Identity and Access Management (IAM) systems have continued to evolve significantly over the last two decades. Increasing security and improving usability have both been contributing factors to this evolution. Data owners and IT architects have pushed for better ways to authenticate and authorize users, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). Many organizations are opting to deploy these capabilities in conjunction with their Identity-as-a-Service (IDaaS) solutions or as part of a “cloud-first” strategy.
Cloud-based MFA is the process of using a SaaS solution to gather additional attributes about users and their environments and to evaluate those attributes in the context of risk-based policies. The goal of Cloud MFA is to provide the appropriate risk-mitigating assurance level for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented as “step-up” authentication. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F or UAF transactions, SmartCards, and behavioral biometrics. Behavioral biometrics can provide a framework for continuous authentication by constantly evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile “swipe” analysis, and even mobile gyroscopic analysis.
Cloud MFA solutions can present multiple authentication schemes and authentication challenges to a user or service according to defined policies, based on any number of factors, for example the time of day, the category of user, or the location or device from which a user or device attempts authentication. Factors such as these can be used to define variable authentication policies. A more advanced form of Cloud MFA uses risk-scoring analytics algorithms to first baseline regular access patterns and then identify anomalous behavior, which triggers additional authentication challenges. This can be referred to as dynamic Cloud MFA, yet it is difficult to categorize Cloud MFA products as either dynamic or static, since the strongest products are able to use a combination of both approaches. This is invariably a positive feature, as there are use cases where either static or dynamic Cloud MFA proves the most appropriate, and neither approach is without its limitations.
A wide variety of Cloud-based MFA mechanisms and methods exist in the market today. Examples include:
- Knowledge-based authentication (KBA)
- Strong/Two-Factor or Multi-Factor Authentication (Smart Cards, USB authenticators, biometrics)
- One-time password (OTP), delivered via phone, email, or SMS
- Out-of-band (OOB) application confirmation
- Identity context analytics, including
  - IP address
  - Device ID and device health assessment
  - User Behavioral Analysis (UBA)
Many organizations today employ a variety of authentication methods. Consider the following sample case. Suppose a user successfully logs in to a financial application with a username and password. Behind the scenes, the financial application has already examined the user’s IP address, geo-location, and Device ID to determine if the request context fits within historical parameters for this user. Further suppose that the user has logged in from a new device, and the attributes about the new device do not match recorded data. The web application administrator has set certain policies for just this situation. The user then receives an email at their chosen address, asking to confirm that they are aware of the session and that they approve of the new device being used to connect to their accounts. If the user responds affirmatively, the session continues; if not, the session is terminated.
Going one step further in the example, consider that the user would like to make a high-value transaction in this session. Again, the administrator can set risk-based policies correlated to transaction value amounts. In order to continue, the user is sent a notification via the mobile banking app on their phone. The pop-up asks the user to confirm. The user presses “Yes”, and the transaction is processed.
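The two-stage policy in this sample case (device/location mismatch triggers an email confirmation, a high-value transaction triggers a mobile push confirmation, and a declined challenge terminates the session), written as an added illustration that is not from the report or any vendor product. The baseline data, IP prefixes and the 10,000 threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class LoginContext:
    user: str
    ip: str
    country: str
    device_id: str
    transaction_value: float = 0.0  # 0.0 means a plain login, no transaction

# Constructed baseline: what the application has recorded for each user so far.
BASELINE = {
    "alice": {
        "countries": {"DE"},
        "devices": {"dev-1a2b"},
        "ip_prefixes": {"203.0.113."},
    },
}

# Administrator policy: constructed threshold above which a push confirmation is required.
HIGH_VALUE_THRESHOLD = 10_000.0

def required_step_up(ctx: LoginContext) -> List[str]:
    """Return the ordered list of step-up challenges the policy demands for this request."""
    challenges: List[str] = []
    profile = BASELINE.get(ctx.user)
    if profile is None:
        # No history at all: treat like a new device and ask for out-of-band confirmation.
        challenges.append("email_confirm")
    else:
        new_device = ctx.device_id not in profile["devices"]
        unusual_country = ctx.country not in profile["countries"]
        unusual_ip = not any(ctx.ip.startswith(p) for p in profile["ip_prefixes"])
        if new_device or unusual_country or unusual_ip:
            challenges.append("email_confirm")
    if ctx.transaction_value >= HIGH_VALUE_THRESHOLD:
        challenges.append("mobile_push")
    return challenges

def evaluate_session(ctx: LoginContext, responses: Dict[str, bool]) -> str:
    """Every demanded challenge must be approved; otherwise the session is terminated."""
    for challenge in required_step_up(ctx):
        if not responses.get(challenge, False):
            return "terminated"
    if "email_confirm" in responses and responses["email_confirm"]:
        # Approved new device: enroll it so the next login from it is unremarkable.
        BASELINE.setdefault(ctx.user, {"countries": set(), "devices": set(), "ip_prefixes": set()})
        BASELINE[ctx.user]["devices"].add(ctx.device_id)
    return "allowed"
```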
Cloud-based MFA, then, can be considered a form of authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies and changing risk factors. Since access to applications and data is the goal, Cloud-based MFA can even be construed as a form of attribute-based access control (ABAC).
The story above is just one possible example. Cloud-based MFA is being used today by enterprises to provide additional authentication assurance for access to applications involving health care, insurance, travel, aerospace, defense, government, manufacturing, and retail. Cloud-based MFA can help mitigate risks and protect enterprises against fraud and loss.
There are a number of vendors in the Cloud-based MFA market. Many of the vendors have developed specialized Cloud-based MFA products and services, which can integrate with customers’ on-site IAM components or other IDaaS. The major players in the Cloud-based MFA segment are covered within this KuppingerCole Leadership Compass.
Overall, the breadth of functionality is growing rapidly. Support for standard Cloud-based MFA mechanisms and the requisite identity federation are now nearly ubiquitous in this market segment; and the key differentiators have become the use of new technologies to step up the user’s authentication assurance level or to collect and analyze information about the user’s session.
1.1 Market Segment
This market segment is mature but constantly evolving, due to innovations in authenticator technology and risk analysis engines. We expect to see more changes within the next few years. However, given the surging demand from businesses and the need to provide better security, many organizations that have not already done so must implement either Cloud-based MFA or on-premises Adaptive Authentication to help reduce the risk of fraud and data loss.
Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a particular customer and their requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.