G01.2012 magic quadrant for user authentication

G00227026
Magic Quadrant for User Authentication
Published: 17 January 2012
Analyst(s): Ant Allan
User authentication is dominated by three well-established, wide-focus
vendors that command the majority of the market. Newer wide- and tight-
focus vendors are making significant inroads and offer enterprises sound
alternatives across a range of needs.
Strategic Planning Assumptions
By 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for
new or refreshed user authentication implementations, up from less than 10% today.
By 2015, 30% of business-to-business and business-to-enterprise user authentication
implementations will incorporate adaptive access control capability, up from less than 5% today.
Market Definition/Description
A provider in the user authentication market delivers on-premises software/hardware or a cloud-
based service that makes real-time authentication decisions and can be integrated with one or more
enterprise systems to support one or more use cases. Where appropriate to the authentication
methods supported, a provider in the user authentication market also delivers client-side software
or hardware used by end users in those real-time authentication decisions.
This market definition does not include providers that deliver only one or more of the following:
1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture
devices (sensors)
2. Software, hardware or a service, such as access management or Web fraud detection (WFD),
that makes a real-time access decision and may interact with discrete user authentication
software, hardware or services (for example, to provide "step up" authentication)
3. Credential management software, hardware or services, such as password management tools,
card management (CM) tools and public-key infrastructure (PKI) certification authority (CA) and
registration authority (RA) tools (including OCSP responders)
4. Software, hardware or services in other markets, such as Web access management (WAM) or
VPN, that embed native support for one or many authentication methods

A provider in the user authentication market may, of course, deliver one or more such offerings as
part of, or in addition to, its user authentication offering. Note, however, that, for the purposes of
this Magic Quadrant, offerings of Type 2, 3 and 4 are not considered to be user authentication
offerings and were not included in customer, end-user or revenue figures.
Magic Quadrant
Figure 1. Magic Quadrant for User Authentication
Source: Gartner (January 2012)
This Magic Quadrant replaces "MarketScope for Enterprise Broad-Portfolio Authentication
Vendors." There are several important changes from the previous document. The change of
document type, from MarketScope to Magic Quadrant, reflects the increasing maturity and
significance of the user authentication market and the need to more clearly differentiate among the
vendors along two axes. The Evaluation Criteria, which are detailed below, are significantly different
from those used in the MarketScope. They were changed to include tight-focus vendors and wide-
focus (or broad-portfolio) vendors. In addition, the minimum-revenue criterion no longer applies,
which avoids penalizing vendors that offer lower pricing.
Gartner sees user authentication vendors falling into four different categories with somewhat
indistinct boundaries:
Page 2 of 48 Gartner, Inc. | G00227026

1. Specialist vendors: A specialist user authentication vendor focuses on a distinctive proprietary
authentication method — either a unique method or a proprietary instantiation of a common
method — and also offers a corresponding infrastructure or a software development kit (SDK)
that will allow it to plug into customers' applications or other vendors' extensible infrastructures.
2. Commodity vendors: These vendors focus on one or a few well-established authentication
methods, such as one-time password (OTP) tokens (hardware or software) and out of band
(OOB) authentication methods. A commodity vendor may provide a basic infrastructure to
support only those few methods, and its offerings will primarily interest small or midsize
businesses (SMBs) and some small enterprises that still have narrower needs.
3. Tight-focus vendors: We characterize a commodity vendor that provides a robust, scalable
infrastructure that can meet the needs of larger enterprises and global service providers — and
sometimes augment other vendors' extensible infrastructures — as a tight-focus vendor.
4. Wide-focus (broad-portfolio) vendors: The defining characteristic of these vendors is offering
or supporting many distinct authentication methods. A wide-focus vendor may also be a
specialist vendor. It will typically offer a versatile, extensible authentication infrastructure that
can support a wider range of methods than it offers, which may be sourced through original
OEM agreements with one or more other vendors in any of these categories, or left to the
enterprise to source directly from those vendors.
The vendors included in this Magic Quadrant fall into the third and fourth of these categories.
Market Size
Gartner's estimate for revenue across all segments of the authentication market for 2011 remains
approximately $2 billion. However, the margin of error in this estimate is high, because not all the
vendors included in this Magic Quadrant provided revenue data and because of the "long tail" of
the more than 150 authentication vendors not included in it. Individual vendors included in this
Magic Quadrant that did provide revenue data reported year-over-year revenue changes ranging
from a greater than 10% decline to nearly 300% growth, with the median approximately 20% to
30% growth. More vendors — although still not all — provided customer numbers, and a majority of
vendors reported growth in the 20% to 40% range, with some smaller vendors showing far greater
growth.
We estimate the overall growth in the market by customers to be approximately 30% year over
year. Because of the shift toward lower-cost authentication solutions, we estimate the overall
growth by revenue to be approximately only 20%.
Range of Authentication Methods
Enterprise interest in OTP methods, broadly defined, remains high; however, as has already been
noted, we have seen a significant shift in preference from traditional hardware tokens to phone-
based authentication methods. Wide-focus user authentication vendors offer all these and more,
generally offering or supporting knowledge-based authentication (KBA) methods or X.509 tokens
(such as smart cards) as well. Most of the tight-focus vendors offer just phone-based authentication
Gartner, Inc. | G00227026 Page 3 of 48

methods, especially OOB authentication methods (sometimes incorporating voice recognition as an
option), with a few (none of which are included in this Magic Quadrant) offering only KBA or
biometric authentication methods.
The vendors included in this Magic Quadrant may offer any of a variety of methods across a range
of categories (see "A Taxonomy of Authentication Methods, Update"). These categories, and, where
appropriate, the corresponding categories from the National Institute of Standards and Technology
(NIST) Special Publication 800-63-1 "Electronic Authentication Guideline" (July 2011 draft), are:
■ KBA Lexical: This approach combines improved password methods and Q&A methods. An
improved password method lets a user continue to use a familiar password, but provides more
secure ways of entering the password or generating unique authentication information from the
password. A Q&A method prompts the user to answer one or more questions, with the answers
preregistered or based on on-hand or aggregated life history information. It corresponds to the
NIST "preregistered knowledge token" category.
■ KBA Graphical: KBA graphical authentication uses pattern-based OTP methods and image-
based methods. A pattern-based OTP method asks the user to remember a fixed, arbitrary
pattern of cells in an on-screen grid that is randomly populated for each login and to construct
an OTP from numbers assigned to those cells. An image-based method asks the user to
remember a set of images or categories of images and to identify the appropriate images from
random arrays presented at login. There is no corresponding NIST category.
■ OTP Token: This authentication method uses a specialized device or software application for
an existing device, such as a smartphone, that generates an OTP, either continuously (time-
synchronous) or on demand (event-synchronous), which the user enters at login. The token may
incorporate a PIN or be used in conjunction with a simple password. This category also
includes transaction authentication number (TAN) lists and grid cards for "generating" OTPs.
Note that the "OTP" category does not include "OTP by SMS" or similar methods, which
Gartner classes as OOB authentication methods. One of several algorithms may be used:
■ American National Standards Institute (ANSI) X9.9 (time- or event-synchronous or
challenge-response)
■ Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP), time-based OTP
(TOTP) or OATH Challenge-Response Algorithms (OCRA)
■ Europay, MasterCard and Visa (EMV); MasterCard Chip Authentication Program (CAP); or
Visa Dynamic Passcode Authentication (DPA), also called remote chip authentication
■ A proprietary algorithm
The corresponding NIST categories are "multifactor OTP hardware token," "single-factor OTP
token" and "look-up secret token":
■ X.509 token: This X.509 PKI-based method that uses a specialized hardware device, such as a
smart card, or software that holds public-key credentials (keys or certificates) that are used in
an automated cryptographic authentication mechanism. The token may be PIN-protected,
biometric-enabled or used in conjunction with a simple password. It corresponds to NIST

categories "multifactor hardware cryptographic token," "multifactor software cryptographic
token" and "single-factor cryptographic token."
■ Other token: This category of methods embraces any other type of token, such as a magnetic
stripe card, an RFID token or a 125kHz proximity card, a CD token or proprietary software that
"tokenizes" a generic device, such as a USB NAND flash drive or an MP3 player. There is no
corresponding NIST category.
■ OOB authentication: This category of methods uses an OOB channel (for example, SMS or
voice telephony) to exchange authentication information (for example, sending the user an OTP
that he or she enters via the PC keyboard). It is typically used in conjunction with a simple
password. (Some vendors also support OTP delivery via email in a similar way; however, this is
not strictly "OOB," because the OTP is sent over the same data channel as the connection to
the server.) The corresponding NIST category is "out-of-band token."
■ Biological biometric: A biological biometric authentication method uses a biological
characteristic (such as face topography, iris structure, vein structure of the hand or a fingerprint)
as the basis for authentication. It may be used in conjunction with a simple password or some
type of token. There's no corresponding NIST category.
■ Behavioral biometric: A behavioral biometric authentication method uses a behavioral trait
(such as voice and typing rhythm) as the basis for authentication. It may be used in conjunction
with a simple password or some kind of token. There's no corresponding NIST category.
In the research for this Magic Quadrant, a vendor's range of authentication methods offered and
supported was evaluated as part of the assessment of the strength of its product or service offering.
Note that some vendors offer only one or a few authentication methods, which may limit their
position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution that is ideally
suited to your needs.
Use Cases for New Authentication Methods
Many enterprises adopt new authentication methods to support one or many use cases — the most
common of which are workforce remote access, especially access to corporate networks and
applications via a VPN or hosted virtual desktop (HVD), and external-user remote access, especially
retail-customer access to Web applications. The same new authentication method may be used
across one or a few use cases, but the more use cases an enterprise must support, the more likely
it needs to support multiple authentication methods to provide a reasonable and appropriate
balance of authentication strength, total cost of ownership (TCO) and user experience in each case.
A full range of use cases is enumerated below. Vendors included in this Magic Quadrant can
typically support multiple use cases. The endpoint access use cases, however, cannot use a
vendor's authentication infrastructure, because the endpoints are not network-connected at login,
but rather demand direct integration of a new authentication method into the client OS. (Note that
Microsoft Windows natively supports "interactive smart card login" — that is, X.509 token-based
authentication.) Not all vendors have equal experience in all use cases; some may have a stronger
track record in enterprise use cases, such as workforce remote access, while others may focus on

access to retail-customer applications, especially in financial services. Not all the vendors in this
Magic Quadrant were able to break down their customer numbers on this basis.
The authentication use cases that Gartner considered in preparing this Magic Quadrant (with the
relevant subcategories) are:
Endpoint access
■ PC preboot authentication: Preboot access to a stand-alone or networked PC by any user
■ PC login: Access to a stand-alone PC by any user
■ Mobile device login: Access to a mobile device by any user
Workforce local access
■ Windows LAN: access to Windows network by any workforce user
■ Business application: Access to any individual business applications (Web or legacy) by any
workforce user
■ Cloud applications: Access to cloud applications, such as salesforce.com and Google Apps, by
any remote or mobile workforce user
■ Server (system administrator): Access to a server (or similar) by a system administrator (or
similar)
■ Network infrastructure (network administrator): Access to firewalls, routers, switches and so on
by a network administrator (or similar) on the corporate network
Workforce remote access
■ VPN: Access to the corporate network via an IPsec VPN or a Secure Sockets Layer (SSL) VPN,
by any remote or mobile workforce user
■ HVD: Access to the corporate network via a Web-based thin client (for example, Citrix
XenDesktop or VMware View) or zero client (for example, Teradici) by any remote or mobile
workforce user
■ Business Web applications: Access to business Web applications by any workforce user
■ Portals: Access to portal applications, such as Outlook Web App and self-service HR portals by
any remote or mobile workforce user
■ Cloud applications: Access to cloud apps, such as salesforce.com and Google apps, by any
remote or mobile workforce user

