February 15, 2012 | Updated: February 22, 2012 The Forrester

Making Leaders Successful Every Day

February 15, 2012 | Updated: February 22, 2012

The Forrester Wave™: Risk-Based Authentication, Q1 2012by Andras Cser and Eve Malerfor Security & Risk Professionals

www.forrester.com

© 2012 Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please email [email protected]. For additional reproduction and usage information, see Forrester’s Citation Policy located at www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

For Security & Risk Professionals

ExECUTivE SUMMARyIn Forrester’s 16-criteria evaluation of risk-based authentication vendors, we identified the six significant vendors in this category — CA Technologies, Entrust, iovation, RSA, Symantec, and ThreatMetrix — and researched, analyzed, and scored them. This report details our findings about how each vendor measures up and plots where they stand in relation to each other, to help security and risk professionals select the right solution for their authentication requirements.

TABlE oF ConTEnTSEase Of Use And Cost Of Deployment Drive Use Of Risk-Based Authentication

Risk-Based Authentication looks At login Context As An implicit Second Factor

Five Reasons Why Security And Risk Professionals Are Turning To Risk-Based Authentication

Market landscape: More Fraud Monitoring And Behavior Detection

Risk-Based Authentication Evaluation Overview

Evaluation Criteria

Evaluated vendors Have Market Presence And Success in Selected verticals

Evaluation Analysis

Vendor Profiles

leaders

Strong Performers

Supplemental Material

noTES & RESoURCESForrester conducted lab-based, hands-on evaluations in november 2011 and interviewed six vendor and 12 user companies, including: CA Technologies, Entrust, iovation, RSA, Symantec, and ThreatMetrix.

Related Research Documents“TechRadar™ For Security And Risk Professionals: Strong Authentication, Q1 2012”February 3, 2012

“Atlas Shrugged: Security Pros Must Adjust To The new Realities of A Post-RSA Breach World”november 4, 2011

“Market overview: Fraud Management Solutions”August 25, 2010

“The Forrester Wave™: identity And Access Management, Q4 2009”november 3, 2009

February 15, 2012 | Updated: February 22, 2012

The Forrester Wave™: Risk-Based Authentication, Q1 2012The Six vendors That Matter Most And How They Stack Upby Andras Cser and Eve Malerwith Stephanie Balaouras and Jessica McKee

2

5

6

8

10

www.forrester.com

http://www.forrester.com/go?docid=57314&src=58307pdf







© 2012, Forrester Research, inc. Reproduction ProhibitedFebruary 15, 2012 | Updated: February 22, 2012

The Forrester Wave™: Risk-Based Authentication, Q1 2012 For Security & Risk Professionals

2

EASE Of USE AnD COSt Of DEPlOyMEnt DRiVE USE Of RiSk-BASED AUthEntiCAtiOn

The most recent US Federal Financial Institutions Examination Council (FFIEC) regulations require banks to use stronger, two-factor authentication mechanisms in addition to techniques such as security questions and mutual authentication (training users to only enter their password if they see the image they selected at registration time). FFIEC also added requirements to evaluate the risk of login and post-login transactions.1

These requirements were added because static security questions have been weakened as a security method since fraudsters and cybercriminals can find many security answers, such as your pet’s name or the street you grew up on, in profiles for social media such as Facebook and Twitter. Although traditional strong authentication may involve looking up and supplying a secret from a printed list, typing a secret on a keyboard, or placing one’s finger on a print reader, cost and complexity can slow adoption. This is where risk-based authentication methods can help.

Risk-Based Authentication looks At login Context As An implicit Second factor

Risk-based authentication (RBA) methods observe users’ actions and transaction context silently in order to form a risk score. RBA frequently leads to “stepping up” to a stronger form authentication that the user must explicitly perform.2 Users all over the world, especially those in North America, are frustrated with having to carry hardware tokens to authenticate, and security and risk (S&R) professionals increasingly realize that they should inconvenience a customer, business partner, or employee only if they see an elevated risk of fraud based on the user’s login and transaction context.

