Market Guide for User Authentication

Published: 16 November 2017 ID: G00321165

Analyst(s): Ant Allan, David Mahdi, Anmol Singh

While mature user authentication vendors and orthodox methods have

considerable market presence, the number and variety of technologies and
vendors continue to grow. Security and risk management leaders must take
a strategic approach when selecting vendors to meet needs across multiple
use cases.

Key Findings
■ Regulatory requirements continue to be a dominant driver for investment in this market,
although a check-box mentality is common. Other drivers include threats and actual incidents,
such as phishing attacks, that reveal the weaknesses of legacy passwords.
■ User and customer experience (UX/CX) as well as trust improvements, together with a desire to
reduce total cost of ownership (TCO), fuel interest in new methods, such as mobile push.
■ While many larger legacy vendors are investing in new methods, the market is attracting new
vendors that blend orthodox methods and analytics. In addition, access management (AM)
vendors continue to gain traction in cloud-first enterprises, and some online fraud detection
(OFD) vendors are adding strong customer authentication.

Recommendations
Security and risk management leaders responsible for delivering effective identity and access
management capabilities should:

■ Seek user authentication methods that best provide the necessary balance among trust, TCO
and UX/CX in each use case. Identify candidate vendors that can deliver these methods across
multiple use cases.
■ Look for vendor differentiation in breadth of capability and in experience and expertise in a
relevant vertical market, such as retail banking and healthcare, rather than focusing on legacy
products and services that are increasingly commoditized and horizontal.
■ Seek products and services that integrate rich analytics and adaptive techniques with robust
orthodox, credential-based authentication methods, especially in enterprises taking a lean-
forward stance to address advanced threats that exploit user credentials.
 Strategic Planning Assumptions
By the end of 2020, 90% of large and global enterprises, and 60% of midsize enterprises, will
employ rich analytics and adaptive techniques, up from about 30% and 10% today.

By the end of 2021, user authentication vendors that cannot leverage machine-learning capabilities
will lose market share among large and global enterprises engaging in digital business.

Market Definition
This document was revised on 27 November 2017 and 8 December 2017. The document you are
viewing is the corrected version. For more information, see the Corrections page on gartner.com.

To enhance network, application and data security, reduce fraud and other risks, and to address
specific threats and regulatory requirements, security and risk management leaders seek products
and services that provide user authentication for an enterprise's workforce, partners, customers and
so on, to enable their access to electronic or digital assets owned or managed by, or provided on
behalf of, the enterprise.

User authentication is the real-time corroboration (with an

implied or notional confidence or level of trust) of a person's
claim to an identity previously established to enable their
1
access to an electronic or digital asset.

User authentication is particularly important in identity and access management (IAM), because
confidence in users' identities is foundational to the value of other IAM functions — such as
authorization (especially segregation of duties), audit (individual accountability) and analytics. It also
provides an important element of fraud prevention and secure payment initiatives.

The market encompasses a variety of products and services, implementing a range of

2
authentication methods in addition to, or in place of, legacy passwords.

Orthodox methods are based on one or more credentials, and are typically classified by the kind of
3
credentials, or authentication factors, that they use: "what you know, hold and are (or do)." Many
modern products and services augment these orthodox methods with approaches that apply
analytics to a variety of contextual or other signals that can increase (or decrease) confidence in a
claimed identity. Analytics approaches typically drive adaptive responses that balance risk and trust
4
at the moment of access.

User authentication capabilities are delivered via discrete software, hardware or cloud-based
services, or are embedded in other offerings such as operating systems (OSs), AM and OFD tools.

Page 2 of 51 Gartner, Inc. | G00321165

 Figure 1 summarizes the scope of the user authentication market. The height of "Products and
Services" rectangles indicates the notional prevalence of each kind of solution within this market.
The "pie" at bottom right represents our Trusted Identity Corroboration Model (TICM; see Note 1).

Figure 1. The Scope of the User Authentication Market

CASB: cloud access security broker.

Source: Gartner (November 2017)

Market Direction
The authentication market is populated with mature vendors and a growing number of new entrants,
including those in and from adjacent markets (especially AM and OFD). It also includes wholly new
vendors offering new twists on orthodox methods or blending orthodox methods with analytics.

Among these, most significantly for the evolution of the user authentication market, many AM
vendors embed phone-as-a-token methods and more, rivaling the capability of some mainstream
vendors. These are increasingly viable alternatives to stand-alone user authentication products and
5
services for cloud-first enterprises. In addition, a number of AM vendors offer discrete user
authentication services, enabling them to more easily displace incumbent vendors.

Gartner, Inc. | G00321165 Page 3 of 51

 At the same time, several user authentication vendors are expanding functionality into adjacent
markets. For example, Gemalto's SafeNet Trusted Access provides web and cloud single sign-on
(SSO) functionality of an AM service, while still lacking the broader functionality of vendors in that
market, such as Okta, Ping Identity and SecureAuth.