External users
■ VPN: Access to back-end applications via IPsec or SSL VPN by any business partner, supply
chain partner or other external user
■ HVD: Access to the corporate network via a Web-based thin client (for example, Citrix
XenDesktop or VMware View) or zero client (for example, Teradici) by any business partner,
supply chain partner or other external user
■ Business Web applications: Access to Web applications by any business partner, supply chain
or other external user (except retail customers)
■ Retail customer applications: Access to customer-facing Web applications
For each use case, the enterprise must identify the methods, or combinations of methods, that fit
best, considering at least authentication strength, TCO and user experience (see "How to Choose
New Authentication Methods").
Note that some vendors have a particular focus on one use case or a few use cases, which may
limit their position within the Magic Quadrant. Nevertheless, such a vendor could offer a solution
that is ideally suited to your needs.
Market Trends and Other Considerations
Versatile Authentication Servers (VASs)
A VAS is a single product or service that supports a variety of open and proprietary authentication
methods in multiplatform environments. It may be delivered as server software, as a virtual or
hardware appliance, or as a cloud-based service, typically with a multitenanted architecture.
A VAS typically supports OTP tokens and OOB authentication, and may also support one or more of
the following: KBA methods, X.509 tokens and biometric authentication methods. A VAS must, at
minimum, support one or more standards-based authentication methods — most commonly, OTP
tokens using algorithms developed by the OATH — or have an extensible architecture to enable
third-party authentication methods to be "plugged in" as required, without the need for a discrete
third-party server or service.
A VAS vendor is likely a wide-focus authentication vendor, but not all wide-focus authentication
vendors are VAS vendors. Even if a vendor supports a wide range of methods, its authentication
infrastructure does not properly qualify as "versatile" if it supports only the vendor's proprietary
methods or those licensed from another vendor. (RSA, The Security Division of EMC, is the most
notable example of such a vendor.) Nonetheless, if the vendor can offer a wide-enough range of
authentication methods, it may still be able to deliver much of the value of a true VAS. However,
enterprises must consider the impact of vendor lock-in, particularly when it may restrict the future
adoption of fit-for-purpose authentication methods.
Most wide-focus vendors are now VAS vendors. With few exceptions, VASs are the only
authentication infrastructure they offer (although with different delivery options). Thus, even if a

customer is adopting only one kind of authentication method from such a vendor, it will be
implementing a VAS that gives it the flexibility to change or add methods to support future needs.
Tight-focus vendors are necessarily not VAS vendors.
Cloud-Based Authentication Services
Several included vendors offer cloud-based authentication services — either traditional managed
(hosted) services or new multitenanted cloud-based services — or partner with third-party managed
security service providers (MSSPs) ranging from global telcos to smaller, local firms (for example,
Sygnify, Tata Communications and Verizon Business). A cloud-based service can be a VAS, but
most MSSPs to date have focused on supporting only a small range of methods — typically OTP
hardware tokens and sometimes OOB authentication methods. However, we are also seeing some
interest in smart cards as a service offering, especially among U.S. federal government agencies
seeking to leverage the Personal Identity Verification (PIV) cards mandated by Homeland Security
Presidential Directive 12 (HSPD-12).
Historically, cloud-based authentication services have had the most traction among SMBs —
companies with fewer than 1,000 employees — and in public-sector verticals (government and
higher education). Costs, resources and around-the-clock support considerations make a service
offering appealing to these customers.
However, adoption of cloud-based authentication services among private-sector enterprises is
increasing, although not because they are explicitly seeking this delivery option. Gartner sees
several vendors successfully offering only a cloud-based service (or promoting such a service over
any on-premises offering), and enterprises are choosing such solutions based on their overall value
proposition. (Of course, the cost advantages of cloud-based services are implicitly part of that value
proposition.)
We expect greater adoption of cloud-based services among enterprises as multitenanted cloud-
based services mature and as cloud computing becomes more widely adopted as a way of
delivering business applications and services generally. Gartner predicts that, by 2017, more than
50% of enterprises will choose cloud-based services as the delivery option for new or refreshed
user authentication implementations, up from less than 10% today. However, it is likely that on-
premises solutions will persist, especially in more risk-averse enterprises that want to retain full
control of identity administration, credentialing and verification.
Adaptive Access Control
A number of the vendors included in this Magic Quadrant have WFD tools (see "Magic Quadrant for
Web Fraud Detection") that are primarily aimed at financial services providers but have attracted
interest from enterprises in other sectors, notably government and healthcare. WFD tools provide
adaptive access control capabilities; several vendors use the term "risk-based authentication," but
the scope of these solutions goes beyond authentication alone (see "Adaptive Access Control
Emerges").
Adaptive access control uses a dynamic risk assessment based on a range of user and asset
attributes, and other contextual information — for example, transaction value, endpoint identity and

status, IP reputation, IP- or GPS-based geolocation, and user history and behavior — to make an
access decision. Above a defined risk threshold, the tool can be set to deny a transaction, allow it
but alert, prompt for reauthentication or authentication with a higher-assurance method, prompt for
transaction verification, and so on. This capability provides an essential component in a layered
fraud prevention approach (see "The Five Layers of Fraud Prevention and Using Them to Beat
Malware").
In typical enterprise use cases, adaptive access control capability can minimize the burden of
higher-assurance authentication on the user by limiting its use to those instances where the level of
risk demands it. For example, if a user accesses a VPN or Web application from a known endpoint
and location, then a legacy password alone may suffice; however, if the endpoint is unknown or the
location is unusual, then the user would, for example, be prompted to use OOB authentication.
Gartner projects that, during the next two to three years, such capability will become more
important over a wider range of use cases and will be more widely supported among mainstream
user authentication products and services, especially among wide-focus vendors. By 2015, 30% of
business to business (B2B) and business to enterprise (B2E) enterprise user authentication
implementations will incorporate adaptive access control capability, up from less than 5% today.
X.509 Tokens
Unlike OTP tokens and OOB authentication offerings, "authentication using X.509 tokens" does not
represent a complete product of fully integrated components provided by a single vendor, but
rather an ensemble of discrete components from two or more vendors. Thus, X.509 token projects
can be significantly more complex than they may appear at first. Enterprises must identify
combinations of the different components that are interoperable, as demonstrated through true
technology partnerships, rather than simply through comarketing and coselling agreements, and
should demand multiple reference implementations.
Among the vendors included in this Magic Quadrant, some (such as ActivIdentity, Gemalto and
SafeNet) provide only the smart cards, middleware and CM tools. Others (such as Symantec)
provide only the PKI components. For many enterprises, the PKI tools embedded in Microsoft
Windows Active Directory will be good enough, so any of the former vendors may be sound
choices. Where enterprises have a need for richer functionality in their PKI components, both types
of vendor are needed.
It is important to note, however, that this "incompleteness" is a market reality for X.509-based
authentication, and vendors offering smart tokens and supporting X.509-based authentication in
their authentication infrastructure products were not penalized for lacking PKI tools in the
development of this Magic Quadrant. Moreover, X.509-based authentication for Windows PC and
network login is natively supported, so it does not need an authentication infrastructure, such as
those offered by the vendors included in this Magic Quadrant. Enterprises seeking to support this
can consider other vendors offering smart tokens (for example, G&D, Morpho and Oberthur
Technologies), PC middleware (from the smart token vendors or others, such as charismathics) and
CM tools (from the smart token vendors or others, such as Bell ID and Intercede).

Pricing Scenarios
For this Magic Quadrant, vendor pricing was evaluated across the following scenarios:
■ Scenario 1 — Communications (publishing and news media): Small enterprise (3,000
employees) with 3,000 workforce users of "any" kind. Usage: Daily, several times per day.
Endpoints: PC — approximately 60% Windows XP and Vista (AD), and 40% Mac OS X
(OpenLDAP). Endpoints owned by: Company. User location: Corporate LAN. Access to: PC and
LAN, downstream business and content management applications, mixture of internal and
external Web and legacy. Sensitivity: Company- and customer-confidential information. Notes:
The company also plans to refresh its building access systems and may be receptive to a
"common access card" approach. The average (median) price for this scenario was
approximately $125,000.
■ Scenario 2 — Retail ("high street" and online store): Large enterprise (10,000 employees)
with 50 workforce users, limited to system administrators and other data center staff. Usage:
Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista. Endpoints
owned by: Company. User location: Corporate LAN. Access to: Windows, Unix, and IBM i and z
servers, Web and application servers, network infrastructure. Sensitivity: Business-critical
platforms. Notes: Users have personal accounts on all servers, plus use of shared accounts
mediated by shared account password management (SAPM) tool (for example, Cyber-Ark
Software and Quest Software). Users also need contingency access to assets via an SSL VPN
from PCs ("any" OS). The company has already deployed 1,500 RSA SecurID hardware tokens
for remote access for its mobile workforce. It must comply with the U.S. Sarbanes-Oxley Act,
PCI Data Security Standard (DSS) and other requirements as appropriate to targets accessed.
The average (median) price for this scenario was approximately $7,000.
■ Scenario 3 — Healthcare (teaching hospital): Large enterprise (10,000 employees) with 1,000
external users, comprising doctors and other designated staff in doctors' practices. Usage:
Daily, several times per day. Endpoints: PC — mixture of Windows XP and Vista, some
Windows 7 and Mac OS X, and maybe others. Endpoints owned by: Doctors' practices. User
location: On LANs in doctors' practices. Access to: Electronic health record applications;
mixture of Web and legacy (via SSL VPN). Sensitivity: Patient records. Notes: Enterprise must
comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Health
Information Technology for Economic and Clinical Health (HITECH) Act requirements. PCs may
be shared by doctors and other staff in doctors' practices. The average (median) price for this
scenario was approximately $70,000.
■ Scenario 4 — Utilities (power): Large enterprise (20,000 employees) with 5,000 users
comprising traveling workforce and a "roaming" campus workforce. Usage: Daily, several times
per day to several times per week. Endpoints: PC (mainly Windows XP), smartphones (mainly
BlackBerry) and some other devices. Endpoints owned by: The company. User location: Public
Internet and corporate WLAN. Access to: Business applications, mixture of internal Web and
legacy, via SSL VPN or WLAN. Sensitivity: Company- and customer-confidential information,
financial systems (some users), information about critical infrastructure (some users). Notes:
Must comply with U.S. Federal Energy Regulatory Commission (FERC), North American
Electrical Reliability Corporation (NERC) and other regulatory and legal requirements. The

company is also investigating endpoint encryption solutions for its traveling workforce's PCs.
The average (median) price for this scenario was approximately $200,000.
■ Scenario 5 — Financial services (retail bank): Large enterprise (20,000 employees) with 1
million external users, all retail banking customers. Usage: Variable, up to once every few
months. Endpoints: PC — mixture of Windows XP and Vista, some Windows 7 and Mac OS X;
smartphones (including Android and iOS) and tablets (mainly iOS). Endpoints owned by:
Customers, Internet cafes and others, possibly also customers' employers. User location:
Public Internet, sometimes worldwide; possibly corporate LANs. Access to: Web application.
Sensitivity: Personal bank accounts, up to $100,000 per account. Notes: Most customers are
based in metropolitan and urban areas, but approximately 10% are in areas without mobile
network coverage. The average (median) price for this scenario was approximately $1.9 million.
Note that these pricing scenarios do not reflect any discounts that a vendor may offer particular
customers or prospects, and they do not reflect other considerations that contribute to the TCO of a
user authentication solution (see "Gartner Authentication Method Evaluation Scorecards, 2011:
Total Cost of Ownership").
Vendor Strengths and Cautions
ActivIdentity
ActivIdentity, based in Fremont, California, was formed by the 2005 merger of ActivCard (which had
acquired A-Space in 2004, giving it the 4TRESS product, focused on authentication in financial
services) and Protocom (an enterprise single sign-on [ESSO] vendor). ActivIdentity was purchased
by Assa Abloy in December 2010 and made part of its HID Global unit. The company has a long
history in authentication and adjacent markets. Its current focus is on authentication and credential
management across multiple market segments. As part of HID Global, ActivIdentity now has a
stronger focus on common access cards for physical security, as well as for enterprise PC and
network login.
ActivIdentity offers 4TRESS Authentication Server as a hardware appliance, aimed at enterprise and
online banking or other external user implementations, or a software appliance aimed at enterprises
and SMBs, as well as an SDK for direct integration in banking (or other) applications. It also offers
4TRESS AAA Server, with support for a small range of authentication methods (OTP tokens), as
software for enterprises and SMBs.
Strengths
■ 4TRESS Authentication Server has one of the widest ranges of supported authentication
methods, and ActivIdentity offers one of the widest ranges of authentication methods. Overall,
ActivIdentity has one of the strongest product or service offerings.
■ ActivIdentity demonstrated a strong sales strategy.
■ ActivIdentity came out very well in the pricing scenarios and was among the lowest-cost
options for Scenario 5.