For example, if the user logged in 10 minutes ago from China or Eastern Europe and now is trying to log in from Canada or the US, it’s definitely a higher risk transaction. Logging in during normal business hours for the geolocation of the server is also less risky than logging in during off hours, such as 1 o’clock on a Sunday morning. Based on authentication and transaction context, you can build a risk score that estimates how much deviation there is from a “normal” transaction and what you should do (see Figure 1). Typical actions include: 1) allow the user to log in without further authentication; 2) ask for more credentials (two-factor authentication tokens, send SMS text message to the user’s mobile phone); or 3) block the user and, if the risk score is very high, lock them out, too.

© 2012, Forrester Research, inc. Reproduction Prohibited February 15, 2012 | Updated: February 22, 2012


3

figure 1 Build A Risk Score That Estimates Deviation

Source: Forrester Research, Inc.58307

User 1IP address geolocation: USBrowser locale: USTime: 10:10 a.m., TuesdayDevice: Same as always

User 1IP address geolocation: VietnamBrowser locale: VietnamTime: 10:15 a.m., TuesdayDevice: New

User 2IP address geolocation: USBrowser locale: VietnamTime: 1 a.m., SundayDevice: New

Low riskServer in US

High risk

High risk

five Reasons Why Security And Risk Professionals Are turning to Risk-Based Authentication

Why are more S&R professionals turning to RBA? It’s because RBA:

· Is easy to deploy. RBA only has server-side installation and configuration and typically only requires minimal client-side components (JavaScript, ActiveX, etc.). It doesn’t require extensive and costly software package delivery to the user’s front end.

· Works well on mobile devices. Security and risk professionals find that they must increasingly support mobile device logins and security. RBA allows for device fingerprinting on mobile devices just as easily as it does on regular desktops. For high-risk transactions, you can prompt users to authenticate using a software token that is installed on a mobile device. This significantly reduces hardware and general maintenance costs associated with tokens. Software tokens can also perform advanced functions such as transaction-signing for banking transactions.

· Is flexible to use on nonweb channels. While the primary use case of RBA today is on the web channel, given RBA’s excellent capabilities to pick up on behavior anomalies, you can easily adopt the infrastructure for channels such as kiosks, bank branches, and telephone interactive voice response.

· Is easy to use. Users’ experience matters not just for external-facing consumer applications but also for B2B and B2E use cases. Companies’ marketing departments are telling security



4

departments not to interfere with user experience unnecessarily — RBA solves this challenge easily; users don’t see much of what’s happening and their user experience is largely unchanged.

· Is cost-effective. When users use fewer tokens, you will get fewer help desk calls on password resets. Companies that we talked to also mentioned that because RBA integrates with SMS/text message-based, one-time passwords (OTPs) or software OTP tokens installed on mobile devices, they have to buy and maintain fewer physical hardware tokens. This also leads to significant costs savings (see Figure 2).

figure 2 Firms’ Motivations To Deploy Risk-Based Authentication

Source: Forrester Research, Inc.58307

5. Easy to deploy

4. Mobile is everywhere

3. Flexible

2. Easy-to-use

1. Cost-e�ective

One-Time Password

368448

Generate

One-Time Password

173046

Generate

Market landscape: More fraud Monitoring And Behavior Detection

Forrester observes that RBA solutions increasingly integrate with back-end fraud monitoring systems, such as Actimize, Accertify, Retail Decisions, CyberSource, and FICO, which look at and analyze transaction details (amounts, locations, addresses, etc.). This helps better coordinate fraud detection at the time of the login and at the time a user performs the transaction.

In this dynamic and emerging market, most legacy OTP and web single sign-on vendors have offerings in this space, and many device fingerprinting companies offer RBA features. Vendors have been concentrating on: 1) creating reliable device fingerprints for not only desktops but also mobile devices; 2) creating self-learning systems to detect behavioral anomalies; and 3) combining statistical models with rules to establish a risk score.



