Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA
Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2
by Eve Maler and Andras Cser, February 24, 2014

For: Security & Risk Professionals

KEY TAKEAWAYS

It’s No Longer Possible To Overlook Usability In Authentication Processes
When you’re authenticating employees, productivity and job satisfaction ride on the outcome. And in the age of the customer, the success of the business may depend on security and risk pros working closely with customer experience and eBusiness pros to get authentication processes right.

Authentication Solutions Are Morphing Again
First-generation strong authentication was all about security. The second generation improved usability and security by leveraging mobile devices, but authentication demands continued to increase. A massive third generation of innovation centers on smart mobile devices and contextual checks, and covers many more populations and scenarios.

Biometrics Are Becoming A Lot More Interesting But Aren’t A Panacea
Traditional biometrics mostly have niche use cases, but emerging biometric solutions have a bright future. Forrester expects several new software-based, mobile-fueled biometrics to become available in the next 12 to 18 months. Wield biometric-based solutions with care and never alone; many have subtle security and privacy challenges.


© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

WHY READ THIS REPORT

Part 1 of this report captured what you need to know about the seven important trends in the frothy authentication market, which spans three generations of technology. Part 2 dives into the usability, deployability, and security characteristics of dozens of traditional and emerging authentication-related solutions and assesses their suitability for different populations, authentication stages, and user interaction channels.

TABLE OF CONTENTS

Assess Authentication Solutions’ Usability, Deployability, And Security

Solution Assessments

First-Generation Authentication: Hardcore Solutions For Traditional Security Scenarios

Second-Generation Authentication: Solutions Responding To The Mobile Era

Third-Generation Authentication: Solutions That Add Contextual Nuance

Biometric Authentication: Solutions Based On “Something You Are”

User Onboarding: Solutions Suitable For Enrollment And Verification

Supplemental Material

NOTES & RESOURCES

Forrester conducted research with over three dozen vendors and several IT end user companies and experts. See the end of this document for a list. Forrester based the authentication assessment framework used in this report on the one proposed in “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” Proc. IEEE Symp. on Security and Privacy, 2012, by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. The authors have not endorsed the Forrester framework.

RELATED RESEARCH DOCUMENTS

Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2 (December 30, 2013)

Introducing The Customer Authentication Assessment Framework (June 12, 2013)

The Forrester Customer Authentication Assessment Framework (June 12, 2013)

Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2
Three Generations Of Vendor Solutions Tackle Various Challenges
by Eve Maler and Andras Cser with Stephanie Balaouras and Jennie Duong

February 24, 2014


ASSESS AUTHENTICATION SOLUTIONS’ USABILITY, DEPLOYABILITY, AND SECURITY

If you could ever overlook the usability implications of authentication processes, it’s no longer possible. When you’re authenticating employees, productivity, efficiency, and even job satisfaction ride on the outcome. And in the age of the customer, the very success of the business may depend on security and risk pros working closely with customer experience and eBusiness pros to get authentication processes right: While you’re managing fraud rates by catching bad guys, remember that you must also enable streamlined, higher-value transactions and better experiences for legitimate customers.1

Forrester uses a 26-criteria framework for assessing the usability, deployability, and security characteristics of different authentication-related solutions (see Figure 1). This framework builds on one proposed by academic researchers in a paper called “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.”2 In using Forrester’s framework, be mindful that:

■ An assessment is not the last word on the solution’s suitability for a task. Each assessment describes: 1) the primary task-interaction channels supported by the solution; 2) authentication stages assisted by the solution; 3) the solution’s scope and assumptions; and 4) whether the solution fully meets, almost meets, or does not meet each of the criteria: eight for usability, seven for deployability, and 11 for security. This approach enables you to apply best practices, along with compensating controls as required, to strengthen your use of a solution, and even perform your own solution assessments. But most solutions let you configure a variety of deployment variables to address different sweet spots — and even a 100-criteria assessment won’t substitute for understanding your own scenario, population, and risks (see Figure 2).3

■ A solution’s “footprint” in the lives of real users makes a big difference. Some solutions provide generic authentication servers that support a variety of actual authentication methods, and many solutions offer a backup method that works when the primary one is impractical or unavailable, such as enabling a soft token when the user has lost his or her hard token. In most cases we focus on a single primary method; see each solution’s description for nuances.

■ In 2014, no list of authentication-related solutions is likely to be complete. The market is highly competitive. We estimate the market to include 100 to 200 authentication vendors. Ultimately we assessed 40 solutions, representing all three generations of authentication technology and many exemplars of the seven trends identified in the first part of this report. However, don’t assume every vendor, variation on a theme, or product from a vendor appearing here is represented. For example, we assessed only a few solutions in the largely commoditized space for one-time passwords (OTPs) sent through short message service (SMS) text messages.

■ There’s an even wider world of authentication out there. This report focuses on the market for solutions feasible to deploy in a private-sector context for employees and customers using web, mobile app, and phone (both human and interactive voice response) channels. This eliminates, for example: 1) covert biometric methods used in law enforcement; 2) methods exclusively used for physical access or access to nonmobile hardware platforms; and 3) methods targeted specifically to citizens (“eIDs”) or government employees and contractors.

Figure 1 Usability, Deployability, And Security Criteria For Assessing Solutions

Source: Forrester Research, Inc. 109861

Source: Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” the University of Cambridge Computer Laboratory, March 2012

*Called a “benefit” in the “Quest” framework.
†“Quasi” in the “Quest” framework means that the scheme receives an “Almost” assessment.
‡The criteria and definitions so marked, and all comments, are original Forrester content.

Each entry below gives the Criterion*, its Description†, and Forrester’s Comments‡.

U1: Memorywise-Effortless
Description: Users of the scheme do not have to remember any secrets at all. We grant a Quasi-Memorywise-Effortless if users have to remember one secret for everything (as opposed to one per verifier).
Comments: Knowledge-based authentication (KBA) solutions do not meet the criterion. One-time password (OTP) solutions and other solutions that do not explicitly mention involving secrets do meet it. Solutions targeted primarily to employees and partners assume mobile devices that must be unlocked with a secret such as a PIN.

U2: Scalable-For-Users
Description: Using the scheme for hundreds of accounts does not increase the burden on the user. . . . we mean “scalable” only from the user’s perspective, looking at the cognitive load, not from a system deployment perspective, looking at allocation of technical resources.
Comments: Unlike the original researchers, we are looking for practical scale; assume the user will interact with multiple solutions, some of which may have a cognitive load. A solution meets the criterion only if it has no impact on cognitive load (such as pushing an approval button) or for onboarding solutions where the identical authenticator can be used for all interactions using this method. KBA does not meet the criterion, nor does having a single sign-on (SSO) mode.

U3: Nothing-To-Carry
Description: Users do not need to carry an additional physical object (electronic device, mechanical key, piece of paper) to use the scheme. Quasi-Nothing-To-Carry is awarded if the object is one that they’d carry everywhere all the time anyway, such as their mobile phone, but not if it’s their computer (including tablets).

U4: Physically-Effortless
Description: The authentication process does not require physical (as opposed to cognitive) user effort beyond, say, pressing a button. Schemes that don’t offer this benefit include those that require typing, scribbling, or performing a set of motions. We grant Quasi-Physically-Effortless if the user’s effort is limited to speaking, on the basis that even illiterate people find that natural to do.
Comments: Multiple-choice question challenges, such as in KBA, almost meet the criterion. Voice biometrics meet the criterion only if they operate on natural speech rather than preregistered phrases.

U5: Easy-To-Learn
Description: Users who don’t know the scheme can figure it out and learn it without too much trouble, and then easily recall how to use it.

U6: Efficient-To-Use
Description: The time the user must spend for each authentication is acceptably short. The time required for setting up a new association with a verifier, although possibly longer than that for authentication, is also reasonable.
Comments: Risk-based authentication (RBA) solutions meet the criterion because the user is unaware of them, and solutions that involve user transcription of an OTP almost meet the criterion. Solutions requiring multiple or complex steps, such as using a mobile device’s camera or retrieving a smart card and positioning it in a reader, do not meet the criterion unless they are used for onboarding only.

U7: Infrequent-Errors
Description: The task that users must perform to log in usually succeeds when performed by a legitimate and honest user. In other words, the scheme isn’t so hard to use or unreliable that genuine users are routinely rejected.
Comments: Solutions with a relatively high false rejection rate experienced by users, such as KBA, do not meet the criterion. Solutions with proven rates in the 1% range almost meet it, as do RBA schemes, because marginal risk scores are often false positives that force step-up. OTP-based solutions do meet the criterion, but passwords only almost meet it because of the frequency of forgotten secrets.

U8: Easy-Recovery-From-Loss
Description: A user can conveniently regain the ability to authenticate if the token is lost or the credentials forgotten. This combines usability aspects such as low latency before restored ability; low user inconvenience in recovery (e.g., no requirement for physically standing in line); and assurance that recovery will be possible, for example via built-in backups or secondary recovery schemes. If recovery requires some form of re-enrollment, this benefit rates its convenience.
Comments: If a solution that otherwise would have high latency offers at least a second-generation solution as a backup method, it meets the criterion; security challenge questions for account recovery don’t count. Solutions focusing on onboarding and RBA “meet” the criterion because it’s moot.

D1: Accessible
Description: Users who can use passwords are not prevented from using the scheme by disabilities or other physical (not cognitive) conditions.
Comments: Solutions involving generic mobile and desktop platforms on which users can enable accessibility features, such as voice-activated screen button clicks, and screen readers, meet the criterion. Hard tokens, smart cards, and camera-dependent methods do not, but the various “soft” OTPs do. Solutions completely unavailable to the blind or speech-impaired with no backup method do not meet the criterion.

D2: Negligible-Cost-Per-User
Description: The total cost per user of the scheme, adding up the costs at both the prover’s end (any devices required) and the verifier’s end (any share of the equipment and software required) is negligible. The scheme is plausible for startups with no per-user revenue.
Comments: Solutions with a dedicated per-user hardware component that must be purchased or otherwise cost the equivalent of more than $1 per user per month at typically deployed scale do not meet the criterion. Solutions without dedicated hardware that cost under $1 per user per month at typical scale almost meet it. Solutions that are free or cost pennies per user per month at scale do meet it.

D3: Server-Compatible
Description: At the verifier’s end, the scheme is compatible with text-based passwords. Providers don’t have to change their existing authentication setup to support the scheme.
Comments: Solutions with a cloud-based server component where integration consists only of web-based configuration with no coding meet the criterion, as do on-premises solutions that work within the constraints of existing password-handling systems. On-premises solutions that support a named list of IAM suites almost meet the criterion, as do cloud-based solutions that require integration with APIs.

D4: Nothing-To-Provision-To-User‡
Description: The verifier delivers a secret or other authentication method to users through an out-of-band device, app, and/or communications channel the users already have, with no need to provision any hardware or software at all, simply a need to register the channel in question (also called “bring your own token” or BYOT). The commonest method is to send an OTP by short message service (SMS) to a mobile phone. An OTP that arrives through unprotected third-party channels opens itself to man-in-the-middle attacks.‡
Comments: Browser-resident zero-install apps meet the criterion, as do solutions integrated directly into the user’s primary app through a software development kit (SDK). Solutions that enable choice per population among mobile apps and BYOT methods almost meet it.

D5: Mature
Description: The scheme aligns roughly with Forrester’s TechRadar™ ecosystem phase definitions: Creation phase technologies do not meet the criterion. Survival phase technologies are granted an Almost. Growth, Equilibrium, and Decline phase technologies are granted a Yes. Schemes related to specific implementations, products, or vendors may be demoted if they have a tenuous business value, but never promoted.‡
Comments: First-generation and most second-generation solutions are mature; most third-generation solutions are less so.

D6: Multiple-Purposes‡
Description: The scheme has auxiliary purposes, or it has a main nonauthentication purpose that can be combined with an auxiliary authentication purpose. Examples are USB keys that can be used for encrypted storage, or SMS or push notification channels that can be used for transaction confirmations, customer alerts, BC/DR alerts, and other uses.‡
Comments: Identity verification and authentication are not considered two distinct purposes.

D7: Available-Offline‡
Description: The authenticator works without a need for network connectivity on a secondary channel. A password is available offline since it can be remembered (or looked up on paper). A time-based token is available offline. An OTP delivered over email or SMS is not available offline.‡
Comments: If there’s at least a second-generation offline backup method for a scheme that normally requires an online channel, the solution almost meets the criterion. Solutions that are truly single-channel because the primary interaction is assumed to have connectivity “meet” the criterion because it’s moot.

S1: Resilient-To-Physical-Observation
Description: An attacker cannot impersonate a user after observing them authenticate one or more times. We grant Quasi-Resilient-To-Physical-Observation if the scheme could be broken only by repeating the observation more than, say, 10 to 20 times. Attacks include shoulder surfing, filming the keyboard, recording keystroke sounds, or thermal imaging of the keypad.
Comments: KBA solutions almost meet the criterion because the specific secrets tend to vary (versus passwords). Solutions where additional factors prevent use of the observed authenticator meet it.

S2: Resilient-To-Targeted-Impersonation
Description: It is not possible for an acquaintance (or skilled investigator) to impersonate a specific user by exploiting knowledge of personal details (birth date, names of relatives, etc.). Personal knowledge questions are the canonical scheme that fails on this point.
Comments: The prevalence of consensual impersonation through password-sharing leads us to consider passwords and PINs not to meet this criterion.

S3: Resilient-To-Throttled-Guessing
Description: An attacker whose rate of guessing is constrained by the verifier cannot successfully guess the secrets of a significant fraction of users. The verifier-imposed constraint might be enforced by an online server, a tamper-resistant chip, or any other mechanism capable of throttling repeated requests. To give a quantitative example, we might grant this benefit if an attacker constrained to, say, 10 guesses per account per day could compromise at most 1% of accounts in a year. Lack of this benefit is meant to penalize schemes in which it is frequent for user-chosen secrets to be selected from a small and well-known subset (low min-entropy).
Comments: Solutions that can be configured to lock or freeze accounts on a certain number of failed attempts meet this criterion.

S4: Resilient-To-Unthrottled-Guessing
Description: An attacker whose rate of guessing is constrained only by available computing resources cannot successfully guess the secrets of a significant fraction of users. We might for example grant this benefit if an attacker capable of attempting up to 2^40 or even 2^64 guesses per account could still only reach fewer than 1% of accounts. Lack of this benefit is meant to penalize schemes where the space of credentials is not large enough to withstand brute force search (including dictionary attacks, rainbow tables, and related brute force methods smarter than raw exhaustive search, if credentials are user-chosen secrets).
Comments: Solutions with a high-entropy secret and those that can be configured to lock or freeze accounts on failed attempts meet the criterion.
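The S3 and S4 yardsticks above (10 guesses per account per day for a year, and 2^40 or 2^64 guesses per account, each against a 1% compromise ceiling) can be checked mechanically for a candidate scheme. The script below is an added example, not Forrester’s or the “Quest” authors’ code; the Zipf-shaped password popularity model and the lockout cap on guesses are constructed assumptions, not measured data.

```python
"""Check a scheme against the S3/S4 guessing-resilience thresholds in Figure 1.

Added example (not Forrester's or the Quest authors' code). Assumes an optimal
attacker who tries the most likely secrets first, and models account lockout
as a hard cap on the number of guesses an attacker gets per account.
"""
from math import log2

# S3: the criterion's example budget, 10 guesses per account per day for a year.
THROTTLED_GUESSES = 10 * 365
# S4: the two computing budgets the criterion quotes.
UNTHROTTLED_BUDGETS = {"2^40": 2 ** 40, "2^64": 2 ** 64}
# Both criteria cap the compromised share of accounts at 1%.
MAX_FRACTION = 0.01


def compromised_fraction(guesses, space_size=None, secret_probs=None):
    """Fraction of accounts an optimal guesser takes over with `guesses`
    attempts per account.

    space_size:   a uniformly random, machine-chosen secret (OTP, random key);
                  each guess succeeds with probability 1 / space_size.
    secret_probs: user-chosen secrets with a known popularity distribution;
                  the attacker tries the most popular ones first, so the
                  answer is the probability mass of the top `guesses` entries.
    """
    if secret_probs is not None:
        top = sorted(secret_probs, reverse=True)[:guesses]
        return min(1.0, sum(top))
    if space_size is None:
        raise ValueError("give either space_size or secret_probs")
    return min(1.0, guesses / space_size)


def min_entropy_bits(secret_probs):
    """Min-entropy, -log2(p_max): the quantity S3 says low values are penalised for."""
    return -log2(max(secret_probs))


def assess(space_size=None, secret_probs=None, lockout_attempts=None):
    """Return {'S3': 'Yes'|'No', 'S4': {'2^40': ..., '2^64': ...}} for one scheme.

    Figure 1's comments grant S3 and S4 to schemes that can lock or freeze the
    account after a number of failed attempts; that is modelled here by capping
    every attacker budget at `lockout_attempts` (constructed assumption).
    """
    def budget(n):
        return n if lockout_attempts is None else min(n, lockout_attempts)

    def verdict(ok):
        return "Yes" if ok else "No"

    s3_ok = compromised_fraction(budget(THROTTLED_GUESSES), space_size, secret_probs) <= MAX_FRACTION
    s4 = {
        label: verdict(compromised_fraction(budget(n), space_size, secret_probs) < MAX_FRACTION)
        for label, n in UNTHROTTLED_BUDGETS.items()
    }
    return {"S3": verdict(s3_ok), "S4": s4}


def zipf_password_model(ranks=1_000_000, exponent=1.0):
    """Constructed stand-in for user-chosen passwords: popularity falls off as a
    power law with rank, so a few secrets carry most of the mass. Not real data."""
    weights = [1.0 / r ** exponent for r in range(1, ranks + 1)]
    total = sum(weights)
    return [w / total for w in weights]


if __name__ == "__main__":
    cases = {
        "user-chosen passwords (constructed Zipf model)": dict(secret_probs=zipf_password_model()),
        "6-digit OTP, no lockout": dict(space_size=10 ** 6),
        "6-digit OTP, lockout after 5 failures": dict(space_size=10 ** 6, lockout_attempts=5),
        "128-bit random key": dict(space_size=2 ** 128),
    }
    for name, kwargs in cases.items():
        print(f"{name}: {assess(**kwargs)}")
    print(f"min-entropy of the Zipf model: {min_entropy_bits(zipf_password_model()):.2f} bits")
```

The output illustrates the page's point: a short OTP passes S3 on its own but passes S4 only when lockout caps the attacker's budget, while a low-min-entropy password distribution fails S3 even at 10 guesses per day.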

S5: Resilient-To-Internal-Observation
Description: An attacker cannot impersonate a user by intercepting the user’s input from inside the user’s device (e.g., by keylogging malware) or eavesdropping on the clear text communication between prover and verifier (we assume that the attacker can also defeat TLS if it is used, perhaps through the CA). As with Resilient-To-Physical-Observation above, we grant Quasi-Resilient-To-Internal-Observation if the scheme could be broken only by intercepting input or eavesdropping cleartext more than, say, 10 to 20 times. This penalizes schemes that are not replay-resistant, whether because they send a static response or because their dynamic response countermeasure can be cracked with a few observations. This benefit assumes that general-purpose devices like software-updatable personal computers and mobile phones may contain malware, but that hardware devices dedicated exclusively to the scheme can be made malware-free. We grant Quasi-Resilient-To-Internal-Observation to two-factor schemes where both factors must be malware-infected for the attack to work. If infecting only one factor breaks the scheme, we don’t grant the benefit.
Comments: Solutions where the user inputs a static shared secret into the primary channel and where no other elements mitigate this threat do not meet the criterion. Nor do other types of solutions resident in software, even if given extra protection, versus a hardware security module. Solutions based on OTPs generally meet it.

S6: Resilient-To-Leaks-From-Other-Verifiers
Description: Nothing that a verifier could possibly leak can help an attacker impersonate the user to another verifier. This penalizes schemes where insider fraud at one provider, or a successful attack on one back end, endangers the user’s accounts at other sites.
Comments: This penalizes any secrets that are used across different verifiers. Biometrics and KBA solutions based on public data will tend not to meet the criterion. Nor will passwords, which users tend to reuse to achieve “faux SSO.”

S7: Resilient-To-Phishing
Description: An attacker who simulates a valid verifier (including by DNS manipulation) cannot collect credentials that can later be used to impersonate the user to the actual verifier. This penalizes schemes allowing phishers to get victims to authenticate to look-alike sites and later use the harvested credentials against the genuine sites. It is not meant to penalize schemes vulnerable to more sophisticated real-time man-in-the-middle or relay attacks, in which the attackers have one connection to the victim prover (pretending to be the verifier) and simultaneously another connection to the victim verifier (pretending to be the prover).
Comments: KBA solutions almost meet the criterion because the specific secrets tend to vary (versus passwords). Solutions where additional factors prevent use of the observed authenticator meet it.

S8: Resilient-To-Theft
Description: If the scheme uses a physical object for authentication, the object cannot be used for authentication by another person who gains possession of it. We still grant Quasi-Resilient-To-Theft if the protection is achieved with the modest strength of a PIN, even if attempts are not rate controlled, because the attack doesn’t easily scale to many victims.
Comments: Mobile-fueled solutions targeted primarily to employees and partners almost meet the criterion because organizations have the option to enforce locking of mobile devices.

S9: No-Trusted-Third-Party
Description: The scheme does not rely on a trusted third party (other than the prover and the verifier) who could, upon being attacked or otherwise becoming untrustworthy, compromise the prover’s security or privacy.
Comments: Solutions that can be installed on-premises and don’t involve third-party communications channels meet the criterion. Cloud-only deployability is incompatible with this criterion, but some solutions offer a choice of deployment options.

S10: Requiring-Explicit-Consent
Description: The authentication process cannot be started without the explicit consent of the user. This is both a security and a privacy feature (a rogue wireless RFID-based credit card reader embedded in a sofa might charge a card without user knowledge or consent).

For Security & Risk Professionals
Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2
© 2014, Forrester Research, Inc. Reproduction Prohibited. February 24, 2014

Figure 1 Usability, Deployability, And Security Criteria For Assessing Solutions (Cont.)

Criterion* / Description† / Comments‡

S11: Unlinkable
Description: Colluding verifiers cannot determine, from the authenticator alone, whether the same user is authenticating to both. This is a privacy feature. To rate this benefit we disregard linkability introduced by other mechanisms (same user ID, same IP address, etc.).
Comments: Due to the contextual nature of modern authentication, we must consider some “other mechanisms” to break unlinkability. KBA solutions based on public data sources do not meet the criterion, nor do solutions that communicate with the user solely through a phone number or email address. KBA solutions based on private data sources and biometrics with proprietary storage models almost meet it.

Source: Forrester Research, Inc.

Source: Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” the University of Cambridge Computer Laboratory, March 2012

*Called a “benefit” in the “Quest” framework. †“Quasi” in the “Quest” framework means that the scheme receives an “Almost” assessment. ‡The criteria and definitions so marked, and all comments, are original Forrester content.
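The S7 and S11 criteria describe two attacker models: a look-alike verifier that harvests a credential for reuse (later, or in real time by relay), and colluding verifiers comparing what they each hold. The following Python, added here as an illustration and not part of the Forrester report or of any assessed product, makes both concrete. It implements an OATH time-based OTP (RFC 6238: HMAC-SHA1, 30-second step, six digits) and shows that a harvested code is useless once its window has passed (so the scheme satisfies S7 as defined) but is accepted if the phisher relays it immediately (the real-time case S7 explicitly does not penalize). It then implements an origin-bound challenge-response in which the device derives a separate key for every verifier from one master secret, which defeats even the real-time relay and gives colluding verifiers nothing to correlate. The token seed, origins, nonce and timestamps are constructed for the example; the per-verifier HMAC key is a stand-in for the per-relying-party key pairs that schemes such as Clef use, not any vendor's protocol.

```python
"""Phishing resilience (S7) and unlinkability (S11) of two authenticator designs.

Added example, not Forrester's or any vendor's code. Every origin, secret,
nonce and timestamp below is constructed for the demonstration.
"""
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: int, digits: int = 6) -> str:
    """TOTP (RFC 6238) for a Unix time."""
    return hotp(key, at // STEP, digits)

class OtpVerifier:
    """Genuine verifier: accepts the current step plus one step of clock skew
    either side, and refuses a step that was already consumed (replay check)."""

    def __init__(self, key: bytes):
        self.key = key
        self.consumed = set()

    def verify(self, code: str, now: int) -> bool:
        for counter in (now // STEP - 1, now // STEP, now // STEP + 1):
            if hmac.compare_digest(hotp(self.key, counter), code):
                if counter in self.consumed:
                    return False
                self.consumed.add(counter)
                return True
        return False

def phish_otp(delay_seconds: int) -> bool:
    """Victim types a live OTP into a look-alike site at t=1000; the attacker
    submits it to the genuine verifier delay_seconds later."""
    seed = b"12345678901234567890"            # constructed token seed
    harvested = totp(seed, 1000)              # collected by the phishing page
    return OtpVerifier(seed).verify(harvested, 1000 + delay_seconds)

def per_verifier_key(master: bytes, origin: str) -> bytes:
    """One key per verifier, derived from the device's master secret (stand-in
    for generating a distinct key pair per relying party)."""
    return hmac.new(master, b"key|" + origin.encode(), hashlib.sha256).digest()

def credential_id(master: bytes, origin: str) -> str:
    """Identifier the verifier stores at registration; it must not betray that
    another verifier holds a credential of the same device (S11)."""
    return hashlib.sha256(b"id|" + per_verifier_key(master, origin)).hexdigest()

def client_sign(master: bytes, origin_seen: str, challenge: bytes) -> bytes:
    """The client binds its response to the origin it is actually talking to;
    a relaying attacker cannot make it name the genuine origin instead."""
    key = per_verifier_key(master, origin_seen)
    return hmac.new(key, origin_seen.encode() + b"|" + challenge, hashlib.sha256).digest()

class OriginBoundVerifier:
    def __init__(self, origin: str):
        self.origin = origin
        self.registered = {}          # credential id -> verification key

    def register(self, master: bytes) -> str:
        cid = credential_id(master, self.origin)
        self.registered[cid] = per_verifier_key(master, self.origin)
        return cid

    def verify(self, cid: str, challenge: bytes, signature: bytes) -> bool:
        key = self.registered.get(cid)
        if key is None:
            return False
        expected = hmac.new(key, self.origin.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def phish_origin_bound() -> bool:
    """Real-time relay: the attacker forwards the bank's challenge to the victim
    through a look-alike origin and forwards the victim's response back."""
    master = b"device-master-secret"          # constructed
    bank = OriginBoundVerifier("https://bank.example")
    cid = bank.register(master)
    challenge = b"nonce-7f3a"                 # constructed bank challenge
    response = client_sign(master, "https://bank-login.example", challenge)
    return bank.verify(cid, challenge, response)

def colluding_verifiers_can_link(master: bytes = b"device-master-secret") -> bool:
    """S11 check: two verifiers compare the credential ids they each hold."""
    bank_id = OriginBoundVerifier("https://bank.example").register(master)
    shop_id = OriginBoundVerifier("https://shop.example").register(master)
    return bank_id == shop_id
```

`phish_otp(5)` returns True and `phish_otp(120)` returns False: the OTP scheme passes S7 as written but not the relay case, which is why the RSA SecurID-style hard tokens in Figure 3 still leave a real-time phishing proxy as a residual risk. `phish_origin_bound()` and `colluding_verifiers_can_link()` both return False. The replay set in `OtpVerifier` is the minimum a practitioner should insist on from any OTP verifier; without it a code captured by shoulder surfing (S1) is good for the remainder of its window even after the legitimate user has logged in.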

Figure 2 The Forrester Customer Authentication Assessment

Source: Forrester Research, Inc.

The spreadsheet associated with this figure contains additional data.


Solution Assessments

The solution assessments are organized into five categories: 1) first-generation; 2) second-generation; 3) third-generation; 4) biometric; and 5) user onboarding. Pay close attention to each assessment's “description and scope” field; it captures key assumptions that informed our assessment. Be prepared to revise assessments as you make your own solution and deployment choices.

First-Generation Authentication: Hardcore Solutions For Traditional Security Scenarios

First-generation strong authentication was all about security. This category includes solutions such as smartcards and hard tokens. Its population focus is employees, contractors, business partners, and, occasionally, individual high-net-worth banking customers and serious online gamers. We assessed nine sample solutions in this category, including the incumbent method, web passwords (see Figure 3).

The assessments support the following observations: 1) Hard tokens and smartcards shore up password security weaknesses, but they have usability and deployability challenges of their own, and 2) risk-based authentication (RBA) solutions serve as an excellent “booster shot” because they have both usability and security strengths, but they show weakness around privacy-related security areas (S10 and, often, S11): the contextual signals they rely on, such as device fingerprints and IP addresses, are collected without an explicit user action and can link a user across verifiers. Notable vendors with additional solutions in this space, as well as in later generations of authentication, include Entrust (recently acquired by Datacard Group) and CA Technologies (which also has an RBA solution).[4]


Figure 3 Assessments Of First-Generation Authentication Solutions

Source: Forrester Research, Inc.

Solution descriptions (3-1). For each solution the original figure also marks the applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover); those marks did not survive extraction.

Passwords
Web password: User-chosen password conforming to a typical password format policy, with at least an OTP link sent over email or similar for account recovery but with no lockout limit.

Certificates
CA ArcotID PKI: Software client enabling the user to use an application password in the normal fashion, using a protected software-resident digital certificate to sign responses to a server-side challenge without sending the password. A “roaming” credential without additional password protection is assessed.

Hard tokens
Equifax Anakam.TFA Hard Tokens: Time-based Initiative for Open Authentication (OATH)-compatible OTP in a hard token form factor usable by any bearer. Solution is targeted primarily to employees.
RSA Authentication Manager (SecurID hard token): Time-based proprietary OTP in a hard token form factor with seed records held by vendor. Includes some optional RBA features. Token requiring PIN unlock is assessed. Solution is targeted primarily to employees.

Smart cards
DirectRM Authentication Smart Card: PIN-unlockable smart card that enables the user to reset the PIN directly on the card and optionally provides payment/loyalty card features. Backup method is a site-displayed QR code.
Gemalto IDConfirm 1000 IDPrime smart card with OTP: X.509-based smart card with a time-based OATH-compatible OTP display. Assessed here is a PIN-protected card. Backup method is security questions. Solution is targeted primarily to employees.
SafeNet Authentication Manager (smart card): On-premises authentication platform with a variety of options preintegrated; assessed here is the X.509-based smart card option, with RBA policy elements incorporated, PIN unlocking, and user data storage. Solution is targeted primarily to employees.

RBA
RSA Adaptive Authentication: RBA and fraud detection platform that analyzes and profiles user behavior, devices used, and fraud-related data feeds.

Other
Redcore KeyVault: Password-protected mobile or PC app that provides a cryptographically secure connection to a website through a hardened browser. The solution is also available as an in-app SDK.

Figure 3 Assessments Of First-Generation Authentication Solutions (Cont.)

Source: Forrester Research, Inc.

Solution assessments (3-2). The original figure is a grid rating each of the nine first-generation solutions (Web password; CA ArcotID PKI; Equifax Anakam.TFA Hard Tokens; RSA Authentication Manager (SecurID hard token); DirectRM Authentication Smart Card; Gemalto IDConfirm 1000 IDPrime smart card with OTP; SafeNet Authentication Manager (smart card); RSA Adaptive Authentication; Redcore KeyVault) as “meets criterion” or “almost meets criterion” against each criterion below. The rating marks did not survive extraction.

Usability: U1: Memorywise-Effortless; U2: Scalable-For-Users; U3: Nothing-To-Carry; U4: Physically-Effortless; U5: Easy-To-Learn; U6: Efficient-To-Use; U7: Infrequent-Errors; U8: Easy-Recovery-From-Loss.

Deployability: D1: Accessible; D2: Negligible-Cost-Per-User; D3: Server-Compatible; D4: Nothing-To-Provision-To-User; D5: Mature; D6: Multiple-Purposes; D7: Available-Offline.

Security: S1: Resilient-To-Physical-Observation; S2: Resilient-To-Targeted-Impersonation; S3: Resilient-To-Throttled-Guessing; S4: Resilient-To-Unthrottled-Guessing; S5: Resilient-To-Internal-Observation; S6: Resilient-To-Leaks-From-Other-Verifiers; S7: Resilient-To-Phishing; S8: Resilient-To-Theft; S9: No-Trusted-Third-Party; S10: Requiring-Explicit-Consent; S11: Unlinkable.


Second-Generation Authentication: Solutions Responding To The Mobile Era

Forrester defines mobile-fueled authentication as an authentication process that leverages a mobile device. The second generation of authentication improved usability and security by leveraging mobile devices, bringing an opportunity for stronger authentication to consumer populations for the first time. This category includes solutions such as sending OTPs over SMS, contacting the user by a secondary phone channel, and deploying software-based OTP tokens in the form of mobile apps. We assessed 11 sample solutions in this category (see Figure 4).

The assessments support the following observations: 1) While methods that use the SMS channel to send OTPs improve on passwords alone, most have security challenges around unlocked mobile devices (an OTP delivered to a phone that is not locked is readable by whoever holds it) and reliance on cellular networks; 2) soft tokens mitigate some of these challenges while facing complementary ones; 3) this era saw valuable experimentation in graphical authentication challenges; and 4) phone-based approval loops, while not a fancy new technique, show quite positive results across the board. While some first-generation solutions could be used for auxiliary purposes (criterion D6) such as physical access control, solutions in this category tend to offer features relevant to broader populations, such as secure transaction signing and customer engagement through the SMS channel.


Figure 4 Assessments Of Second-Generation Authentication Solutions

Source: Forrester Research, Inc.

Solution descriptions (4-1). For each solution the original figure also marks the applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover); those marks did not survive extraction.

Confident ImageShield for Web Security: Image-based solution integrated into a website; the user inputs an OTP by identifying displayed pictures that fit categories the user chose during enrollment. Solution can also be integrated into a mobile app for OOB authentication.

Equifax Anakam.TFA (basic): OATH-compatible OTP in one of a variety of form factors: SMS, mobile app, or phone. Multiple backup methods.

Microsoft Windows Azure Multi-Factor Authentication: System that makes a phone call for user approval, along with a mobile app that receives push notifications for user approval. Backup method is a time-based soft token. Solution is targeted primarily to employees.

SafeNet Authentication Manager (OTP): On-premises authentication platform with a variety of options pre-integrated; assessed here are the OTP options (desktop app, mobile soft token app, sent over SMS, and sent over email, with RBA policy elements incorporated), with the ability to choose options per population.

SafeNet Authentication Service: OTP authentication platform offered as SaaS with a variety of options pre-integrated, including desktop app, mobile soft token app, sent over SMS, and sent over email, with the ability to choose options per population.

SMS PASSCODE Multi-Factor Authentication: Hardened and reliability-enhanced delivery of OTPs over SMS. Solution is targeted primarily to employees.

Symantec VIP: Cloud-based OATH-compatible OTP authentication platform with a variety of options pre-integrated, including hard tokens, soft tokens, mobile devices, and OTPs sent over SMS and email, with RBA options, and with the ability to choose options per population. Solution is primarily targeted to employees.

Swivel in browser: Image-based solution based on the “PINsafe protocol”: The user inputs an OTP response by making selections out of a graphically presented challenge, typing elements of the challenge that correspond to the digit positions represented by a PIN the user chose during enrollment. Assessed here is the in-browser form factor; also available in a variety of others, including mobile app.

Vasco DIGIPASS SDK: Feature integrated in-app through an SDK to turn the device it runs on into an OTP generator, using a secure execution environment if available, and connecting to an on-premises server or cloud service for verification. Optionally applies geolocation RBA. Assessed is a user-typed OTP; the SDK enables a variety of flows.

Yubico YubiKey Standard*: OATH-compatible OTP in a USB token form factor that appears to the receptive device as a USB keyboard and requires no software installation. When the user pushes a button on the token, it generates an OTP and passes it automatically to the app.

tyntec: Hardened and reliability-enhanced delivery of OTPs over SMS, giving end-to-end customer control over the entire SMS transmission path.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.

Figure 4 Assessments Of Second-Generation Authentication Solutions (Cont.)

Source: Forrester Research, Inc.

Solution assessments (4-2). The original figure is a grid rating each of the 11 second-generation solutions (Confident ImageShield for Web Security; Equifax Anakam.TFA (basic); Microsoft Windows Azure Multi-Factor Authentication; Swivel in browser; SafeNet Authentication Manager (OTP); SafeNet Authentication Service; SMS PASSCODE; Symantec VIP; tyntec; Vasco DIGIPASS SDK; Yubico YubiKey Standard*) as “meets criterion” or “almost meets criterion” against each criterion below. The rating marks did not survive extraction.

Usability: U1: Memorywise-Effortless; U2: Scalable-For-Users; U3: Nothing-To-Carry; U4: Physically-Effortless; U5: Easy-To-Learn; U6: Efficient-To-Use; U7: Infrequent-Errors; U8: Easy-Recovery-From-Loss.

Deployability: D1: Accessible; D2: Negligible-Cost-Per-User; D3: Server-Compatible; D4: Nothing-To-Provision-To-User; D5: Mature; D6: Multiple-Purposes; D7: Available-Offline.

Security: S1: Resilient-To-Physical-Observation; S2: Resilient-To-Targeted-Impersonation; S3: Resilient-To-Throttled-Guessing; S4: Resilient-To-Unthrottled-Guessing; S5: Resilient-To-Internal-Observation; S6: Resilient-To-Leaks-From-Other-Verifiers; S7: Resilient-To-Phishing; S8: Resilient-To-Theft; S9: No-Trusted-Third-Party; S10: Requiring-Explicit-Consent; S11: Unlinkable.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.


Third-Generation Authentication: Solutions That Add Contextual Nuance

We're now seeing a massive third generation of innovation, centering mostly on the capabilities and contexts of smart mobile devices and fully expanding opportunities for strong authentication to every population and scenario. These are not simply “soft tokens.” Many of them take a contextual approach, combining second-generation techniques with device identification and other RBA features to improve usability without compromising security. We assessed eight sample solutions in this category (see Figure 5).

Of the third-generation solutions assessed here, the DirectRM, inWebo, and Pindrop Security ones aren't inherently mobile-fueled, while the Clef, Duo Push, Encap, Toopher, and YubiKey NEO ones are. And Clef, Duo Push, and Toopher are notable for entirely avoiding user-memorized static shared secrets — anything that could be characterized as a password. If Apple's foray into biometric device-unlocking with iPhone 5s Touch ID becomes commonplace, these solutions could be used as “kill the password” methods in some cases — providing both sufficient usability for routine or step-up login and sufficient authentication strength for account recovery.
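The contextual approach described above, and the RBA “booster shot” noted in the first-generation assessment, both come down to a risk score computed from signals the user never types: device identity, location, and the time since the last login. The Python below is an added illustration of such a risk engine, not code from the report or from any assessed vendor. It scores each login against the user's history (known devices, last location and time), adds “impossible travel” when the implied speed between two logins exceeds a plausible limit, and maps the score to allow, step-up, or deny. The weights, thresholds, speed limit and the four login events are assumptions constructed for the example. It also shows the S10/S11 trade-off in code: every signal used here is collected passively, and the same device identifier that lets the engine recognise a returning user is exactly what would let colluding verifiers link that user.

```python
"""Contextual (risk-based) login assessment over constructed login events.

Added example, not Forrester's or any vendor's code. Weights, thresholds,
the speed limit and the events are assumptions made for the demonstration.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Login:
    user: str
    ts: int            # Unix seconds
    device_id: str     # device fingerprint or app-held device identifier
    country: str
    lat: float
    lon: float

@dataclass
class UserHistory:
    devices: Set[str] = field(default_factory=set)
    last: Optional[Login] = None   # most recent login that was not denied

MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two logins = impossible travel
STEP_UP_AT, DENY_AT = 30, 70

def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def score_login(hist: UserHistory, ev: Login) -> Tuple[int, List[str]]:
    """Additive risk score plus the reasons that contributed to it."""
    score, reasons = 0, []
    if ev.device_id not in hist.devices:
        score += 40
        reasons.append("new_device")
    prev = hist.last
    if prev is not None:
        if ev.country != prev.country:
            score += 30
            reasons.append("new_country")
        hours = max(ev.ts - prev.ts, 1) / 3600.0       # never divide by zero
        kmh = km_between(prev.lat, prev.lon, ev.lat, ev.lon) / hours
        if kmh > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append("impossible_travel")
    return score, reasons

def decide(score: int) -> str:
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"

def assess(histories: dict, ev: Login) -> Tuple[str, int, List[str]]:
    """Score one event and update the user's history. A stepped-up login is
    assumed to have passed its second factor; a denied login leaves the
    history untouched so it cannot poison later velocity checks."""
    hist = histories.setdefault(ev.user, UserHistory())
    score, reasons = score_login(hist, ev)
    decision = decide(score)
    if decision != "deny":
        hist.devices.add(ev.device_id)
        hist.last = ev
    return decision, score, reasons

# Constructed sequence for one user: New York on a new device, the same device
# a day later, a second device an hour after that, and then the first device
# reporting from London ten minutes later.
T0 = 1_700_000_000
EVENTS = [
    Login("alice", T0,                 "dev-A", "US", 40.71, -74.01),
    Login("alice", T0 + 86_400,        "dev-A", "US", 40.71, -74.01),
    Login("alice", T0 + 86_400 + 3600, "dev-B", "US", 40.71, -74.01),
    Login("alice", T0 + 86_400 + 4200, "dev-A", "GB", 51.51, -0.13),
]

def run(events: List[Login]) -> List[str]:
    """Decisions for a sequence of events, in order."""
    histories: dict = {}
    return [assess(histories, ev)[0] for ev in events]

if __name__ == "__main__":
    histories: dict = {}
    for ev in EVENTS:
        print(ev.ts, ev.device_id, ev.country, assess(histories, ev))
```

`run(EVENTS)` returns `["step_up", "allow", "step_up", "deny"]`: the first sight of a device triggers step-up, a known device from the usual place passes silently, and the last event scores 80 (new country plus an implied 33,000 km/h) and is refused. Note that the fourth event could equally be a VPN exit or a mis-geolocated IP, which is why a practitioner keeps “deny” for high scores only and routes the middle band to a second factor rather than blocking.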


Figure 5 Assessments Of Third-Generation Authentication Solutions

Source: Forrester Research, Inc.

Solution descriptions (5-1). For each solution the original figure also marks the applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover); those marks did not survive extraction.

Non-mobile-fueled
DirectRM Invisible Token: Browser/app-resident zero-install soft token that automatically passes an OTP to the app based on a per-session dynamic key initialized through the user's provided password. The user enrolls once per machine with an OOB OTP, repeating on a policy-based frequency (enrollment not assessed here).
inWebo Enterprise Cloud Token: Browser/app-resident zero-install soft token that automatically passes an OTP to the app based on a per-session dynamic key initialized through the user's provided password. The user enrolls once per machine with an OOB OTP.
Pindrop Fraud Detection System: Phone fingerprinting through detection of audio channel characteristics, optionally with voiceprint recognition. Used primarily for fraud detection but also for authentication.

Mobile-fueled
Clef: Smart mobile device app that generates and stores a key pair on the device; using the device's camera to capture a graphically displayed “Clef Wave” on a website enables pairing the location with the user, verifying the origin of the message with a signature, and logging the user in.
Duo Push: SaaS-based authentication platform with several options preintegrated: mobile push notifications, time-based soft token, SMS OTP, and telephony approval. Assessed here is the Push feature. The app is provisioned with the private key from a key pair to secure service communications. Solution is targeted primarily to employees.
Encap: Feature integrated in a mobile app through an SDK, which communicates with a service leveraging the app's user-chosen PIN, a unique key pair (private key stored on client), the user's typing habits, and the device's identity for authentication and document signing. Backup method is OTP over SMS.
Toopher: Mobile app or in-app feature that receives push notifications for user approval and enables website- and geolocation-specific automatic approvals. Backup method is a time-based soft token.
Yubico YubiKey NEO*: OATH-compatible OTP in a USB and Near Field Communication (NFC) token form factor that appears to the receptive device as a USB keyboard and requires no software installation. When the user pushes a button on the token, it generates an OTP and passes it automatically to the app.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.

Figure 5 Assessments Of Third-Generation Authentication Solutions (Cont.)

Source: Forrester Research, Inc.

Solution assessments (5-2). The original figure is a grid rating each of the eight third-generation solutions (DirectRM Invisible Token; inWebo Enterprise Cloud Token; Pindrop Fraud Detection System; Clef; Duo Push; Encap; Toopher; Yubico YubiKey NEO*) as “meets criterion” or “almost meets criterion” against each criterion below. The rating marks did not survive extraction.

Usability: U1: Memorywise-Effortless; U2: Scalable-For-Users; U3: Nothing-To-Carry; U4: Physically-Effortless; U5: Easy-To-Learn; U6: Efficient-To-Use; U7: Infrequent-Errors; U8: Easy-Recovery-From-Loss.

Deployability: D1: Accessible; D2: Negligible-Cost-Per-User; D3: Server-Compatible; D4: Nothing-To-Provision-To-User; D5: Mature; D6: Multiple-Purposes; D7: Available-Offline.

Security: S1: Resilient-To-Physical-Observation; S2: Resilient-To-Targeted-Impersonation; S3: Resilient-To-Throttled-Guessing; S4: Resilient-To-Unthrottled-Guessing; S5: Resilient-To-Internal-Observation; S6: Resilient-To-Leaks-From-Other-Verifiers; S7: Resilient-To-Phishing; S8: Resilient-To-Theft; S9: No-Trusted-Third-Party; S10: Requiring-Explicit-Consent; S11: Unlinkable.

*This vendor did not participate in this research; Forrester assessed this solution based on publicly available information and client feedback.


Biometric Authentication: Solutions Based On “Something You Are”

Traditional biometrics mostly have niche use cases, but emerging biometric solutions have a bright future. Forrester expects several new software-based, mobile-fueled biometrics — such as mobile apps for camera-enabled fingerprint recognition — to become available in the next 12 to 18 months. And if the standards being produced by the new Fast IDentity Online (FIDO) Alliance organization live up to their promise, they could play a key role in biometric-based authentication device interoperability. We assessed four sample biometric-focused solutions, which span authentication generations but reflect a preponderance of voice biometrics (see Figure 6).

Many biometrics have common challenges around the universality of the authenticator data (affecting S6: the same fingerprint or voice is presented to every verifier, so a leak at one exposes all), privacy (affecting S6 and S11), and false positives and negatives due to partial matches (affecting U7). Deployers must not depend on such a method as the sole authentication factor for sensitive resource access.
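The U7 point above is a consequence of biometric matching being a score against a threshold rather than an exact comparison: lowering the threshold admits more impostors (false accepts), raising it turns away more genuine users (false rejects), and the deployer chooses the operating point. The Python below, an added illustration rather than code from the report or any assessed vendor, computes the false accept rate (FAR) and false reject rate (FRR) over constructed match scores, finds the equal-error-rate threshold, finds the lowest threshold that meets a FAR ceiling and reports the FRR users pay for it, and routes a non-match to a step-up factor instead of a lockout, which is the “never alone” advice in code. The score lists are constructed for the example and do not describe any real matcher.

```python
"""Operating-point analysis for a biometric matcher (FAR/FRR trade-off).

Added example, not Forrester's or any vendor's code. The match scores are
constructed: GENUINE holds scores from comparing users' samples against
their own templates, IMPOSTOR holds scores from other users' samples. A
score at or above the threshold is accepted.
"""
from typing import List, Optional, Tuple

GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.66, 0.90, 0.79, 0.85, 0.93, 0.58]
IMPOSTOR = [0.12, 0.33, 0.41, 0.27, 0.55, 0.19, 0.62, 0.08, 0.47, 0.71, 0.24, 0.36]

def far(threshold: float, impostor: List[float] = IMPOSTOR) -> float:
    """False accept rate: share of impostor attempts the threshold lets in."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold: float, genuine: List[float] = GENUINE) -> float:
    """False reject rate: share of genuine users the threshold turns away (U7)."""
    return sum(s < threshold for s in genuine) / len(genuine)

def candidate_thresholds(genuine: List[float], impostor: List[float]) -> List[float]:
    # The rates only change at observed scores, so those are the thresholds worth testing.
    return sorted(set(genuine) | set(impostor))

def equal_error_rate(genuine: List[float] = GENUINE,
                     impostor: List[float] = IMPOSTOR) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest, with both rates."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        f, r = far(t, impostor), frr(t, genuine)
        if best is None or abs(f - r) < abs(best[1] - best[2]):
            best = (t, f, r)
    return best

def threshold_for_far(max_far: float, genuine: List[float] = GENUINE,
                      impostor: List[float] = IMPOSTOR) -> Optional[Tuple[float, float, float]]:
    """Lowest threshold whose FAR is within the ceiling, with the FRR the
    user population pays for it. None if no threshold satisfies the ceiling."""
    for t in candidate_thresholds(genuine, impostor):
        f = far(t, impostor)
        if f <= max_far:
            return t, f, frr(t, genuine)
    return None

def authenticate(score: float, threshold: float) -> str:
    """Biometric result as one input to a layered decision: a match admits,
    a non-match routes to another factor (step-up) rather than locking the
    user out, because non-matches include genuine users."""
    return "match" if score >= threshold else "step_up"

if __name__ == "__main__":
    print("EER operating point (threshold, FAR, FRR):", equal_error_rate())
    print("lowest threshold with FAR 0:", threshold_for_far(0.0))
```

On the constructed scores `equal_error_rate()` returns `(0.66, 1/12, 1/12)`; tightening to a zero FAR (`threshold_for_far(0.0)`) moves the threshold to 0.72 and doubles the FRR to 2/12. Real matchers are evaluated on far larger score sets, but the shape of the decision is the same, and the FRR at the chosen threshold is the U7 cost that a fallback factor has to absorb.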

Figure 6 Assessments Of Biometric Authentication Solutions

Source: Forrester Research, Inc.

Solution descriptions (6-1). For each solution the original figure also marks the applicable channels (Web, Mobile, Voice) and applicable tasks (Onboard, Log in, Step up, Recover); those marks did not survive extraction.

First-generation
Equifax Anakam.TFA Voice Biometrics: Voice biometric matching involving initial voiceprint enrollment.
Verint Impact 360 Authentication: Voice biometric and predictive analytics for a customer-chosen mix of fraud prevention and risk-based authentication and decisioning, using ordinary conversational speech. The full feature set is assessed here.

Third-generation
EyeVerify Eyeprint: Software-based eyeprint verification integrated in-app, using existing cameras on smartphones to image- and pattern-match the blood vessels in the whites of the eye. The biometric template and matching process is on-device.
ValidSoft SMART: Voice biometric matching and in-depth RBA and fraud detection system for mobile device platforms. Voiceprint enrollment is incremental, starting with one spoken phrase over the device's data channel. The biometric engine can be applied to direct voice channels as well.

Figure 6 Assessments Of Biometric Authentication Solutions (Cont.)

Source: Forrester Research, Inc.

Solution assessments (6-2). The original figure is a grid rating each of the four biometric solutions (Equifax Anakam.TFA Voice Biometrics; Verint Impact 360 Authentication; EyeVerify Eyeprint; ValidSoft SMART) as “meets criterion” or “almost meets criterion” against each criterion below. The rating marks did not survive extraction.

Usability: U1: Memorywise-Effortless; U2: Scalable-For-Users; U3: Nothing-To-Carry; U4: Physically-Effortless; U5: Easy-To-Learn; U6: Efficient-To-Use; U7: Infrequent-Errors; U8: Easy-Recovery-From-Loss.

Deployability: D1: Accessible; D2: Negligible-Cost-Per-User; D3: Server-Compatible; D4: Nothing-To-Provision-To-User; D5: Mature; D6: Multiple-Purposes; D7: Available-Offline.

Security: S1: Resilient-To-Physical-Observation; S2: Resilient-To-Targeted-Impersonation; S3: Resilient-To-Throttled-Guessing; S4: Resilient-To-Unthrottled-Guessing; S5: Resilient-To-Internal-Observation; S6: Resilient-To-Leaks-From-Other-Verifiers; S7: Resilient-To-Phishing; S8: Resilient-To-Theft; S9: No-Trusted-Third-Party; S10: Requiring-Explicit-Consent; S11: Unlinkable.

User Onboarding: Solutions Suitable For Enrollment And Verification

Onboarding involves registering or provisioning authentication methods for a new employee or customer user. This process may involve linking multiple accounts or interaction channels. Because the system may never have seen this user before, it may need to perform identity verification and other forms of information checks — such as background checks — that it does not need to perform during routine login. We assessed eight sample solutions in this category, spanning the technology generations (see Figure 7). Notable additional vendors with solutions in this space are LexisNexis and TransUnion.

The assessments support the following observations: 1) Traditional identity verification solutions tend to impose a fairly heavy user experience burden, while the emerging mobile-fueled solution from Jumio seems to offer improved usability, and 2) all of the in-depth verification solutions have security and privacy “soft spots” related to the use of personal data or physical credentials that many verifiers must share.


Figure 7 Assessments Of Solutions Suitable For Onboarding

7-1 Solution descriptions

Equifax eIDverifier (first-generation): KBA and identity verification system with questions that test out-of-wallet (OOW) knowledge about the user's own credit history and other history based on non-public data.

Experian Precise ID: KBA and identity verification system with questions that test the user's knowledge based on public data sources, combined with an RBA and fraud analytics system.

ID Analytics Certain ID: KBA and identity verification system with questions that test the user's OOW knowledge based on non-public, customer-contributed aggregate fraud data.

IDology Expect ID: Basic identity verification leveraging a user-provided name, address, and optionally date of birth and social security number.

IDology Expect ID Enterprise: KBA with questions that test OOW knowledge about the user's own history based on the private data source specific to each enterprise customer.

IDology Expect ID IQ: KBA and identity verification system with questions that test OOW knowledge about the user's own non-credit history based on public data sources.

IDology Expect ID Scan and Verify: Photo-based identity document capture through a camera on a user-controlled device, with optional verification and correlation with other identity attributes.

Jumio Netverify (third-generation): Feature integrated in-app through an SDK, performing photo-based identity document capture through a camera on a user-controlled device, along with data verification and optional correlation with the user's face.

Columns in the original figure: Description and scope; Applicable channels (Web, Mobile, Voice); Applicable tasks (Onboard, Log in, Step up, Recover). [The per-solution check marks did not survive extraction in a recoverable column order.]

Figure 7 Assessments Of Solutions Suitable For Onboarding (Cont.)

7-2 Solution assessments

Solutions assessed: Equifax eIDverifier; Experian Precise ID; ID Analytics Certain ID; IDology Expect ID; IDology Expect ID Enterprise; IDology Expect ID IQ; IDology Expect ID Scan and Verify; Jumio Netverify.

Usability criteria: U1: Memorywise-Effortless; U2: Scalable-For-Users; U3: Nothing-To-Carry; U4: Physically-Effortless; U5: Easy-To-Learn; U6: Efficient-To-Use; U7: Infrequent-Errors; U8: Easy-Recovery-From-Loss.

Deployability criteria: D1: Accessible; D2: Negligible-Cost-Per-User; D3: Server-Compatible; D4: Nothing-To-Provision-To-User; D5: Mature; D6: Multiple-Purposes; D7: Available-Offline.

Security criteria: S1: Resilient-To-Physical-Observation; S2: Resilient-To-Targeted-Impersonation; S3: Resilient-To-Throttled-Guessing; S4: Resilient-To-Unthrottled-Guessing; S5: Resilient-To-Internal-Observation; S6: Resilient-To-Leaks-From-Other-Verifiers; S7: Resilient-To-Phishing; S8: Resilient-To-Theft; S9: No-Trusted-Third-Party; S10: Requiring-Explicit-Consent; S11: Unlinkable.

Legend: Meets criterion; Almost meets criterion. [The per-solution ratings are rendered as symbols in the original figure and did not survive extraction.]


SUPPLEMENTAL MATERIAL

Companies Participating In Research For This Report

Agnitio

CA Technologies

Clef

Confident Technologies

Cross Match Technologies

Diamond Fortress Technologies

DirectRM

Duo Security

Encap

Entersekt

Entrust

Equifax

Exostar

Experian

EyeLock

EyeVerify

Gemalto

Gigya

Good Technology

ID Analytics

IDology

inWebo

Janrain

Jumio

LaunchKey

Microsoft

MicroStrategy

Nok Nok Labs

Pindrop Security

Redcore

RSA

SafeNet

SMS Passcode

Swivel Secure

Symantec

Toopher

TraitWare

tyntec

ValidSoft

Vasco Data Security

Verint Systems

ENDNOTES

1 Three factors have conspired to put your customers on top: 1) ubiquitous information about products, services, and prices; 2) technologies that make them visible and powerful critics; and 3) the ability to purchase from anyone at any time. Increasingly powerful customers push all institutions, especially businesses, into the age of the customer. For more information, see the October 10, 2013, “Technology Management In The Age Of The Customer” report.


2 The criteria used in this framework are based on the “benefits” proposed in the technical report, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano and published by the University of Cambridge Computer Laboratory, March 2012 (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html). The authors have not endorsed the Forrester framework.

3 The assessments in the spreadsheet tool accompanying this report can be used in combination with The Customer Authentication Assessment Framework, which provides a means for gathering and weighting requirements related to a specific customer scenario and population, and then applying it to different solutions. For more information, see the June 12, 2013, “The Forrester Customer Authentication Assessment Framework” report and see the June 12, 2013, “Introducing The Customer Authentication Assessment Framework” report.

4 RSA experienced a breach in 2011 that compromised its central repository of these shared secrets. For more information on hard token security mechanisms and this breach, see the November 4, 2011, “Atlas Shrugged: Security Pros Must Adjust To The New Realities Of A Post-RSA Breach World” report.


Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow.

Forrester Focuses On Security & Risk Professionals

To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester's subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.

Sean Rhodes, client persona representing Security & Risk Professionals

About Forrester

A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world's top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues — margin, speed, growth — first, technology second.

For More Information

To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

Client Support

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.