■ Reference customers typically cited functional capabilities, the pricing model or TCO as
important decision factors.
Cautions
■ ActivIdentity has a small market share by customer numbers in comparison with other vendors
in this research. However, overall, it is used by approximately 10 million end users.
■ Reference customer comments raised concerns about ActivIdentity's customer support, the
reliability of the software and target system integration. Overall, reference customers were
ambivalent about the company's customer support.
Authentify
Authentify, based in Chicago, was established in 1999. It offers OOB authentication services and
has multiple OEM relationships (which include other vendors discussed in this Magic Quadrant).
Authentify has a strong market focus on financial services, and tailors its offerings to banks' and
others' need for layered security and fraud prevention measures.
In 2001, Authentify launched its multitenanted, cloud-based service providing OOB authentication
by voice modes, adding SMS modes in 2007 and transaction verification for electronic funds
transfer by voice modes in 2008. In voice modes, additional assurance can be provided by
biometric voice (speaker) recognition. Authentify has recently launched 2CHK, a desktop and
mobile app, activated by an OOB voice call or SMS exchange, that provides more robust
transaction verification.
About half of Authentify's customers come from its channel partners, which include DocuSign,
Entrust, FIS, RSA and Symantec. Direct customers come mainly from financial services, including
major banks and insurance companies, but can also be found in healthcare, technology and service
provider verticals.
Strengths
■ Although it has negligible market share by customer numbers, across its own and partner
implementations, Authentify is likely used by hundreds of millions of end users.
■ Authentify clearly articulated a good market understanding and demonstrated a good
geographic strategy.
■ Direct SS7 layer monitoring enables Authentify to detect call forwarding in many areas,
defeating one type of attack against OOB authentication by voice.
■ Authentify came out fairly well in the pricing scenarios, and was among the lowest-cost options
for Scenario 5, which represents its target market segment. Although it was the highest-cost
option for Scenario 4 by a huge margin, this use case is not representative of its target market
segment.

Cautions
■ Authentify offers only OOB authentication. Furthermore, a majority of Authentify's clients use its
OOB authentication for "transactional" systems, rather than as a primary authentication method
for login — for example, registration confirmation, password change or recovery, real-time PIN
delivery, credential activation, login from unknown machine or location (in the context of WFD or
adaptive access control), transaction verification for funds withdrawal or transfer (often in the
context of WFD or adaptive access control). However, these use cases map well to the wants
and needs of Authentify's target market segment.
■ Authentify's offerings lack Security Assertion Markup Language (SAML) integration to cloud-
based applications and services.
■ Authentify did not clearly articulate a strong sales or marketing strategy in comparison with
other vendors in this research, nor did it demonstrate strong sales execution. However, Gartner
notes that Authentify performs strongly within its target market segment.
CA Technologies
CA Technologies' history dates back to the 1970s, and the company has a history of growth
through mergers and acquisitions, as well as internal product development. In 2010, CA
Technologies acquired Arcot Systems, with which it already had an important strategic partnership.
With its WebFort and RiskFort products, Arcot had made inroads into the WFD and online customer
authentication markets (as well as for card issuers authorizing e-commerce payments) and, more
recently, in the enterprise authentication market. The integrated products are now offered under the
CA Advanced Authentication name, as hosted managed services, server software and SDK/APIs for
direct integration into target systems, and CA AuthMinder as-a-Service (formerly Arcot A-OK) as a
multitenanted cloud-based service. One of CA Technologies' distinctive features is ArcotID, a
proprietary X.509 software token technology that protects the credentials on the endpoint device
and binds them to the device.
The ex-Arcot portfolio also includes e-payment card authentication, secure electronic notification
and delivery, and digital signature integrated with Adobe Acrobat. The acquisition also gave CA
Technologies an established cloud services infrastructure and expertise for cloud delivery of other
identity and access management (IAM) offerings.
CA Technologies offers OTP hardware tokens from Gemalto and others. (Like other OATH-
compliant vendors, it can support other OATH-compliant tokens.)
Strengths
■ Overall, CA Technologies has one of the strongest product or service offerings. CA Advanced
Authentication tightly integrates the adaptive access control capabilities of its WFD tool, CA
Arcot RiskFort, its WFD tool, with the authentication component, CA Arcot WebFort (soon to be
renamed CA AuthMinder).

■ CA Technologies clearly articulated good market understanding and product/service strategy,
as well as market, sales and geographic strategies. (This is where Arcot's acquisition by CA
Technologies has had the most significant impact on the vendor's position in the market.)
■ Although it has a very small market share by customer numbers in comparison with other
vendors in this Magic Quadrant, CA Technologies is used by more than 100 million end users.
■ CA Technologies came out well in the pricing scenarios, and was among the lowest-cost
options for Scenarios 2, 3, 4 and 5. Notably, it offers zero-cost OTP software tokens for mobile
phones.
■ Reference customers typically cited functional capabilities and good feedback from reference
implementations as important decision factors. (However, some were unsure about
recommending CA Technologies to their peers.) Reference customers were fairly satisfied with
CA Technologies' customer support.
Cautions
■ CA Technologies is not as well-suited for SMBs, because its direct sales force typically does
not do deals with an end-user count below 1,000.
■ The majority of CA Technologies' customers are in the Americas (with the bulk likely in North
America).
■ Reference customer comments raised concerns about technical integration with existing
infrastructure components and other implementation issues.
Cryptocard
Cryptocard, based in Ottawa, Canada, and Bracknell, U.K., has focused on the enterprise
authentication market since 1989, often positioning itself as the lower-cost alternative to the market
leaders. In 2006, Cryptocard merged with WhiteHat Consulting, adding a managed authentication
service to its portfolio.
Cryptocard now offers three core products and services: Blackshield Cloud, a multitenanted cloud-
based service; Blackshield Server, application software intended to run on one or more server
instances; and Blackshield Service Provider Edition, a software application that service providers
can use to create their own hosted versions of Blackshield Cloud.
Strengths
■ Cryptocard clearly articulated a good product/service strategy, coupled with strong technical
innovation, as well as strong marketing, vertical industry and geographic strategies. It also
demonstrated good market responsiveness.
■ Cryptocard came out fairly well in the pricing scenarios, and was among the lowest-cost
options for Scenario 2.

■ Reference customers typically cited functional capabilities and expected performance and
scalability as important decision factors. They liked Cryptocard's Active Directory
synchronization and broad range of "token" form factors (including OOB authentication
options). In addition, they were fairly satisfied with Cryptocard's customer support.
Cautions
■ Cryptocard has few customers in the Asia/Pacific region.
■ Reference customer comments raised concerns about ease of migration from Crypto-MAS to
the Blackshield cloud-based service.
DS3
Founded in 1998 as RT Systems, this Singapore-based company changed its name to Data
Security System Solutions (DS3) in 2001 to better reflect its market focus. In 2010, it raised
institutional funding to expand and execute on its vision to provide solutions that will meet the user
and data authentication requirements for different customer segments, different industries and
different use cases.
DS3 offers DS3 Authentication Server as a hardware or software appliance for large-scale B2B/B2C
deployments (launched in 2004); DS3 Authentication Security Module as a hardware appliance for
smaller enterprise intranet implementations; DS3 Authentication Toolkit, an SDK/APIs for direct
integration in banking (or other) applications (2009); and a hosted authentication service (2011). DS3
has a global partnership with IBM Security Services, which offers the DS3 Authentication Server
worldwide under the name "IBM Identity and Access Management Services — total authentication
solution."
DS3 offers OTP and X.509 hardware tokens from RSA, SafeNet, Vasco and others. DS3's partners
benefit by being able to sell large volumes of tokens without the overheads of selling and
supporting their own authentication infrastructure products.
Strengths
■ DS3 clearly articulated a good sales strategy and demonstrated good market responsiveness.
Notably, DS3 responded positively to the financial crisis in 2008, when sales to banks slowed
significantly, by expanding into other vertical industries, with some success.
■ DS3 Authentication Server has one of the widest ranges of supported authentication methods,
including support for multiple OTP token types, and DS3 offers a wide range of authentication
methods. DS3's broad OTP token support is also an advantage for an enterprise migrating from
another vendor's offering, because it allows the continued use of that vendor's tokens for their
remaining lifetime without the need to maintain that vendor's authentication server in parallel.
■ DS3's solutions are very scalable, which Gartner believes was an important factor in DS3's
winning Singapore's National Authentication Framework for a countrywide authentication
service.

■ DS3 came out very well in the pricing scenarios, and was among the lowest-cost options for
Scenarios 1, 2, 4 and 5.
■ Reference customers in financial services typically cited DS3's industry experience and
reputation as important decision factors. Most found that DS3 responds to support requests
fully and promptly. Overall, they were satisfied with DS3's customer support.
Cautions
■ DS3 has a negligible market share by customer numbers. However, it is already used by the
Singapore government and many banks in the region, giving DS3 total end-user numbers of
more than 5 million.
■ The majority of DS3's customers are in the Asia/Pacific region, although its partnership with
IBM has begun to yield a few significant global sales, such as ING Bank in the Netherlands.
■ DS3 did not clearly articulate a strong market understanding or marketing strategy in
comparison with other vendors in this research, or demonstrate strong marketing execution.
■ DS3's offerings lack SAML integration with cloud-based applications and services.
■ Reference customer comments raised minor concerns about the stability of features and
customizability.
Entrust
Entrust, headquartered in Dallas, Texas, is a well-established security vendor offering fraud
detection, citizen e-ID and data encryption tools, in addition to its authentication portfolio. Entrust's
core authentication infrastructure, Entrust IdentityGuard, supports a much broader range of
authentication method than the OTP grid cards that first bore that name. Entrust, a public company
since 1997, was taken private in 2009 by the private equity investment firm Thoma Bravo.
Since 2005, Entrust has offered IdentityGuard Authentication Server as server software. Entrust
offers OOB authentication through a partnership with Authentify.
Strengths
■ Overall, Entrust has one of the strongest product or service offerings in the user authentication
market. IdentityGuard incorporates some adaptive access control capabilities natively and can
be coupled with TransactionGuard for full-blown WFD functions.
■ Entrust was among the lowest-cost options for Scenarios 4 and 5, but its pricing for Scenario 2
was second-highest. We also note that SAML integration to cloud-based applications and
services for IdentityGuard requires a discrete "Federation Module" at an additional cost.
■ Reference customers typically cited functional capabilities and expected performance and
scalability as important decision factors.

