
Market Guide for User Authentication

Published 13 December 2021 - ID G00731668 - 33 min read

By Analyst(s): Ant Allan, Tricia Phillips, Kaoru Yano


Initiatives: Identity and Access Management and Fraud Detection

User authentication is fundamental to identity-first security, and tools increasingly
overlap those in adjacent IAM and security markets. IAM-focused SRM leaders should seek
toolsets that optimize robustness, flexibility, UX and inclusivity as part of a cohesive
cybersecurity strategy.

Additional Perspectives

■ Summary Translation + Localization: Market Guide for User Authentication (24 January 2022)

Overview
Key Findings
■ Access management (AM) vendors are the preferred authentication providers in
cloud-first organizations. Those AM vendors able to meet legacy needs may displace
incumbent authentication-specific vendors, but authentication specialists may
succeed where they can provide added value.

■ Client interest in passwordless authentication, whether to enhance user experience
(UX) or mitigate risk, remains high. Fast IDentity Online 2 (FIDO2) is strategically
important here, but is not yet a universal solution. Other approaches can provide
significant value in the short to midterm.

■ User authentication more and more closely aligns with identity proofing and
affirmation (IPA), online fraud detection (OFD) and other analytics. These tools
enrich adaptive access approaches that can optimize both risk mitigation and UX.
Thus convergence within AM-centric platforms is likely.

■ The increasing market emphasis on smartphone-centric authentication methods can
result in unintentional demographic and socioeconomic discrimination in terms of
customers’ and citizens’ digital access.

Gartner, Inc. | G00731668 Page 1 of 22

This research note is restricted to the personal use of cavieira1@topazevolution.com.


Recommendations
Security and risk management (SRM) leaders responsible for identity and access
management (IAM) and fraud detection should:

■ Simplify their user authentication portfolios, to lower costs and provide a more
consistent UX for employees and customers, by exploiting the native capabilities of
their AM tools across as many use cases as possible.

■ Minimize time to value for passwordless authentication by fully exploiting
incumbent tools’ capabilities, even if the scope is limited to one or a few use cases
(such as Windows and SaaS login). This should be done while shifting investments
to support broader use of FIDO2 in the midterm.

■ Enhance resilience, flexibility and UX by broadening and deepening “risk-based” or
“conditional” approaches within the context of adaptive access and investing in
analytics and orchestration tools that enable continuous adaptive trust (CAT).

■ Address diversity, equity and inclusion concerns by creating a portfolio of
authentication and identity recovery methods that meets the needs of all users
without compromising security or UX.

Strategic Planning Assumption
By 2025, 80% of enterprises will fully meet their multifactor authentication needs for
remote and cloud access using the native capabilities of access management tools, thus
lowering the total cost of ownership by 30%.

Market Definition
User authentication provides real-time corroboration of an identity claim by a person
accessing an organization’s assets. It is foundational to network, application and data
security, because it reduces fraud, mitigates account takeover (ATO) and other identity
risks, and addresses regulatory requirements.

Tools in this market enable or provide one or more credential-based or signal-based
authentication methods that can augment or replace legacy passwords for employees,
contingent workers, partners, suppliers, business or retail customers, or citizens in one or
more use cases.

Vendors may offer any combination of on-premises software, cloud-based services,
software and hardware authenticators, and other software and hardware components.


Market Description
This Market Guide focuses on user authentication, which is used to corroborate the
claimed identity of a person already known to an organization. It contrasts with identity
proofing and affirmation (IPA), [1] which uniquely can corroborate the claimed identities of
“strangers” (to support, for example, customer onboarding or guest access).

User authentication provides an implied or notional level of trust [2] in a claimed identity by
evaluating one or more of the different kinds of evidence — credentials and signals —
shown in Figure 1 (see also Note 2).

Figure 1: Combining Credentials and Signals for Identity Corroboration


User authentication is foundational to other identity and access management (IAM)
functions that rely on having confidence in a person’s identity (authorization, audit and
identity analytics). It is also a cornerstone of identity-first security [3] and zero-trust
initiatives. [4]

The user authentication market is not discrete. It overlaps with other technology markets
and capabilities (see Figure 2).

Figure 2. The Shape of the User Authentication Market

BYOI = bring your own identity; DCI = decentralized identity; IAM = identity and access
management; IGA = identity governance and administration; PAM = privileged access
management; SSE = security service edge; WAAP = web application and API protection

Tools in each area overlapped by “User Authentication” in Figure 2 can provide some user
authentication capability. This may be via a complete tool able to render an
authentication outcome (a decision or a “trust score” for adaptive access) or a tool that
provides signals that can be consumed by another tool.


Mainstream vendors in this market typically offer tools that manage and consume
credentials curated by the implementing organization, most commonly some kind of
token (“type 2”) to be used in conjunction with a legacy password to provide multifactor
authentication (MFA). [5]

Nonpassword knowledge (“type 1”) and third-party biometric (“type 3”) methods are less
well represented.

Some vendors offer software and hardware components to support native authentication
logic in operating systems and other platforms (for example, for Microsoft Windows
interactive smart card login). These vendors may be distinguished as authenticator
vendors, when they lack their own authentication decision engine.

Many vendors have now added business policy decision capabilities, ranging from simple
conditional rules to machine learning (ML) models, to consume and score recognition,
affirmation and risk signals. This shift toward signals has created opportunities for other
vendors that focus on signal analytics.

Stand-alone IPA tools can also be used in an authentication flow, but few vendors
explicitly target user authentication use cases. The need for IPA for onboarding and
identity recovery continues to increase, particularly in customer use cases where attackers
can readily outsmart traditional reset processes.

Vendors in other markets — most notably, AM (which we say more about in the following
section) — also offer user authentication capabilities, either natively within their primary
offering or as a discrete component within an integrated portfolio.

Vendors in any market might offer fully independent, stand-alone tools that fall wholly
within the “user authentication” space. For example, some document-centric identity
proofing (DCIP) vendors offer discrete biometric authentication tools using the same face
recognition capability that they employ for identity proofing.

Market Direction
Access Management: Access to Microsoft 365 and other SaaS applications dominates
Gartner clients’ inquiries about user authentication, fueled by concerns about how the
shift to the cloud has increased the attack surface and exposed organizations to ATO and
other risks. In many cases, the client has been successfully attacked.


Most organizations moving to the cloud adopt an AM tool to provide runtime access
controls for all kinds of users. In many cases, this is Microsoft Azure Active Directory
Premium (AADP). All AM vendors offer user authentication capability in their AM tools or
as part of an integration toolset. [6]

Increasingly, many organizations adopt their AM vendor’s native user authentication
capability not just for cloud access, but also for legacy use cases, especially remote
access. Many AM vendors provide legacy RADIUS or LDAP integration, but remote access
tools increasingly support identity federation.

Some IAM leaders will seek other user authentication tools when these provide easier
management, more granular control or a better UX; integrate better with legacy systems or
better address specific use cases or user constituencies; or provide other methods or
functionality (such as transaction authorization).

Passwordless Authentication: Passwords remain a significant source of risk for
organizations — even when incorporated with another method for MFA — and of friction,
frustration and fatigue for users and administrators. Thus, IAM leaders are increasingly
seeking passwordless authentication methods.

Gartner predicts that FIDO2 methods will dominate in the midterm, with more than 25%
adoption within the next three years. However, other passwordless methods and
authentication flows are already widely available, many in the infrastructure that
organizations already have in place. [7]
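Why FIDO2 is the strategic answer to the password problem, rather than simply another second factor, comes down to what the relying party verifies. The following is an added example and not code from the Gartner note or from any vendor: a relying-party verifier for a WebAuthn assertion, in Python. It checks that the assertion was produced for this site's origin and rpId, answers the challenge issued for this session, carries user presence (and, when required, user verification), and advances the per-credential signature counter. The rpId, origins, challenge bytes and counters are constructed values, and a keyed HMAC with a constructed key stands in for the authenticator's private-key signature so the block runs offline; a real deployment verifies ECDSA (or whichever algorithm was registered) over the same bytes with the stored public key.

```python
"""Relying-party checks on a WebAuthn (FIDO2) assertion (added example).

Signature verification is injected: production code verifies the
authenticator's ECDSA signature with the stored public key; here a keyed
HMAC with a constructed key stands in so the block runs offline."""
import base64
import hashlib
import hmac
import json
import struct
from typing import Callable, Tuple

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric on the authenticator)


class VerificationError(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion(rp_id: str, allowed_origins, expected_challenge: bytes,
                     stored_sign_count: int, client_data_json: bytes,
                     authenticator_data: bytes, signature: bytes,
                     verify_signature: Callable[[bytes, bytes], bool],
                     require_uv: bool = True) -> int:
    """Validate one assertion and return the new counter value to store."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise VerificationError("not an authentication ceremony")
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")),
                               expected_challenge):
        raise VerificationError("challenge mismatch: stale or replayed assertion")
    # The browser, not the page script, fills in the origin; a look-alike site fails here.
    if client_data.get("origin") not in allowed_origins:
        raise VerificationError("origin %r not allowed" % client_data.get("origin"))
    if len(authenticator_data) < 37:
        raise VerificationError("authenticator data too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise VerificationError("rpIdHash does not match our rpId")
    if not flags & FLAG_UP:
        raise VerificationError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise VerificationError("user verification required but not performed")
    if sign_count != 0 and sign_count <= stored_sign_count:  # 0 = no counter support
        raise VerificationError("signature counter did not increase: possible clone")
    # The signature covers authData plus the hash of clientDataJSON (origin included).
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    if not verify_signature(signed, signature):
        raise VerificationError("signature invalid")
    return sign_count


# Constructed demo authenticator: an HMAC key stands in for the credential private key.
DEMO_KEY = b"constructed-demo-credential-key"


def demo_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(DEMO_KEY, data, hashlib.sha256).digest(), sig)


def make_assertion(rp_id: str, origin: str, challenge: bytes, sign_count: int,
                   uv: bool = True) -> Tuple[bytes, bytes, bytes]:
    """What a browser and authenticator used on `origin` would hand back."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url_encode(challenge)}).encode()
    flags = FLAG_UP | (FLAG_UV if uv else 0)
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
                 + struct.pack(">I", sign_count))
    sig = hmac.new(DEMO_KEY, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return client_data, auth_data, sig


def check(rp_id, origins, challenge, stored_count, assertion) -> Tuple[bool, str]:
    """Wrapper returning (accepted, reason) so scenarios can be compared."""
    try:
        new_count = verify_assertion(rp_id, origins, challenge, stored_count,
                                     *assertion, verify_signature=demo_verify)
        return True, "accepted; store counter %d" % new_count
    except VerificationError as err:
        return False, str(err)


if __name__ == "__main__":
    rp, origins, chal = "example.com", {"https://example.com"}, b"\x01" * 32
    print(check(rp, origins, chal, 5, make_assertion(rp, "https://example.com", chal, 6)))
    print(check(rp, origins, chal, 5, make_assertion("examp1e.com", "https://examp1e.com", chal, 6)))
    print(check(rp, origins, chal, 6, make_assertion(rp, "https://example.com", chal, 6)))
```

A phished password plus OTP can be relayed to the real site within the OTP window; an assertion obtained on a look-alike origin fails the origin and rpIdHash checks, and a captured assertion replayed later fails the challenge and counter checks. The user-verification flag is what turns a single FIDO2 ceremony into the two factor types discussed in Evidence note 5.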

Continuous Adaptive Trust (CAT): CAT is Gartner’s conceptual model that stresses the
efficacy of combining orthodox, credential-based methods with recognition, affirmation
and risk signals (see Figure 1) to provide sufficient trust in an identity claim in a way that
optimizes both risk mitigation and UX.

CAT emerges from the confluence of user authentication with IPA, OFD and other
analytics within a broader risk-based approach. This approach seeks to dynamically
balance trust in a claimed identity against the risk of access in a way that is consistent
with zero-trust principles.

CAT is not a product or service but can be realized by the effective orchestration of
multiple components, likely with AM tools playing a central role. [8]
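CAT is described above as orchestration rather than a product; Note 2 lists the three canonical credential types and the kinds of signals, and Evidence note 8 lists what the decision engine must do with them. The following is an added example, not code from the Gartner note or from any vendor's product: a small adaptive access decision engine in Python that scores the presented credentials (counting distinct factor types, as in Evidence note 5) together with recognition and risk signals, compares the result with the trust a resource demands, and returns allow, step-up (with the method to request) or deny. Method names, weights, thresholds and signal names are constructed assumptions, chosen so that password plus OTP scores below FIDO2 with local user verification, reflecting the note's point that passwords remain a risk even inside MFA.

```python
"""Toy adaptive access decision engine for continuous adaptive trust (added example).

Curated credentials (canonical types 1-3) and recognition/risk signals are
combined into one trust score, which is compared with the trust the requested
resource demands. Every weight, threshold and signal name is an illustrative
assumption, not a figure from the Gartner note."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Factor(Enum):
    KNOWLEDGE = 1   # type 1: something known only to the person
    POSSESSION = 2  # type 2: something held only by the person
    INHERENCE = 3   # type 3: something inherent only to the person


@dataclass(frozen=True)
class Credential:
    method: str
    factor: Factor
    weight: int                       # assumed base contribution to trust
    phishing_resistant: bool = False  # origin-bound (FIDO2) versus phishable


# Method catalogue (assumed weights). Password plus OTP is "+1FA": two factor
# types, both phishable. FIDO2 with local user verification is also two factor
# types, but origin-bound, so it scores higher.
PASSWORD = Credential("password", Factor.KNOWLEDGE, 10)
TOTP = Credential("totp", Factor.POSSESSION, 20)
PUSH = Credential("mobile_push", Factor.POSSESSION, 20)
FIDO2_KEY = Credential("fido2_security_key", Factor.POSSESSION, 40, True)
FIDO2_PIN = Credential("fido2_pin", Factor.KNOWLEDGE, 20, True)
FIDO2_BIO = Credential("fido2_biometric", Factor.INHERENCE, 25, True)


@dataclass
class Signals:
    device_recognized: bool = False            # recognition signal
    impossible_travel: bool = False            # risk signal from geo-velocity
    ip_reputation_bad: bool = False            # risk signal from a threat feed
    behavioral_match: Optional[float] = None   # 0..1 from passive behavioral biometrics


@dataclass
class Decision:
    outcome: str                   # "ALLOW", "STEP_UP" or "DENY"
    trust: int
    required: int
    reason: str
    step_up: Optional[str] = None  # method to request when outcome is STEP_UP


REQUIRED_TRUST = {"low": 30, "medium": 60, "high": 90}  # assumed thresholds by risk of access
MFA_BONUS = 15                 # two or more distinct factor types presented
PHISHING_RESISTANT_BONUS = 15  # every presented credential is origin-bound


def score_credentials(creds: List[Credential]) -> Tuple[int, int]:
    """Return (trust from credentials, number of distinct factor types)."""
    factors = {c.factor for c in creds}
    trust = sum(c.weight for c in creds)
    if len(factors) >= 2:
        trust += MFA_BONUS
    if creds and all(c.phishing_resistant for c in creds):
        trust += PHISHING_RESISTANT_BONUS
    return trust, len(factors)


def score_signals(sig: Signals) -> int:
    """Adjustment from recognition and risk signals (assumed weights)."""
    adj = 0
    if sig.device_recognized:
        adj += 15
    if sig.impossible_travel:
        adj -= 25
    if sig.behavioral_match is not None:
        adj += round(30 * (sig.behavioral_match - 0.5))  # maps 0..1 onto -15..+15
    return adj


def evaluate(creds: List[Credential], sig: Signals, resource_risk: str) -> Decision:
    required = REQUIRED_TRUST[resource_risk]
    cred_trust, n_factors = score_credentials(creds)
    trust = cred_trust + score_signals(sig)

    # Hard stop: a known-bad source is denied whatever was presented.
    if sig.ip_reputation_bad:
        return Decision("DENY", trust, required, "source IP on deny list")

    # Adaptive response: request whatever adds the trust this request lacks.
    if not any(c.phishing_resistant for c in creds):
        step_up = FIDO2_KEY.method
    else:
        step_up = "identity_affirmation"  # e.g. an IPA check once FIDO2 is already in use

    if n_factors < 2 and resource_risk != "low":
        return Decision("STEP_UP", trust, required,
                        "single factor not acceptable for %s-risk access" % resource_risk, step_up)
    if trust >= required:
        return Decision("ALLOW", trust, required, "trust meets requirement")
    return Decision("STEP_UP", trust, required, "trust below requirement", step_up)


if __name__ == "__main__":
    print(evaluate([PASSWORD, TOTP], Signals(device_recognized=True), "medium"))
    print(evaluate([PASSWORD, TOTP], Signals(impossible_travel=True), "high"))
    print(evaluate([FIDO2_KEY, FIDO2_PIN], Signals(), "high"))
```

The deny on a bad-reputation source and the single-factor rule run before the score comparison, so a high score cannot override them. The step-up chosen is the one that adds the trust the request lacks (a phishing-resistant credential if none was used, otherwise an identity affirmation check), which is the "invokes appropriate adaptive responses" duty described in Evidence note 8.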


User experience: Employee and customer UX — which roll up into employee experience
(EX) and customer experience (CX) — are increasingly important for all organizations. [9]
UX is a key driver of new methods (such as passwordless authentication) and strategic
approaches (such as CAT).

UX is not just a “nice to have.” While user authentication might seem only a minor aspect
of overall UX, a poor user authentication UX reduces employee agility or increases
customer abandonment. Ultimately, it degrades operational performance and decreases
business revenue.

Diversity, Equity and Inclusion (DEI): Demographic bias in biometric authentication,
especially in methods that use ML, can discriminate against certain groups, impairing
security as well as UX. IAM leaders concerned with ethics and reputation must ensure that
methods are fair across ethnicity, age and gender. [10]

IAM leaders should also pay attention to socioeconomic bias, especially with regard to the
acceptability and possession of different authenticators. In particular, an increasing
market emphasis on smartphones for authentication (and for identity wallets; see below)
risks marginalizing the minority that do not own them. [11]

Biometric authentication using face or voice offers a more universal option, given that
cameras and microphones are widely available on many devices, including unattended
terminals and kiosks. Presentation attacks and privacy concerns are significant but not
insuperable barriers to adoption. [12]

Decentralized Identity (DCI): DCI extends the BYOI concept of allowing people to select
and use third-party digital identities, giving people the ability to create and control their
own digital identities via a wallet app on a smartphone (similar in function and UX to
wallet apps used by Apple Pay or Google Pay).

Identity wallets enable people to share assertions about themselves with an organization
in a trusted way, without having to disclose sensitive data that is not actually required for
any specific interaction. DCI thus reduces the organization’s need to collect and centrally
store customer identity data, and therefore reduces risk.

DCI is still emerging but has the potential to provide (among a wide range of other things)
an alternative to an organization’s proprietary MFA tools. However, crucially, the trust that
DCI can deliver depends on what the wallet custodian itself uses for identity proofing and
user authentication (a bootstrapping problem). [13]


Market Analysis
Market Landscape
The user authentication market has evolved over more than 30 years since the first one-time
password (OTP) hardware tokens became available. [14] However, it currently has the
characteristics of an emerging market, with vendors jockeying for position, coming from
different directions and offering a mixed array of options and capabilities.

Table 1 summarizes the variety of vendors that explicitly offer user authentication tools —
that is, those that can render an authentication outcome. Thus it does not include vendors
in other markets whose tools provide signals that can be consumed by other tools (see
Figure 2).


Table 1: Types of Vendors In the User Authentication Market
(Enlarged table in Appendix)

Authentication Patterns
The prevalence and suitability of different authentication methods, and how they are
delivered, varies across use cases. Gartner identifies six major patterns, which span a
variety of use cases for internal and external users (see Table 2).


Table 2: Common User Authentication Use Cases
(Enlarged table in Appendix)

In addition, some industries have unique use cases for specific user populations:

■ Clinical access in healthcare delivery organizations where UX is critical to patient
care. The emphasis here is on “single-touch” authentication methods (contactless
cards/tokens and biometric methods).


■ Frontline workers in manufacturing, retail, transportation, natural resources and
so on. Across different industries the major challenges are (a) the use of shared
devices (such as PCs and tablets etc.) and (b) high staff churn and staff rotation
(shift work), as well as significant use of temporary staff.

■ Finding good options for MFA in these use cases can be fraught with technical
and administrative challenges, and no methods prevail. Specialized vendors or
approaches might be needed (for example, use of photo ID cards with
“product” bar codes for point-of-sale [POS] access).

■ In some use cases, physical security and administrative controls might provide
adequate, reasonable and effective risk mitigation.

Market Evolution
Gartner predicts that the user authentication market will evolve in line with the current
market trends outlined in the Market Direction section.

AM vendors will increasingly satisfy mainstream authentication needs across several
dimensions:

■ The range and variety of authentication methods and flows, especially those
supporting passwordless authentication. Support for W3C Web Authentication
(WebAuthn) is already common; we predict that vendors will add FIDO2 capability to
their phone apps over the next 18 months. [16]

■ The scope of access across remote access, PAM and client/server, as well as SaaS
and web applications. Some AM vendors can support Windows login via third-party
components, [17] but we do not consider this to be strategically important as FIDO2
apps are emerging to meet that need.

■ Integration with identity-proofing tools (which might be part of the AM portfolio),
initially to support customer onboarding. These will be increasingly relevant for gig
workers and remote employees, not just to meet HR needs but also to support
credential life cycle management. [18]

■ Increased analytics capabilities to support fraud detection, continuous adaptive
trust (CAT) and adaptive access approaches, as well as improved interoperability
with external tools providing signals and analytics. Along with this, increased
orchestration capabilities to manage authentication flows smoothly within user
journeys.


Opportunities for stand-alone authentication vendors offering commoditized
authentication methods — OTP, legacy OOB, and mobile push — will continue to shrink as
AM vendors’ capabilities improve. To succeed in the market, these vendors will need to
focus on the differentiators discussed in the Market Direction section.

Some vendors (such as Thales, formerly Gemalto/SafeNet) have responded to this market
pressure by developing their own AM tools, and this will likely continue. However, the risk
here is significant, especially now that we see increasing consolidation in the AM market.

There is a small but important role for specialist vendors that can provide organizations
that have particularly complex legacy application infrastructures with a cohesive user
authentication framework. These vendors might have their own user authentication
capability or integrate with AM or third-party user authentication tools. [19]

FIDO2 has precipitated a surge in the number of vendors coming to market with hardware
security keys, with the only common differentiators being Certified Authenticator Levels
and prices. A few vendors offer keys with embedded fingerprint readers to enable PIN-less
and passwordless authentication.

Opportunities for vendors that have come to market with explicitly passwordless mobile
MFA solutions [20] will be eroded by increased support for, and adoption of, FIDO2. To
succeed, these vendors must demonstrate sufficient added value to justify additional
investment.

Vendors that combine endpoint protection, endpoint encryption and endpoint user
authentication are desirable in industries that are heavily regulated or that have more
traditional access and device strategies. However, these vendors will face increasing
pressure to add support for “anytime, anywhere” access needs.

Biometric authentication specialists will see increasing opportunities, especially in
customer IAM use cases, and crossover with DCIP and DCI tools will increase. AM vendors
and other authentication specialists will likely continue to tend to partner with biometric
authentication vendors, rather than develop biometric technology themselves.

We expect to see continued innovation. While it continues to surprise us that the market
can sustain more than 300 vendors — a number that has increased year over year — wider
standardization around FIDO2 is likely to remove many commodity vendors from the
market.


Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is
intended to provide more understanding of the market and its offerings.

Market Introduction
Table 3: Representative Vendors in User Authentication
(Enlarged table in Appendix)

Market Recommendations
IAM and other security leaders should:


■ Simplify their user authentication portfolios, to lower costs and provide more
consistent UX for employees and customers, by exploiting the native capabilities of
their AM tools across as many use cases as possible.

■ Take advantage of AM tools’ ability to manage authentication flows to enable
a differentiated and highly flexible authentication UX across all user journeys.

■ Favor AM vendors that provide open integrations that give access to a
marketplace of multiple stand-alone authentication vendors and methods.

■ Minimize time to value for passwordless authentication by fully exploiting
incumbent tools’ capabilities, even if the scope is limited to one or a few use cases
(such as Windows and SaaS login). This should be done while shifting investments
to support broader use of FIDO2 in the midterm.

■ Enhance resilience, flexibility and UX by broadening and deepening “risk-based” or
“conditional” approaches within the context of adaptive access and investing in
analytics and orchestration tools that enable CAT.

■ Build CAT into zero-trust initiatives and, as part of adaptive access within an
identity fabric, cybersecurity mesh architecture (CSMA) approaches.

■ Look for integration with security service edge (SSE) and other security tools
that embed analytics and adaptive access capabilities, which can enable and
benefit from an integrated CAT approach.

■ Address diversity, equity and inclusion concerns by seeking methods that inherently
minimize bias and creating a portfolio of methods that can regularize risk mitigation
and UX across all groups.

■ Consider differences in user preferences, language and available technologies
based on geography, culture and other demographics.

■ IAM leaders in financial institutions that are closing physical branches or
government agencies that are moving citizen services to digital channels
should invest in technologies that will ensure secure access to critical digital
assets for economically and socially vulnerable groups. [21]


Evidence
In addition to the specific citations below, this research is based on publicly available
information and hundreds of direct interactions with vendors and end-user organizations
over the past 18 months.

[1] Market Guide for Identity Proofing and Affirmation defines identity proofing as the
combination of activities during an interaction that brings an identity claim within
organizational risk tolerances, such that (a) the real-world identity exists and (b) the
individual claiming the identity is, in fact, the true owner of that identity and is genuinely
present during the process. It further defines identity affirmation as the combination of
activities that provide supporting evidence for an identity claim to establish trust in an
interaction, such that confidence is increased during the identity-proofing process that
fraud is not taking place.

[2] “Trust,” “assurance” and “confidence” are roughly synonymous terms that are used in
different definitions of authentication. Formally, “credence” is the canonical term for the
strength or degree of belief in a proposition (for example, an identity claim). In an
authentication context this term is implicitly reflected in the “credentials” that form the
basis of orthodox authentication methods. Both derive from the Latin verb “crēdo” (“I
believe,” “I trust in,” “I rely on,” “I accept as true”). Note also that trust (credence) in an
identity claim does not imply trust in the person (that is, that they are trustworthy).

[3] Top Security and Risk Management Trends 2021 observes that identity-first security
represents the way all information workers will function, regardless of whether they are
remote or office-based. In this approach, all applications and resources must be
considered “at risk” and secured as though they are exposed on the public internet.

[4] Quick Answer: How to Explain Zero Trust to Technology Executives defines zero trust as
“a security paradigm that replaces implicit trust with continuously assessed explicit risk
and trust levels based on identity and context supported by security infrastructure that
adapts to risk-optimize the organization’s security posture.” NIST Special Publication 800-
207, Zero Trust Architecture states (§3.1.1): “The enhanced identity governance approach
to developing a [zero trust architecture] uses the identity of actors as the key component
of policy creation.”


[5] Combining any two factors — that is, instances of two different canonical types —
provides two-factor authentication (2FA). Strictly, multifactor authentication (MFA) implies
more than two factors, but the term MFA is very often used where there are only two —
and combinations of three factors are rare. Most legacy “MFA” tools are really only “+1FA”
tools, adding a single extra factor to an existing password. “MFA” has been a convenient
shorthand for these tools, but it masks an important distinction between legacy
approaches and modern passwordless MFA tools.

[6] User authentication functionality is an inclusion criterion for Magic Quadrant for Access
Management and is evaluated for vendors in Critical Capabilities for Access
Management.

[7] Take 3 Steps Toward Passwordless Authentication notes that IAM leaders are often put
off by the prospect of investing in novel technologies, unaware of the passwordless
methods and flows that are available in incumbent tools, such as Windows Hello for
Business in Windows 10 and various innovations in AADP and third-party AM tools.

[8] Shift Focus From MFA to Continuous Adaptive Trust observes that an access decision
engine must be able to orchestrate when and how it consumes signals or scores from
different tools; correlates these with its own analytics; invokes appropriate adaptive
responses; and captures and acts on their outcomes.

[9] Top Strategic Technology Trends for 2022: Total Experience observes that organizations
are seeking better CX and EX strategies that will lead to greater confidence, satisfaction,
loyalty and advocacy. As digital channels are increasingly the main vehicles for
engagement, IT leaders must identify and improve UX touchpoints for customers and
employees using multiexperience (MX) technologies.

[10] Hype Cycle for Identity and Access Management Technologies, 2021 discusses this
not only in the profile of biometric authentication but also in the profile of DCIP (which
uses biometric facial recognition technologies). Vendors should also review Product
Managers Must Reduce Bias in Biometrics.

[11] Many passwordless solutions even rely on a user enrolling multiple personal devices —
smartphones, tablets, PCs and hardware tokens — to create a “chain of trust” that enables
identity recovery if a device is lost, stolen or otherwise replaced. This approach
demonstrates a lack of awareness and empathy for the many global customers and
citizens for whom this is impractical at best. See:


■ The Digital Lives of Refugees: How Displaced Populations Use Mobile Phones and
What Gets in the Way, GSMA.

■ Exploring the UK’s Digital Divide, Office for National Statistics.

■ Some Digital Divides Persist Between Rural, Urban and Suburban America, Pew
Research Center.

[12] Three Biometric Authentication Risks You Can’t Ignore notes that presentation attack
detection (PAD) is essential to minimize the risk of presentation attacks. PAD might
require an additional technology, or it might be inherent in the mode. Regarding privacy,
IAM leaders are required to protect personal data, as well as manage user consent in
compliance with an increasing number of privacy laws and regulations. For example, the
European Union’s General Data Protection Regulation (GDPR) has specific requirements
about data processor obligations. We expect increased adoption of privacy-preserving
biometric technologies with decentralized data storage (from, for example, Anonybit and
Keyless [acquired by Sift]). However, IAM and privacy leaders must cope with the impacts
of broad legislation that often fails to distinguish between surveillance and authentication
use cases.

[13] See the profile of DCI in Hype Cycle for Identity and Access Management
Technologies, 2021 and Innovation Insight for Decentralized Identity and Verifiable
Claims. The trustable, shared assertions are known technically as verifiable claims or
verifiable credentials. Mainstream adoption of DCI is two to five years away, but
integration with device-native wallets that people are already familiar with will likely aid
user acceptance and accelerate adoption, especially for customer authentication and
other customer and citizen applications.

[14] Enigma Logic’s SafeWord OTP tokens (now offered by Thales Digital Identity and
Security) were commercially available at least as early as 1987. Security Dynamics’
SecurID OTP tokens (now offered by SecurID, an RSA Business) were commercially
available from 1990.

[15] The only vendors with explicit support for IBM z/OS mainframes that Gartner has
encountered are IBM (via an OEM relationship with Rocket Software) and Vanguard
Integrity Professionals (VIP).


[16] This kind of app is already available from specialist FIDO-focused vendors like
IDmelon. Akamai also offers something similar, but its solution relies on a custom
channel between the WebAuthn-enabled web browser and the smartphone app, rather
than the standard FIDO Client to Authenticator Protocol (CTAP). This means, among other
things, that it cannot be used for Windows 10 login.

[17] For example, Tecnics provides this capability for Okta; Secret Double Octopus (SDO)
provides this capability for Okta, ForgeRock and others.

[18] Predicts 2021: Identity and Access Management and Fraud Detection predicted that by
2024, 30% of large enterprises will newly implement identity-proofing tools to address
common weaknesses in workforce identity life cycle processes. See also Quick Answer:
How Can I Securely Reset Employee Passwords or Recover Accounts?

[19] Vendors offering this capability include Radiant Logic, Safe-T and Silverfort. Some
ZTNA tools and some emerging “identity infrastructure detection and response tools”
(such as CrowdStrike Falcon Identity Protection, formerly Preempt) might also be used in
this way. More than one of these vendors positions this as “last mile” integration for AM
tools, extending their scope beyond SaaS and web applications.

[20] Hype Cycle for Identity and Access Management Technologies, 2021 observes that
mobile MFA provides passwordless authentication by combining multiple (typically two)
factors in a smartphone app. Possession of the phone provides the first factor, with the
app typically using one or more of the following modes: OTP, mobile push, X.509 and
FIDO authentication protocols. The additional factor may be a biometric trait or a local
PIN. Biometric authentication may be device-native or proprietary.

[21] See How Branch Closures Affect Access to Banking Services, Federal Reserve Bank of
St. Louis.

Note 1. Representative Vendor Selection
This research provides Gartner clients with a view of the available offerings, taking into
account:

■ Market presence

■ Diversity of authentication methods and delivery options

■ Citations in and relevance to Gartner client interactions



■ Consonance with overarching market trends

Thus, vendors represent what is core in the market, what extends it and what will
transform it.

A representative vendor listed in this Market Guide has the characteristics described in the
Market Definition and Market Description sections.

The list of representative vendors is not an exhaustive list of all providers. Many worthy
vendors are omitted with no implied criticism. Tool: Vendor Identification for User
Authentication compiles information about 306 providers, with a detailed review of 48.

Note 2
Credentials and Signals

Figure 1 updates the Gartner Identity Corroboration Model (GICM) from earlier research
(see IAM Leaders’ Guide to User Authentication). See Shift Focus from MFA to Continuous
Adaptive Trust for a fuller discussion of how credentials and signals can be combined to
maximize efficacy.

Curated credentials and internal recognition and risk signals accrue from a person’s
history with an organization. These can be used only for user authentication.

Curated credentials are the legacy backbone of the user authentication market. There are
three canonical types:

■ Type 1. Something known to only the person, such as a password, pattern, picture or
PIN.

■ Type 2. Something held by only the person, such as a security key, smart card or
smartphone.

■ Type 3. Something inherent to only the person — biometric traits such as face,
fingerprint and voice.

Recognition and risk signals can be categorized as:

■ Passive behavioral biometric methods, such as gait, gesture, handling and typing.

■ Behavioral data — such as interaction metrics — consumed by (user and entity)
behavioral analytics.



■ Contextual data, such as endpoint device identity, credentials, attributes and
location.

■ Knowledge-based verification (KBV), such as chosen security questions.

Passive behavioral biometrics are classed as recognition signals, rather than Type 3
curated credentials, because of differences in the way they are established and evaluated:

■ There is no enrollment “ceremony” to establish reference data; instead, baseline data
is aggregated over multiple interactions.

■ The user is not prompted to do anything, and there is no discrete comparison and
matching step; instead, probe data is continuously evaluated against the baseline.
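As an added illustration that is not code from the guide or from any vendor it names, the toy scorer below shows the two distinctions just listed in working form: the reference data is a running statistic that accumulates as ordinary interactions arrive (no enrollment step), and each new probe value is scored against that history without prompting the user or running a discrete match. Keystroke intervals stand in for the behavioral signal; the thresholds, the "immature baseline" cutoff and the sample timings are all constructed for the example and are not figures from the guide.

```python
import math
import random
from dataclasses import dataclass

MIN_OBSERVATIONS = 30      # assumed cutoff: below this the baseline is immature
ANOMALY_Z = 3.0            # assumed: an interval this far from the baseline is anomalous
ELEVATED_FRACTION = 0.25   # assumed: this share of anomalous intervals raises the signal


@dataclass
class RunningBaseline:
    """Welford's online mean/variance. The reference data is accumulated
    across ordinary interactions; nothing is captured in an enrollment step."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x: float) -> float:
        sd = self.stddev
        return 0.0 if sd == 0.0 else (x - self.mean) / sd


def evaluate_session(baseline: RunningBaseline, intervals: list[float]) -> str:
    """Score a stream of probe values against the baseline and return a
    risk signal: "immature" (not enough history yet), "low" or "elevated".

    Each value is scored before it is folded into the baseline, and only
    values that look normal are folded in, so a session that drifts away
    from the user's history cannot quietly retrain the baseline. That gating
    is a design choice of this example, not something the guide describes.
    """
    if baseline.n < MIN_OBSERVATIONS:
        for x in intervals:
            baseline.update(x)
        return "immature"
    if not intervals:
        return "low"
    anomalous = 0
    for x in intervals:
        if abs(baseline.zscore(x)) > ANOMALY_Z:
            anomalous += 1
        else:
            baseline.update(x)
    return "elevated" if anomalous / len(intervals) > ELEVATED_FRACTION else "low"


def demo() -> tuple[str, str, str]:
    """Constructed keystroke intervals in milliseconds, fixed seed so the
    run is reproducible offline."""
    rng = random.Random(7)
    baseline = RunningBaseline()

    def owner_session() -> list[float]:
        return [rng.gauss(120, 15) for _ in range(40)]

    first = evaluate_session(baseline, owner_session())   # baseline still forming
    second = evaluate_session(baseline, owner_session())  # same rhythm as history
    stranger = [rng.gauss(300, 20) for _ in range(40)]    # a different typist
    third = evaluate_session(baseline, stranger)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The output is a signal, not a pass/fail decision: an adaptive access policy would consume "elevated" alongside the contextual signals listed below, for instance by stepping up to a curated credential, rather than treating it as a failed match. The first session returns "immature" on purpose; a practitioner should decide what the policy does before enough history exists, since that window is exactly when a freshly provisioned or freshly compromised account is hardest to distinguish.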

Knowledge-based verification (KBV), also known as knowledge-based authentication
(KBA), is conventionally classified as a Type 1 method. However, we deprecate that
classification as KBV typically relies on information that is known by others, not only by
the person making a true identity claim.

Third-party credentials and external affirmation and risk signals accrue from a person’s
history and activity external to an organization. Only these can be used for IPA, as well as
for user authentication.

Bring your own identity (BYOI) is the concept of enabling people to select and use a third-
party digital identity, such as a social identity (a Facebook identity, for example) or a
higher-assurance identity (such as a bank or government identity), to access multiple
digital services.

Decentralized identity (DCI) extends BYOI by using, for example, distributed ledger
technologies (DLTs) to enable a person to create and control their own digital identity.

Photo identification documents (such as passports, national ID cards and driver’s
licenses) are consumed by document-centric identity proofing (DCIP) tools. DCIP involves
capturing an image of a photo identity document and checking for signs of tampering or
forging.

In addition, capture and analysis of a photo or video clip of the person determines genuine
presence. Finally, comparison of the photo with the one in the document — increasingly
often based on biometric face recognition — determines whether the person is the
legitimate document bearer.



Optionally, data can be extracted via optical character recognition (OCR) or from the
document’s chip using near-field communication (NFC).

Affirmation signals are those that can provide supporting evidence for an identity claim to
establish trust in an interaction, and thus increase the confidence that fraud is not taking
place during an identity-proofing or user authentication process.

Document Revision History


Market Guide for User Authentication - 26 June 2020

Market Guide for User Authentication - 26 November 2018

Market Guide for User Authentication - 16 November 2017

Market Guide for User Authentication - 23 November 2016

Market Guide for User Authentication - 12 February 2016

Recommended by the Authors

Some documents may not be available as part of your current Gartner subscription.

Innovation Insight for Many Flavors of Authentication Token
Technology Insight for Biometric Authentication
Take 3 Steps Toward Passwordless Authentication
Shift Focus From MFA to Continuous Adaptive Trust
Innovation Insight for Decentralized Identity and Verifiable Claims
Market Guide for Online Fraud Detection
Market Guide for Identity Proofing and Affirmation
Critical Capabilities for Access Management
Enhance Remote Access Security With Multifactor Authentication and Access Management



© 2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained in
this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties
as to the accuracy, completeness or adequacy of such information. Although Gartner research may
address legal and financial issues, Gartner does not provide legal or investment advice and its research
should not be construed or used as such. Your access and use of this publication are governed by
Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any
third party. For further information, see "Guiding Principles on Independence and Objectivity."



Table 1: Types of Vendors In the User Authentication Market

Each entry gives the vendor Type* followed by its Description.

Adjunct: Vendors offering tools in other SRM markets or further afield, but no other IAM tools. They may offer authentication capabilities as stand-alone tools or embedded within other tools.

AM: Vendors offering AM tools that provide centralized authentication, single sign-on (SSO), session management and authorization enforcement for target applications in multiple use cases (B2E, B2B and B2C). Adaptive and contextual authentication are core elements, as is support for modern identity protocols such as SAML, OAuth 2.0 and OIDC. [a]

Analytics-focused: Authentication specialists with a singular or distinctive focus on rich analytics, especially machine learning, including behavior analytics and passive behavioral biometric methods. Some provide orthodox, credential-based methods as well. This category is contiguous with online fraud detection (OFD); OFD vendors offer similar techniques, but their tools are differentiated by use-case-specific capabilities. [b] [c]

Biometric: Authentication specialists with a singular or distinctive focus on active biometric authentication methods. Several vendors use ML, especially for face and voice modes. Several vendors add support for FIDO protocols as an option. [d]

Customer IAM: IAM vendors with a specific focus on customer IAM wants and needs. They may offer authentication capabilities as stand-alone tools or embedded within other tools. [e]

CPaaS: Communications platform as a service (CPaaS) vendors offering cloud-based middleware from which buyers can develop, run and distribute communications software. They may offer authentication capabilities embedded within the platform. [f]

Portable digital identity: Vendors with specialized tools that combine MFA with identity proofing, bring your own identity (BYOI) or decentralized identity (DCI) capabilities. [g]

FIDO-focused: Authentication specialists with a singular or distinctive focus on FIDO-based methods. Some offer non-FIDO solutions as well. Several vendors in other categories support FIDO protocols as an option. [h]

Knowledge: Authentication specialists with a singular or distinctive focus on advanced knowledge authentication methods, typically those based on memorized patterns or pictures.

OFD: Vendors offering OFD tools that typically enable real-time fraud monitoring, and may be focused on detection alone, or also on mitigation, once fraudulent activity is suspected. OFD vendors who have built the capability to deliver event-based detection and decisioning are increasingly focusing on ATO use cases and detecting fraud at login. Case management capabilities are included in almost all such tools (sharply differentiating them from analytics-focused authentication tools). [c]

PAM: Vendors offering privileged access management (PAM) tools that can discover, manage and govern privileged accounts on multiple systems and applications; control access to privileged accounts; randomize, manage and vault credentials (password, keys, etc.); and so on. They may offer authentication capabilities embedded within these tools. [i]

Phone-as-a-token: Authentication specialists that came to market with a singular or distinctive focus on phone-as-a-token methods. Many can support other vendors’ OTP hardware tokens, but some now offer their own. Many wide-focus vendors also supply phone-as-a-token methods. [h]

Portfolio: Vendors providing tools across two or more IAM markets: AM, identity governance and administration (IGA), PAM, or user authentication. They may offer authentication capabilities as stand-alone tools or natively within other tools.

Wide-focus: Authentication specialists with a varied portfolio of authentication methods. Several are historically regarded as “OTP token vendors,” but all offer phone-as-a-token methods and maybe also public-key (X.509, FIDO) authentication methods, biometric methods or analytics.

X.509: Authentication specialists with a tight focus on X.509 authentication tokens. Several wide-focus vendors provide X.509 authentication tokens. [h]

* The “type” names are illustrative. They should not be taken as defining a market or market segment.
[a] See Critical Capabilities for Access Management
[b] See Shift Focus From MFA to Continuous Adaptive Trust
[c] See Market Guide for Online Fraud Detection
[d] See Technology Insight for Biometric Authentication
[e] See Innovation Insight for Customer Identity and Access Management
[f] See Market Guide for Communications Platform as a Service
[g] See Market Guide for Identity Proofing and Affirmation, Innovation Insight for Decentralized Identity and Verifiable Claims
[h] See Innovation Insight for Many Flavors of Authentication Token
[i] See Magic Quadrant for Privileged Access Management

Source: Gartner (December 2021)



Table 2: Common User Authentication Use Cases

Each entry gives the use-case Pattern, its Scope, the Common Integration Pathways and the Prevalent Methods and Approaches.

Pattern: Windows PC and network login
Scope: Internal (employees, contractors) only
Common integration pathways:
■ Native support
■ Third-party software (credential provider)
Prevalent methods and approaches:
■ X.509 tokens (“interactive smart card login”), PIN-protected (or, rarely, biometric-enabled)
■ FIDO2 (including Windows Hello for Business [WHfB]), with a PIN or local biometric method
■ OTP tokens and phone-as-a-token methods (via third-party software), with legacy password (or, rarely, app PINs or device-native or third-party biometric methods)
■ Fingerprint, face and other biometric methods (via third-party software, as well as FIDO2/WHfB with device-native modes)

Pattern: macOS and network login
Scope: Internal only
Common integration pathways:
■ Third-party software
Prevalent methods and approaches:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ OTP tokens and phone-as-a-token methods, with legacy password (or, rarely, app PINs or device-native or third-party biometric methods)

Pattern: Remote access (VPN, zero-trust network access [ZTNA], VDI)
Scope: Internal and external (gig workers, partners, suppliers)
Common integration pathways:
■ Third-party software (agents)
■ RADIUS
■ LDAP
■ Federation (SAML, OIDC), direct or via an AM tool
Prevalent methods and approaches:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ FIDO2/WebAuthn, with PIN or local biometric method (emerging), via an AM tool
■ OTP tokens and phone-as-a-token methods, with legacy password (or, rarely, app PINs or device-native or third-party biometric methods)

Pattern: Privileged account login
Scope: Internal and external (partners, suppliers — vendor technicians)
Common integration pathways (directly or via a PAM tool):
■ Third-party software (agents)
■ RADIUS
■ LDAP
■ Federation (SAML, OIDC), directly or via AM tool
Prevalent methods and approaches:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ OTP tokens and phone-as-a-token methods (except out-of-band [OOB] messaging and voice modes, which are strongly deprecated), with legacy password (or, rarely, app PINs or device-native or third-party biometric methods)

Pattern: Client/server* application login
Scope: Internal and external (gig workers, partners, suppliers)
Common integration pathways:
■ Native support
■ Third-party software (SDK, API), directly or via a ZTNA or AM tool
■ Kerberos
■ LDAP
■ Enterprise single sign-on (password vaulting-and-forwarding)
Prevalent methods and approaches:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ OTP tokens and phone-as-a-token methods, with legacy password (or, rarely, app PINs or device-native or third-party biometric methods)

Pattern: SaaS or web application login
Scope: Internal and external
Common integration pathways:
■ Native support
■ Third-party software (API)
■ Federation (SAML, OIDC), directly or via an AM tool
■ Reverse proxy or HTTP header, via an AM tool
Prevalent methods and approaches:
■ X.509 tokens, PIN-protected (or, rarely, biometric-enabled)
■ FIDO2/WebAuthn, with PIN or local biometric method (emerging)
■ OTP hardware tokens and phone-as-a-token methods, with legacy password (or, less commonly, as a single factor)
    ■ Including remote chip authentication (RCA) in banking, using a PIN-protected payment card
■ Recognition and risk signals
    ■ Typically via OFD tools for customer authentication in banking and so on
■ Typically only in retail customer use cases:
    ■ Enhanced passwords
    ■ “Magic links”
    ■ IPA (e.g., knowledge-based verification [KBV] or, more rarely, document-centric identity proofing [DCIP])

Pattern: Mobile app login
Scope: Internal and external
Common integration pathways:
■ Third-party software (SDK), directly or via a unified endpoint management (UEM) or an AM tool
Prevalent methods and approaches:
■ Internal and some external use cases mirror SaaS and web application login via an AM tool
■ Some external use cases embed methods within the app. A silent factor (a stored password or software cryptographic token) may be combined with:
    ■ Enhanced password methods
    ■ Face, fingerprint, voice or other biometric methods (device-native or third-party, via vendor SDKs, FIDO Universal Authentication Framework [UAF] or FIDO2)

* This pattern might also include mainframe and client/server applications. However, these are an increasingly niche requirement, generating only a handful of client inquiries, and are explicitly supported by few vendors. [15]

“Magic links” provide a kind of out-of-band authentication using email or an SMS message. However, rather than an OTP, the message embeds a link that the user simply clicks on to authenticate and continue the login process.
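An added example, not code from the guide or from any vendor it lists, of the server side of a magic link. It enforces the two properties a practitioner should check for in any such implementation: the link expires, and it can be redeemed exactly once. The endpoint URL, the ten-minute lifetime, the in-memory store and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

LINK_TTL_SECONDS = 600                         # assumed policy: a link lives ten minutes
BASE_URL = "https://login.example.test/magic"  # assumed, hypothetical landing endpoint


class MagicLinkService:
    """Issue and redeem single-use, time-limited login links.

    Only a SHA-256 digest of the token is kept server-side, so a leaked copy
    of the pending table cannot be replayed as live links; the raw token
    exists only in the message sent to the user.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: dict[str, tuple[str, float]] = {}  # digest -> (user_id, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        expiry = self._clock() + LINK_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expiry)
        return f"{BASE_URL}?{urlencode({'token': token})}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id on success, None otherwise.

        The record is removed on the first attempt, whatever the outcome,
        so a link is consumed even if it turns out to be expired.
        """
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None  # unknown, forged or already used
        user_id, expiry = record
        if self._clock() > expiry:
            return None  # past its TTL
        return user_id


def token_from_url(url: str) -> str:
    """Extract the token the way the landing endpoint would."""
    return parse_qs(urlparse(url).query)["token"][0]


def demo() -> dict:
    """Drive the service with a constructed clock so expiry is testable offline."""
    now = [1_700_000_000.0]
    svc = MagicLinkService(clock=lambda: now[0])

    link = svc.issue("alice")
    token = token_from_url(link)
    first = svc.redeem(token)    # succeeds
    replay = svc.redeem(token)   # same link again: refused

    stale = token_from_url(svc.issue("bob"))
    now[0] += LINK_TTL_SECONDS + 1
    expired = svc.redeem(stale)  # issued before the clock moved: refused

    forged = svc.redeem("not-a-token-we-issued")
    return {"first": first, "replay": replay, "expired": expired, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Two operational points follow from the single-use property. Mail-security gateways and chat clients routinely fetch links to scan or preview them, so the GET that lands on the URL should show a confirmation page and the redemption should happen on an explicit user action (for instance a POST from that page); otherwise the scanner consumes the link before the user does. And the link is only as strong as the mailbox or phone number it is delivered to, which is the same OOB-channel weakness that leads the table above to deprecate OOB messaging and voice modes for privileged account login.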

Source: Gartner (December 2021)



Table 3: Representative Vendors in User Authentication

Each entry gives the Vendor followed by the Product, Service or Solution Name.

1Kosmos: BlockID
authID.ai: Verified, AuthentifID
BehavioSec: BehavioSec
Callsign: Intelligence Engine, Authentication Suite
Cisco (Duo Security): Duo Multi-Factor Authentication (MFA), Duo Access, Duo Beyond
Daon: IdentityX
Entersekt: Entersekt Secure Platform (ESP)
FaceTec: ZoOm
FEITIAN Technologies: FEITIAN OTP Authentication System (FOAS), various hardware authenticators
ForgeRock: Access Management
HYPR: HYPR Cloud Platform
IDmelon: IDmelon Authenticator, IDmelon Reader, IDmelon Key
iProov: Face Verifier, Basic Face Verifier, Palm Verifier
Jumio: Jumio Authentication
KOBIL: KOBIL SHIFT
Microsoft: Azure AD Premium, Azure MFA; Windows Hello for Business
Okta (including Auth0): Okta MFA, Okta Adaptive MFA, and others; Auth0 platform
One Identity (OneLogin): SmartFactor Authentication and others
Onfido: Onfido Face Authenticate
Nuance*: Nuance Gatekeeper
Ping Identity: PingOne Cloud Platform
Secret Double Octopus: Octopus Passwordless Enterprise, Octopus Pro, Octopus Starter, Octopus Lite
SecurID, an RSA Business: SecurID Authentication Manager, SecurID Access
Sift (Keyless): Keyless
Silverfort: Silverfort
Thales: SafeNet Trusted Access, various banking-focused customer authentication offerings
Veridas: No discrete product names
Yubico: YubiKey

* To be acquired by Microsoft at the end of 2021.

Source: Gartner (December 2021)