5

RiSk-BASED AUthEntiCAtiOn EVAlUAtiOn OVERViEW

To assess the state of the RBA market and see how the vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top RBA vendors.

Evaluation Criteria

After examining past research, user need assessments, and vendor and expert interviews, we developed a comprehensive set of evaluation criteria. We evaluated vendors against 16 criteria, which we grouped into three high-level buckets:

· Current offering. Each vendor’s position on the vertical axis of the Forrester Wave graphic indicates the strength of its current product offering. After the vendor’s demonstration of the solution, Forrester requested unfettered access to an online demonstration environment of the solution. Forrester looked at how easy it would be for administrators to manage policies as well as what kind of login and transaction (payment, account creation, etc.) templates existed in the solution. Forrester investigated how the vendor calculates device fingerprints and what kinds of strong authentication methods, web access management, and fraud management solutions the RBA vendor provides and/or integrates with. Finally, Forrester looked at how the solution provides capabilities for fraudulent case management.

· Strategy. A vendor’s position on the horizontal axis indicates the strength of its go-to-market strategy. Forrester looked at how many engineers are developing the solution and how many salespeople are selling it. Forrester also evaluated how differentiated the vendor’s future plans are, customer satisfaction with the vendor’s solution based on actual customer interviews, and IT inquiries. Forrester also placed emphasis on the vendor’s mobile strategy and the available delivery methods (on-premises versus cloud).

· Market presence. The size of the vendor’s bubble on the chart indicates its market presence. Forrester estimated the vendor’s product revenue (excluding implementation services) and measured the solution’s installed base and its growth in terms of number of production customer organizations.

Evaluated Vendors have Market Presence And Success in Selected Verticals

Forrester included six vendors in the assessment: CA Technologies, Entrust, iovation, RSA, Symantec, and ThreatMetrix. Each of these vendors has (see Figure 3):

· Product revenues greater than $2 million. Forrester evaluated vendors that generate more than $2 million annually from selling product. We excluded consulting revenue related to custom and specialized solutions.

· General viability in selected verticals. The solution must have an install base with credible, named references in financial services, healthcare, insurance, public sector, and retail.



6

· Mindshare among our clients. Forrester included vendors whose solutions we regularly hear about in client inquiries in an unsolicited fashion (our clients looked at these vendors on their own and had questions about them, our clients have included these vendors in RFPs on their own, etc.).

Forrester also invited Oracle and 41st Parameter to participate in this survey, but they declined to participate.

figure 3 Evaluated vendors: Product information And Selection Criteria

Source: Forrester Research, Inc.

Vendor

CA Technologies

Entrust

Iovation

RSA

Symantec

ThreatMetrix

Product evaluated

CA RiskMinder (formerly CA Arcot RiskFort)

IdentityGuard

ReputationManager 360

Adaptive Authentication

VIP Fraud Detection Service

ThreatMetrix Prevention Platform

Versionevaluated

v. 2.2.6

v. 10

v. 3.34

v. 6.0.2.1 SP3

v. 4.0

v. 2.3

Versionrelease date

September 2010

June 2011

November 2010

December 2010

April 2011

March 2011

Vendor selection criteria

Product revenues greater than $2 million. Forrester evaluated vendors that generate more than $2 million annually from selling product. We excluded consulting revenue related to custom and specialized solutions.

General viability in selected verticals. The solution must have an install base with credible, named references in financial services, healthcare, insurance, public sector, and retail.

Mindshare among our clients. Forrester included vendors whose solutions we regularly hear about in client inquiries in an unsolicited fashion (our clients looked at these vendors on their own and had questions about them, our clients have included these vendors in RFPs on their own, etc.).

