KuppingerCole Identifies Leaders in Consumer Authentication

Good morning and good afternoon. I'm John Tolbert, a lead Analyst here at Cole and today's webinar. I'm gonna talk about the results from the leadership compass on consumer authentication that was published within the last month or so. So before we get into that a little bit about us keeping our cold, we're a global Analyst firm. We specialize in identity and access management, cybersecurity and artificial intelligence topics. And we do research and publish that research. We also do events and webinars like this one, and we do advisory work for clients as well. For research, we have four major report types leadership compass, like we're gonna talk about today, which is a comparison of all the major products in a given market, excuse me, executive views. These are smaller four or five page papers that are overviews of a given product or service. And we always end them with an objective strengths and challenges.
Section advisory notes are more pure research papers that are focused on specific topics. They're not really about any given product, but you know, about specific topics in I am or cybersecurity or AI. They're a little bit longer form. And then leadership briefs are two page or thereabouts, smaller versions of the research papers that again, aren't about any particular product, but about the given kind of technology or maybe a specific problem in the field. We're trying to address with regard to advisory. We've got several different kinds of advisory services that we offer a strategy compass that we do assessments and help customers come up with strategies again on our three major subject areas and produce roadmaps. And the timelines, a portfolio compass also involves requirements analysis, and really looking at the portfolio of products and services that customer may already have, and then figuring out what may be missing and then helping them to transition to that. A tech compass is a more in depth and detailed look at how to achieve their roadmap goals. And this also usually involves something like tools, choice, or helping with RFPs. And then lastly, a project compass. This is having an Analyst Analyst on CI for short period of time to help execute on, on the tech compass or the portfolio compass.
We recently launched what we call KC plus it's new content and research platform it's designed to be easily searchable. All of our content is, is online. It's directly available to subscribers. You don't have to download PDF files, it's all searchable. And then last but not least, it's an easy subscription model for 800 euros a year. You get full access to all of our various research products, including the leadership compasses regarding events. We have several interesting events coming up. In fact, next week in Berlin, we have the cybersecurity leadership summit and concurrent cyber access summit. Hope you can join us for that. Then we also have AI impact at the end of November and Munich cybernetics world, a new conference that will be at the end of next year. And then of course our flagship event is EIC the European identity and cloud conference, which is in Munich in may. So about the webinar everyone's muted centrally we'll take care of the meeting and unmuting. We are recording and the slides and the recording should be available tomorrow. And then we'll do Q and a at the end. And if you look at the go to webinar control panel on the side, there, there's a blank where you can enter questions at any time. So feel free to enter questions and we'll address that at the end.
So I'll, it's just me today. So I will go through what I see as the market drivers and then their results of the leadership compass. So market drivers, you know, we've seen a lot of interest in this specific report, lots of clients, lots of vendors are interested in, you know, how do various solutions stack up because many companies today are interested in either replacing or augmenting what they have in IAM or consumer IAM with regard to consumer authentication. And why might they be interested in doing that five major reasons that I've been able to discern by talking to vendors and customers? Number one, people are really needing better alternatives to just password authentication. So it can be a major usability improvement for your site. If you're a consumer facing business, to be able to offer different kinds of authentication technologies, rather than just passwords with knowledge based authentication resets, I would say that's probably driver number one.
And then the other reasons are, are very closely tied to the security aspect of that. So again, being able to increase authentication assurance levels and overall security, we've all probably heard many times over the password breaches or one of the major causes or vectors for fraud and, and data loss. So many companies are both interested in increasing usability, but also increasing the overall security on their sites. If they're consumer facing fraud, fraud is a big risk, especially given all the innovations in fraud we've seen in the last couple of years. So being able to reduce that even by what might seem a small amount could be a significant cost savings for consumer facing businesses.
Then we also encounter companies that are interested in adding kind of a layer of risk adaptive authentication, and or authorization to be able to meet complex use cases. Maybe that, you know, this might be a case of, you know, doing step up authentication or being able to do continuous authentication, looking at a variety of different factors and attributes at the time of the transaction to determine whether or not you believe it's the, the actual registered user on the other end of the line, or if it's a fraudster. So being able to add in these extra capabilities, like looking at, you know, geolocation, geo velocity, user behavioral analysis, those kinds of features are becoming increasingly important for various consumer businesses. Obviously finance would be an industry that would be very interested in, but so is retail and, and insurance and healthcare. We see increasing interest from really all the different consumer facing industry sectors.