Cautions
■ Entrust did not clearly articulate a good market understanding or demonstrate strong market
responsiveness or customer experience in comparison with other vendors in this research.
■ Entrust has a very small market share by customer numbers in comparison with other vendors
in this research. However, it is used by an installed base of approximately 40 million end users.
■ There is no appliance or cloud-based version of IdentityGuard. Entrust tells us that it will be
introducing a cloud-based version early in 2012.
Equifax
Equifax, based in Atlanta, Georgia, has a long history in identity, going back to 1899. It entered the
user authentication market in 2010 with its acquisition of Anakam, a wide-focus authentication
vendor with a market focus on healthcare and government.
Equifax's core offering in this market is the Anakam.TFA Two-Factor Authentication server software,
launched in 2005, which is complemented by tools for identity proofing, risk assessment and
credentialing. In 2011, it launched Anakam.ODI On-Demand Identity, a multitenanted, cloud-based
service that integrates its product offerings with SAML-based federated single sign-on (SSO).
Strengths
■ Although it has negligible market share by customer numbers, Equifax is used by more than 100
million end users.
■ Equifax clearly articulated a good vertical industry strategy and demonstrated its overall
viability.
■ Reference customers in healthcare typically cited Equifax's industry experience and
understanding of their business needs as important decision factors. Reference customers were
satisfied with Equifax's customer support.
Cautions
■ A significant majority of Equifax's customers are in North America, although the company does
have a presence in Latin America and Europe.
■ Equifax did not clearly articulate a strong product/service strategy, strong technical innovation
or a strong sales strategy in comparison with other vendors in this research.
■ Only Equifax's Anakam.ODI On-Demand Identity offering provides SAML integration to cloud-
based applications and services.

Gemalto
Amsterdam-based Gemalto, formed in 2006 by the merger of Axalto (formerly the smart card
division of Schlumberger) and Gemplus, is a leading smart card vendor, with a strong presence in
the authentication market. It offers OTP tokens, as well as smart tokens. With the acquisitions of
Xiring's authentication portfolio and, in particular, of Todos, Gemalto has broadened the range of its
offerings in the financial services industry, which it has identified as a key market. Other recent
acquisitions relevant to its authentication portfolio include Trusted Logic (a provider of open, secure
software for consumer devices and digital services), Valimo (a pioneer in mobile digital ID, with
solutions that enable secure authentication, digital signatures and transaction verification) and
Multos International (originator of the Multos smart card OS).
Gemalto's core infrastructure products are Protiva Strong Authentication Server (server software)
and Protiva Strong Authentication Service (a hosted managed service), as well as the Ezio System
(server software for financial services and e-commerce) from the Todos acquisition.
Strengths
■ Gemalto came out well in the pricing scenarios, and was among the lowest-cost options for
Scenarios 1, 3 and 5. (However, it did not provide a quotation for Scenario 2.)
■ Gemalto demonstrated significant growth in its OTP token product lines, and has established
itself as a credible provider of these authentication methods.
■ Reference customers were fairly satisfied with Gemalto's customer support, and their
comments about the products were generally positive.
Cautions
■ Gemalto did not clearly articulate good marketing strategy or technical innovation.
■ Although Gemalto is widely recognized as a leading smart card vendor, the company is rarely
cited by Gartner clients in calls about authentication, generally.
i-Sprint Innovations
Singapore-based i-Sprint Innovations was founded in 2000 by ex-Citibank security professionals
and is backed by global institutional investors. It was acquired in 2011 by Automated Systems
Holdings Ltd. (ASL), a subsidiary of Teamsun. The companies are listed in the Hong Kong Stock
Exchange and Shanghai Stock Exchange respectively. The purchase bodes well for the expansion
of i-Sprint's offerings into the Chinese market, given the Multi-Level Protection Scheme (MLPS) in
China, which obliges companies to use only domestic security solutions.
Its AccessMatrix Universal Authentication Server (UAS), launched in 2005, is part of an integrated
set of server software products, which also includes ESSO, WAM and SAPM tools.
i-Sprint offers OTP hardware tokens from ActivIdentity, Gemalto, SafeNet, Vasco and others. (Like
other OATH-compliant vendors, it can support other OATH-compliant tokens.)

Strengths
■ AccessMatrix UAS has one of the widest ranges of supported authentication methods,
including support for multiple OTP token types, and i-Sprint offers a wide range of
authentication methods.
■ i-Sprint clearly articulated a good product/service strategy, coupled with strong technical
innovation, and it demonstrated good customer experience. Reference customers were very or
extremely satisfied with i-Sprint's customer support.
■ i-Sprint was among the lowest-cost options for Scenarios 4 and 5.
■ Reference customers in financial services typically cited i-Sprint's industry experience,
conformity to technical standards, and pricing model or TCO as important decision factors.
They praised the robustness, maturity and sophistication of the product.
Cautions
■ i-Sprint has a negligible market share by customer numbers (although it is used by several
million end users).
■ i-Sprint did not clearly articulate a strong market understanding or sales strategy in comparison
with other vendors in this research.
■ The majority of i-Sprint's customers are in Asia/Pacific. Although its acquisition by ASL and
likely future growth in China will only reinforce this bias, ASL may well provide the resources to
enable significant overseas growth.
■ Reference customer comments raised some concerns about the complexity of UAS's
administration interface and the suitability of audit reports for business users.
Nordic Edge
Sweden-based Nordic Edge was founded in 2001 and acquired by Intel in early 2011. Nordic Edge
provides a broad range of IAM solutions, from provisioning of user information and SSO to software
as a service (SaaS), as well as its wide-focus authentication offering.
Nordic Edge's core product is the Nordic Edge One Time Password Server, which can be delivered
as server software, an SDK/API for Java and .NET/COM, and an on-demand Web service. Nordic
Edge Opacus is also offered to service providers for them to offer a cloud-based authentication
service as part of ERP, CRM and business intelligence cloud services, and this approach represents
approximately 5% of its customers.
Nordic Edge offers OTP hardware tokens from Feitian Technologies and Yubico. (Like other OATH-
compliant vendors, it can support other OATH-compliant tokens.)

Strengths
■ Nordic Edge was among the lowest-cost options for Scenarios 2, 4 and 5. Notably, OTP
software tokens for mobile phones are included in its OTP Server offering.
■ Reference customers typically cited Nordic Edge's industry experience, conformity to technical
standards, and expected performance and scalability as important decision factors. Some
reference customers highlighted Nordic Edge's flexibility, scalability and ease of installation.
■ Reference customers were, on average, very satisfied with the vendor's customer support, and
noted that it always dealt with technical support requests fully and promptly.
Cautions
■ Nordic Edge has a negligible market share by customer numbers. (However, it is used by more
than 1 million end users.)
■ Nordic Edge did not clearly articulate a strong marketing strategy or demonstrate strong market
responsiveness in comparison with other vendors in this research.
■ The majority of Nordic Edge's deployments are in companies with fewer than 1,000 users.
PhoneFactor
PhoneFactor, based in Overland, Kansas, and established in 2001 as Positive Networks, has offered
its multitenanted, cloud-based OOB authentication service since 2007. PhoneFactor provides
agents for target system integration to VPNs, HVDs, Web applications and other systems, and an
SDK/API for integration with Web application login and transaction processes. In conjunction with a
third-party WFD tool, PhoneFactor can be used to authenticate high-risk logins or for transaction
verification.
Strengths
■ PhoneFactor is the OOB authentication vendor most frequently cited by Gartner clients.
■ PhoneFactor is one of the few OOB authentication vendors that does not pass an OTP over the
data channel in either direction, with all authentication information being exchanged over the air
by the voice or SMS channel, making it less vulnerable to man-in-the-middle attacks.
■ PhoneFactor was among the lowest-cost options for Scenarios 2 and 5.
■ Reference customers typically cited PhoneFactor's functional capabilities and expected
performance and scalability as important decision factors. PhoneFactor's ease of
implementation and management were explicitly mentioned. Reference customers were very
satisfied with the vendor's customer support, and noted that it always dealt with technical
support requests fully and promptly.
■ Phone Factor offers a free version of its service, restricted to 25 users for one or two
applications, with no time limit. This may provide a complete solution for some SMBs, but it
also offers a low-risk proof of concept for any company seeking a larger implementation.

Clients tell us that nearly all proof-of-concept implementations are converted to full enterprise
licenses.
Cautions
■ PhoneFactor offers only phone-based authentication (OOB authentication, as well as a software
token using push notification that was released in late 2011).
■ The company has very small market share by customer numbers in comparison with other
vendors in this research (but is one of the larger pure-play, phone-based authentication
vendors).
■ PhoneFactor did not clearly articulate good market understating, product/service strategy or
marketing, vertical industry or geographic strategies, nor did it demonstrate strong market
responsiveness in comparison with other vendors in this research.
■ Reference customer comments raised some concerns about technical integration with some
existing infrastructure components.
Quest Software
Quest Software, based in Aliso Viejo, California, offers a wide range of Windows, application,
database and virtualization management tools. It has recently strengthened its IAM offerings with
the acquisition of Voelcker Informatik. Its authentication offering is the Defender product line
(offered in succession since 1995 by AssureNet Pathways, Axent Technologies, Symantec and
PassGo Technologies).
The company's core infrastructure product is Quest Defender Security Server, delivered as security
software. Defender offers OTP hardware tokens from ActivIdentity, SafeNet, Vasco, Yubico and
others. (Like other OATH-compliant vendors, it can support other OATH-compliant tokens.)
Strengths
■ Quest Software has relationships with several of the leading token manufacturers, which enable
it to support one of the widest selections of OTP hardware tokens, as well as OTP software
tokens and other methods. This is an advantage for an enterprise migrating from another
vendor's offering, because it enables the continued use of that vendor's tokens for their
remaining lifetime, without the need to maintain that vendor's authentication server in parallel.
■ Quest Software clearly articulated a good marketing strategy and demonstrated good
marketing execution.
■ Quest Software was among the lowest-cost options for Scenarios 2 and 4. Some reference
customers indicated that its TCO can be significantly lower than its major competitors', owing
to, for example, reduced infrastructure requirements.
■ Reference customers typically cited Defender's functional capabilities and pricing model or
TCO as important decision factors. Reference customers were very satisfied with the vendor's

customer support, and noted that it always dealt with technical support requests fully and
promptly.
Cautions
■ Quest has negligible market share by customer numbers and is used by fewer than 200,000 end
users. The majority of Quest Software's deployments are in companies with fewer than 1,000
users.
■ Quest Software did not clearly articulate a strong product/service strategy or geographic
strategy, nor did it demonstrate strong market responsiveness in comparison with other
vendors in this research.
■ Defender Security Server lacks SAML integration with cloud-based applications and services.
■ Quest Software offers no appliance or cloud-based delivery options.
RSA, The Security Division of EMC
RSA, The Security Division of EMC, which is based in Bedford, Massachusetts, has a long history in
the authentication market. Security Dynamics was founded in 1984, and began shipping its SecurID
tokens in 1986. Security Dynamics acquired RSA Data Security in July 1996, to form RSA Security.
In 2006, RSA was acquired by EMC. Other acquisitions have provided RSA with a broad portfolio of
access and intelligence products.
RSA's flagship infrastructure product is RSA Authentication Manager (formerly ACE/Server), which
is now offered as either server software or a hardware appliance. It also offers RSA SecurID
Authentication Engine, a Java/C++ SDK/API for direct integration into applications and portals.
From its acquisitions of Cyota (2005) and PassMark Security (2006), RSA has a WFD product, RSA
Adaptive Authentication. It also offers RSA Adaptive Authentication for the enterprise, which can be
used as part of an enterprise's layered authentication approach. The risk engine from RSA Adaptive
Authentication is combined with RSA SecurID on-demand OOB authentication in the RSA
Authentication Manager Express hardware appliance, launched in 2010 and targeted at remote
access use cases in SMBs or small deployments in enterprises.
From its acquisition of Verid (2007), RSA Identity Verification provides identity proofing for new
account registration, but can also be used for authentication of infrequent users (who would be
unlikely to remember legacy password) and call center caller verification.
RSA offers OOB authentication through a partnership with Authentify.
The Impact of the RSA Breach
In March 2011, RSA was successfully attacked by what Gartner believes to have been two China-
based hacking groups, at least one of which has a history of going after U.S. defense companies.
We have inferred that the breach exposed the token records of all then-extant RSA SecurID
hardware tokens, including the seed values used to generate the OTPs, allowing the attackers to

