KuppingerCole has published two related Leadership Compasses on Adaptive Authentication and Cloud-based Multi-Factor Authentication solutions. We define adaptive authentication (AA) as the on-premises deployments, whereas Cloud-based MFA is SaaS-delivered. For both AA and Cloud MFA, many organizations need to gather additional attributes about users and their environments and evaluate the attributes in the context of risk-based policies. The goal of AA & Cloud MFA is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by “step-up” authentication or transactional authorization. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with native biometrics, FIDO U2F/UAF/2.0, SmartCards, and behavioral biometrics.
In this webinar, John Tolbert, Lead Analyst at KuppingerCole, delves into these features in more detail, as they pertain to both on-premises and SaaS deployments. He also describes our Leadership Compass methodology, the criteria used for analyzing products and services in these fields, and shows selected results from the Leadership Compass reports.
We do advisory work, which is what I'd call more high level consulting. This way we can provide best in class trust advisory partner services to businesses around the world and provide customers with the most current advice in the era of digital transformation, a little bit more on the advisory areas. We do project guidance, benchmarking and optimization and strategy support, and then architecture and technology support. All these are generally designed to be relatively quick engagements, not on site support staffing or anything like that as for events. Our next event is actually next week in Berlin. So if you're in the area, please join us with the cybersecurity leadership summit, following that will the APAC installment of our consumer identity world November 20th through 22nd in Singapore.
So excuse me a little bit about the webinar. Everyone is muted. You don't have to mute or unmute yourself. We'll take care of that. We're recording the webinar and we'll do some Q and a at the end. And if you notice there's a little go to webinar control panel on this side and feel free to enter questions at any time during the webinar webinar. And we'll take a look at those at the end. So yeah, I'm just gonna look at what our criteria are for these two very similar leadership campuses and show the final results at the end here and take, take your questions if you have any.
So I thought I would start with just discussing some of the trends that we see in authentication and stronger is always better. In, in many cases today, there's a need for strong authentication and that's taking a number of different forms. We see an increased interest in mobile based authentication using your phone social logins at risk adaptive. And we'll define these in more detail in a minute, and then what we call continuous authentication. So on the mobile authentication side, we see still a lot of use of SMS OTP, even though it's been deprecated by N and many others, really it's very common and really many corners around the world are, are still using SMS OTP.
One of the problems is that besides having security issues, it can also be kind of expensive to operate. Then there are mobile push notifications occasions. Hold on second, you may have, may have gotten a, a mobile push notification if you've registered your phone with some online service and it can be opened up and used as a second channel, a popup that says, you know, do you authorize this transaction or something like that? There are mobile apps that are specifically designed for authentication or mobile SDKs that many of the package vendors will have provided so that their customers can develop authentication solutions that can be integrated directly with their mobile apps.
And in those cases, there are a couple of really interesting standards here. There's global platform for Android, the trusted execution environment and secure element standards. The trusted execution environment is a specification that allows for secure execution of specific mobile apps that can prevent tampering with the, the app that's running. And then secure element is the secure storage bit so that you can store keys and certificates with that being tampered with, by other apps that may be on the device and iOS, even though it has a little bit less in terms of what developers can do with augmenting security, there's a secure enclave for storing keys and certificates there. And again, if you're gonna build any kind of security oriented authentication or, or app in general, it's good to use these kinds of specifications to improve the security posture of the app itself.
Then we have mobile biometrics and we'll break these out into two major categories here, there's device native, like those iOS touch ID or face ID or Samsung fingerprint. And then there are also third party vendors that have created a number of different biometric packages that may include things like voice face, IRS fingerprint, behavioral biometrics. And we see several companies there, like non knock labs or day on or sensory Inc. And many of those support or some of those, I think I should say support phyto UAF, and 2.0 phyto UAF is the mobile authentication version for Fido in it. There are clients and servers and authenticators that can be packaged together to provide a mobile app to app or mobile app to online service authentication for UAF. And 2.0 is the latest version of Fido.