Then to scale up for digital transformation. This is a, a really big thing, you know, as more and more consumers do come online and start using services and working with different devices, companies find that sometimes their existing consumer authentication scheme based on passwords is insufficient to meet the load. So sometimes you'll see clients that are interested in maybe augmenting this with a, a separate service or overhauling, a service that they run themselves on premise or in infrastructure as a service. So this really leads to lots of different kinds of deployment models that that customers need to be able to implement.
Then lastly, excuse me, particularly in Europe, with the advent of the PSD two directive, we see lots of companies in the financial sector that are looking at ways of doing SCA or strong customer authentication because it is in fact required by PSD two, we have more publications and other webinars you can look for where we talk about PSD two specifically, but there's, there's a lot of technical growth that needs to happen yet. So that various businesses and finance could become PSD two compliant. When looking at the different vendors in the field, I think there are two major kinds of backgrounds that they have. So consumer authentication vendors are either, you know, number one, kind of an overhauled enterprise IM vendor. And you can probably imagine who many of these vendors are. They have, they they've grown up over the last 10, 15, 20 years with, you know, on-premise suites of identity, access management and various Federation functions. They're well known and well deployed in many organizations around the world. So they they've kind of evolved to cover a lot of consumer facing use cases as well. And then on the other side, we've got, excuse me, vendors that are cloud native, you know, their identity as a service or consumer identity and access management vendors. Who've been around for 3, 5, 10 years. Maybe in some cases they really do offer cloud native identity services for either enterprises or directly for, in some cases directly for certain consumer facing applications.
So some of the key criteria that I looked at when doing the research here on consumer authentication, number one, what are the account recovery mechanisms? You know, I think this is becoming increasingly important. You know, so many, so many authentication systems sort of rely as a, as a backup for either password based authentication. If you're using something more sophisticated than that, or very worst case scenario, knowledge based authentication. So that would be the, the security questions. So that's, that's usually even a worse option than password. So, you know, in the report, I try to call out the different account recovery mechanisms or the quality for each of the vendors there, API APIs, we've talked in other webinars and other reports about the, the move toward API access for many identity functions. This is becoming a, a very important and real trend. We've got leadership compass on identity APIs as well.
So in with this particular attribute, we're looking at, you know, how what's the quantity or the amount of functionality that you can manipulate via API and not necessarily have to do things over command line or for administering the system authenticators, excuse me, broad support for various kinds of authenticators, again, over and above knowledge based authentication or passwords. There are lots of biometrics, Fido, many other kinds of authenticators out there. So this is a measure of how many and what, what kind of authenticators are supported by each of the, the vendors that are reviewed fraud and threat intelligence. This is talking about using third party services in some cases, or if it's some of the larger vendors, they have a lot of in network fraud and threat intelligence they can use to help reduce risk. And this is again, looking at the different kinds of cyber threats. You know, a lot of times that boils down to things like IP addresses, networks and URLs, and the, the value of the information is, is very constrained to very limited time period. So having an up to date source of fraud and threat intelligence is very important for being able to reduce the overall risk of fraud.
Number five, here, mobile security. I'm just trying to call out those solutions that are using that offer things like secure SDKs for building mobile apps for Android solutions, those who are using things like global platform, secure elements, trusted execution environment, various app, hardening techniques and, and technologies. Again, this is we, we see probably the most interest on consumer facing businesses for implementing different kinds of mobile authenticators. So that's why I thought it, it should have its own category here to be rated risk analytics. This is, let's say, taking in that fraud and threat intelligence, and then being able to do things with it that are useful for the business. So generally this is about being able to define risk adaptive policies, being able to set your own level of, of risk tolerance and, and then have the solution work in accordance with that. And then lastly, scalability, one of the biggest differences between enterprise I am and consumer I am is that, you know, on the enterprise side, even large enterprises may have, you know, a hundred thousand couple hundred thousand and most employees or contractors that they have to authenticate and, and authorize every day.
So a few hundred thousand users, max, you know, a few million transactions per day, but on the consumer side, you know, some of the, the vendors here have upwards of a, a billion users defined. So on peak load days, there could be hundreds of millions or more transactions that that need to be looked at. So scalability factors, I think very important in consumer authentication solutions.
So about the leadership compass itself, the methodology that we used, we define a market segment. We look at who are the vendors in that market, invite them all to participate in a leadership campus. We create these rather long technical questionnaires and get those out to the vendors and then receive their responses, do briefings. Then we independently and objectively rate those responses. In addition to what we learn from the briefings. And then we write a report and after the first draft is written, we circle that back to ask for a fact check, just to make sure we didn't get anything wrong.
