Overview
Key Findings
■ Access management (AM) vendors are the preferred authentication providers in cloud-first organizations. Those AM vendors able to meet legacy needs may displace incumbent authentication-specific vendors, but authentication specialists may succeed where they can provide added value.
■ User authentication aligns ever more closely with identity proofing and affirmation (IPA), online fraud detection (OFD) and other analytics. These tools enrich adaptive access approaches that can optimize both risk mitigation and UX. Thus convergence within AM-centric platforms is likely.
Recommendations
IAM leaders should:
■ Simplify their user authentication portfolios, to lower costs and provide a more consistent UX for employees and customers, by exploiting the native capabilities of their AM tools across as many use cases as possible.
Market Definition
User authentication provides real-time corroboration of an identity claim by a person accessing an organization’s assets. It is foundational to network, application and data security, because it reduces fraud, mitigates account takeover (ATO) and other identity risks, and addresses regulatory requirements.
The user authentication market is not discrete. It overlaps with other technology markets and capabilities (see Figure 2).
Figure 2 legend: BYOI = bring your own identity; DCI = decentralized identity; IAM = identity and access management; IGA = identity governance and administration; PAM = privileged access management; SSE = security service edge; WAAP = web application and API protection
Tools in each area overlapped by “User Authentication” in Figure 2 can provide some user authentication capability. This may be via a complete tool able to render an authentication outcome (a decision or a “trust score” for adaptive access) or a tool that provides signals that can be consumed by another tool.
Nonpassword knowledge (“type 1”) and third-party biometric (“type 3”) methods are less well represented.
Some vendors offer software and hardware components to support native authentication logic in operating systems and other platforms (for example, for Microsoft Windows interactive smart card login). These vendors may be distinguished as authenticator vendors, when they lack their own authentication decision engine.
Many vendors have now added business policy decision capabilities, ranging from simple conditional rules to machine learning (ML) models, to consume and score recognition, affirmation and risk signals. This shift toward signals has created opportunities for other vendors that focus on signal analytics.
Stand-alone IPA tools can also be used in an authentication flow, but few vendors explicitly target user authentication use cases. The need for IPA for onboarding and identity recovery continues to increase, particularly in customer use cases where attackers can readily outsmart traditional reset processes.
Vendors in other markets — most notably, AM (which we say more about in the following section) — also offer user authentication capabilities, either natively within their primary offering or as a discrete component within an integrated portfolio.
Vendors in any market might offer fully independent, stand-alone tools that fall wholly within the “user authentication” space. For example, some document-centric identity proofing (DCIP) vendors offer discrete biometric authentication tools using the same face recognition capability that they employ for identity proofing.
Market Direction
Access Management: Access to Microsoft 365 and other SaaS applications dominates Gartner clients’ inquiries about user authentication, fueled by concerns about how the shift to the cloud has increased the attack surface and exposed organizations to ATO and other risks. In many cases, the client has been successfully attacked.
Some IAM leaders will seek other user authentication tools when these provide easier management, more granular control or a better UX; integrate better with legacy systems or better address specific use cases or user constituencies; or provide other methods or functionality (such as transaction authorization).
Gartner predicts that FIDO2 methods will dominate in the midterm, with more than 25% adoption within the next three years. However, other passwordless methods and authentication flows are already widely available, many in the infrastructure that organizations already have in place. [7]
Continuous Adaptive Trust (CAT): CAT is Gartner’s conceptual model that stresses the efficacy of combining orthodox, credential-based methods with recognition, affirmation and risk signals (see Figure 1) to provide sufficient trust in an identity claim in a way that optimizes both risk mitigation and UX.
CAT emerges from the confluence of user authentication with IPA, OFD and other analytics within a broader risk-based approach. This approach seeks to dynamically balance trust in a claimed identity against the risk of access in a way that is consistent with zero-trust principles.
CAT is not a product or service but can be realized by the effective orchestration of multiple components, likely with AM tools playing a central role. [8]
UX is not just a “nice to have.” While user authentication might seem only a minor aspect of overall UX, a poor user authentication UX reduces employee agility or increases customer abandonment. Ultimately, it degrades operational performance and decreases business revenue.
IAM leaders should also pay attention to socioeconomic bias, especially with regard to the acceptability and possession of different authenticators. In particular, an increasing market emphasis on smartphones for authentication (and for identity wallets; see below) risks marginalizing the minority that do not own them. [11]
Biometric authentication using face or voice offers a more universal option, given that cameras and microphones are widely available on many devices, including unattended terminals and kiosks. Presentation attacks and privacy concerns are significant but not insuperable barriers to adoption. [12]
Decentralized Identity (DCI): DCI extends the BYOI concept of allowing people to select and use third-party digital identities, giving people the ability to create and control their own digital identities via a wallet app on a smartphone (similar in function and UX to wallet apps used by Apple Pay or Google Pay).
Identity wallets enable people to share assertions about themselves with an organization in a trusted way, without having to disclose sensitive data that is not actually required for any specific interaction. DCI thus reduces the organization’s need to collect and centrally store customer identity data, and therefore reduces risk.
DCI is still emerging but has the potential to provide (among a wide range of other things) an alternative to an organization’s proprietary MFA tools. However, crucially, the trust that DCI can deliver depends on what the wallet custodian itself uses for identity proofing and user authentication (a bootstrapping problem). [13]
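The CAT decision described above, written out as an added example (not Gartner's model in code, nor any vendor's product): a small policy engine that folds a credential outcome together with recognition, affirmation and risk signals into a trust score, weighs it against the risk of the requested access, and chooses allow, step-up or deny. Credential names, weights, tiers and thresholds are illustrative assumptions.

```python
"""Added example, not code from Gartner or any vendor: a minimal Continuous
Adaptive Trust (CAT) style decision engine. It combines the outcome of an
orthodox credential-based method with recognition, affirmation and risk
signals into a trust score, weighs that score against the risk of the access
being requested, and selects an adaptive response (allow, step up or deny).
Weights, thresholds, tier names and signal ranges are illustrative
assumptions, not a published Gartner scale."""
from dataclasses import dataclass
from typing import Dict

# Trust contributed by the credential type used (the guide's Type 1/2/3).
CREDENTIAL_TRUST: Dict[str, float] = {
    "none": 0.0,
    "password": 0.3,        # Type 1: something known
    "otp": 0.5,             # Type 2: OTP token or phone-as-a-token
    "x509_smartcard": 0.8,  # Type 2: PIN-protected X.509 token
    "fido2": 0.8,           # Type 2 with local PIN/biometric, phishing resistant
}
STEP_UP_METHOD = "fido2"  # the method a step-up challenge would invoke

# Trust the resource owner requires for each tier of access risk.
REQUIRED_TRUST: Dict[str, float] = {"low": 0.3, "medium": 0.6, "high": 0.9}

# Above this risk score the engine denies regardless of credentials.
RISK_CEILING = 0.8


@dataclass
class Signals:
    credential: str = "none"
    recognition: float = 0.0  # e.g. known device or behavioral match, 0..1
    affirmation: float = 0.0  # external evidence supporting the claim, 0..1
    risk: float = 0.0         # OFD / anomaly score, 0..1 (higher is riskier)


def trust_score(s: Signals) -> float:
    """Fold the signals into one 0..1 trust score.

    Recognition and affirmation enrich the credential's trust additively;
    the risk signal then attenuates the result multiplicatively, so a strong
    credential presented in a high-risk context still scores low.
    """
    base = CREDENTIAL_TRUST[s.credential]
    enriched = min(1.0, base + 0.15 * s.recognition + 0.10 * s.affirmation)
    return round(enriched * (1.0 - s.risk), 3)


def decide(s: Signals, access_risk: str) -> Dict[str, object]:
    """Return the adaptive response for one access request."""
    required = REQUIRED_TRUST[access_risk]
    score = trust_score(s)
    outcome: Dict[str, object] = {"trust": score, "required": required}

    if s.risk >= RISK_CEILING:
        outcome.update(decision="deny", reason="risk signal above ceiling")
        return outcome
    if score >= required:
        outcome.update(decision="allow", reason="trust meets required level")
        return outcome

    # Would a step-up to the stronger method, with the same context signals,
    # close the gap? If so, challenge; if not, prompting would be pointless.
    stepped = Signals(STEP_UP_METHOD, s.recognition, s.affirmation, s.risk)
    if s.credential != STEP_UP_METHOD and trust_score(stepped) >= required:
        outcome.update(decision="step_up", method=STEP_UP_METHOD,
                       reason="additional credential would satisfy policy")
        return outcome
    outcome.update(decision="deny", reason="trust cannot reach required level")
    return outcome


if __name__ == "__main__":
    # Constructed sample request: a recognised device with only a password
    # is enough for low-risk access but is challenged for medium-risk access.
    ctx = Signals(credential="password", recognition=1.0)
    print(decide(ctx, "low")["decision"])     # allow
    print(decide(ctx, "medium")["decision"])  # step_up
```

The hard risk ceiling models the case the guide calls out in which strong credentials alone should not win: a phishing-resistant FIDO2 login from a context the OFD layer scores as very risky is still denied.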
Table 1 summarizes the variety of vendors that explicitly offer user authentication tools — that is, those that can render an authentication outcome. Thus it does not include vendors in other markets whose tools provide signals that can be consumed by other tools (see Figure 2).
Authentication Patterns
The prevalence and suitability of different authentication methods, and how they are delivered, varies across use cases. Gartner identifies six major patterns, which span a variety of use cases for internal and external users (see Table 2).
In addition, some industries have unique use cases for specific user populations:
■ Finding good options for MFA in these use cases can be fraught with technical and administrative challenges, and no methods prevail. Specialized vendors or approaches might be needed (for example, use of photo ID cards with “product” bar codes for point-of-sale [POS] access).
■ In some use cases, physical security and administrative controls might provide adequate, reasonable and effective risk mitigation.
Market Evolution
Gartner predicts that the user authentication market will evolve in line with the current market trends outlined in the Market Direction section.
■ The range and variety of authentication methods and flows, especially those supporting passwordless authentication. Support for W3C Web Authentication (WebAuthn) is already common; we predict that vendors will add FIDO2 capability to their phone apps over the next 18 months. [16]
■ The scope of access across remote access, PAM and client/server, as well as SaaS and web applications. Some AM vendors can support Windows login via third-party components, [17] but we do not consider this to be strategically important as FIDO2 apps are emerging to meet that need.
Some vendors (such as Thales, formerly Gemalto/SafeNet) have responded to this market pressure by developing their own AM tools, and this will likely continue. However, the risk here is significant, especially now that we see increasing consolidation in the AM market.
There is a small but important role for specialist vendors that can provide organizations that have particularly complex legacy application infrastructures with a cohesive user authentication framework. These vendors might have their own user authentication capability or integrate with AM or third-party user authentication tools. [19]
FIDO2 has precipitated a surge in the number of vendors coming to market with hardware security keys, with the only common differentiators being Certified Authenticator Levels and prices. A few vendors offer keys with embedded fingerprint readers to enable PIN-less and passwordless authentication.
Opportunities for vendors that have come to market with explicitly passwordless mobile MFA solutions [20] will be eroded by increased support for, and adoption of, FIDO2. To succeed, these vendors must demonstrate sufficient added value to justify additional investment.
Vendors that combine endpoint protection, endpoint encryption and endpoint user authentication are desirable in industries that are heavily regulated or that have more traditional access and device strategies. However, these vendors will face increasing pressure to add support for “anytime, anywhere” access needs.
We expect to see continued innovation. While it continues to surprise us that the market can sustain more than 300 vendors — a number that has increased year over year — wider standardization around FIDO2 is likely to remove many commodity vendors from the market.
Market Introduction
Table 3: Representative Vendors in User Authentication
Market Recommendations
IAM and other security leaders should:
■ Build CAT into zero-trust initiatives and, as part of adaptive access within an identity fabric, cybersecurity mesh architecture (CSMA) approaches.
■ Look for integration with security service edge (SSE) and other security tools that embed analytics and adaptive access capabilities, which can enable and benefit from an integrated CAT approach.
■ Address diversity, equity and inclusion concerns by seeking methods that inherently minimize bias and creating a portfolio of methods that can regularize risk mitigation and UX across all groups.
[1] Market Guide for Identity Proofing and Affirmation defines identity proofing as the combination of activities during an interaction that brings an identity claim within organizational risk tolerances, such that (a) the real-world identity exists and (b) the individual claiming the identity is, in fact, the true owner of that identity and is genuinely present during the process. It further defines identity affirmation as the combination of activities that provide supporting evidence for an identity claim to establish trust in an interaction, such that confidence is increased during the identity-proofing process that fraud is not taking place.
[2] “Trust,” “assurance” and “confidence” are roughly synonymous terms that are used in different definitions of authentication. Formally, “credence” is the canonical term for the strength or degree of belief in a proposition (for example, an identity claim). In an authentication context this term is implicitly reflected in the “credentials” that form the basis of orthodox authentication methods. Both derive from the Latin verb “crēdo” (“I believe,” “I trust in,” “I rely on,” “I accept as true”). Note also that trust (credence) in an identity claim does not imply trust in the person (that is, that they are trustworthy).
[3] Top Security and Risk Management Trends 2021 observes that identity-first security represents the way all information workers will function, regardless of whether they are remote or office-based. In this approach, all applications and resources must be considered “at risk” and secured as though they are exposed on the public internet.
[4] Quick Answer: How to Explain Zero Trust to Technology Executives defines zero trust as “a security paradigm that replaces implicit trust with continuously assessed explicit risk and trust levels based on identity and context supported by security infrastructure that adapts to risk-optimize the organization’s security posture.” NIST Special Publication 800-207, Zero Trust Architecture states (§3.1.1): “The enhanced identity governance approach to developing a [zero trust architecture] uses the identity of actors as the key component of policy creation.”
[6] User authentication functionality is an inclusion criterion for Magic Quadrant for Access Management and is evaluated for vendors in Critical Capabilities for Access Management.
[7] Take 3 Steps Toward Passwordless Authentication notes that IAM leaders are often put off by the prospect of investing in novel technologies, unaware of the passwordless methods and flows that are available in incumbent tools, such as Windows Hello for Business in Windows 10 and various innovations in AADP and third-party AM tools.
[8] Shift Focus From MFA to Continuous Adaptive Trust observes that an access decision engine must be able to orchestrate when and how it consumes signals or scores from different tools; correlates these with its own analytics; invokes appropriate adaptive responses; and captures and acts on their outcomes.
[9] Top Strategic Technology Trends for 2022: Total Experience observes that organizations are seeking better CX and EX strategies that will lead to greater confidence, satisfaction, loyalty and advocacy. As digital channels are increasingly the main vehicles for engagement, IT leaders must identify and improve UX touchpoints for customers and employees using multiexperience (MX) technologies.
[10] Hype Cycle for Identity and Access Management Technologies, 2021 discusses this not only in the profile of biometric authentication but also in the profile of DCIP (which uses biometric facial recognition technologies). Vendors should also review Product Managers Must Reduce Bias in Biometrics.
[11] Many passwordless solutions even rely on a user enrolling multiple personal devices — smartphones, tablets, PCs and hardware tokens — to create a “chain of trust” that enables identity recovery if a device is lost, stolen or otherwise replaced. This approach demonstrates a lack of awareness and empathy for the many global customers and citizens for whom this is impractical at best. See:
■ Some Digital Divides Persist Between Rural, Urban and Suburban America, Pew Research Center.
[12] Three Biometric Authentication Risks You Can’t Ignore notes that presentation attack detection (PAD) is essential to minimize the risk of presentation attacks. PAD might require an additional technology, or it might be inherent in the mode. Regarding privacy, IAM leaders are required to protect personal data, as well as manage user consent in compliance with an increasing number of privacy laws and regulations. For example, the European Union’s General Data Protection Regulation (GDPR) has specific requirements about data processor obligations. We expect increased adoption of privacy-preserving biometric technologies with decentralized data storage (from, for example, Anonybit and Keyless [acquired by Sift]). However, IAM and privacy leaders must cope with the impacts of broad legislation that often fails to distinguish between surveillance and authentication use cases.
[13] See the profile of DCI in Hype Cycle for Identity and Access Management Technologies, 2021 and Innovation Insight for Decentralized Identity and Verifiable Claims. The trustable, shared assertions are known technically as verifiable claims or verifiable credentials. Mainstream adoption of DCI is two to five years away, but integration with device-native wallets that people are already familiar with will likely aid user acceptance and accelerate adoption, especially for customer authentication and other customer and citizen applications.
[14] Enigma Logic’s SafeWord OTP tokens (now offered by Thales Digital Identity and Security) were commercially available at least as early as 1987. Security Dynamics’ SecurID OTP tokens (now offered by SecurID, an RSA Business) were commercially available from 1990.
[15] The only vendors with explicit support for IBM z/OS mainframes that Gartner has encountered are IBM (via an OEM relationship with Rocket Software) and Vanguard Integrity Professionals (VIP).
[17] For example, Tecnics provides this capability for Okta; Secret Double Octopus (SDO) provides this capability for Okta, ForgeRock and others.
[18] Predicts 2021: Identity and Access Management and Fraud Detection predicted that by 2024, 30% of large enterprises will newly implement identity-proofing tools to address common weaknesses in workforce identity life cycle processes. See also Quick Answer: How Can I Securely Reset Employee Passwords or Recover Accounts?
[19] Vendors offering this capability include Radiant Logic, Safe-T and Silverfort. Some ZTNA tools and some emerging “identity infrastructure detection and response tools” (such as CrowdStrike Falcon Identity Protection, formerly Preempt) might also be used in this way. More than one of these vendors positions this as “last mile” integration for AM tools, extending their scope beyond SaaS and web applications.
[20] Hype Cycle for Identity and Access Management Technologies, 2021 observes that mobile MFA provides passwordless authentication by combining multiple (typically two) factors in a smartphone app. Possession of the phone provides the first factor, with the app typically using one or more of the following modes: OTP, mobile push, X.509 and FIDO authentication protocols. The additional factor may be a biometric trait or a local PIN. Biometric authentication may be device-native or proprietary.
[21] See How Branch Closures Affect Access to Banking Services, Federal Reserve Bank of St. Louis.
Note 1
Representative Vendor Selection
This research provides Gartner clients with a view of the available offerings, taking into account:
■ Market presence
Thus, vendors represent what is core in the market, what extends it and what will transform it.
A representative vendor listed in this Market Guide has the characteristics described in the Market Definition and Market Description sections.
The list of representative vendors is not an exhaustive list of all providers. Many worthy vendors are omitted with no implied criticism. Tool: Vendor Identification for User Authentication compiles information about 306 providers, with a detailed review of 48.
Curated credentials and internal recognition and risk signals accrue from a person’s history with an organization. These can be used only for user authentication.
Curated credentials are the legacy backbone of the user authentication market. There are three canonical types:
■ Type 1. Something known to only the person, such as a password, pattern, picture or PIN.
■ Type 2. Something held by only the person, such as a security key, smart card or smartphone.
■ Type 3. Something inherent to only the person — biometric traits such as face, fingerprint and voice.
■ Passive behavioral biometric methods, such as gait, gesture, handling and typing.
Passive behavioral biometrics are classed as recognition signals, rather than Type 3 curated credentials, because of differences in the way they are established and evaluated:
■ The user is not prompted to do anything, and there is no discrete comparison and matching step; instead, probe data is continuously evaluated against the baseline.
Third-party credentials and external affirmation and risk signals accrue from a person’s history and activity external to an organization. Only these can be used for IPA, as well as for user authentication.
Bring your own identity (BYOI) is the concept of enabling people to select and use a third-party digital identity, such as a social identity (a Facebook identity, for example) or a higher-assurance identity (such as a bank or government identity), to access multiple digital services.
Decentralized identity (DCI) extends BYOI by using, for example, distributed ledger technologies (DLTs) to enable a person to create and control their own digital identity.
In addition, capture and analysis of a photo or video clip of the person determines genuine presence. Finally, comparison of the photo with the one in the document — increasingly often based on biometric face recognition — determines whether the person is the legitimate document bearer.
Affirmation signals are those that can provide supporting evidence for an identity claim to establish trust in an interaction, and thus increase the confidence that fraud is not taking place during an identity-proofing or user authentication process.
Table 1
Type* | Description
Adjunct | Vendors offering tools in other SRM markets or further afield, but no other IAM tools. They may offer authentication capabilities as stand-alone tools or embedded within other tools.
Customer IAM | IAM vendors with a specific focus on customer IAM wants and needs. They may offer authentication capabilities as stand-alone tools or embedded within other tools. [e]
Portable digital identity | Vendors with specialized tools that combine MFA with identity proofing, bring your own identity (BYOI) or decentralized identity (DCI) capabilities. [g]
OFD | Vendors offering OFD tools that typically enable real-time fraud monitoring, and may be focused on detection alone, or also on mitigation, once fraudulent activity is suspected. OFD vendors who have built the capability to deliver event-based detection and decisioning are increasingly focusing on ATO use cases and detecting fraud at login. Case management capabilities are included in almost all such tools (sharply differentiating them from analytics-focused authentication tools). [c]
PAM | Vendors offering privileged access management (PAM) tools that can discover, manage and govern privileged accounts on multiple systems and applications; control access to privileged accounts; randomize, manage and vault credentials (password, keys, etc.); and so on. They may offer authentication capabilities embedded within these tools. [i]
Portfolio | Vendors providing tools across two or more IAM markets: AM, identity governance and administration (IGA), PAM, or user authentication. They may offer authentication capabilities as stand-alone tools or natively within other tools.
* The “type” names are illustrative. They should not be taken as defining a market or market segment.
[a] See Critical Capabilities for Access Management
[b] See Shift Focus From MFA to Continuous Adaptive Trust
[c] See Market Guide for Online Fraud Detection
[d] See Technology Insight for Biometric Authentication
[e] See Innovation Insight for Customer Identity and Access Management
[f] See Market Guide for Communications Platform as a Service
[g] See Market Guide for Identity Proofing and Affirmation, Innovation Insight for Decentralized Identity and Verifiable Claims
[h] See Innovation Insight for Many Flavors of Authentication Token
[i] See Magic Quadrant for Privileged Access Management
Table 2: Authentication Patterns
Windows PC and network login
Users: Internal only (employees, contractors)
Delivery:
■ Native support
■ Third-party software (credential provider)
Methods:
■ X.509 tokens (“interactive smart card login”), PIN-protected (or, rarely, biometric-enabled)
■ FIDO2 (including Windows Hello for Business [WHfB]), with a PIN or local biometric method

macOS and network login
Users: Internal only
Delivery:
■ Third-party software
Methods:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)

Remote access (VPN, zero-trust network access [ZTNA], VDI)
Users: Internal and external (gig workers, partners, suppliers)
Delivery:
■ Third-party software (agents)
■ RADIUS
■ LDAP
■ Federation (SAML, OIDC), direct or via an AM tool
Methods:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ FIDO2/WebAuthn, with PIN or local biometric method (emerging), via an AM tool
■ OTP tokens and phone-as-a-token methods, with legacy password (or, rarely, app PINs or device-native or third-party biometric methods)

Privileged account login
Users: Internal and external (partners, suppliers — vendor technicians)
Delivery: Directly or via a PAM tool:
■ Third-party software (agents)
Methods:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)

Client/server* application login
Users: Internal and external (gig workers, partners, suppliers)
Delivery:
■ Native support
■ Third-party software (SDK, API), directly or via a ZTNA or AM tool
■ Kerberos
■ LDAP
■ Enterprise single sign-on (password vaulting-and-forwarding)
Methods:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ OTP tokens and phone-as-a-token methods, with legacy password (or, rarely, app PINs or device-native or third-party biometric methods)

SaaS or web application login
Users: Internal and external
Delivery:
■ Native support
■ Third-party software (API)
■ Federation (SAML, OIDC), directly or via an AM tool
■ Reverse proxy or HTTP header, via an AM tool
Methods:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ FIDO2/WebAuthn, with PIN or local biometric method (emerging)
■ OTP hardware tokens and phone-as-a-token methods, with legacy password (or, less commonly, as a single factor)
■ Including remote chip authentication (RCA) in banking, using a PIN-protected payment card
■ “Magic links” †

Mobile app login
Users: Internal and external
Delivery:
■ Third-party software (SDK), directly or via a unified endpoint management (UEM) or an AM tool
Methods:
■ Internal and some external use cases mirror SaaS and web application login via an AM tool

* This pattern might also include mainframe and client/server applications. However, these are an increasingly niche requirement, generating only a handful of client inquiries, and are explicitly supported by few vendors. [15]
† “Magic links” provide a kind of out-of-band authentication using email or an SMS message. However, rather than an OTP, the message embeds a link that the user simply clicks on to authenticate and continue the login process.
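The magic-link flow described in the † footnote, as an added example that is not part of the guide or any vendor's product: the server issues a random, single-use, short-lived token that stands in for the OTP, sends it inside a link over the out-of-band channel, and redeems it exactly once. The login URL, token lifetime, storage layout and user ids are assumptions made for this illustration.

```python
"""Added example, not from the guide or any vendor: server-side handling of
"magic link" tokens. The emailed or SMS-delivered link carries a random,
single-use, short-lived token in place of an OTP; the server stores only a
hash of the secret part, so a copy of the pending-login store cannot be
replayed. URL, TTL and field names are assumptions for this illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 600  # assumption: a link is valid for ten minutes
LOGIN_URL = "https://app.example.test/login"  # placeholder endpoint


@dataclass
class PendingLogin:
    user_id: str
    secret_hash: bytes
    expires_at: float
    used: bool = False


def _hash(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class MagicLinkService:
    """Issues and redeems magic-link tokens of the form <link_id>.<secret>."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._pending: Dict[str, PendingLogin] = {}
        self._now = now  # injectable clock so expiry can be tested

    def issue(self, user_id: str) -> str:
        """Create a pending login and return the link to send out of band."""
        link_id = secrets.token_urlsafe(16)  # public lookup key
        secret = secrets.token_urlsafe(32)   # never stored in clear
        self._pending[link_id] = PendingLogin(
            user_id, _hash(secret), self._now() + TOKEN_TTL_SECONDS)
        return f"{LOGIN_URL}?token={link_id}.{secret}"

    def redeem(self, token: str) -> Optional[str]:
        """Consume the token; return the user_id on success, else None.

        Every failure path returns the same value, so a caller cannot
        distinguish an unknown link from an expired or already-used one.
        """
        link_id, sep, secret = token.partition(".")
        entry = self._pending.get(link_id) if sep else None
        if entry is None:
            return None
        # Constant-time comparison of the hashes, even though the lookup
        # key itself is public.
        if not hmac.compare_digest(entry.secret_hash, _hash(secret)):
            return None
        if entry.used or self._now() > entry.expires_at:
            return None
        entry.used = True  # single use: a second click must fail
        return entry.user_id


def token_from_link(link: str) -> str:
    """Extract the token query parameter from an issued link."""
    return link.rsplit("token=", 1)[1]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice")  # constructed user id
    tok = token_from_link(link)
    print(svc.redeem(tok))  # alice
    print(svc.redeem(tok))  # None (already used)
```

Because the token only proves receipt of the message, the assurance of this flow is bounded by the security of the e-mail or SMS channel, exactly as for an OTP sent over the same channel.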
Vendor | Product, Service or Solution Name
1Kosmos | BlockID
BehavioSec | BehavioSec
Cisco (Duo Security) | Duo Multi-Factor Authentication (MFA), Duo Access, Duo Beyond
Daon | IdentityX
FaceTec | ZoOm
Okta (including Auth0) | Okta MFA, Okta Adaptive MFA, and others; Auth0 platform
Secret Double Octopus | Octopus Passwordless Enterprise, Octopus Pro, Octopus Starter, Octopus Lite
Silverfort | Silverfort
Yubico | YubiKey