So why mobile devices are important for multifactor authentication? It's sort of, it can combine a couple of the, something. You have something, you know, something you are. So in the case of using a pin to something on your phone, that's something you have plus something, you know, or if you use biometrics on the phone, that's something you are and something you have. So it, it does meet the criteria for strong authentication, social logins using Facebook, Google, Microsoft, LinkedIn, Twitter, any of those large social network providers for authentication services. Most of those are based on O I D C standards. They can also be used for registrations. So that makes them pretty easy to use. If you have a consumer facing site, let's say, and you wanna offer an easy registration process, you've probably seen click here to use Google or Microsoft or Facebook to create your account link your account. And for GDPR purposes, many of these will now also allow you to granularly select which attributes can be passed from the social network provider to the, the consuming or relying party application.
One of the positive sides of using social logins is most of these social network providers are incorporating elements of risk adaptive and continuous authentication in their underlying design. So you get a little bit of protection from their side by using those services for risk adaptive authentication. There are many different kinds of factors that can be evaluated. I thought I'd just pull out some of the more critical ones I think. And some of the solution providers that we reviewed can process over a hundred in some cases, close to 200 different risk factors, but here are the ones that I think are really key for building good access control policies.
We'll start with geolocation where you are in the world, geo velocity, that's a measuring an impossible journey. Sometimes vendors will call it impossible journey and that's, you know, did you log in from Australia? And then, you know, an hour later try to log in from the UK. It's we know that's physically impossible, so we should try to shut that connection down. And to me, that's one of the more basic forms of risk adaptive factor that should be considered and not every one of the vendors can provide that. So I did call that out in the text part of the report, who can can't do a lot of these individual risk factors.
There's geofencing limiting to certain IP addresses or ranges time of day, time of week device ID or fingerprint that can be looking at a number of different attributes on the phone or device itself and hashing it, making an individual fingerprint that can be tracked. There's a device health assessment looking at, you know, whether or not the device is up to date on its patches. Does it have some sort of mobile device management or enterprise security software installed? Is it coming from a known bad IP user attributes is the user part of the right group for access user history and behavioral analytics are, is the current request within the context of previous requests. I think that's a, a really good things to know. And there's a lot of differentiation in the products that we reviewed. Some, some have more sophisticated user behavioral analytics built into the adaptive of authentication than others.
There's the user on a new device check is the device gel broken or rooted are the credentials that are trying to be used, known to be compromised? You know, you can check, have I been phoned or there are other services out there as well for looking at, you know, the validity of individual, especially consumer facing credentials. And they're also known patterns of fraud that can be looked for by risk adaptive authentication solutions. So this is a pretty good subset of some of the things that you might want to use for building authentication and access control policies.
And I thought I would just kinda give an example of, you know, a flow chart, several different scenarios. You know, you may start off with a smart card authentication and in order to get to look at say, company financials, you know, you need a really high authentication assurance level. So the risk engine evaluates all those different environmental factories and accordance with factors in accordance with policies and says, okay, you're good. You can get in, you can and have access to it. But you know, another instance might be, you've used a username password to authenticate to look at. Let's say someone else's PI it's part of your job. Well, you still need a pretty high authentication level to do that. And username password certainly doesn't cut it. So let's force a step up authentication with a mobile app and pending that being done properly, then you can get access.
So then another example might be using a social login to get access to let's say your own health records. Well, that's good, but you know, depending on the sensitivity of the record itself, maybe you want to require any even higher assurance level to get access to the record. So again, you might do some sort of mobile biometrics to allow the person to look at the record. So here's just a, you know, a few examples of how adaptive authentication policies might be written. There are many, many different kinds of scenarios that you could use to sort of fill in the blanks here for your own business needs, continuous authentication. This I look at as, you know, risk variance across time. So many of the solution providers here for the MFA packages will allow you to do some form of continuous authentication. You know, and in this example, maybe, you know, you start high with a initial authentication, maybe you require biometrics or smart card or USB key or something else to, to get going. And then there's this evaluation across time. Every time you interact with the system, it's collecting information, those background and learn mental attributes and, you know, computing, whether or not there's been a significant deviation from your baseline. And as you go through your day or through your week or your month, as long as there are no environmental major environmental changes, you theoretically wouldn't be asked to reauthenticate.
And, you know, we see this both inside and outside companies, you know, you look at again, a lot of the social network providers will do this. They don't make you reauthenticate to let's say, read your web mail. If they know you're coming from the same computer. And you're, you know, you're in a location that you're normally in only when a sufficient number of these risk factors trigger something like the need for a step up authentication event, would you then be required to enter another password or, you know, do something to prove and, and mirror a higher level of assurance. So in the example here, you know, here at, at time three, maybe you've changed wifi SSIDs to, you know, some place where you don't normally do your work from same thing. You know, maybe you've flown to another city to do some work. So you're increasing the risk level, depending on how the administrator writes the policy, you might be forced to do some sort of assurance increasing transaction, but then let's say you go home and you go back to your office and everything goes back to normal return to baseline. You wouldn't necessarily be prompted for anything new there.
So about the leadership compass itself, we start off by identifying the criteria that we wanna evaluate and the vendors that are are in the field. Then we invite those vendors to participate. We send them long, long questionnaires, lots of technical questions. We get the responses back. We read through the responses, we talk to customers. Then we write up the ratings. So we have a, a very objective method for producing the graphs that you see in, in our reports. And then we lastly write up the report. So we have nine major categories that we cover in each of the reports. There's security by this. I mean, internal product security, does it require strong authentication to get to the admin console? Can you require that? Does it support role based or attribute based access control? Does it support delegated administration, those kinds of things, functionality, you know, what can it do usability?
This is both from the end user perspective, as well as from the administrative user perspective, how easy is it to administer? How easy is it to use integration? This is, has two sides to it. So if the product is part of a suite, you know, how well integrated is this particular product with the other products or services within the suite, or does it require multiple products to achieve the functionality that we are calling out in a specific field? So in this case, you know, is it an adaptive authentication solution? Does it actually require two or more different products to be installed to, to get you this functionality, interoperability. This is where standards come into play, being able to work well with other identity management or let's say security solutions.
Then we consider, you know, how innovative is the product compared to others in the market. And then also compared to what we think the ideal should be in the market market position. You know, that that can be a measure of numbers, of customers, members of consumers, of those customers, and then geographic distribution of the customer base financial that's pretty straightforward ecosystem is the number of partners, resellers integrators that a vendor has in, in how many different locations. So this lets us produce four big graphics, product leadership, which is the functionality and completeness of vision. Does it do everything that, you know, you might expect as an end user organization, you know, in this case, does it offer all the different features that you would expect in an adaptive authentication or cloud MFA solution, market leadership, how many different customers partners, and what's the support ecosystem look like? And again, the geographic distribution for that as well, innovation, how many new features new and useful features because building features that aren't useful doesn't necessarily move the dial on, on the product innovation, but, and then lastly, these all get rolled up into an overall leadership graphic. And that's what we'll show here in just a second.
So two different reports, essentially the same questionnaires here's, who was included. We broke these out into, on premises versus cloud delivered, probably Rollos together for a future report. So again, here are the vendors we've got ad Noum CA technologies, interest data card, Ergon Evian for Dr. I global IBM, one span, RSA secure, and core security for the cloud, MFA leadership compass cover adaptive formerly Centrify interest. Gemalto I ID data web Microsoft Okta, one identity, one span, ping identity Symantec, and thread metrics. So here's a look at the overall leader graphic. We see RSA secure IBM CA for drop and entru in the leader area. And then on cloud MFA, we see Microsoft adaptive interest Symantec, threat metrics, Okta, and ping in the overall leader area. So now let's look to see if there are any questions and don't have any questions at the moment. So yeah, this, this should be recorded and up available for everyone to watch by tomorrow. If you have any other questions, feel free to contact us after the fact. And with that, I think I'll conclude the webinar. Thanks everyone for attending.
How can we help you