So there are nine major dimensions that we cover in each leadership compass, number one, security. And by this, we mean what's the internal security of the product, like, is it doing, can you require strong authentication for administrators? Can you have role based and delegated access control for administrators solve the data, the underlying data encrypted, are you using hardening practices for your applications? This is what we mean by security. In this context, then functionality is the product feature complete. Does it have everything that we would expect a product in this market to contain integration? This is where you may have multiple products as part of a suite, and maybe, you know, this particular product that we're analyzing covers a certain set of functions, but in order to get full functionality, you have to license the entire suite. How well integrated is it, which is different from interoperability, interoperability, where we're really looking for support for standards. Can it play well with other products in the space? Let's say it's a security product. Can, can it output log data to, to SIM and S log format or something like that? Usability, how easy is it to use? Not just from, in this case, the consumer perspective, but from the administrator perspective, what does it look like to be an administrator of the product? How easy is it to do the things that you commonly have to do as an administrator?
Then we also consider innovation. Does the product deliver, you know, new features? How do they rate compared to others in the field? And then also, how, how do they all match up to what we think is as Analyst? What we think that a product in the field should be able to do. So obviously there are some companies that are, you know, on the leading edge and others that are essentially playing catch up market. This is a combination of factors. How many customers of the product, how many consumers are served by how many total managed identities, which industries do they go after specifically, and then which regions of the world are using it because in order to be, you know, a really, really large, you know, to win in the market leadership category, you have to be able to serve large numbers of customers in, in all the regions of the worlds ecosystem is closely related to that. That's how many partners or ISVs or value added resellers and then support personnel around the globe. Does it given vendor have, and then lastly, financial strength is the company profitable? Is it a startup, or is it a, you know, an advanced startup with good funding sources? These are things that many companies really need to be able to evaluate before they can pick a solution.
So then we have four different categories of leadership. We do product leadership. And again, that's like the, how complete is a product. Is it market leadership number in geographic distribution of customers and the support ecosystem, innovation leadership who's on top in terms of being able to deliver those innovative features and who's, who's lagging a bit. And then we take all three of those and come up with a combined or overall leadership category. So there's graphics for each one of these inside the report. We do usually about a one page on each of the vendors, in addition to producing the graphics. So in the, in the one page sections, we also have spider graphs where we look at these various categories that it described earlier. So you'll, you'll find this kind of layout where we're looking specifically here at APIs, authenticators fraud, threat intelligence, mobile support, risk analytics, and scalability.
And you can see what the, the required features are there for each one. Again, API, that would be, you know, how many and what kinds of functions are available over APIs authentic. This includes all the various forms of Fido, especially 2.0 and the web authentic things like mobile apps or mobile push notifications, having an SDK, maybe supporting mobile connect, GSMA, mobile connect, fraud, and threat, and tell again, that's a lot of things about network specific or device specific, maybe being able to, to manage bots when they're discovered compromise credential, intelligence, mobile, supporting it as mobile app hardening use of global platform standards or secure enclave for iOS, if you're storing certificates or keys or something, risk analytics, being able to, to rate the factors, yourself, being able to have that ability to decide what's important to your organization and how to design the risk adaptive policies yourself, some of the solutions you'll see, don't allow for that much granular selection. So that's where this particular point on the spider graph will come from. And scalability, you know, is it cloud hosted? Is it containerized microservices? The, these are, these are things again that are of particular interest to companies that have massive scalability needs.
So I won't read the whole list of companies here, but we had a really, really good response to this leadership compass. So lots of companies ranging in, you know, from size of really large to some regional vendors too, where you'll see, and this is something else we've noticed in consumer identity and access management leadership campuses. There are, you know, large vendors. And then there are also some very regional specific vendors that deal with regional regulations or being able to use national or, or bank IDs from certain regions. So a big mix of different kinds of vendors that we see in both consumer authentication and then consumer I, and now for the graphics. So the overall leader in consumer authentication, you'll see interest data card for drop secure off a I P IBM and log in radius. And again, these, the slides and the webinar will be available by tomorrow.
So we won't linger on these, but you can come back and tackle up on the product leader side again, pretty similar distribution. These are, again, the companies that have the, the most complete products in terms of features that we would expect to see here. We've got interest data cards, secure off cloud density parade for rock login, radius, Akai IBM and ping identity. And you know, this is a pretty mature field. You see all the companies here are actually doing pretty well in terms of being above the, the midpoint. So this to me says, there are not only lots of vendors out there, but most of them are, are, are meeting what we consider baseline features that that need to be present. So a really interesting report and really interesting category. I believe leaders in innovation, you know, this can take many forms. It was looking at things like, again, the ability to consume fraud and threat intelligence, the use of Fido being able to support multiple advanced and secure authenticators.
