1. Summary
It’s critical for enterprises to manage how their resources (data, accounts, corporate controlled assets) are accessed—whether resources are local or remote. The growth of software as a service (SaaS), the increase in the number of accounts per individual, and the prevalence of remote work have combined to create a password emergency for enterprises. Employees have dozens of personal and corporate accounts and more passwords than they could possibly hope to remember. So, they record them somewhere: a note stuck to the monitor or under the keyboard, or worse, on a network file share.
That’s the core problem that password management aims to address: how to keep password storage safe and secure while still providing easy access for employees.
The basic architecture of an enterprise password management system is reflected in Figure 1.
Figure 1. Basic Architecture of an Enterprise Password Management System
One vendor in this Radar report offers an on-premises (data center) installation, noted in the product write-up. All others are SaaS-only on the server side. We use the term “service” for all password management solutions, whether hosted by the vendor or run in the customer’s own data center.
The process flow starts when a user logs in to a local client application on a mobile device or desktop. That client validates the user to the password management service and handles all communication with it. The user’s data, including credentials and secrets, is encrypted on the client before it is exchanged with the service.
How data is encrypted is a differentiator for some products, but all of them encrypt. While the service stores sensitive information, what it holds is ciphertext, making it a much less appealing target for attackers. One caveat a practitioner should keep in mind: an attacker who exfiltrates the encrypted vaults can still run offline guessing attacks against them, so the strength of each user’s master password and the cost of the key-derivation function are what stand between a breach of the service and a breach of the vaults. When the same user logs in on a different device, the encrypted data is replicated to that client so all clients stay current.
The service stores only enough to validate access. In most products the master password never leaves the device: the key that protects the vault is derived from it on the client, and only encrypted data is sent to the service. A consequence is that the vendor cannot reset a lost master password, because there is no copy of the key on the server side; a lost master password means a lost vault unless the organization has set up an account-recovery mechanism beforehand. The vendor datastore is therefore protected by client-side encryption, and the service stores and replicates only encrypted data. The same principles apply to the on-premises option, with the service running in the customer’s data center instead of the vendor’s.
In this Radar report, we look at how well password management products address the need to make password storage safe and easy.
As organizations move employees away from password-only access, the importance of two-factor authentication (2FA) and multifactor authentication (MFA) has grown. This is one area we delve into closely, assessing how password management tools help organizations move to these technologies and beyond to passwordless authentication.
While we rate password managers on their support for 2FA and MFA, there is a valid argument that it is no longer two independent factors when the second factor’s seed is stored in the password manager next to the password and is available to whoever can open that account. Please consider your organization’s stance on this topic when reading our evaluations.
Another area where password management can offer significant advantages is secrets management. Secrets, including passwords used by systems rather than people and SSL/TLS certificates and their private keys, have long existed in business IT. But the growth of the internet, combined with the increasing use of access keys for application programming interface (API) access, including infrastructure as a service (IaaS) and SaaS, has caused the number of secrets to grow rapidly. We see secrets management as integral to password management: while dedicated secrets management solutions exist, the underlying technology (encrypted storage with controlled, auditable access) is the same as that required for password management. As such, we don’t have a separate secrets management Radar.
We use the following terms throughout this document when discussing support for the platforms and browsers your employees will want or need password access from:
- Expected platforms: Windows, macOS, Android, iOS
- Expected browsers: Chrome, Microsoft Edge, Microsoft Internet Explorer (IE), Chromium derivatives
If a product in this analysis supports more (or less) than these platforms and/or browsers, we will note that in the individual write-up.
This GigaOm Radar report highlights key password management vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Password Management Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Market Categories and Deployment Types
For a better understanding of the market and vendor positioning (Table 1), we assess how well solutions for password management are positioned to serve specific market segments.
- Cloud service provider (CSP): Solutions in this space are geared toward cloud platforms, with reporting beyond what the end-customer IT organization can see, and hosting on or integration with the cloud offering. We assess offerings on secure side-by-side installation for multiple tenants, security features, and ease of integration with the provider’s services.
- Network service provider (NSP): Solutions in this space are geared toward an NSP, with reporting beyond what the end-customer IT organization can see. We assess offerings on secure side-by-side installation for multiple tenants, security features, and the ability to reset access for an entire account.
- Managed service provider (MSP): Solutions in this space are geared toward an MSP, with reporting beyond what the end-customer IT organization can see. We assess offerings on rebranding, secure side-by-side installation for multiple tenants, security features, entire-account access reset, data services, replaceability, and scalability.
- Small-to-medium business (SMB): In this category we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises, where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
- Large enterprise: Here, offerings are assessed on their ability to support large and corporate-wide deployments. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features to improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
- Public sector: Governments have their own sets of requirements that will often echo those of the private sector but are unique in several ways. Pricing flexibility, multiyear contracts, ability to prove that protection is “good enough,” and massive logging capabilities are all more important in public sector work. Ability to interoperate with older software, while not limited to the public sector, is more common in this environment.
In addition, we recognize the following five deployment models for solutions in this report:
- Physical appliance: This is a box that the user can deploy on their network and either the user or the vendor can manage. The benefit of this option is that the customer architecture can be used to deploy and, if desired, the customer can manage the instance. It’s also physically separate, making removal or replacement somewhat cleaner, if needed.
- Virtual appliance: This refers to a software instance—virtual machine (VM) or container—that the user can deploy and either the user or the vendor can manage. The benefit of this option is that the customer architecture can be used to deploy and, if desired, the customer can manage the instance.
- Cloud image: These solutions are installed in the customer’s cloud, letting customers build cloud or multicloud deployments. Either the customer or the vendor can manage the solution from the cloud. The benefit of this model is that the solution runs in the same cloud architecture as the customer’s other instances and, if desired, the customer manages it under the shared responsibility model.
- Software-only: Software installed through the operating system’s normal installation process. This is the most flexible model, since it can be installed wherever the customer wishes to suit their architecture. In this market, software and SaaS are the two primary modes of installation, with either the vendor installing and managing it on their network or the customer doing so on theirs.
- SaaS: Designed, deployed, and managed by the service provider, these solutions are available only from that provider. The big advantages of this model are its simplicity and its integration with other services the provider offers (functions, for example).
Table 1. Vendor Positioning

Columns CSP through Public Sector are the Market Segment group; Physical Appliance through SaaS are the Deployment Model group. Ratings were rendered as icons in the original and are not reproduced here.

| Vendor | CSP | NSP | MSP | SMB | Large Enterprise | Public Sector | Physical Appliance | Virtual Appliance | Public Cloud Image | Software-Only | SaaS |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1Password | | | | | | | | | | | |
| CyberFOX Password Boss | | | | | | | | | | | |
| Dashlane | | | | | | | | | | | |
| Keeper Security | | | | | | | | | | | |
| LastPass | | | | | | | | | | | |
| NordPass | | | | | | | | | | | |
| RoboForm | | | | | | | | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
3. Key Criteria Comparison
Building on the findings from the GigaOm report “Key Criteria for Evaluating Password Management Solutions,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization.
The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison

Ratings were rendered as icons in the original and are not reproduced here.

| Vendor | Two-Factor & Multifactor Authentication | Employee Provisioning & Deprovisioning | Password Policy Management | Secrets Automation | Advanced Password Sharing | Single Sign-On Integration |
|---|---|---|---|---|---|---|
| 1Password | | | | | | |
| CyberFOX Password Boss | | | | | | |
| Dashlane | | | | | | |
| Keeper Security | | | | | | |
| LastPass | | | | | | |
| NordPass | | | | | | |
| RoboForm | | | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
Table 3. Evaluation Metrics Comparison

Ratings were rendered as icons in the original and are not reproduced here.

| Vendor | Flexibility | Stability & Recoverability | TCO & ROI | Security |
|---|---|---|---|---|
| 1Password | | | | |
| CyberFOX Password Boss | | | | |
| Dashlane | | | | |
| Keeper Security | | | | |
| LastPass | | | | |
| NordPass | | | | |
| RoboForm | | | | |

Legend:
- Exceptional: Outstanding focus and execution
- Capable: Good but with room for improvement
- Limited: Lacking in execution and use cases
- Not applicable or absent
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 2. The resulting chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 2. GigaOm Radar for Password Management Solutions
As the Radar chart in Figure 2 shows, this market is competitive, with most vendors falling into the Challengers circle. Growing demand has accelerated development, so established companies register as innovative simply because they are not resting on their laurels but expanding their products and features. There is a healthy distribution of products from Maturity to Innovation and from Feature Play (products sold as a stand-alone solution to this specific problem) to Platform Play (products offered as part of a larger platform).
1Password is a Leader in the space, offering a strong product that will fit the needs of the average enterprise while offering secrets automation and 2FA that are above the bar. 1Password’s single sign-on (SSO) support is not the best at this time, so that’s a counter-consideration, but not enough to keep them out of the Leader circle. Keeper Security is a Leader in the space at this time, and its product offerings, along with improvements in the works, should be seen as a blueprint for other vendors to follow to move toward the Leader circle—where we have no doubt, based upon the information available to our analysis, some will be joining 1Password and Keeper Security over the next 18 to 24 months.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
1Password
1Password is a SaaS-hosted service that offers several integrated products:
- 1Password SCIM Bridge, which implements System for Cross-domain Identity Management (SCIM) provisioning from SSO/identity providers
- 1Password Events Reporting, which integrates with popular security information and event management (SIEM) tools and provides a REST API
- 1Password Connect, a secrets automation API
- 1Password CLI for scripting access
Combined with integrations to third-party solutions for privacy and MFA, this is a rather comprehensive solution set.
We found the secrets automation product, best-of-breed at the time of this analysis, to be the most forward-looking one in the 1Password portfolio, with the ability to store, protect, automate, and provide API access to the ever-increasing number of secrets that enterprise IT must manage. While all vendors have taken steps to address offline availability, backup, and recovery, 1Password is particularly strong in this area. 1Password automatically backs up locally, then allows the user to back up to the cloud and the user or administrator to issue a recovery command. Like most solutions, when the user or device is offline, the local copy is used until service returns.
1Password’s 2FA integration is solid. This is an odd area for these products because it requires relatively deep integration of outside products. 1Password manages it well, allowing multiple venues to enter 2FA data and autofilling if required.
1Password didn’t support SSO at the time of this analysis, but the release was close enough for us to mention here. Those considering the product should look at the quality of SSO support that’s available. It also doesn’t include robust policy for passwords that users place in the vault: 1Password allows IT to set a variety of policies for the password used to log in to the 1Password system, but a far smaller subset for passwords actually stored within the system. This isn’t a showstopper, however, as password policy importance is very much an organizational question. But if these (SSO and policy for passwords stored in the vault) are important to your organization, other vendors are likely a better choice. One vendor told us, “If users still use a weak password and just refuse to store it in our system to get around strong policies, we’ve still failed.”
Strengths: 1Password’s secrets management and command line tool offer enterprises what they need to keep passwords and secrets out of scripts and source code. As mentioned above, 2FA is a big plus for the product because the default setup (in the browser) is simple and use is automatic.
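What “keeping passwords and secrets out of scripts and source code” looks like in practice, both here and in the secrets management discussion in the Summary, as an added example that is not 1Password’s code, API or reference syntax: a configuration carries references instead of values, a resolver fills them in memory at process start from a secrets backend (an in-memory map stands in for the vendor API), and a small scanner catches the literals that should have been references. The `${secret:...}` placeholder syntax, the store interface and the sample configs are all invented for the example; the AWS access key ID in the sample is Amazon’s published documentation example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SecretStore is the shape of a runtime secrets backend. A vendor's secrets API would
// sit behind this interface; for the example an in-memory map stands in for it.
type SecretStore interface {
	Get(ref string) (string, bool)
}

type MemoryStore map[string]string

func (m MemoryStore) Get(ref string) (string, bool) { v, ok := m[ref]; return v, ok }

// refPattern matches placeholders like ${secret:prod/db/password}. The syntax is
// invented for this example and is not any vendor's reference format.
var refPattern = regexp.MustCompile(`\$\{secret:([^}]+)\}`)

// ResolveReferences fills placeholders at process start, in memory. It fails closed:
// an unknown reference is an error rather than an empty string, so a misnamed secret
// cannot silently ship as a blank password.
func ResolveReferences(template string, store SecretStore) (string, error) {
	var missing []string
	out := refPattern.ReplaceAllStringFunc(template, func(m string) string {
		ref := refPattern.FindStringSubmatch(m)[1]
		v, ok := store.Get(ref)
		if !ok {
			missing = append(missing, ref)
			return m
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unresolved secret references: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

// hardcodedPatterns are cheap checks for literals that should have been references.
var hardcodedPatterns = []struct {
	Rule string
	Re   *regexp.Regexp
}{
	{"credential-literal", regexp.MustCompile(`(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"'\s]{8,}["']`)},
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

type Finding struct {
	Line int
	Rule string
}

// ScanForHardcodedSecrets reports lines carrying a literal credential. A line whose
// value is a ${secret:...} reference is the desired state and is not reported.
func ScanForHardcodedSecrets(source string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(source, "\n") {
		if refPattern.MatchString(line) {
			continue
		}
		for _, p := range hardcodedPatterns {
			if p.Re.MatchString(line) {
				findings = append(findings, Finding{Line: i + 1, Rule: p.Rule})
			}
		}
	}
	return findings
}

// Constructed sample configs: "before" embeds credentials, "after" references them.
const SampleConfigBefore = `db_host = prod-db.internal
db_password = "Tr0ub4dor&3xyz"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
`

const SampleConfigAfter = `db_host = prod-db.internal
db_password = "${secret:prod/db/password}"
aws_access_key_id = ${secret:prod/aws/access-key-id}
`

func main() {
	fmt.Println("before:", ScanForHardcodedSecrets(SampleConfigBefore))
	fmt.Println("after: ", ScanForHardcodedSecrets(SampleConfigAfter))
	store := MemoryStore{"prod/db/password": "s3cr3t-from-vault", "prod/aws/access-key-id": "AKIAIOSFODNN7EXAMPLE"}
	rendered, err := ResolveReferences(SampleConfigAfter, store)
	fmt.Println(rendered, err)
	_, err = ResolveReferences(SampleConfigAfter, MemoryStore{})
	fmt.Println("empty store:", err)
}
```

The rendered configuration exists only in process memory; writing it to disk would recreate the problem the references were introduced to remove, which is why the scanner treats a reference as the passing state and a literal as the finding.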
Challenges: Some enterprises will find the lack of SSO support problematic. If your organization has invested in SSO, confirm the state of 1Password’s SSO support before choosing it. While enforcing policy on what password strengths can be stored in the vault can create its own problems, a reporting tool that lets IT review password strength at the user, group, and enterprise levels helps raise password security.
CyberFOX Password Boss
Password Boss is CyberFOX’s SaaS offering originally aimed at the MSP market. While it still serves MSPs, end users and businesses also can purchase the product. Password Boss supports the expected platforms and browsers, with apps for the required operating systems, and it has a nice guide for getting the password manager autofill to work with Windows desktop applications.
Password Boss has some of the best 2FA/MFA integration in the market, with short and simple steps to add 2FA to a given entry in the vault, and a nice add-on to work with sites that require an 8-digit one-time password (OTP) rather than 6-digit. Overall, the system is designed to make 2FA easy, which is the reason for integrating 2FA into a password manager. For organizations that believe storing both password and secondary authentication in the same place is a bad idea, this will not be a strength. Those organizations can simply not offer the option to store them together.
Password Boss offers Active Directory (AD) and Azure ADS integration, but other options for managing users are absent. For organizations using Microsoft AD, this will work fine, but others should be aware that SSO and ADFS functionality is not available. Password Boss does not support secrets automation in any meaningful way. As with other products that lack this functionality, secrets automation can be done, but the work and process management is entirely up to the customer.
One feature that Password Boss has that most other products do not is emergency access. If enabled by IT, a user can designate another person to access their account. While this can be done manually in other solutions (via “Here’s my master password, don’t lose it.”), we think a built-in solution is better for succession management as an answer to the question, “What if you get hit by a bus?”.
Strengths: MFA and 2FA stand out as Password Boss’s biggest strength. Others offer this functionality, but Password Boss excels at it. The emergency access option is also a strength that stands out in the market, and the ability to turn it on or off at the corporate level makes it all plus and no minus.
Challenges: While AD support is all most organizations need to automate onboarding and offboarding, other options (ADFS and Azure AD, even in pure Microsoft shops) are going to grow in importance, and Password Boss will need to build that support. This extends to SSO, with no support built into the product at the time of this analysis.
Dashlane
Dashlane is a SaaS solution that stores login information in a secured remote environment. Dashlane for Business adds the tools IT needs to manage and monitor users and passwords: onboarding and offboarding, directory integration, limited 2FA/MFA functionality, and reporting.
The system stores a copy of login data on devices associated with a given account, so if connectivity to the Dashlane system is lost, login to other systems is still available. Users are also provided with backup and recovery tools.
Dashlane has consumer roots, and ease of use is important. While it’s not the only product with consumer roots, Dashlane remains focused on making certain that users, be they technical or not, can access their passwords without difficulty.
Dashlane’s approach to password policy is that organizations buy the product for Dashlane’s domain knowledge, so they should not have to define password policy once Dashlane is in place. This is reasonable but depends on the organization agreeing with the product’s policy choices. For example, when a password is entered into the system for the first time, the zxcvbn strength estimator scores it and Dashlane suggests changes to make it stronger. This contrasts with vendors that let IT set a password complexity policy: with Dashlane, IT has no say in the strength requirements and must trust the estimator to enforce passwords strong enough to protect corporate resources. Some organizations will be happy to accept zxcvbn’s scoring as their policy; others will want rules they define themselves. This pushes Dashlane lower in our rating for password policy management, but if the behavior meets your organization’s needs, that lower rating can be safely ignored.
Dashlane does not support secrets automation at this time. If this functionality is important to an organization, we suggest seeking an alternate secrets automation solution independent of password management.
From an enterprise perspective, onboarding and offboarding employees is universally important. Reducing the amount of time required for IT to get employees access to all the accounts they need, and lock them out of those accounts should it become necessary, is on every IT department’s wishlist. Organizations that have SSO deployed will also want integration with password management. Both of these items are available via SCIM provisioning, implemented in Dashlane with its established focus on ease of use for the end user.
Strengths: We view ease of use as Dashlane’s biggest strength. Since every modern organization has some level of employee churn, easy on/off ramps is a plus in our opinion. Another important strength of Dashlane is its multiple approaches to backup and availability. If access to the Dashlane service is lost, logins are not, and backups of end user data can be maintained in case of a corrupted app.
Challenges: Dashlane’s approach to password policy management will be a serious negative for some organizations and should be checked out within your organization before choosing this product. Likewise, the lack of support for secrets automation will be a consideration for some organizations. Bear in mind that password managers are not the only route to secrets automation, so that factor alone should not rule the product out.
Keeper Security
Keeper Security is a SaaS offering composed of four complementary services (plus the expected array of client apps for phones, tablets, and computers):
- Keeper Password Manager for most password functionality
- Keeper Secrets Manager for handling the secrets store and accessing them via code
- Keeper Connection Manager, built on Keeper’s recent acquisition of Glyptodon (the company behind the Apache Guacamole remote desktop gateway), which provides browser-based access to RDP and SSH hosts
- KeeperChat for secure text conversations within the organization
Keeper Connection Manager and KeeperChat are two market differentiating products, and other offerings we analyzed do not have the functionality of these two services. Most of the Keeper solution set is SaaS with local backup; Keeper Connection Manager being the exception. As a gateway to host connections on the local network, Connection Manager is installed locally in a virtual appliance.
Keeper Password Manager makes it relatively easy to store 2FA keys along with logins. Some organizations and users are keen to have this functionality, while others are not. The argument for storing 2FA keys in password management is ease of use, while the argument against it is that if both factors are stored in a single place, then it is no longer 2FA. While both arguments have merit, most customers appreciate the capability, so we’ve rated it positively in our assessment. Customers who do not want to use this functionality can simply tell users not to store keys or OTPs in the same place as passwords.
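The caveat in the paragraph above, and in the Summary’s note on 2FA, is easiest to see with the arithmetic of a TOTP record, so here is an added example that is not Keeper’s code or any vendor’s schema: an RFC 6238 generator run from a vault item that holds both the password and the otpauth seed, next to the relying party’s verification. Whoever can open the record produces both factors. The record layout is an assumption; the seed is the published RFC 4226/6238 test secret, and the HOTP/TOTP values it yields are the RFC’s test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// VaultOTPRecord is the shape of a login item once a user "adds 2FA" to it: site,
// password, and the TOTP seed from the enrolment QR code. Illustrative, not a vendor's schema.
type VaultOTPRecord struct {
	Site, Username, Password string
	OTPAuth                  string // otpauth://totp/... URI
}

// HOTP is RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter set to the number of steps since the Unix epoch.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// SeedFromOTPAuth extracts the base32 seed from an otpauth:// URI.
func SeedFromOTPAuth(uri string) ([]byte, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	s := strings.ToUpper(strings.ReplaceAll(u.Query().Get("secret"), " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(strings.TrimRight(s, "="))
}

// CodesFromRecord is the point of the caveat: whoever can read this one record can
// produce both factors for the site, legitimately or otherwise.
func CodesFromRecord(rec VaultOTPRecord, at time.Time) (password, otp string, err error) {
	seed, err := SeedFromOTPAuth(rec.OTPAuth)
	if err != nil {
		return "", "", err
	}
	return rec.Password, TOTP(seed, at, 30*time.Second, 6), nil
}

// VerifyTOTP is the relying party's side: accept +/- skew steps of clock drift and
// compare each candidate in constant time.
func VerifyTOTP(secret []byte, code string, at time.Time, skew int) bool {
	for i := -skew; i <= skew; i++ {
		t := at.Add(time.Duration(i) * 30 * time.Second)
		if hmac.Equal([]byte(TOTP(secret, t, 30*time.Second, 6)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	rec := VaultOTPRecord{ // constructed record; the seed is the RFC test secret "12345678901234567890"
		Site: "example.com", Username: "alice", Password: "correct horse battery staple",
		OTPAuth: "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example",
	}
	pw, otp, err := CodesFromRecord(rec, time.Now())
	fmt.Println("password:", pw, "otp:", otp, err)
	seed, _ := SeedFromOTPAuth(rec.OTPAuth)
	fmt.Println("relying party accepts:", VerifyTOTP(seed, otp, time.Now(), 1))
}
```

The second factor only adds security against a stolen password if the seed lives somewhere the password does not; once both sit in one record, the vault’s own protection (master password, device, and the 2FA on the vault account itself) is the real second factor.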
Keeper Password Manager allows administrators to set password strength policy for both the Keeper Master Password and passwords generated by the system. Like most of the password managers in this report, it does not enforce length and complexity policy on passwords that users bring to the vault. It does, however, allow password strength to be set per domain, after which the complexity rules are enforced by requiring the user to generate passwords (as opposed to enforcing policy regardless of password source).
A standout feature of Keeper’s solution is password change notifications, which can be delivered to tools like Slack, a SIEM, and Microsoft Teams to keep IT aware of who is changing passwords. If there has been suspicious activity on an account and a password change notification follows, this capability might give IT the extra time needed to lock the account before an attacker can do serious damage.
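One way to act on those notifications, as an added example that is not Keeper’s code or any SIEM’s rule syntax: a correlation that flags a password change when, within a window, the same account saw a burst of failed logins or a successful login from an address not in its baseline. The event schema, the thresholds, and the sample stream are constructed for the example; the idea is that the change notification is the trigger and the login history is the context.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is a minimal normalised record of the kind a SIEM holds after ingesting the
// password manager's notifications alongside identity-provider login logs. The field
// names are constructed for the example, not any vendor's schema.
type Event struct {
	Time  time.Time
	User  string
	Kind  string // "login_failed", "login_ok", "password_changed"
	SrcIP string
}

type Alert struct {
	User   string
	At     time.Time
	Reason string
}

// CorrelatePasswordChanges flags each password_changed event that is preceded, within
// window, by at least failThreshold failed logins for that user or by a successful
// login from an IP the user had not used before the window (the baseline).
func CorrelatePasswordChanges(events []Event, window time.Duration, failThreshold int) []Alert {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })

	var alerts []Alert
	for i, ev := range sorted {
		if ev.Kind != "password_changed" {
			continue
		}
		known := map[string]bool{} // addresses seen in successful logins before the window
		fails := 0
		var newIPs []string
		for _, prev := range sorted[:i] {
			if prev.User != ev.User {
				continue
			}
			if ev.Time.Sub(prev.Time) > window {
				if prev.Kind == "login_ok" {
					known[prev.SrcIP] = true
				}
				continue
			}
			switch prev.Kind {
			case "login_failed":
				fails++
			case "login_ok":
				if !known[prev.SrcIP] {
					newIPs = append(newIPs, prev.SrcIP)
				}
			}
		}
		if fails >= failThreshold {
			alerts = append(alerts, Alert{ev.User, ev.Time, fmt.Sprintf("%d failed logins within %s before password change", fails, window)})
		}
		if len(newIPs) > 0 {
			alerts = append(alerts, Alert{ev.User, ev.Time, fmt.Sprintf("password changed after login from previously unseen IP %s", newIPs[0])})
		}
	}
	return alerts
}

// SampleEvents is a constructed stream: alice's change follows a failed-login burst and
// a login from a new address; bob's change is routine.
func SampleEvents() []Event {
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	return []Event{
		{t0.Add(-48 * time.Hour), "alice", "login_ok", "10.0.0.5"},
		{t0.Add(-72 * time.Hour), "bob", "login_ok", "10.0.0.7"},
		{t0.Add(-10 * time.Minute), "alice", "login_failed", "203.0.113.9"},
		{t0.Add(-9 * time.Minute), "alice", "login_failed", "203.0.113.9"},
		{t0.Add(-8 * time.Minute), "alice", "login_failed", "203.0.113.9"},
		{t0.Add(-5 * time.Minute), "alice", "login_ok", "203.0.113.9"},
		{t0.Add(-20 * time.Minute), "bob", "login_ok", "10.0.0.7"},
		{t0.Add(-1 * time.Minute), "bob", "password_changed", "10.0.0.7"},
		{t0, "alice", "password_changed", "203.0.113.9"},
	}
}

func main() {
	for _, a := range CorrelatePasswordChanges(SampleEvents(), 15*time.Minute, 3) {
		fmt.Printf("%s %s: %s\n", a.At.Format(time.RFC3339), a.User, a.Reason)
	}
}
```

The baseline is built from events older than the window so that a user’s normal address does not look new just because they logged in from it minutes before changing a password; in production the baseline would come from a longer history store rather than the same stream.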
Strengths: Keeper Secrets Manager is a standout solution in the market. If there’s a large need to make infrastructure passwords, cloud secrets, and SSL/TLS certificates available to code without storing them in code, Keeper is a great choice. The options for password and MFA capabilities mean that enterprises can choose to implement what makes the most sense for their needs.
Challenges: While Keeper Connection Manager and KeeperChat are interesting products in their own right, we’re not convinced that either is a good fit with password management in the same way a move into privileged access management (PAM) might be. How Keeper Connection Manager is merged into the organization or product offering, and whether these two products draw attention away from the core functionality of Keeper’s offerings is something for prospective customers to be aware of.
LastPass Business
LastPass Business consists of a SaaS solution with browser plug-ins and apps for the expected platforms. In the same product family, LastPass offers an SSO solution. Like most competitors, the solution offers an offline mode for all clients that have logged in while there was a connection to their servers. That means an internet outage need not stop customers from working.
LastPass has been around longer than most of its peers and is recognized by the entire industry as one of the primary competitors in the space. Many of the things currently considered standard in password management were first implemented at LastPass. At the time of this analysis, LastPass was being spun out of GoTo into an independent company. In our opinion, this is a hopeful step because LastPass was not progressing at the rate of competitors under GoTo’s leadership. Since this spin-off occurred during our analysis, we cannot rate the status and direction of the new company at this time as evidence of such will take months to appear. Prospective customers should watch release schedules and feature plans to gauge motivation and direction as a stand-alone company.
The business version of the product comes with support for SSO, 2FA, password policy, and AD/LDAP integration. SSO support is among the best in the market, with a breadth of options for an organization. Taking advantage of SSO integration varies by SSO solution–as it does with most vendors–but is solid and generally easy to set up. LastPass also offers its own SSO solution that can be integrated if an organization wants both SSO and password management.
The opposite is true of secrets management. While customers and third parties have tried to make storage and retrieval of secrets in LastPass both automated and viable, there appears to be little support for these efforts from the vendor. Specifically, the vault does not have APIs that allow direct access to stored secrets (as would be desired for systems password usage or SSL certificate management), and while users have used fields in password records to store secrets, that is not built-in.
Strengths: LastPass is an established player with a long track record in the space, and is generally stable and complete. User issues on its public boards tend to be about usability and ease of use rather than critical events. SSO is a standout strength; for organizations that need SSO integration, LastPass should be a consideration, whether it comes with the SSO solution or as an integrated feature.
Challenges: Secrets management is a hole in the product that could divert customers elsewhere. Some aspects of 2FA and MFA support feel a bit hacked in, though they work well enough. We see development attention as a potential weakness moving forward due to changes both at the company and within the solution, so prospective customers should pay attention to cadence of updates.
Nord Security NordPass
NordPass is one of several offerings in a more general security product family:
- NordVPN
- NordLayer (network access security)
- NordLocker (file encryption)
- NordPass—offers all of the expected browser extensions plus Firefox, Opera, and Safari, combined with dedicated apps for all expected platforms
If an integrated solution that also helps with network access security, VPN, and encryption is appealing, NordPass should be on your shortlist.
However, it’s important to note that NordPass has no secrets automation solution beyond manually storing secrets in login items. The same is true for 2FA/MFA at the time of this analysis: the Nord Security account itself can be protected with 2FA, but NordPass does not store or generate second-factor codes for the items in the vault. NordPass can hold that information, but only as a manual process. If the important part of 2FA is that it protects the master password that protects all other passwords, then NordPass checks the box.
Other vendors might be a better choice for those wanting to store MFA information along with other credential information within the product. But we note again that storing 2FA information with login credentials is a dubious practice that eliminates the security value of the second factor, so for most organizations, failing to store 2FA information is not really a weakness.
NordPass handles SSO well, allowing users to connect with AD, ADFS, Google, and MFA for ADFS. The same is true for password policy: administrators can set a corporate-wide policy for stored credentials. Not all password management tools let IT enforce password strength for stored passwords, but NordPass offers many strength policies (length, combination of characters, and so on) that IT can implement, which is a noteworthy feature. When implementing strict policies, make certain they are not driving employees to keep weak passwords outside the system, where the policy cannot reach them.
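To make the policy discussion concrete, here is an added example (not NordPass code, and not tied to any vendor's policy engine) that evaluates a constructed vault export against a corporate policy. It goes slightly beyond the length and character-class rules the text mentions by also flagging password reuse across items and long repeated or sequential runs, two checks a reviewer usually wants. The item format and the sample passwords are invented for the example.

```python
"""Evaluate stored vault items against a corporate password policy.

Added example, not NordPass code. The vault export format (a list of
{"name", "password"} dicts) is constructed for this illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 14
    min_classes: int = 3   # of: lower, upper, digit, symbol
    forbid_reuse: bool = True
    max_run: int = 3       # longest allowed identical/sequential character run


CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def char_classes(pw: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(1 for p in CLASS_PATTERNS.values() if p.search(pw))


def longest_run(pw: str) -> int:
    """Longest run in which each character repeats or follows its predecessor by one
    code point ('aaaa', '1234', 'bcdefgh'). Heuristic, not a full pattern check."""
    if not pw:
        return 0
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if (b == a or ord(b) == ord(a) + 1) else 1
        best = max(best, run)
    return best


def evaluate(items: list[dict], policy: Policy) -> dict[str, list[str]]:
    """Return {item name: [violations]} for every item that fails the policy."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for it in items:
        by_password[it["password"]].append(it["name"])

    findings: dict[str, list[str]] = defaultdict(list)
    for it in items:
        name, pw = it["name"], it["password"]
        if len(pw) < policy.min_length:
            findings[name].append(f"length {len(pw)} < {policy.min_length}")
        if (n := char_classes(pw)) < policy.min_classes:
            findings[name].append(f"only {n} character classes")
        if (r := longest_run(pw)) > policy.max_run:
            findings[name].append(f"repeated/sequential run of {r}")
        if policy.forbid_reuse and len(by_password[pw]) > 1:
            others = sorted(set(by_password[pw]) - {name})
            findings[name].append("reused in: " + ", ".join(others))
    return dict(findings)


# Constructed sample export (hypothetical hosts and passwords).
SAMPLE_VAULT = [
    {"name": "crm.example.com",  "password": "Correct-Horse-Battery-42"},
    {"name": "hr.example.com",   "password": "Summer2024!"},        # too short
    {"name": "vpn.example.com",  "password": "Abcdefgh1234567!"},   # sequential runs
    {"name": "wiki.example.com", "password": "Correct-Horse-Battery-42"},  # reused
]

if __name__ == "__main__":
    for item, problems in evaluate(SAMPLE_VAULT, Policy()).items():
        print(f"{item}: {'; '.join(problems)}")
```

Run as a script it prints one line per failing item. Reuse detection is the check most worth keeping even where a vendor already enforces length and classes: a strong password that is shared across several sites is the one a credential-stuffing attack will exploit.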
Strengths: Password policy management is a strength of the NordPass product. If the other solutions in the product portfolio are useful to an organization, integration of these product offerings is also a strength. NordPass supports more browsers than most of its competitors, which will be useful for organizations that do not restrict use to the most popular couple of browsers.
Challenges: NordPass does not have a secrets automation solution, and for organizations needing one, other vendors might be more appealing. There are other routes to secrets automation if it is not a core requirement. At the time of this analysis, support for 2FA/MFA on items stored in the vault is not available. Some customers will want to look elsewhere for access to this functionality.
Siber Systems RoboForm for Business
RoboForm is Siber Systems’s flagship product. Architecturally, the application is available as a SaaS solution and, unlike competitors’ offerings, is also available for an organization to install in its own data center on physical or virtual servers. Some organizations will find this differentiator compelling, and it’s certainly a standout in the market at the time of this analysis. A close second in the architecture space is support for Windows applications. While RoboForm is not the only solution able to autofill Windows apps, it’s one of only a couple of products we analyzed that do so as part of their initial installation.
As with some other vendors, secrets can be stored in RoboForm, but secrets automation is not integral to the solution. While secrets management can be implemented separately, we believe it makes the most sense inside password management solutions because the two share a large portion of their technology. Likewise, SSO is not supported at this time.
RoboForm’s support for 2FA/MFA is among the best in this review: it can serve as an authenticator app or as a store for time-based one-time password (TOTP) secrets. For those wanting enforcement of password strength policies, it’s less appealing. The master password can have comprehensive policies applied, while items stored in the vault cannot. Most vendors make up for not enforcing policy by providing robust reporting to IT about password strength. RoboForm’s reporting is being reworked, so we cannot comment on how robust it will be, and we strongly advise evaluators to focus on the new reporting functionality going forward.
One bit of reporting that’s not set to change is group-usage reporting. While it’s likely that other vendors support comprehensive reporting on groups data, we were impressed with the RoboForm implementation; administrators can see both usage and modification information for shared folders and the items in them. This means that if someone in a shared group gets hacked or goes rogue and starts modifying passwords, IT will know quickly who is responsible and what is happening.
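The value of the shared-folder reporting described above is that it lets IT turn a feed of "who modified what, when" into an alert. As an added example (not RoboForm's reporting or any vendor's export format), the following runs simple detection logic over constructed audit events: it flags any user who modifies an unusual number of shared items inside a short window, the pattern of a compromised or rogue insider resetting passwords, and summarises modifiers per folder. The event tuples, user names and folder names are invented for the example.

```python
"""Detect a burst of shared-folder modifications in vault audit events.

Added example, not vendor code. Event layout (timestamp, user, action,
folder, item) is constructed for this illustration; real exports differ.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical users, folders and items).
SAMPLE_EVENTS = [
    ("2022-05-10T09:00:12", "alice",   "view",   "Shared/Finance",     "bank-portal"),
    ("2022-05-10T09:01:40", "bob",     "modify", "Shared/Finance",     "payroll-saas"),
    ("2022-05-10T13:14:05", "mallory", "modify", "Shared/Finance",     "bank-portal"),
    ("2022-05-10T13:14:31", "mallory", "modify", "Shared/Finance",     "payroll-saas"),
    ("2022-05-10T13:15:02", "mallory", "modify", "Shared/Finance",     "tax-filing"),
    ("2022-05-10T13:15:40", "mallory", "modify", "Shared/Engineering", "ci-admin"),
    ("2022-05-10T13:16:11", "mallory", "modify", "Shared/Engineering", "cloud-root"),
    ("2022-05-10T17:45:00", "alice",   "modify", "Shared/Finance",     "bank-portal"),
]


def parse(events):
    """Turn the raw tuples into (datetime, user, action, folder, item), oldest first."""
    return sorted((datetime.fromisoformat(ts), u, a, f, i) for ts, u, a, f, i in events)


def burst_modifications(events, threshold=4, window=timedelta(minutes=5)):
    """Return {user: sorted item paths} for users with >= threshold 'modify'
    events falling inside any `window`-long span (sliding window per user)."""
    mods = defaultdict(list)
    for ts, user, action, folder, item in parse(events):
        if action == "modify":
            mods[user].append((ts, f"{folder}/{item}"))

    alerts = defaultdict(set)
    for user, entries in mods.items():
        start = 0
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user].update(path for _, path in entries[start:end + 1])
    return {user: sorted(paths) for user, paths in alerts.items()}


def modifiers_by_folder(events):
    """{folder: {user: modify count}}, the per-folder view an admin reviews."""
    counts = defaultdict(Counter)
    for _, user, action, folder, _ in parse(events):
        if action == "modify":
            counts[folder][user] += 1
    return {folder: dict(c) for folder, c in counts.items()}


if __name__ == "__main__":
    for user, paths in burst_modifications(SAMPLE_EVENTS).items():
        print(f"ALERT {user} modified {len(paths)} shared items in under 5 minutes:")
        for p in paths:
            print("   ", p)
```

The threshold and window are tuning knobs; a finance team doing a planned rotation will trip the same rule, so the alert is a prompt to check the change ticket, not proof of compromise. What matters is that the audit feed attributes each modification to a named user, which is exactly what the group reporting the text praises provides.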
Active Directory integration is not as robust as other products in this review, and onboarding is not enabled by AD feeds. This is a significant issue in our evaluation. In other products, the ability to say “Here is a new user; get their groups and core information from Active Directory” is useful both on initial implementation and for ongoing maintenance as employees come and go.
RoboForm is one of the few products in this analysis that supports emergency access: assigning another user to your account for recovery if needed, or as insurance in case you can no longer access your passwords.
Strengths: For organizations that require this functionality, the ability to deploy the RoboForm solution locally to their data center will make this the top choice. No other vendor offers that option at this time. Support for emergency access is also a strength. Few competitors offer emergency access, but this will likely soon change.
Challenges: It has Active Directory integration but does not allow for auto-provisioning, which adds onboarding and offboarding steps. Evaluators should weigh the impact and importance of this extra work. Organizations that require robust password policies for items stored in the system will likely want to look elsewhere, and those that require SSO should not consider this solution.
6. Analyst’s Take
This market in general is mature. Password management has been around for decades, and so have some of the offerings in this report. That does not mean the offerings available today are unchanged. The market has moved toward supporting critical business functions like ADS/LDAP integration, and then moved on again to 2FA/MFA support, and is now clearly headed to supporting passwordless authentication.
In general, the products we looked at are all suitable for basic tasks and should not be dismissed out of hand. It’s easy to assume that the Radar Leaders are always the best solutions, but each product brings strengths and weaknesses that we discuss in detail and should be considered based on your organizational needs.
During our analysis, Google and Microsoft announced that they were “going passwordless” with a new standard. We have been through the “it’s the end of passwords!” story before, and while Google and Microsoft certainly add weight to this theme, a passwordless solution requires the participation of the sites that currently require passwords.
This market is not a panacea, and passwordless access is unlikely to take over the world any time soon. At a minimum, there will be a delay while Google and Microsoft convince others to implement their new standard and while those implementations are completed. This market is still the place to look for password, and eventually passwordless, solutions, and it bridges the gap between the reality of passwords and the dream of a passwordless environment very well.
Speaking of a panacea, evaluators need to be aware of the shortcomings of password management in general. While most of us start by looking at security and the protection of our account data, these vendors have conquered this topic soundly, or they would not be in this analysis. The real issues are at the edges of their control. Once a password is shared, even if it is marked as “recipient cannot see or change password,” the recipient can often see and change the password on the target site or in the target app: the hide flag is enforced by the vault client, but autofill still delivers the plaintext to the recipient’s browser, and the target site’s own change-password function is outside the vault entirely. Clearly, the password manager does not control the password mechanisms of a target site. For systems where IT has complete control, passwords can be more thoroughly protected. But for the broader internet, this just isn’t possible. And employees have accounts across the broader internet.
Still, the level of added protection and management is worth the price of products in this market. Prices are reasonable and so close among products analyzed here that we did not generally consider cost as a TCO and ROI differentiator. That means evaluators can focus on the functionality required for their organization and not on what is in the budget.
7. About Don MacVittie
Don MacVittie has more than 25 years of technology industry experience, working in nearly every IT position in a wide variety of organizations – from tax software developer to insurance industry strategic architect and IT manager at a utility. Don has been an analyst for the last decade, is named on two networking patents, and has co-authored ANSI and ISO standards in geographic information systems. His love is learning about technology, and he will happily discuss technology with anyone.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
9. Copyright
© Knowingly, Inc. 2022 "GigaOm Radar for Password Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.