersekt
Entrust
Equifax
Exostar
Experian
EyeLock
EyeVerify
Gemalto
Gigya
Good Technology
ID Analytics
IDology
inWebo
Janrain
Jumio
LaunchKey
Microsoft
MicroStrategy
Nok Nok Labs
Pindrop Security
Redcore
RSA
SafeNet
SMS Passcode
Swivel Secure
Symantec
Toopher
TraitWare
tyntec
ValidSoft
Vasco Data Security
Verint Systems
ENDNOTES
1 Three factors have conspired to put your customers on top: 1) ubiquitous information about products, services, and prices; 2) technologies that make them visible and powerful critics; and 3) the ability to purchase from anyone at any time. Increasingly powerful customers push all institutions, especially businesses, into the age of the customer. For more information, see the October 10, 2013, “Technology Management In The Age Of The Customer” report.
2 The criteria used in this framework are based on the “benefits” proposed in the technical report, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano and published by the University of Cambridge Computer Laboratory, March 2012 (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html). The authors have not endorsed the Forrester framework.
3 The assessments in the spreadsheet tool accompanying this report can be used in combination with The Customer Authentication Assessment Framework, which provides a means for gathering and weighting requirements related to a specific customer scenario and population, and then applying it to different solutions. For more information, see the June 12, 2013, “The Forrester Customer Authentication Assessment Framework” report and see the June 12, 2013, “Introducing The Customer Authentication Assessment Framework” report.
4 RSA experienced a breach in 2011 that compromised its central repository of these shared secrets. For more information on hard token security mechanisms and this breach, see the November 4, 2011, “Atlas Shrugged: Security Pros Must Adjust To The New Realities Of A Post-RSA Breach World” report.
Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow.