Leadership Compass

Consumer Authentication

This report provides an overview of the market for Consumer Authentication products and services and provides you with a compass to help you to find the Consumer Authentication product or service that best meets your needs. We examine the market segment, vendor product and service functionality, relative market share, and innovative approaches to providing Consumer Authentication solutions.

John Tolbert

jt@kuppingercole.com

1 Introduction

eCommerce businesses and other organizations that interact directly with end-users over the web are increasingly looking for better solutions for authenticating those users. Password authentication is not only insecure, but it leads to poor consumer experiences and is costly for businesses to maintain. Knowledge-based authentication is an even worse alternative. In order to deter fraud, comply with new regional and industry-specific regulations, and improve the customer experience, organizations are adopting Consumer Identity and Access Management (CIAM) solutions or enhancing their existing customer-facing IAM solutions with modular authentication services.

Most organizations have IAM products in place already. However, many are finding that their current solutions are not able to meet consumer expectations or security requirements.

There are a number of motivations driving businesses to enhance their authentication solutions:

  • Improve consumer experiences
  • Increase security
  • Reduce fraud
  • Preserve privacy
  • Comply with regulations requiring strong or multi-factor authentication, such as AML (Anti-Money Laundering), EU PSD2, KYC (Know Your Customer), and NY CCR (New York cybersecurity law)

Consumer authentication services today are primarily leveraging mobile devices, particularly smartphones. Given the near ubiquity of these devices, it’s not a surprise. Smartphones can serve as a second factor, or the “something you have” factor in Multi-Factor Authentication (MFA) scenarios.

Figure 9: The Role of Mobile Devices in MFA

This KuppingerCole Leadership Compass provides an overview of the leading vendors in this market segment. Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a customer and their requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.

1.1 Market Segment

The Consumer Authentication market is growing, with some vendors offering mature solutions providing standard and deluxe features to support millions of users across every industrial sector. As will be reflected in this report, the solutions in this space are quite diverse. Some vendors have nearly every feature one could want in a consumer authentication service, while others are more specialized, and thus have different kinds of technical capabilities. For example, some smaller vendors are targeting the government-to-citizen (G2C) market as well as business-to-consumer (B2C). We sometimes see support for national e-IDs, X.509 certificates, and higher assurance authentication mechanisms in these vendors’ products compared to the rest.

Furthermore, KuppingerCole research indicates that the particular market segments that vendors choose to target often have a direct effect on the type of features available in their consumer authentication solutions. Consumer authentication product or service vendors that are primarily pursuing retail and media companies as clients tend not to have the customer-driven pressure to support high assurance authentication and complex attribute-based access controls. This Leadership Compass will examine solutions that are available for both on-premise and cloud-based deployment.

Many vendors are taking an “API-first” approach to consumer authentication, which allows organizations with in-house expertise to extend their existing IAM infrastructure to accommodate consumer use cases better. The API-first approach also permits in-house developers to easily “bolt on” authentication services to existing or legacy Line of Business applications, without necessarily investing in a full-size CIAM solution. Identity API platforms are not always completely assembled products and services. Rather, these platforms are collections of tools, code, and templates. Identity API platforms may contain many open source elements, and generally leverage well-known standards. KuppingerCole is also producing a Leadership Compass that focuses on Identity API platforms.

1.2 Delivery models

In the Consumer Authentication market, solutions are offered as SaaS, or for on-premise or in-IaaS deployment. Pure-play SaaS solutions are multi-tenant by design. By contrast, Managed Service offerings are run independently per tenant. For SaaS offerings, the licensing model is often priced per user. For on-premise deployments, licensing costs can be measured in a variety of ways, such as per-user, per-server, or per-transaction.

1.3 Required Capabilities

Typical requirements seen in RFPs regarding consumer authentication include:

  • Deployment options: on-premise, cloud, or hybrid.
  • Social logins: Allow users to log in via Facebook, LinkedIn, Twitter, Google, Amazon, etc.
  • Multi-factor authentication mechanisms:
    • SMS OTP (still in use, but deprecated due to security problems)
    • Email / Phone OTP
    • Mobile push notifications
    • Mobile apps
    • Mobile SDKs that corporate customers can use to build stronger authentication into their own apps
    • Native mobile biometrics, such as Apple or Samsung implementations of fingerprint and facial recognition
    • Third-party biometrics
    • FIDO® Certified authenticators, including U2F, UAF, and 2.0
    • Wearable biometrics
    • Behavioral biometrics
    • Environmental authentication via IoT or SmartHome devices
    • USB or other hardware tokens (rare)
  • Risk adaptive authentication and authorization: Evaluation of various factors at runtime or transaction-time, according to customer-set policies, to determine whether transactions should proceed, require additional attributes to be collected, or be denied. Examples of data points often considered in adaptive authentication and authorization scenarios include, but are not limited to:
    • Geo-location
    • Geo-velocity
    • IP address
    • User attributes
    • User behavioral analysis
    • Device identity and/or fingerprint
    • Device hygiene
    • Device reputation
    • Device jailbreak or root detection
    • Fraud risk intelligence, cyber threat intelligence, and compromised credential intelligence
  • Account recovery mechanisms: Organizations need to provide options and processes for recovering access to accounts when consumers’ registered authenticators are unavailable. For example, a consumer can’t remember a password, loses a smartphone, or simply gets a new one. Consumers need flexibility in these cases, but businesses also need to ensure that the authenticator de-registration and re-registration methods are secure and adhere to their own policies.
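To make the risk adaptive evaluation described above concrete, the following is an added illustration (not code from the report or from any vendor it covers) of a policy engine that scores the listed data points, including a geo-velocity check, and maps the score onto the three outcomes the report names: proceed, step up, or deny. Signal names, weights and thresholds are constructed for the example.

```python
# Added illustration (not the report's or any vendor's code): a toy risk-adaptive
# authentication decision; signal names, weights and thresholds are constructed.
import math
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class LoginSignals:
    credential_compromised: bool   # compromised-credential intelligence hit
    ip_reputation_bad: bool        # IP flagged by threat intelligence
    device_known: bool             # device fingerprint seen on this account before
    device_rooted: bool            # jailbreak/root detection result
    prev_loc: Optional[Tuple[float, float]]  # (lat, lon) of last login, None if first
    prev_time: float               # epoch seconds of last successful login
    cur_loc: Tuple[float, float]   # (lat, lon) of the current attempt
    cur_time: float                # epoch seconds of the current attempt

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs, in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def geo_velocity_kmh(s: LoginSignals) -> float:
    """Implied travel speed since the last login; 0 when it cannot be computed."""
    if s.prev_loc is None or s.cur_time <= s.prev_time:
        return 0.0
    hours = (s.cur_time - s.prev_time) / 3600.0
    return km_between(s.prev_loc, s.cur_loc) / hours

def risk_score(s: LoginSignals) -> int:
    """Additive score over the signals; the weights are illustrative only."""
    checks = [
        (s.credential_compromised, 60),
        (s.ip_reputation_bad, 30),
        (s.device_rooted, 25),
        (not s.device_known, 20),
        (geo_velocity_kmh(s) > 900.0, 40),  # faster than a commercial flight
    ]
    return sum(weight for hit, weight in checks if hit)

def decide(s: LoginSignals, step_up_at: int = 30, deny_at: int = 70) -> str:
    score = risk_score(s)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"
```

A first login (no previous location) yields a zero geo-velocity rather than an error, and a known device with clean intelligence passes straight through.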

The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.
When evaluating the services, besides looking at our standard criteria of

  • overall functionality and usability
  • internal product/service security
  • size of the company
  • number of tenants/customers and end-user consumers
  • number of developers
  • partner ecosystem
  • licensing models

we also considered a series of specific features. These functional areas, which are reflected in the spider charts for each company in Chapter 5, include:

  • APIs
    APIs are increasingly available in consumer authentication solutions to provide tie-ins to existing IAM or IDaaS infrastructure, as well as to security services and external analytics solutions.
  • Authenticators
    Types of authenticators supported, such as FIDO, MFA, SDKs, social logins.
  • Fraud/Threat Intel
    Capability to consume and utilize third-party fraud, threat, and compromised credential intelligence. Some vendors generate their own intelligence, based on activities within their own networks and client base. Generally, in-network intelligence concerns credentials that have been compromised within the vendor’s ecosystem.
  • Mobile Security
    Since most emphasis on consumer authentication is in the mobile area, this factor quantifies the use of mobile app security features; specifically, providing secure SDKs for mobile app development, GlobalPlatform Secure Element / Trusted Execution Environment (SE/TEE) for Android devices, and Secure Enclave for iOS devices. Some vendors utilize mobile app hardening services and mobile threat analytics to raise the assurance level for their customers.
  • Risk Analytics
    Evaluation of user attributes, behavioral analysis, environmental factors, fraud/threat intelligence, and other information to determine the authentication and authorization levels required per transaction.
  • Scalability
    Some solutions have massive scalability while others do not. Picking the right size vendor is an important consideration in RFPs. Not everyone needs the biggest and most scalable solutions. But if your business does, then understanding the scalability comparison and factors examined will be of paramount interest. The most scalable solutions are usually those which are based on microservices architectures. Most are cloud-hosted, with the ability to spin up and wind down additional virtual server instances to serve rapid increases in demand. This rating is influenced by many factors including number of customers, consumers, deployment models, multi-cloud utilization, geographic distribution, SLAs, and maximum number of logins per second.

Each of the categories above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market. Features that are considered innovative are listed below.

  • Support for standards such as GSMA Mobile Connect, FIDO Alliance, and GlobalPlatform Secure Element (SE) and Trusted Execution Environment (TEE) standards.
  • A comprehensive and consistent set of REST-based APIs for integrating with current IAM infrastructure.
  • Advanced support for authentication mechanisms, especially mobile biometrics.
  • Mobile app integration capabilities (SDKs).
  • Integration with national e-IDs and passports.

Please note that we only listed a sample of features, and we consider other capabilities per solution as well when evaluating and rating the various consumer authentication solutions.
