More and more organizations –driven by the vast amount of media coverage on data loss incidents –realize that the increased security requirements can not to be met by making password policies more complex. Users are already overwhelmed by the sheer number of password they have to memorize, and HelpDesks are flooded by the amount of password related calls.

Besides establishing strategic authorization management projects (see Felix´ blog for more on that), organizations tend to rid themselves of ancient UID/password schemes turning towards modern, flexible and – above all – user-friendly technologies. As the plethora of alternatives to chose from slowly became a “unübersichtlich” and a mine-field of non-interoperable point-solutions, Kuppinger Cole decided to provide insight and overview by analyzing and organizing methods, technologies and concepts into a easy-to-digest report, serving as a map to tokens and authentication technology as well as a guide what to include into a corporate authentication strategy.

The best way to tackle a subject as diverse as the authentication market is to provide a definition and classification that brings the components into order. While doing so, it quickly becomes obvious that authentication today is far more than just tokens and smartcards. Authentication has many facets, a few of which are:


  1. SmartCards and tokens for authentication including special soft-tokens
  2. Card readers for contactless and contact cards


  • Middleware in the sense of software that provides access of the client to different smartcard-OS functions
  • Management software: adding specific functionality to manage tokens, (de-)activate, reset/unlock, etc.

Centralized or server software:

  • Versatile Authentication Platforms (VAP). Combination of different strong and weaker authentication methods, providing an easy migration path and vendor-independence
  • Interfaces for VAP integration of target or source systems (such as  Windows, WebAccess, MainFrame etc.)
  • Context-based/Risk-based systems, automatically envoking VAPs to add/change authentication methods if fraud is suspecting (so-called step-up authentication)
  • Centrally managed SSO-mechanisms (with VAP support)

This compilation is neither complete nor sufficient to establish an authentication strategy but merely serves as a short glimpse of the depth and breadth of the analysis for the report, currently under way. In addition to the above mentioned topics, the increasing importance of user centric identity management schemes requires the inclusion of OpenID and CardSpace as means for authentication primarily targeted at web(-applications). These will extend their importance with the further adoption of federation technologies and the increasing numbers of managed external IDs, be it in a b2b or b2c context. If information cards close the gap and are integrated with PKI technology, this will boost the importance even more.

PKI and the certificates managed therein are experiencing a renaissance as PKI is no longer a strategic project but integrated part of the infrastructure, enabling important systems like service-oriented architectures (SOA), Information Rights Management (IRM) and Data Leakage Prevention (DLP) to be operated efficiently and in a secure manner. By including PKI into the discussion, process management and support need to be included also. Especially token lifecycle management processes and the combined issuing & management of single-token solutions for physical/logical convergence are core topics to be addressed in comprehensive authentication strategies.

Overall, each authentication strategy shall allow for simple, flexible and as secure as possible means for reaching the goals set for user and machine authentication – a task not easily solved, if user- and administrator experience are to be improved and no technology overkill is expected. The upcoming report will provide insight and orientation to properly address the obviously divergent goals of an authentication strategy.