EVAlUAtiOn AnAlySiS

The evaluation uncovered a market in which (see Figure 4):

· RSA and CA Technologies lead the pack. RSA dominated this Forrester Wave because it has a huge customer base that dwarfs other vendors and has been striving to provide customers with a wide selection of authentication methods and tokens and well-rounded case management. RSA also offers a leading data aggregator’s data sources for identity vetting and proofing for out-of-wallet security questions to help organizations meet FFIEC compliance mandate requirements. CA’s acquisition of Arcot signals that it’s evolving from a traditional IAM vendor into not only RBA but fraud management. CA Technologies also offers IDology data sources



7

for identity vetting and proofing for out-of-wallet security questions. CA Technologies offers a single administrative console that manages both the risk-based authentication and strong authentication credentials.

· Symantec, Entrust, ThreatMetrix, and iovation offer competitive options. Entrust has long been a credible RBA and OTP vendor in the government and financial services verticals and has a solid, well-integrated solution. Symantec’s acquisition of the VeriSign Fraud Detection Services, and its integration with the VeriSign Identity Protection authentication-as-a-service and the Symantec Endpoint Protection portfolio, is a promising offering for many organizations trying to meet FFIEC compliance mandate requirements. ThreatMetrix and iovation both have a device fingerprinting and reputation background that they are rapidly expanding into risk-based authentication.

This evaluation of the RBA market is intended to be a starting point only. We encourage readers to view detailed product evaluations and adapt the criteria weightings to fit their individual needs through the Forrester Wave Excel-based vendor comparison tool.

figure 4 Forrester Wave™: Risk-Based Authentication, Q1 ‘12


Go online to download

the Forrester Wave tool

for more detailed product

evaluations, feature

comparisons, and

customizable rankings.

Risky Bets Contenders Leaders

Strong Performers

Strategy Weak Strong

Currentoffering

Weak

Strong

Market presence

CA

Symantec

RSAEntrust

iovation

ThreatMetrix



8

figure 4 Forrester Wave™: Risk-Based Authentication, Q1 ‘12 (Cont.)


CA

Entr

ust

iova

tion

RSA

CURRENT OFFERING Policy administration auditing and rules Templates Login context and device profiling Statistical risk models Two-factor authentication provided Web single sign-on Fraud intelligence integration and information networks Case management

STRATEGY Personnel Future plans Customer satisfaction Mobile strategy Hosted offering Verticals

MARKET PRESENCE Product revenue Installed base

Forr

este

r’sW

eigh

ting

50%10%15%15%15%15%10%10%10%

50%25%20%15%10%15%15%

0%50%50%

3.253.004.003.002.004.004.001.005.00

3.804.003.003.004.005.004.00

4.004.004.00

3.002.003.004.001.004.004.003.003.00

2.853.003.003.003.001.004.00

4.003.005.00

2.403.002.005.003.000.000.005.001.00

3.000.005.005.005.002.003.00

3.003.003.00

3.153.003.003.004.003.003.003.003.00

4.405.004.003.004.005.005.00

5.005.005.00

Sym

ante

c

Thre

atM

etrix

3.053.003.003.005.002.000.004.004.00

3.403.005.003.003.003.003.00

1.502.001.00

2.755.003.005.001.000.000.005.004.00

2.550.004.004.004.002.003.00

3.002.004.00

All scores are based on a scale of 0 (weak) to 5 (strong).

VEnDOR PROfilES

leaders

· RSA extends OTP token market domination to RBA. RSA was able to overcome the fallout of its breach earlier this year and offers a credible and solid RBA product to its customers. The solution offers specific and self-learning models for each protected channel with the solid case management that provides feedback to the statistical model. It has a good integration story with many web access management solutions and provides an SOA-based architecture for easy customer integration. RSA offers adaptive authentication as an on-premises product or hosted solution. The solution has the largest installed base and number of resources supporting it. RSA is somewhat behind others with its transaction-signing software tokens, accessibility of the statistical model to end users, and agility to meet new customer requirements.