successfully masquerade as legitimate users. We believe that this formed the basis of the
subsequent (unsuccessful) attack against Lockheed Martin. That attack prompted RSA to offer
replacement hardware or software tokens to its customers — all hardware tokens shipped after a
brief hiatus following the attack are not compromised, and software tokens were never exposed —
and we understand that many customers have replaced their tokens. (RSA tells us, however, that a
"significant majority" have not.) The cost to RSA of replacing these tokens is estimated at $60
million. However, RSA has been impacted by the breach in other ways.
Since the breach, many Gartner clients have told us that they are looking at alternatives to RSA
SecurID hardware tokens, but this is only sometimes because of the security concerns. In the
majority of cases, the breach has prompted the company to review its historical decision to adopt
RSA SecurID, leading the company to seek alternatives that offer a similar, or sometimes lower,
level of assurance with lower TCO or better user experience — something that has long been a
popular topic in client inquiries. Furthermore, we believe that RSA has lost much goodwill among
some of its customers because of poor communication regarding the nature and impact of the
breach (even though they might understand why RSA has focused its attention on its defense
customers, which it believed were most at risk), the time RSA took to offer replacement tokens
(although we believe that RSA would not have had the manufacturing capacity to do this any earlier)
and to fulfill replacement requests (with several clients receiving their replacements over a period of
months), and the contractual terms for the replacements (although we understand that RSA cannot
provide free replacements under U.S. General Services Administration rules). These customers are
likely to be looking hard at alternatives to RSA in the coming years. Nonetheless, it is highly likely
that customer attrition will remain relatively small, given the "stickiness" of RSA SecurID
deployments (because of the breadth of technical integration RSA offers) and, increasingly, a shift
toward RSA SecurID software tokens and adaptive access control (especially if and when RSA
integrates its risk engine into RSA Authentication Manager).
Strengths
■ Gartner estimates that RSA has a market share by customer numbers of about 25%, although
this is appreciably lower than the previous year. (Note that this market share is based on 2010
numbers, and does not reflect any impact of the breach discussed above.) Overall, RSA is used
by tens of millions of end users.
■ RSA is seen as the principal competitor by the majority of vendors in this research and has
strong mind share among Gartner clients.
■ RSA demonstrated good overall viability (among the strongest of the vendors discussed in this
research) and good marketing execution.
■ Reference customers in financial services typically cited RSA's industry experience as an
important decision factor. All references also cited the functional capabilities, and some the
expected performance and scalability, of RSA's products. Reference customers noted that the
company generally dealt with technical support requests fully and promptly. Although reference
customers were, on average, fairly satisfied with RSA's customer support, the rankings were
widely spread.

Cautions
■ Although RSA offers a market-leading WFD tool, RSA Adaptive Authentication, and we see
significant enterprise interest in RSA Adaptive Authentication for the Enterprise, these products
are only loosely coupled with RSA Authentication Manager. RSA now offers RSA Authentication
Manager Express, which is aimed at the SMB market and combines the risk engine from RSA
Adaptive Authentication with OOB authentication (RSA SecurID On-demand). However, RSA
Authentication Manager still lacks this integration.
■ The majority of RSA's customers are in the Americas (with the bulk likely in North America).
■ RSA Authentication Manager and RSA Authentication Manager Express lack SAML integration
to cloud-based applications and services.
■ Reference customer comments raised some concerns about ease of user management in RSA
Authentication Server (which was often echoed by other vendors' reference customers' reasons
for deciding against RSA).
■ A frequently mentioned reason among other vendors' reference customers for deciding against
RSA Authentication Manager/RSA SecurID was its high cost. In fact, RSA was average or worse
in most of the pricing scenarios, and was the highest-cost option for Scenario 5 by a wide
margin. Although there is certainly a bias because of RSA's presence in the market, a significant
number of client inquiries ask about "lower-cost alternatives to RSA."
SafeNet
SafeNet, based in Baltimore, Maryland, was established in 1983 as Industrial Resource Engineering
and changed its name in 2000. In 2007, SafeNet was acquired by Vector Capital, which also
acquired Aladdin Knowledge Systems two years later. Both firms now trade under the SafeNet
name. Common ownership brings SafeNet's authentication offerings (from the 2004 to 2008
acquisitions of Rainbow Technologies and Datakey) together with those of Aladdin, which had a
much stronger presence in that market segment with its legacy eToken offerings, as well as those
from its acquisitions in 2008 of Eutronsec and the SafeWord product line from Secure Computing
(one of the oldest lines of OTP tokens). SafeNet's other major product lines focus on software rights
management and cryptography for data protection, including hardware security modules (HSMs).
SafeNet has two server software offerings: SafeNet Authentication Manager (SAM), which was
formerly Aladdin's Token Management System, and SafeNet Authentication Manager Express,
which was formerly SafeWord 2008. The latter supports a restricted set of authentication methods
(OTP tokens and OOB authentication via SMS). SAM also provides CM capabilities and federated
SSO to cloud-based applications. SafeNet also offers SafeNet OTP Authentication Engine, an SDK
and API for direct integration of OTP authentication into target systems.
Strengths
■ SafeNet offers a wide range of authentication methods. Overall, SafeNet has one of the
strongest product or service offerings in the market.

■ Gartner estimates that SafeNet has a market share by customer numbers of approximately
20%. Overall, SafeNet is used by tens of millions of end users.
■ SafeNet clearly articulated its technical innovation, as well as good marketing, industry vertical
and geographic strategy, and demonstrated good customer experience. It also demonstrated
good overall viability, market responsiveness and market execution, as well as good customer
experience. Reference customers were very satisfied with SafeNet's customer support (one
remarking that SafeNet had "gone to great lengths") and noted that it generally dealt with
technical support requests fully and promptly.
■ SafeNet came out quite well in the pricing scenarios, and was among the lowest-cost options
for Scenarios 2, 3 and 4; however, it was one of the higher-cost options for Scenario 5.
■ Reference customers' comments about the products were generally positive.
Cautions
■ SafeNet lacks any adaptive access control capability. Gartner sees this as a significant caution
for a vendor with such a strong focus on the financial services market. SafeNet tells us that this
capability is in development and will be released in 2Q12.
■ Although SafeNet has good mind share among Gartner clients, this still attaches to the
SafeWord and (now defunct) Aladdin brand names, rather than to the SafeNet name itself.
Gartner sees this as a continuing marketing challenge for SafeNet in the near term.
SecureAuth
Formed in 2005 as MultiFactor Corporation, this Irvine, California-based vendor changed its name
to SecureAuth in 2010. SecureAuth IEP, which is delivered as a hardware or software appliance,
combines its authentication infrastructure with the SSO capability of a WAM and support for
federation using multiple protocols (see "MarketScope for Web Access Management").
Strengths
■ During the past year, SecureAuth has been one of the authentication vendors most frequently
cited by Gartner clients, typically because of its low cost or ease of installation or because of its
"tokenless" authentication method.
■ SecureAuth IEP is a single platform that integrates user authentication with federated SSO to
cloud-based and Web applications, as well as VPNs. However, Gartner clients rarely cite this as
a decision factor in choosing SecureAuth, and the company's lead with this approach may be
somewhat eroded as other vendors roll out their support for SAML to provide similar federated
SSO capabilities.
■ SecureAuth clearly articulated a good vertical/industry strategy.
■ SecureAuth was among the lowest-cost options for Scenarios 1 and 5, and SecureAuth IEP can
cost less than some stand-alone solutions for federated SSO or user authentication.

Cautions
■ SecureAuth's primary authentication method is a kind of X.509 software token. This is not
something Gartner sees widely used in practice, although SecureAuth does provide simple
implementation of this method, without the constraints of legacy PKI approaches. Although
SecureAuth offers KBA and OOB authentication methods (with out-of-the-box support for
YubiKey and OATH-compliant tokens planned for 1Q12), and provides a flexible way of linking
together multiple methods, relatively few of its customers use any of these other methods as
their primary authentication methods.
■ SecureAuth does not provide high-assurance authentication methods, although it can integrate
third-party methods such as X.509 hardware tokens (for example, PIV cards) to support high-
assurance needs.
■ The vendor has negligible market share by customer numbers. Year-over-year growth has,
however, been exceptionally strong. In this respect, SecureAuth is outperforming most larger
■ SecureAuth did not clearly articulate a strong sales strategy or geographic strategy in
comparison with other vendors considered in this research. Neither did it clearly articulate a
strong market understanding in line with Gartner's view of enterprises' wants and needs across
the market as a whole. Nevertheless, SecureAuth's growth demonstrates that it is addressing
the wants and needs of a segment of the market.
SecurEnvoy
U.K.-based SecurEnvoy, formed in 2003, was one of the first vendors to offer OOB authentication
solutions.
SecurEnvoy offers two server software products that meet the market definition for this Magic
Quadrant: SecurAccess, launched in 2004 and aimed primarily at workforce remote access use
cases, and SecurICE, launched in 2006, which supports secure remote access in the event of a
disaster or other contingency. (Several other vendors support this as part of their standard user
authentication product offering.) In 2009, SecurEnvoy launched SecurCloud, a program for resellers
to deploy an authentication service based on the SecurEnvoy product suite as part of a wider cloud
offering.
In addition, the company offers SecurMail, a simple email encryption tool, and SecurPassword,
which allows secure self-service password reset for Windows using OOB techniques.
Strengths
■ SecurEnvoy clearly articulated a good vertical industry strategy.
■ The vendor provides a range of configuration options for OOB authentication via SMS modes
that enable an enterprise to address operational issues (such as latency and lack of signal) and
balance user experience against a desired level of security.

■ SecurEnvoy came out well in the pricing scenarios, and was among the lowest-cost options for
Scenarios 2, 3 and 4.
Cautions
■ SecurEnvoy has small market share by customer numbers in comparison with other vendors in
this research (but is one of the larger pure-play, phone-based authentication vendors).
■ A significant majority of SecurEnvoy's customers are in Europe. However, a majority of its larger
customers use SecurEnvoy globally.
■ In comparison with the other vendors in this Magic Quadrant, SecurEnvoy did not clearly
articulate a strong geographic strategy, nor did it demonstrate strong overall viability, marketing
execution or customer experience (although no reference customers raised specific concerns).
■ SecurEnvoy's offerings lack SAML integration to cloud-based applications and services.
SecurEnvoy tells us that SAML will be supported via Active Directory Federation Services early
in 2012.
■ SecurEnvoy has no appliance- or cloud-based delivery options; however, these are available
through some channel partners. SecurEnvoy also supports authentication as part of third-party
cloud-based services via its SecurCloud offering.
SMS Passcode
Denmark-based SMS Passcode was established in 1999 as Conecto A/S, a consulting operation
implementing mobile solutions. SMS Passcode OOB authentication, delivered as server software,
was launched in 2005. At the end of 2009, the company sold off its consulting business and
adopted the name of the product.
Strengths
■ SMS Passcode was among the lowest-cost options for Scenario 2.
■ Reference customers typically cited SMS Passcode's functional capabilities as an important
decision factor. Expected performance and scalability, an understanding of business needs,
and pricing model or TCO were often cited as well.
■ Reference customers were mostly extremely satisfied with SMS Passcode's customer support,
and noted that it always dealt with support requests fully and promptly.
Cautions
■ SMS Passcode has a small market share by customer numbers in comparison with other
vendors in this research (but is one of the larger pure-play, phone-based authentication
vendors).

