May 11, 2009, 9:17 AM — Passwords have been standing guard over our computer user accounts seemingly forever; for a long while, and for most purposes, they could go it alone.
But it's no secret that passwords are no longer sufficient as the sole means of granting access to critical networks, applications, and data, particularly as the number of applications requiring passwords at any given firm has skyrocketed. Either passwords are too weak, not changed regularly enough, or written down in a publicly accessible (read: not very secure) place, or they're long enough, complex enough, and changed regularly, and thus impossible to remember.
Organizations have been enacting more stringent measures to protect corporate and customer data from external and internal threats, comply with regulations, and manage information risks. One result is that enterprise security strategies have focused more sharply on managing user identities, access rights, and entitlements, driving a broader movement toward identity and access management (IAM). One of the first things firms recognize is that single-factor authentication (passwords alone) is a weak link in the security chain.
Firms looking to improve their IAM posture and clear the way to implement processes and technologies, like account and credential provisioning and life-cycle management, authorization and entitlement management, single sign-on (SSO), privileged user management, and federation, look to strong authentication as a starting point.
If IAM is analogous to allowing only those people you trust to enter your house, then strong authentication is the first step in the process: putting a lock on your door.
Deciding on a strong authentication solution is basically determining what combination of locks and keys will work best in a particular environment. But this is far from a trivial exercise: Dozens of distinct types of second-factor credentials, such as tokens, smart cards, and biometrics, dot today's marketplace; most of them provide a similar level of security.
But the main question driving the strong authentication marketplace today is not security; it's usability. Users don't like complexity, and they don't like to do something extra that affects their productivity. Companies mandating strong authentication found that employees would circumvent this burden whenever and however possible (like sharing credentials). This poses a problem for vendors and buyers alike: What will end users actually use?
With that in mind, here are three of the trends in the strong authentication market.
A broader range of authentication options. Different users have different needs, depending on whether they're inside or outside the company network and/or its physical premises and what kinds of sensitive information they're allowed to access. Mobile, IT-savvy users needing to access IT resources via remote VPN have different demands, desires, and capabilities than office-bound administrative staff, for example. And buyers want a one-stop shop where they can get everything they need for all of their users, including a credential management back end that handles multiple credential types seamlessly.
Multipurpose, easy-to-use credentials. Hardware tokens and other physical credentials can be unwieldy to carry and use, and carrying several of them becomes really annoying: the "token necklace" problem. Employers have the luxury of mandating that employees use a certain token, but have less authority to extend such mandates to business partners.
Multipurpose credentials have clear benefits, even if those purposes are all internal to the company: for example, using the same card for building access and network access. And any form factor that holds credentials people can use in multiple contexts (think work, bank, eBay, etc.) will gain acceptance more easily. Small wonder, then, that smart cards and USB smart card tokens are the form factors offered by the largest number of vendors.
Collaboration on authentication standards. Several vendors have joined the effort to develop and improve open authentication standards like OATH. This will make it easier for customers to pick and choose the form factors (even from different vendors) that make the most sense for the various types of users among their employee population in terms of security, usability, and cost. It's also an important step on the path to broad-based availability of strong authentication for consumers.
What it means
The strong authentication market is maturing and expanding: Technological innovation is no longer the chief driver. Biometrics, mobile authentication, and PKI solutions are still at the technological forefront, but their bleeding-edge status is long gone. The industry used to sell and differentiate itself on technological innovation, but now reflects the broader trends in the IT and IT security marketplaces: a few major vendors dominating the landscape and filling out their portfolios via acquisition just as often as through organic growth. This is largely due to:
1) The reality of having to serve the masses. Strong authentication has moved well past the early adopter phase. It's no longer characterized by techies bragging about the length of their private key; it's a straightforward and increasingly transparent tool that's necessary to thriving in today's IT security environment. Buyers want an offering from a stable, diversified vendor whose solutions play nice with their existing IT infrastructure and which can bring a wealth of business perspective, professional services, and quality support to the table.
2) Divergent needs of the user community. "Usable" means different things to different people. As such, the market is not going to settle on any one form factor anytime soon. Quite the opposite: Many of the major vendors are adjusting their form factor and management system offerings to deal with the reality that different user populations, even within a single firm, might be better served by using different physical forms of credentials.
3) Broader trends in the IAM market. Identity management trends also affect the strong authentication market. Companies are struggling to comply with regulations, save costs, and improve their administrative efficiency, but don't yet have a strategic vision of how IAM can help improve business processes. Consolidation, bringing more IAM components under the aegis of a single vendor with a breadth of experience and expertise, is one way to dispel the notion of IAM as a disjointed set of technologies serving primarily tactical ends, and the strong authentication market is mirroring that.
This is not to say that there is no technological innovation happening in the strong authentication space. There is. But it's concentrated among smaller companies that can get CIOs excited about being on the cutting edge of technology. Many of these vendors fill gaps in the major players' product lines and will eventually be acquired by one of them as the consolidation frenzy continues; others will disappear eventually, either into their own niche or altogether.
But for now, most enterprise buyers will stick with the few remaining settled vendors, even as the market swells with small vendors looking for their piece of the authentication pie.
Bill Nagel is a Researcher at Forrester Research. Bill will present new Forrester content on strong authentication at Forrester's IT Forum, May 19-22 in Las Vegas.