9

· CA Technologies has leading hosted RBA capabilities. In 2010, CA Technologies acquired Arcot to boost its security and fraud management capabilities.3 CA can provide the solution not only as an on-premises, perpetual license offering but also as a hosted SaaS solution with per-user and per-transaction pricing. The solution provides strong case management screens with case queues and extensive reporting, which it can integrate with other case management systems that clients have. While CA Technologies’ rule management shines by providing a great complement to the statistical model, only one rule can impact the risk score, which some customers accept but others find too restrictive. The solution has basic built-in link analytics based on a set of predefined dimensions such as device, IP, user, and where applicable, merchant, and can only evaluate arbitrary transaction attributes when integrated by CA Technologies Technical Services.

Strong Performers

· Entrust has a broad set of authenticators and extensive presence in financial services. Of the vendors reviewed, Entrust has the broadest set of brand name authenticators, which caters to firms that want to implement a well-integrated and full-featured RBA solution. It provides a great self-service user interface for end users to manage their tokens (“I left my token at home and want to use a grid-card today only”). Administrators can freely influence and configure what goes into a device ID and how IP addresses are factored into calculating risk scores. The solution provides no real case management today, lacks in full OATH standards support, has no link analytics, and has separate policy management interfaces for IdentityGuard and TransactionGuard.

· Symantec provides extensive statistical models and integration with VIP. The Symantec/VeriSign solution has extensive behavioral analytics modeling with a self-learning and customizable information clustering model. It also allows for dynamic blacklisting of entities and has a strong focus on payment fraud. The solution integrates with the VIP authentication framework of email, SMS, phone (Authentify) challenge mechanisms. It has a very flexible, programming language-like rule design framework and a decent fraud case management interface. The solution does not provide JavaScript collector; all client-side attribute collection is the client’s responsibility, which can lead to some integration challenges. There is no visual interface for link analytics, and using customer-built models can be expensive in terms of integration cost. The product does not provide out-of-the-box integration with commercial web access management solutions and lacks market presence in the retail vertical. The vendor also had the lowest number of customers in production.

· ThreatMetrix provides extensive client- and server-side device analytics. Coming from the device fingerprint and reputation field, the solution has a very strong device identification mechanism that is fairly configurable. The solution provides extensive templates and models for payment, account creation, and login transactions and integrates with CyberSource and Accertify’s fraud management solutions. The company grew its headcount with an acquisition



10

in December 2011. The solution is somewhat behind other vendors on authentication; standalone does not provide its own authentication tokens and does not provide productized integrations with web single sign-on solutions but integrates with ActivIdentity 4TRESS. The vendor’s road map includes identity screening, out-of-band authentication, improved mobile device identification, and an extended library for mobile application support. (Scoring does not reflect ThreatMetrix’s December 2011 acquisition of TrustDefender, an antimalware and secure browsing company).

· Iovation provides an association network and has a great network of fraud integrations. The solution comes with great delegated administration support for policy changes. As a vendor with a pedigree in device reputation, the solution provides extensive capabilities for IP address velocity checking and entity white lists and blacklists. Iovation doesn’t publish the data elements it collects for device identification, but Forrester expects that they are a combination of hardware, software, network, and browser information tags. The solution provides extensive templates for deposits, loans, logins, modify account profile, payment, signup, withdrawal, as well as customer-defined transactions. There is no end user self-service, and the vendor does not provide its own authenticators or out-of-the-box integration with commercial web access management solutions.

SUPPlEMEntAl MAtERiAl

Online Resource

The online version of Figure 4 is an Excel-based vendor comparison tool that provides detailed product evaluations and customizable rankings.

Data Sources Used in this forrester Wave

Forrester used a combination of four data sources to assess the strengths and weaknesses of each solution:

· Vendor surveys. Forrester surveyed vendors on their capabilities as they relate to the evaluation criteria. Once we analyzed the completed vendor surveys, we conducted vendor calls where necessary to gather details of vendor qualifications.