So the leader list here is interest data card secure off for rock IBM, cloud identity, ping identity login radius, Akai. I Iovation off zero knock knock labs. And a and again, this is very encouraging because this is an area where given the amount of interest that we see in the consumer authentication space. It's great to see so many companies that are innovating to this level and then market leaders. This is again, you know, how many total customers, how many consumer identities under management, and then how scalable what's the partner ecosystem. And then financial strength gets figured into this as well. So here we see Microsoft on top Akamai SAP, Broadcom paying identity interest, state card, and for drop of leaders here.
So with that, we'll move to the question and answer session. First question I see is which ones are more geared to B2B business rather than B2C? You know, I think with given the number of vendors in the report, it'd probably be better to have an offline discussion about that. Many of them have, again, that sort of enterprise I am to consumer, I am background. And in that case, you know, their, they understand how to handle not only employee relat ships, but customers, contractors, B2B, customers, that sort of thing. But you know, it, a lot of it depends on what the particular use cases are. Do you need to be able to authenticate users, you know, with high assurance? So it would probably be something that we should discuss bulk authentication and IPS.
Yeah. I'm not, yeah. Let's, let's take that offline. I'll have a discussion via email or something. Do we also do price based analysis? You know, we do often ask about prices, but, you know, I, I know from previous experience when you're negotiating a contract with any vendor in the software space, the, the price that you're presented is probably gonna be different than the price that your competitor or some other company and a different industry might be presented with. So I, I think it's interesting to find out what list prices are, but that doesn't always tell you what you're gonna wind up getting when you go through an RFP. And then there are some specific questions about individual vendors, and I think it'd be best to take a look at the report and then get in touch with me about a, any questions that you've got on specific vendors.
Let's see. Next one. Do you foresee more merger and acquisition activity and consumer IM I think this is probably referring to, you know, in the last couple of years we saw giga get purchased by SAP and then January get, get purchased by Akamai. You know, I think the answer to that would be, yes, you know, these companies, especially the ones that are focused on consumer authentication are, are meeting a different need in the market. So most likely larger vendors, or sometimes vendors with other enterprise platform kinds of applications, as you can see, might be interested in augmenting the technical capabilities that they've got. So, yeah, I would imagine I don't have any specific information about upcoming mergers or acquisitions, but I think that it's entirely likely that we'll see more merger and acquisition activity in the consumer authentication space.
Let's see. Do you categorize the pro categorize the products based on the user base level or based upon the number of users we do take into account the, the types of customers that individual vendors are going after? I mean, we do ask questions about, are you targeting specific industries? Are you targeting, you know, large enterprises versus small to medium sized business, but you know, most of the companies in the space are, are kind of making a play for both SMB or enterprise business. You know, if you talk to them, they'll tell you things like, you know, they're looking at the global 2000 as a customer base. So, you know, obviously lots of different kinds of companies would be in that list.
Let's see.
Also, I have a couple of more questions about specific vendors. Yeah. I think it would be better to take discussions about specific vendors offline, feel free to contact me afterward if you'd like, and we can set up a time to talk. Let's see. Do you see companies that are using open standards more and how does that play into the rating? Yeah. You know that, again, that, that kind of goes in the interoperability rating. So in, in chapter four, there are tables to look at those nine different categories that I was talking about. Interoperability, integration, security functionality, market strength. So you, yeah. You can see how each company is rated in those tables in chapter four and interoperability is, is really all based on open standards. That's probably one of the most important determining factors there again, another question about specific products. Yeah. Yeah. So there's, we could definitely talk about specific products, but it would be something I'd want, do offline.
Do we consider open source providers? Yes. Yes. We definitely do look at open source providers depending on, on the market segment. That would be something you could look at in, in, in the reports themselves, which vendors are using open source methodologies. Do we advise using them in the CIM space? Again? I think that's very specific to the kinds of business that you're in the use cases that you need to support, which, which kinds of authentication or maybe regulatory compliance features does a given product have, again, that needs to kind of be tailored to your particular area in business. It's not something that can be easily answered in a webinar.
So yeah, lots of, lots of good questions here today. Great. Well, I think we've slowed down or stopped on receiving questions. So we'll go ahead and close it out. But again, if you, you do have other questions and wanna get in contact with us later, the, both the webinar and the slides will be available by tomorrow. So feel free to take a look at that and then, and then contact us and, and maybe we'll be able to discuss further then. So again, I don't see any additional questions coming in, so thanks everyone for your time. Thanks for your participation and talk to you later.