Cloud-based MFA Solutions
This report provides an overview of the market for Cloud-based Multi-Factor Authentication (MFA) Solutions and provides you with a compass to help you to find the service that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing Cloud-based MFA Solutions.
Identity and Access Management (IAM) systems have continued to evolve significantly over the last two decades. Increasing security and improving usability have both been contributing factors to this evolution. Data owners and IT architects have pushed for better ways to authenticate and authorize users, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). Many organizations are opting to deploy these capabilities in conjunction with their Identity-as-a-Service (IDaaS) solutions or as part of a “cloud-first” strategy.
Cloud-based MFA is the process of using a SaaS solution to gather additional attributes about users and their environments and evaluate the attributes in the context of risk-based policies. The goal of Cloud MFA is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by “step-up” authentication. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F or UAF transactions, SmartCards, and behavioral biometrics. Behavioral biometrics can provide a framework for continuous authentication, by constantly evaluating user behavior to a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile “swipe” analysis, and even mobile gyroscopic analysis.
Cloud MFA Solutions can use multiple authentication schemes and authentication challenges presented to a user or service according to defined policies based on any number of factors, for example the time of day, the category of user, the location or the device from which a user or device attempts authentication. The factors just listed as examples can be used to define variable authentication policies. A more advanced form of Cloud MFA uses risk-scoring analytics algorithms to first baseline regular access patterns and then be able to identify anomalous behavior which triggers additional authentication challenges. This can be referred to as dynamic Cloud MFA, yet it is difficult to categorize Cloud MFA products into dynamic or static Cloud MFA categories, since the strongest products are able to use a combination of both approaches. This is invariably a positive feature, as there are use cases where the use of either static or dynamic Cloud MFA proves the most appropriate, and both approaches are not without their limitations.
A wide variety of Cloud-based MFA mechanisms and methods exist in the market today. Examples include:
- Knowledge-based authentication (KBA)
- Strong/Two-Factor or Multi-Factor Authentication (Smart Cards, USB authenticators, biometrics)
- One-time password (OTP), delivered via phone, email, or SMS
- Out-of-band (OOB) application confirmation
- Identity context analytics, including
- IP address
- Device ID and device health assessment
- User Behavioral Analysis (UBA)
Many organizations today employ a variety of authentication methods. Consider the following sample case. Suppose a user successfully logs in to a financial application with a username and password. Behind the scenes, the financial application has already examined the user’s IP address, geo-location, and Device ID to determine if the request context fits within historical parameters for this user. Further suppose that the user has logged in from a new device, and the attributes about the new device do not match recorded data. The web application administrator has set certain policies for just this situation. The user then receives an email at their chosen address, asking to confirm that they are aware of the session and that they approve of the new device being used to connect to their accounts. If the user responds affirmatively, the session continues; if not, the session is terminated.
Going one step further in the example, consider that the user would like to make a high-value transaction in this session. Again, the administrator can set risk-based policies correlated to transaction value amounts. In order to continue, the user is sent a notification via the mobile banking app on his phone. The pop-up asks the user to confirm. The user presses “Yes”, and the transaction is processed.
Cloud-based MFA, then, can be considered a form of authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies and changing risk factors. Since access to applications and data are the goal, Cloud-based MFA can even be construed as a form of attribute-based access control (ABAC).
The story above is just one possible example. Cloud-based MFA is being used today by enterprises to provide additional authentication assurance for access to applications involving health care, insurance, travel, aerospace, defense, government, manufacturing, and retail. Cloud-based MFA can help mitigate risks and protect enterprises against fraud and loss.
There are a number of vendors in the Cloud-based MFA market. Many of the vendors have developed specialized Cloud-based MFA products and services, which can integrate with customers’ on-site IAM components or other IDaaS. The major players in the Cloud-based MFA segment are covered within this KuppingerCole Leadership Compass.
Overall, the breadth of functionality is growing rapidly. Support for standard Cloud-based MFA mechanisms and the requisite identity federation are now nearly ubiquitous in this market segment; and the key differentiators have become the use of new technologies to step up the user’s authentication assurance level or to collect and analyze information about the user’s session.
1.1 Market Segment
This market segment is mature but constantly evolving, due to innovations in authenticator technology and risk analysis engines. We expect to see more changes within the next few years. However, given the surging demand of businesses and the need to provide better security, many organizations must implement either Cloud-based MFA or on-premises Adaptive Authentication if they have not already to help reduce the risk of fraud and data loss.
Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a particular customer and their requirements. However, this Leadership Compass will help identifying those vendors that customers should look at more closely.
1.2 Delivery models
In this Leadership Compass, we consider cloud-based solutions only. See the recently released KuppingerCole Leadership Compass on Adaptive Authentication for similar solutions available for on-site deployment.