· Product demos. We asked vendors to conduct demonstrations of their product’s functionality. We used findings from these product demos to validate details of each vendor’s product capabilities.

· Independent, hands-on product testing. Forrester also requested unfettered access to vendors’ demonstration environments, where it could “play” with the product, validating its functionality and fit for Forrester’s use cases, as well as testing the user interface and its ease of use.

· Customer reference calls. To validate product and vendor qualifications, Forrester also conducted reference calls with two of each vendor’s current customers.



11

the forrester Wave Methodology

We conduct primary research to develop a list of vendors that meet our criteria to be evaluated in this market. From that initial pool of vendors, we then narrow our final list. We choose these vendors based on: 1) product fit; 2) customer success; and 3) Forrester client demand. We eliminate vendors that have limited customer references and products that don’t fit the scope of our evaluation.

After examining past research, user need assessments, and vendor and expert interviews, we develop the initial evaluation criteria. To evaluate the vendors and their products against our set of criteria, we gather details of product qualifications through a combination of lab evaluations, questionnaires, demos, and/or discussions with client references. We send evaluations to the vendors for their review, and we adjust the evaluations to provide the most accurate view of vendor offerings and strategies.

We set default weightings to reflect our analysis of the needs of large user companies — and/or other scenarios as outlined in the Forrester Wave document — and then score the vendors based on a clearly defined scale. These default weightings are intended only as a starting point, and we encourage readers to adapt the weightings to fit their individual needs through the Excel-based tool. The final scores generate the graphical depiction of the market based on current offering, strategy, and market presence. Forrester intends to update vendor evaluations regularly as product capabilities and vendor strategies evolve.

EnDnOtES1 Go to the Federal Financial Institutions Examination Council for more information about risk management

controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. Source: FFIEC (http://www.ffiec.gov/pdf/authentication_guidance.pdf).

2 While security pros have always known that authentication is a prerequisite for most authorization functions, modern online life is finally demanding stronger forms of authentication than the lowly user-chosen password. To better understand the landscape and the curve of the technologies on the market, see the February 3, 2012, “TechRadar™ For Security Pros: Strong Authentication, Q1 2012” report.

3 At end of February 2012, CA Technologies plans to change the product name to CA RiskMinder v. 3.0.


Forrester Research, Inc. (Nasdaq: FORR)

is an independent research company

that provides pragmatic and forward-

thinking advice to global leaders in

business and technology. Forrester

works with professionals in 19 key roles

at major companies providing

proprietary research, customer insight,

consulting, events, and peer-to-peer

executive programs. For more than 28

years, Forrester has been making IT,

marketing, and technology industry

leaders successful every day. For more

information, visit www.forrester.com.

Headquarters

Forrester Research, Inc.

60 Acorn Park Drive

Cambridge, MA 02140 USA

Tel: +1 617.613.6000

Fax: +1 617.613.5000

Email: [email protected]

Nasdaq symbol: FORR

www.forrester.com

M a k i n g l e a d e r s S u c c e s s f u l E v e r y D a y

58307

For information on hard-copy or electronic reprints, please contact Client Support

at +1 866.367.7378, +1 617.613.5730, or [email protected].

We offer quantity discounts and special pricing for academic and nonprofit institutions.

Research and Sales Offices

Forrester has research centers and sales offices in more than 27 cities

internationally, including Amsterdam, Netherlands; Beijing, China;

Cambridge, Mass.; Dallas, Texas; Dubai, United Arab Emirates; Frankfurt,

Germany; London, UK; New Delhi, India; San Francisco, Calif.; Sydney,

Australia; Tel Aviv, Israel; and Toronto, Canada.

For the location of the Forrester office nearest you, please visit:

www.forrester.com/locations.

www.forrester.com

mailto:[email protected]

Date post:	03-Feb-2022
Category:	Documents
Upload:	others
View:	4 times
Download:	0 times