■ Although it has customers in more than 40 countries, a significant majority of SMS Passcode's
customers are in Europe.
■ SMS Passcode offers only OOB authentication. However, despite its name, the company does
support voice modes, as well as SMS modes, through a partnership with TeleSign.
■ SMS Passcode did not clearly articulate a strong vertical industry strategy or demonstrate
strong overall viability in comparison with other vendors in this research. (The vendor's
emphasis is squarely on supporting common workforce access use cases out of the box and
horizontally across all industries.)
Swivel Secure
U.K.-based Swivel Secure was established in 2000 and launched its PINsafe product line in 2003.
Unique to Swivel's offerings is its proprietary enhanced password method, which allows a user to
generate an OTP by combining a known PIN or pattern with a security string or graphic presented
on the login pane or on a mobile phone (functioning as a token). Swivel also offers conventional
OOB authentication with SMS and voice modules.
Strengths
■ Swivel offers the broadest range of delivery options of any provider discussed in this Magic
Quadrant. PINsafe is available as a hardware or software appliance, server software, a
managed service with customer premises equipment, and a multitenanted cloud-based service.
■ Swivel was among the lowest-cost options for Scenarios 3, 4 and 5. Notably, it offers zero-cost
mobile clients (equivalent to OTP software tokens) for mobile phones.
■ Reference customers typically cited Swivel's pricing model or TCO as an important decision
factor. They were very satisfied with the vendor's customer support, and noted that it always
dealt with support requests fully and promptly.
■ Swivel is one of the few vendors in this Magic Quadrant to offer an enhanced password
method, which is popular with many SMBs that are looking for an improvement over legacy
password authentication but do not want or cannot justify "two-factor authentication." In
addition, Swivel uses the same enhanced password method with its phone-based
authentication methods, providing additional assurance compared with competing solutions
that rely on a legacy password or a simple PIN.
Cautions
■ Swivel has very small market share by customer numbers in comparison with other vendors in
this research.
■ Swivel did not clearly articulate a strong market understanding or marketing strategy, or
demonstrate strong overall viability or marketing execution in comparison with other vendors in
this research.

■ A significant majority of Swivel's customers are in Europe. However, these include some sizable
global deployments supporting users in North America and the Asia/Pacific region, as well as in
Europe.
Symantec
Symantec, based in Mountain View, California, has been a publicly traded company since 1989. It
entered the authentication market in 2010 with the acquisition of VeriSign's Identity and
Authentication business. (VeriSign had been spun off from RSA Security in 1995 to focus on PKI
offerings.) The deal allows Symantec to use the VeriSign brand for its identity and authentication
products until 2015, as well as VeriSign's "tick" icon, which has been incorporated into Symantec's
logotype. Symantec has a more coherent and better-articulated vision for Validation and ID
Protection Service (VIP) and adjacent products than VeriSign had.
Symantec VIP (formerly VeriSign Identity Protection Authentication Service) is delivered as a
multitenanted cloud-based service. Symantec also offers a WFD tool, Symantec Fraud Detection
System (FDS), as server software or a hosted managed service. The company also cites "synergies"
with its data loss prevention and encryption products, but Gartner clients are not seeking
authentication solutions in that context.
Symantec offers OTP hardware tokens from ActivIdentity, RSA, SafeNet, Vasco and others, and
OOB authentication through a partnership with Authentify. (Like other OATH-compliant vendors, it
can support other OATH-compliant tokens.)
Strengths
■ Symantec demonstrated good marketing execution, and it is one of the authentication vendors
most frequently cited by Gartner clients.
■ The vendor offers a wide range of authentication methods, including zero-cost OTP software
tokens for mobile phones. However, although Symantec VIP does support OOB authentication,
the majority of its customers use this as a backup for users who cannot use their OTP tokens,
rather than as a primary authentication method.
■ In late 2011, Symantec incorporated the adaptive access control capabilities from its FDS into
VIP to provide what Symantec calls "intelligent authentication."
■ Symantec was among the lowest-cost options for Scenarios 3, 4 and 5.
■ Reference customers typically cited Symantec's functional capabilities as an important decision
factor (one said, "everything is as advertised"). Expected performance and scalability and, for
financial services, industry experience were often cited, as well. One customer called attention
to the flexibility of VIP and the ease of extending it to meet business needs. Some clients tell us
that Symantec VIP is difficult to integrate with target systems; however, all but one of the
reference customers asserted that they had no technical implementation challenges.
■ Reference customers were very or extremely satisfied with Symantec's customer support, and
noted that it always dealt with support requests fully and promptly.

Cautions
■ Symantec has a small market share by customer numbers in comparison with other vendors in
this research. However, its offerings are used by a few million end users, and year-over-year
growth for 2009 to 2010 was exceptionally strong.
■ Symantec did not clearly articulate a strong vertical industry strategy in comparison to other
■ Symantec VIP lacks SAML integration to cloud-based applications and services. Symantec tells
us that this will be provided in the first half of 2012 as part of Symantec O3.
■ Reference customer comments raised some concerns about the reliability of the ID-1 OTP
hardware token.
Technology Nexus
Sweden-based Technology Nexus was founded as a management buyout from Saab Technologies
in 1984. In 2010, it acquired PortWise, another Swedish company, adding PortWise's authentication
portfolio, Web access management and identity federation platform, and SSL VPN tool to its own
PKI-based authentication and other offerings, giving the merged company a broader portfolio of
authentication methods and a broader customer base. (PortWise, under its former name of Lemon
Planet, was one of the first vendors to offer OOB authentication.)
Technology Nexus offers PortWise Authentication Server as server software, PortWise Virtual
Appliance as a software appliance, and Technology Nexus Safe Login as a multitenanted, cloud-
based service and a hosted managed service.
Strengths
■ Although it has only a small market share by customer numbers in comparison with other
vendors in this research, Technology Nexus is used by several tens of millions of end users.
■ Overall, Technology Nexus has one of the strongest product or service offerings in the market.
It includes adaptive access control capabilities through its Policy Service module in PortWise
Authentication Server.
■ Technology Nexus clearly articulated a good geographic strategy, and demonstrated good
customer experience. Reference customers were very satisfied with Technology Nexus'
customer support.
■ Technology Nexus came out well in the pricing scenarios, and was among the lowest-cost
options for Scenarios 1, 2 and 4.
■ Reference customers cited a variety of vendor and product characteristics as important
decision factors. One said that it was "proud" of its decision to implement PortWise
Authentication Server.

Cautions
■ Technology Nexus has relatively few customers in the Americas — less than 20% overall.
■ Technology Nexus did not demonstrate strong market responsiveness and track record in
comparison with other vendors included in this Magic Quadrant.
■ Reference customers typically cited integration into the existing infrastructure as an
implementation challenge. One cited ongoing browser compatibility issues and poor log
management with PortWise Authentication Server.
TeleSign
TeleSign, based in Marina del Rey, California, was established in 2005. It provides an OOB
authentication service — TeleSign Two-Factor Authentication, a multitenanted cloud-based service
— and has a market focus on large global service providers, especially for consumer access, and
several OEM relationships (which include other vendors discussed in this Magic Quadrant). TeleSign
also offers PhoneID, which evaluates the fraud risk of the phone being used for OOB authentication.
Strengths
■ TeleSign sends calls to more than 200 countries and in more than 85 languages. Voice prompts
are localized for native accents to optimize user experience.
■ TeleSign demonstrated good market responsiveness (for example, shifting its marketing
strategy to target large online website and service providers as fraudster activity shifted to
online arenas and social media platforms).
■ TeleSign guarantees "enterprise-level uptime" and asserts that it consistently outperforms this
level of service. TeleSign sends voice calls and SMS messages via multiple routes to ensure
deliverability. The performance and reliability of TeleSign's offering are underscored by the
experience of a major global service provider, which had been using TeleSign only for OOB in
voice mode, but switched over to TeleSign's SMS mode, as well, when it had problems with its
incumbent solution, and never went back.
■ Reference customers typically cited TeleSign's functional capabilities as an important decision
factor. Direct SS7 layer monitoring now enables TeleSign to detect call forward in many areas,
defeating one type of attack against OOB authentication by voice. Product implementation is
"smooth," and operational use is unproblematic. Reference customers were very or extremely
satisfied with TeleSign's customer support, and noted that it always dealt with support requests
fully and promptly.
■ TeleSign came out well in the pricing scenarios. It was consistently among the lowest-cost
options. (Note that this assessment is based on a pricing structure that was introduced in
mid-2011.)

Cautions
■ TeleSign offers only OOB authentication.
■ TeleSign has a small market share by customer numbers in comparison with the other vendors
in this Magic Quadrant, and a significant majority of its customers are in North America
(however, it is used by tens of millions of end users globally).
■ TeleSign did not clearly articulate a good vertical industry strategy (although this is not
necessarily a significant caution given its market focus).
Vasco
Vasco, based in Chicago, Illinois, entered the OTP token market in 1996 with the acquisition of
Digipass, and it continues to use Digipass branding for its portfolio of authentication products.
Other authentication-relevant Vasco acquisitions include Lintel Security in 1996, AOS-Hagenuk in
2005, and Able and Logico in 2006. In 2011, Vasco acquired Alfa & Ariss, enhancing its Digipass as
a Service.
The company is well-established in the financial services market globally, with a substantial
presence in retail banking outside North America, and continues to make significant inroads into
enterprise use cases globally.
Vasco acquired DigiNotar in 2011, not long before the attack that precipitated DigiNotar's
bankruptcy (see "Certificate Authority Breaches Impact Web Servers, Highlighting the Need for
Better Controls"). This has had some impact on Vasco's financial situation, but none at all on the
viability of its Digipass product line.
Vasco offers a number of products and services: Vacman Controller SDK/APIs, which provide direct
integration with online applications, especially in retail banking and online gaming; Identikey Server
as server software (the most widely deployed, by a very wide margin); aXsGuard Identifier and
aXsGuard Gatekeeper as hardware appliances, the latter aimed at SMBs; and Digipass as a
Service, a managed service with customer premises equipment. Authentication method support
varies across these offerings, with aXsGuard Gatekeeper having the most restricted set.
Strengths
■ Vasco offers one of the widest range of authentication methods. Overall, Vasco has one of the
strongest product or service offerings.
■ Vasco clearly articulated a good sales strategy and demonstrated good overall viability and
marketing execution.
■ Gartner estimates that Vasco has a market share by customer numbers of approximately 15%.
Overall, Vasco is used by approximately 10 million users.
■ Reference customers frequently cited Vasco's pricing model or TCO (but see Cautions),
functional capabilities, industry experience (in financial services), expected performance, and
scalability and conformity to technical standards as important decision factors. Several view

Vasco as a strategic partner. Most reference customers were, on average, very satisfied with
Vasco's customer support (with one outlier that was unsatisfied), and noted that it generally
dealt with support requests fully and promptly.
Cautions
■ Vasco lacks any adaptive access control capability. Gartner sees this as a significant caution for
a vendor with such a strong focus on the financial services market.
■ Although Vasco has a mature business globally, the majority of its customers are in Europe.
■ Vasco was only average across the pricing scenarios and was one of the higher-cost options for
Scenario 5 (but note the reference customer comments about pricing models and, particularly,
TCO, cited under Strengths above). We also note that SAML integration to cloud-based
applications and services for Vasco's on-premises offerings is provided by a discrete product,
Identikey Federation Server, at additional cost.
■ Reference customer comments raised some concerns about ease of integration with enterprise
remote access tools and Lightweight Directory Access Protocol (LDAP) directory services.
Yubico
Yubico, based in Stockholm, Sweden, and Palo Alto, California, was established in 2007. Yubico
offers distinctive USB hardware tokens for OTP authentication, along with open-source
infrastructure products and a new cloud-based service. It has a market focus on enterprises,
especially for workforce remote access, and several OEM relationships (which include other
vendors discussed in this Magic Quadrant).
Yubico offers YubiKey Validation Server software for Linux, the baseline open-source offering for
firms that want to build their own authentication server or service. YubiRADIUS VA is a software
appliance in Open Virtualization Format built on open-source components, YubiCloud is a
multitenanted cloud-based service, and YubiHSM is an HSM for securing server-side token keys
(seed values). The YubiKey hardware tokens have a unique, robust form factor and need no client
software, and token keys are held and managed solely by the customer.
Two-thirds of Yubico's customers and partners use the YubiCloud service, with the other third
integrating its low-level library directly into their authentication products or using OATH-compliant
YubiKeys with their existing OATH-compliant authentications systems.
Strengths
■ Gartner estimates that Yubico has a market share by customer numbers of approximately 10%.
Although a significant portion of these are very small implementations, Yubico does have large
enterprise and service provider implementations.
■ YubiKeys can be quickly integrated at a low cost. For example, one small manufacturing
company implemented YubiKeys for its 20 system administrators within one hour for $500.