1.3 Required Capabilities
Various technologies support all the different requirements customers are facing today. The requirements are
- Support multiple authenticators such as;
- Smart Cards, USB tokens
- Mobile apps and push notifications
- OTP: phone, email, and SMS
- Integrate with IAM systems
- Perform real-time risk analysis of behavioral and environmental factors
- Support federation via OAuth2, OIDC, and SAML
- Facilitate compliance with existing and emerging regulatory frameworks, particularly EU GDPR and PSD2 (Revised Payment Service Directive)
- Adhere to policy-based access controls model so that IT departments and Line of Business application owners can define risk appropriate authentication rules
- Integrate with security intelligence and forensic systems
- Provide administrators with management dashboards and configurable reporting
- Allow for delegated and role-based administration
- Consider threat intelligence: subscription to 3rd party services that identify malicious IP addresses, URLs, patterns of fraud, and compromised credentials
Cloud-based MFA is an evolution of yesterday’s IAM systems. Many organizations are feeling and responding to the pressure to move away from just using usernames and passwords for authentication. While many strong authentication options have existed for years, such as SmartCards, it is not often feasible from an economic perspective to deploy SmartCards or other hardware tokens to every possible user of a system. Moreover, hardware tokens continue to have usability issues. The mix of authenticators and associated user attributes that most commercial Cloud-based MFA systems present are increasingly sufficient to meet the needs of higher identity assurance for access to sensitive digital resources and high-value transactions.
It is important to understand the primary use cases that drive the requirements for Cloud MFA and AA products, as most of the major market players in this space tend to develop solutions tailored for consumer or employee use cases. Some offerings are geared towards specific industry verticals.
A good Cloud MFA solution needs to balance integration flexibility with simplicity. Today’s newest offerings in this area provide multiple authentication mechanisms, including many mobile options; risk engines which evaluate numerous definable factors which can be gathered at runtime and compared against enterprise policies; and out-of-the-box (OOTB) connectors for the majority of popular on-premise and cloud enterprise applications.
Integration with existing IAM platforms should be a primary factor in selecting a suitable product. The advantages of taking a single-vendor approach are primarily due to the potential licensing cost savings that arise from negotiating product bundle discounts. The advantages gained from the imagined greater ease of integrating disparate products from the same vendor rarely offer the reduced complexity promised by sales. All Cloud MFA solutions, almost by definition, require and support identity federation. While adaptive and multi-factor authentication may mitigate many authentication risks, no security solution is impenetrable. It is important to plan for rapid response measures when security breaches do occur. Even the best defensive systems can suffer breaches.
The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.
When evaluating the services, besides looking at the aspects of
- overall functionality
- size of the company
- number of customers
- number of developers
- partner ecosystem
- licensing models
- core features of Cloud-based MFA technology
We thus considered a series of specific features. These functional areas, which are reflected in the spider charts for each company in Chapter 5 include:
- Basic Authenticators
Username/password: the most basic form, not recommended. Knowledge-based authentication (KBA): Security questions and answers that are determined at registration time. KBA is sometimes used in cases where users have forgotten their passwords, and need to have them reset, or as a step-up authentication method. KBA is not recommended, as many of the answers to common questions chosen are not secrets.
OATH One Time Passwords (OTP): OATH standardizes the use of randomized, single use passwords based on cryptographic hashes. OTP delivery methods can be phone calls, email, or SMS (text) messages. As a more secure variation, OATH specifies time-limited OTPs, sometimes expressed as TOTP. Due to the fact that SMS OTP implementations are not truly random, and attackers have discovered ways to circumvent SMS OTP, some organizations such as US NIST have deprecated the use of SMS OTP as a primary or step-up authentication method.
- Advanced Authenticators
FIDO 2.0, U2F, and UAF: The FIDO Alliance has defined two standards for mobile and two-factor authentication. U2F applies to various hard token generators, whereas UAF works in conjunction with mobile devices, such as smartphones. The FIDO framework allows device and software manufacturers to utilize different technologies as the basis for authentication events, such as PINs, biometrics, and cryptography. FIDO 2.0 is the latest iteration and will likely surpass U2F and UAF in adoption in the years ahead.
SmartCards have small processors and secure storage devices that contain digital certificates and various user attributes. SmartCards can be used to facilitate the highest levels of authentication assurance. SmartCards are used for not only authentication, both as primary and adaptive authentication methods, but also for physical access and digital signatures. Other types of hardware tokens employ similar technologies in different form factors, such as RSA SecurID and Yubikeys.
Biometrics is the term applied to any security technology, usually employed for authentication and authorization, which functions by comparing registered measurements to run-time measurements. Examples of biometrics include fingerprint, face, voice, iris, and behavioral. Biometrics can be used as primary authenticators or as policy-invoked adaptive authentication mechanisms.
- Mobile support
Service providers are increasingly building their own mobile apps for authentication and authorization. Mobile apps can offer a variety of authentication methods, from simple screen swipes to including biometrics (see below). Push notifications are a different type of mobile app which can be used as a second factor in authentication or to authorize transactions out-of-band. The ratings for mobile support include whether or not a product adheres the Global Platform Secure Element (SE) and Trusted Execution Environment (TEE) for Android, and whether or not the product utilizes Secure Enclave in iOS.
- Risk Analysis
Factors such as IP address, device fingerprints, device health assessment geo-location, geo-velocity, integration of 3rd-party threat intelligence, user behavior profiling
- Threat Intelligence
Subscriptions to real-time feeds of known bad IP addresses, locations, proxies, malicious URLs, and compromised credentials
Single sign-on, generally to on-premise or LOB applications, using federation standards
- SaaS integration
Use of federation technologies such as OAuth, OIDC, and SAML to allow authenticated users to seamlessly access popular SaaS applications.
Each of the categories above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market.
Please note that we only listed major features, but also considered other capabilities as well when evaluating and rating the various Cloud-based MFA products.