Yubico came out exceptionally well in the pricing scenarios, with the lowest cost for pricing
Scenarios 1, 2, 3 and 4, although it was more expensive than the majority of competitors in
Scenario 5.
■ Reference customers typically cited Yubico's functional capabilities as an important decision
factor. Expected performance and scalability, and pricing model or TCO, were often cited, as
well. The reference customers were very satisfied with the vendor's customer support, and
noted that it generally dealt with support requests fully and promptly. (However, Yubico did not
demonstrate strong frameworks for managing customer experience in comparison with other
vendors in this Magic Quadrant.)
Cautions
■ Yubico did not clearly articulate a good product/service strategy, sales strategy or geographic
strategy, nor did it demonstrate good marketing execution.
■ The vendor has few customers in the Asia/Pacific region.
■ Yubico's offerings lack SAML integration to cloud-based applications and services. The vendor
tells us that this will be available the first half of 2012.
■ Unlike traditional OTP hardware tokens, YubiKeys require a standard (Type A) USB port, so they
cannot be used with devices that lack them — easily (that is, without an adapter cable) or at all
(for example, with iOS devices). One reference customer raised this issue as a problem with
iPads. Yubico tells us that this issue will be addressed in early 2012, with YubiApp OTP
software tokens for mobile devices, and later in 2012 with YubiKey+ tokens for use with Near
Field Communication-enabled devices.
Vendors Added or Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets
change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or
MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one
year and not the next does not necessarily indicate that we have changed our opinion of that
vendor. This may be a reflection of a change in the market and, therefore, changed evaluation
criteria, or a change of focus by a vendor.
Added
■ Authentify: A U.S.-based OOB authentication service provider with a market focus on financial
services and multiple OEM relationships (which include other vendors in this Magic Quadrant)
■ Equifax: A U.S.-based financial information services provider offering a wide-focus
authentication solution with a market focus on healthcare and government through its
acquisition of Anakam
■ i-Sprint Innovations: A Singapore-based IAM vendor with a market focus on financial services,
offering an integrated set of access products that includes ESSO, WAM and SAPM tools, as
well as a wide-focus user authentication offering

■ Nordic Edge: A Sweden-based IAM vendor, recently acquired by Intel, with a strong focus on
the cloud and a portfolio that includes provisioning of user information and SSO to SaaS, as
well as its wide-focus authentication offering
■ PhoneFactor: A U.S.-based OOB authentication service provider with a market focus on
enterprises, especially for workforce remote access
■ SecureAuth: A U.S.-based vendor offering an integrated user authentication and gateway
product providing SSO to on-premises and cloud-based target systems
■ SecurEnvoy: A U.K.-based OOB authentication service provider with a market focus on
■ SMS Passcode: A Denmark-based OOB authentication service provider with a market focus on
■ Swivel Secure: A U.K.-based authentication vendor with a market focus on enterprises,
especially for workforce remote access, that is often characterized as a phone-based
authentication vendor but has probably achieved greater traction with software-only
implementations of its PINsafe enhanced password authentication methods
■ TeleSign: A U.S.-based OOB authentication service provider with a market focus on large
global service providers, especially for consumer access, and several OEM relationships (which
include other vendors in this Magic Quadrant)
■ Yubico: A Sweden-based company with a market focus on enterprises, especially for workforce
remote access, and several OEM relationships (which include other vendors in this Magic
Quadrant) offering distinctive USB hardware tokens for OTP authentication, along with open-
source infrastructure products and a new cloud-based service
The following vendors were included in the earlier MarketScope, but their names have changed
because of a merger or acquisition:
■ Arcot Systems: now part of CA Technologies
■ PortWise: now part of Technology Nexus.
■ VeriSign: now part of Symantec (the remainder of VeriSign, which focuses on DNS business,
conducts business under the Verisign name; note the lowercase "s").
Dropped
The following vendor failed to meet the inclusion criteria for this year's Magic Quadrant, because of
its small market share by customer numbers:
■ Fujitsu Services: Finland-based Fujitsu Services, a subsidiary of Fujitsu, offers the mPollux line
of authentication products and services. Fujitsu Services supports and offers only a narrow
range of supported authentication methods and is tightly focused on local markets. Notably, it
provides a government-to-citizen authentication service, managed by the Finnish State

Treasury, that spans more than 50 municipalities and agencies. Fujitsu Services may still be an
appropriate choice for enterprises in the Nordic region with more-focused needs.
The following vendors are noteworthy, but were not rated in this Magic Quadrant:
■ AuthenWare: Based in Miami, Florida, AuthenWare offers a practicable behavioral biometric
authentication technology based on typing rhythm (also known as keystroke dynamics). Other
vendors offer this authentication method, but the AuthenWare Technology product is
differentiated by being simple to implement, scalable and robust, as well as providing good user
experience. Many Gartner clients report that they have a positive view of AuthenWare.
(AuthenWare did not meet the inclusion criteria for customer numbers.)
■ DigitalPersona: DigitalPersona, headquartered in Redwood City, California, offers a suite of
solutions that include user authentication and ESSO, as well as full-disk encryption, email/
document encryption and VPN multifactor authentication. DigitalPersona has expanded its
support for other vendors' authentication methods, and these methods integrate with
DigitalPersona's ESSO and VPN components. The company has an OEM deal with HP to
include DigitalPersona's software, rebranded as HP ProtectTools, on HP computers. Although
DigitalPersona's user authentication options can be implemented independently of its ESSO
capabilities, integration is restricted to the endpoint device. (For this reason, DigitalPersona did
not fit the market definition for this Magic Quadrant.)
■ LexisNexis: Dayton, Ohio-based LexisNexis offers InstantID Q&A, a KBA service endorsed by
the American Bankers Association and used by more than 200 financial services and other
organizations worldwide. InstantID Q&A is "powered by" RSA Identity Verification KBA
technology (formerly Verid) and exploits LexisNexis' access to billions of public records and
vast amounts of noncredit data to generate robust verification questions. (LexisNexis was
excluded, because there is no functional modification of the technology licensed from RSA.)
■ ValidSoft: Ireland-based ValidSoft, now a subsidiary of telecommunications vendor Elephant
Talk Communications, offers OOB authentication and transaction verification methods. Its
offering is technically sound, and it has a good track record in enterprise and financial services
use cases, including private and retail banking. (ValidSoft did not meet the inclusion criteria for
customer numbers.)
Inclusion and Exclusion Criteria
The following inclusion criteria apply:
■ Relevance of offering: The offering meets the user authentication market definition detailed
above.
■ Longevity of offering: The offering has been generally available since at least 1 May 2010.
■ Origination of offering: The offering is manufactured or operated by the vendor or is a
significantly modified version obtained through an OEM relationship. (We discount any software,
hardware or service that has merely been obtained without functional modification through a

licensing agreement from another vendor — for example, as part of a reseller/partner
agreement.)
■ Number of customers and end users (including customers of third-party service providers
and their end users): The vendor has either:
■ 200 or more current customers that have been using the vendor's authentication offerings
in a production environment for at least three months
■ 50 or more such customers with a total of 5 million or more end users
Vendors with minimal or negligible apparent market share among Gartner clients, or with no
currently shipping products, may be excluded from the ratings.
Evaluation Criteria
Ability to Execute
Gartner analysts evaluate technology providers on the quality and efficacy of the processes,
systems, methods or procedures that enable IT provider performance to be competitive, efficient
and effective, and to positively impact revenue, retention and reputation. Ultimately, technology
providers are judged on their ability and success in capitalizing on their vision.
Product/Service
We evaluate:
■ The current capabilities, quality and feature sets of one or more on-premises software or
hardware products or cloud-based services that make real-time authentication decisions and
can be integrated with any of a variety of enterprise systems, as well as supporting skills
■ The range and variety of user authentication methods offered or supported, along with the
client-side software or hardware used by end users in those real-time authentication decisions
■ The applicability and suitability of these offerings to a wide range of use cases across different
kinds of users and different enterprise systems
We also evaluate the capabilities, quality, and feature sets of ancillary and adjacent products and
services relevant to enterprises' user authentication needs.
Overall Viability (Business Unit, Financial, Strategy, Organization
We evaluate the organization's overall financial health, the financial and practical success of the
user authentication line of business, and the likelihood that the vendor will continue investing in and
advance the state of the art of the user authentication portfolio, and, if appropriate, will continue
offering the portfolio within the vendor's broader product portfolio.

Sales Execution/Pricing
We evaluate the vendor's capabilities in such areas as deal management, pricing and negotiation,
presales support, and the overall effectiveness of the sales channel, including value-added resellers
and third-party managed service providers.
We evaluate pricing over a number of different scenarios. Clients are increasingly price-sensitive as
they seek the optimal balance of assurance and accountability, user experience, and cost when
selecting new user authentication methods.
Market Responsiveness and Track Record
We evaluate the vendor's demonstrated ability to respond, change direction, be flexible and achieve
competitive success as opportunities develop, competitors act, customer needs evolve and market
dynamics change.
We give particular consideration to how the vendor has embraced or responded to standards
initiatives in the user authentication and adjacent market segments.
Marketing Execution
We evaluate the clarity, quality, creativity and efficacy of programs designed to deliver the vendor's
message to influence the market, promote the brand and business, increase awareness of the
products, and establish a positive identification with the product/brand and organization in the
minds of buyers. This mind share can be driven by a combination of publicity, promotional
initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience
We evaluate the vendor's relationships and services/programs — such as technical support and
professional services — that facilitate customers' successful implementations and use of the
vendor's user authentication offerings.
We consider Gartner client and reference customer feedback.
Operations
We evaluate the ability of the organization to meet its goals and commitments. Factors include the
quality of the organizational structure, including skills, experiences, programs, systems and other
vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria Weighting
Product/Service High
Overall Viability (Business Unit, Financial, Strategy, Organization) Standard
Sales Execution/Pricing High
Market Responsiveness and Track Record Standard
Marketing Execution Standard
Customer Experience Standard
Operations Low
Completeness of Vision
Gartner analysts evaluate technology providers on their ability to convincingly articulate logical
statements about current and future market direction, innovation, customer needs and competitive
forces, and how well they map to the Gartner position. Ultimately, technology providers are rated on
their understanding of how market forces can be exploited to create opportunity for the provider.
Market Understanding
We evaluate the vendor's understanding of buyers' needs and how it translates these needs into
offerings. Vendors that show the highest degree of vision listen and understand buyers' wants and
needs, and can shape or enhance those wants with their added vision.
Marketing Strategy
We evaluate the clarity and differentiation of the vendor's marketing messages, and the consistency
of communication throughout the organization and externally through its website, advertising,
customer programs and positioning statements.
Sales Strategy
We evaluate the vendor's strategy for selling its user authentication offerings that uses the
appropriate network of direct and indirect sales, marketing, service and communication affiliates
that extend the scope and depth of market reach, skills, expertise, technologies, services and the
customer base. In particular, we evaluate business development, partnerships with system
integrators and channel execution.

Offering (Product) Strategy
We evaluate the vendor's approach to developing and delivering its user authentication offerings
that emphasizes differentiation, functionality, and feature sets as they map to current and future
requirements for enterprises across multiple use cases — differentiated not only by level of risk, but
also by business needs and technical, logistical and other constraints.
We consider support for open standards and extensibility to support proprietary authentication
methods offered by other vendors. We also consider support for mobile devices as endpoints and
for access to cloud-based applications and services.
Business Model
We evaluate the soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy
We evaluate the vendor's strategy to direct resources, skills and offerings to meet the specific
needs of individual market segments, including SMBs and vertical industries. We consider the
vendor's focus on supporting different use cases, and if and how it can deliver adjacent products
and services, that are important to different market segments.
Innovation
We evaluate the vendor's continuing track record in market-leading innovation, including early
standards and technology adoption, how well it anticipates and adjusts to changes in market
dynamics and customer and end-user needs, and the provision of distinctive products, functions,
capabilities, pricing models and so on.
Geographic Strategy
We evaluate how the vendor directs resources, skills and offerings to meet the specific needs of
geographies outside its home geography — either directly or through partners, channels and
subsidiaries — as appropriate for each geography and market.

Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria Weighting
Market Understanding Standard
Marketing Strategy Standard
Sales Strategy Standard
Offering (Product) Strategy High
Business Model Standard
Vertical/Industry Strategy Standard
Innovation High
Geographic Strategy Standard
Quadrant Descriptions
Leaders
Leaders in this Magic Quadrant are vendors with a wide-focus user authentication offering with a
solid track record and typically a significant presence in the market. They have a clearly articulated
vision that is in line with the market trends, which is typically backed by solid technical innovation.
Their business strategy and execution are very sound. Vendors in this quadrant can provide a
strong solution for many enterprises across one or many use cases, typically including emerging
needs.
Challengers
Challengers in this Magic Quadrant are vendors with a wide-focus user authentication offering, a
solid track record and typically a significant presence in the market. Their business execution is
generally very sound, although their strategy may not be as strong. They may lack or may not
clearly articulate a vision that is in line with the market trends, although technical innovation may be
sound. Vendors in this quadrant can provide a strong solution for many enterprises across one or
many use cases.
Visionaries
Visionaries in this Magic Quadrant are vendors with a clearly articulated vision that is in line with the
market trends, which is typically backed by technical innovation and a solid business strategy. They

may have a broad- or tight-focus user authentication offering with a steady track record, an
appreciable presence in the market and acceptable business execution. Vendors in this quadrant
can typically provide a quite satisfactory solution for many enterprises across one or many use
cases, typically including emerging needs, or a strong solution focused on one or a few particular
use cases.
Niche Players
Niche Players in this Magic Quadrant are vendors with a broad- or tight-focus user authentication
offering with a steady track record and appreciable presence in the market. They may lack or may
not clearly articulate a vision that is in line with the market trends, although, technically, innovation
may be sound. Their business strategy and execution are acceptable. Vendors in this quadrant can
typically provide a quite satisfactory solution for many enterprises across one or often many use
cases. In this market in particular, it is worth stressing that any Niche Player could offer a solution
that is ideally suited to your needs.
Context
Gartner defines "user authentication" as the real-time corroboration of a claimed identity with a
specified or understood level of confidence. This is a foundational IAM function, because without
sufficient confidence in users' identities, the value of other IAM functions — for example,
authorization and intelligence (audit and analytics) — is eroded. User authentication is provided by a
range of authentication methods and in a variety of ways. It may be natively supported in an OS or
application, or in a directory or access management tool, such as a WAM tool, that spans multiple
applications. Or it may be added to one or more target systems, including OSs and access
management tools, via a third-party component (an API or SDK) that allows it to be embedded
directly in each system, or a discrete authentication infrastructure, either on-premises software or
hardware or increasingly a cloud-based service, which can be integrated with multiple target
systems via standard protocols, such as LDAP, RADIUS or SAML, or proprietary software agents.
This Magic Quadrant evaluates the major vendors that provide such authentication infrastructures,
some of which also provide APIs, SDKs or components (such as smart cards) that can be
consumed by natively supported authentication methods. Many enterprises adopt such tools to
support one or more — sometimes many — use cases, the most common of which are workforce
remote access, especially access to corporate networks and applications via VPN or HVD, and
external-user remote access, especially retail-customer access to Web applications. The same new
authentication method may be used across one or a few use cases; however, the more use cases
an enterprise must support, the more likely it is to need to support multiple authentication methods
to provide a reasonable and appropriate balance of authentication strength, TCO and user
experience in each use case.
Gartner's previous research on this market considered only those user authentication vendors that
offered or supported a wide range of authentication methods, catering to enterprises seeking to
support multiple use cases with a single authentication infrastructure. However, many of those
vendors' customers continue to use their solutions to provide a single authentication method in only

one or a few use cases. Moreover, Gartner client inquiries show that a significant number of
enterprises remain interested in vendors that have a tighter focus — that is, vendors that offer or
support only one type of authentication method. The most significant of these vendors have been
included in this Magic Quadrant.
Enterprise interest in OTP methods, broadly defined, remains high; however, during the past few
years, we have seen a significant shift in preference from traditional hardware tokens to phone-
based authentication methods. Wide-focus user authentication vendors offer all these approaches
and more — typically offering or supporting KBA methods or X.509 tokens (such as smart cards) as
well. Most of the tight-focus vendors offer only phone-based authentication methods, especially
OOB authentication methods.
The 23 user authentication vendors included in this Magic Quadrant are those that have the largest
presence in the market by number of customers or number of end users served. Gartner is aware of
more than 175 user authentication vendors worldwide, but the market is dominated by a far smaller
set of vendors. Just three — RSA, the Security Division of EMC; SafeNet; and Vasco — account for
more than three-fifths of the market by customer numbers. Some of the other vendors are poised to
challenge the major players, but most are essentially "me too" commodity vendors, offering
technically similar solutions and competing more on price than on quality or experience, while
others focus on particular market niches or innovative technologies that may be licensed to major
vendors.
Market Overview
Customer wants and needs for user authentication continue to mature. Enterprises increasingly
recognize the need for authentication with higher assurance than legacy passwords can provide,
across a broader range of use cases, and are addressing that need. Moreover, enterprises are
increasingly aware of the need to find a reasonable and appropriate balance of authentication
strength (assurance and accountability), TCO and user experience in each use case. These factors
are driving the adoption of alternatives to traditional token-based authentication methods that offer
higher levels of assurance, but at a higher cost and with relatively poor user experience.
Although some of the growth in these alternative methods arises from enterprises replacing
incumbent tokens, many enterprises are implementing such methods in one or many use cases for
the first time. These wants and needs are also driving the adoption of authentication methods other
than the few that are typically natively supported (for example, in OSs, applications and WAM tools)
and demand proprietary authentication infrastructures. Although a majority of enterprises remain
focused on one or a few use cases that may be met by a single authentication method from any
kind of vendor, we continue to see modest growth in the number of enterprises taking a strategic
view of authentication and seeking to address a wider range of use cases that demand different
authentication methods with a single versatile, flexible infrastructure.

Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"Adaptive Access Control Emerges"
"Certificate Authority Breaches Impact Web Servers, Highlighting the Need for Better Controls"
"The Five Layers of Fraud Prevention and Using Them to Beat Malware"
"How to Choose New Authentication Methods"
"Gartner Authentication Method Evaluation Scorecards, 2011: Total Cost of Ownership"
"Good Authentication Choices for External User Access"
"Good Authentication Choices for Workforce Local Access"
"Good Authentication Choices for Workforce Remote Access"
"Magic Quadrant for Web Fraud Detection"
"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"
"MarketScope for Web Access Management"
"A Taxonomy of Authentication Methods, Update"
"Where Strong Authentication Fails and What You Can Do About It"

Acronym Key and Glossary Terms
ANSI American National Standards Institute
ASL Automated Systems Holdings Ltd.
B2B business to business
B2E business to enterprise
CA certification authority
CAP Chip Authentication Program
CM card management
DPA Dynamic Passcode Authentication (Visa)
DSS Data Security Standard (PCI)
EMV Europay, MasterCard and Visa
ESSO enterprise single sign-on
FDS Fraud Detection System (Symantec)
FERC Federal Energy Regulatory Commission (U.S.)
HIPAA Health Insurance Portability and Accountability Act (U.S.)
HITECH Health Information Technology for Economic and Clinical Health
HMAC Hash-based Message Authentication Code
HOTP HMAC-based OTP
HSM hardware security module
HSPD-12 Homeland Security Presidential Directive 12
HVD hosted virtual desktop
IAM identity and access management
KBA knowledge-based authentication
LDAP Lightweight Directory Access Protocol

MLPS Multi-Level Protection Scheme (China)
MSSP managed security service provider
NERC North American Electrical Reliability Corporation
NIST National Institute of Standards and Technology
OATH Initiative for Open Authentication
OCRA OATH Challenge-Response Algorithms
OOB out of band
OTP one-time password
PIV Personal Identity Verification
PKI public-key infrastructure
RA registration authority
SAML Security Assertion Markup Language
SaaS software as a service
SAM SafeNet Authentication Manager
SAPM shared account password management
SDK software development kit
SMB small or midsize business
SSL Secure Sockets Layer
SSO single sign-on
TAN transaction authentication number
TCO total cost of ownership
UAS Universal Authentication Server (i-Sprint)
TOTP time-based OTP
VAS versatile authentication server

WAM Web access management
VIP Validation and ID Protection Service
WFD Web fraud detection

Regional Headquarters
Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096
Japan Headquarters
Gartner Japan Ltd.
Aobadai Hills, 6F
7-7, Aobadai, 4-chome
Meguro-ku, Tokyo 153-0042
JAPAN
+81 3 3481 3670
European Headquarters
Tamesis
The Glanty
Egham
Surrey, TW20 9AW
UNITED KINGDOM
+44 1784 431611
Latin America Headquarters
Gartner do Brazil
Av. das Nações Unidas, 12551
9° andar—World Trade Center
04578-903—São Paulo SP
BRAZIL
+55 11 3443 1509
Asia/Pacific Headquarters
Gartner Australasia Pty. Ltd.
Level 9, 141 Walker Street
North Sydney
New South Wales 2060
AUSTRALIA
+61 2 9459 4600
© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. The information contained in this
publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or
adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication
consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed
herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not
provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its
shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/
ombudsman/omb_guide2.jsp.

G01.2012 magic quadrant for user authentication

More Related Content

Similar to G01.2012 magic quadrant for user authentication (20)

More from Satya Harish (20)

Recently uploaded (20)

G01.2012 magic quadrant for user authentication