Working groups, promoting industry standards, such as Fast IDentity Online (FIDO) Alliance,
continue to make progress. Although deployments remain nascent, FIDO is gaining support,
especially among vendors in Asia/Pacific. FIDO provides a common standards-based framework for
authentication that can eliminate the need for centrally managed passwords, which are a magnet for
attackers. The framework potentially enables enterprises to easily change the methods they use
over time, since any FIDO Authenticator works with a FIDO-compliant infrastructure. Security and
risk management leaders should note that FIDO is making its way into their enterprises via Windows
10, with Windows Hello for Business (see "Innovation Insight for Fast IDentity Online Protocols").
Gartner recommends gaining familiarity and insight by conducting research into Windows Hello for
Business, as this will likely influence authentication strategies in the short term to midterm,
especially as third-party vendors are beginning to offer integration with Windows Hello for
6
Business.

While defeating attacks and increasing trust in legitimate users' identities is a key driver for
authentication "beyond passwords," choices of new methods across all use cases are increasingly
7
guided by UX and especially CX needs, as well as TCO considerations.

Phone-as-a-Token Methods
Phone-as-a-token methods (see "Technology Insight for Phone-as-a-Token Authentication")
continue to be the methods of choice in a majority of new and refreshed token deployments across
8
a wide range of use cases. These methods are among the most widely available in the market.

One-time password (OTP) apps for phones are becoming accepted in higher-risk use cases,
9
although OTP hardware tokens (or smart cards and the like) still dominate. OTP apps or, more
commonly, out-of-band (OOB) methods are used in banking and similar sectors to provide
10
transaction authorization. However, legacy OOB methods are increasingly vulnerable and should
11
be deprecated in at least higher-risk use cases. More vendors now offer OTP-less mobile push
modes that offer trust, TCO and UX/CX benefits over OTP apps and OOB SMS and voice modes.
Gartner projects that mobile push will become the dominant phone-as-a-token method over the
next one to two years.

Smart Cards and Other Public-Key Hardware Tokens

Smart cards and other public-key hardware tokens (see "Technology Insight for Public-Key
Authentication Tokens") are the most technically mature and most popular alternative to passwords
for Windows PC and network login, but as relatively few enterprises use an alternative, overall
12
adoption is rather low. Other options include public-key credentials ("user certificates") on the
13
endpoint device, maybe taking advantage of hardware protection ("virtual smart card"), or on a
14
smartphone connecting to a PC or tablet via Near Field Communication (NFC) or Bluetooth LE

Page 4 of 51 Gartner, Inc. | G00321165

 Nascent Bluetooth LE tokens holding public-key credentials might provide an alternative that can be
easily used with any endpoint device.
15
Some enterprises use contact and hybrid smart cards as common access cards (CACs), but
Gartner clients' interest in this technology remains low in vertical industries other than federal
government, healthcare, higher education, manufacturing and utilities.

Biometric Methods
Biometric methods (see "Technology Insight for Biometric Authentication") remain niche, but are of
increasing interest.

Fingerprint remains the most widely used biometric mode, with the technology embedded into a
wide range of notebook PCs and smartphones. Apple Touch ID in particular has generated a lot of
hype. Many banks have integrated Touch ID into their iOS apps, but the security value is limited; the
primary goal is improved CX. Face ID in iPhone X offers performance advantages over Touch ID and
other vendors' embedded fingerprint and face methods, but enterprises are still constrained by
16
design decisions made by Apple.

Gartner sees more strategic value in modes that can be implemented in software on any device and
use ubiquitous input devices. We see continued adoption of these modes in mobile banking, but
17
corporate workforce use for mobile remains nascent. Gartner projects significant growth in
adoption of nonfingerprint modes over the next few years, backed by mainstream authentication
vendors' partnerships with or acquisition of biometric vendors.

The FIDO Universal Authentication Framework (UAF) facilitates the integration of local (on-device)
biometric authentication with downstream services, but adoption is still nascent, uneven across
geographic regions (with notably more interest in Asia/Pacific), and the main obstacle is lack of
platform support. FIDO's impact on the user authentication market remains unclear.

Windows Hello for Business provides out-of-the-box support for a variety of biometric modes (such
as face). Thus, Hello offers alternatives to smart cards for Windows PC and network login. However,
because a local PIN remains available as a backup method, Hello doesn't provide the same level of
18
trust as smart cards.

Passive behavioral biometric methods incorporating gesture, handing and keyboard dynamics can
provide continuous authentication post-login, once a baseline has been established over a user's
first few (up to 10) interactions. Most adoption to date has been in retail banking in the context of
OFD, but these methods have potential benefits in workforce use cases as well, protecting active
sessions without resorting to intrusive timeouts. One vendor (UnifyID) provides "always on" passive
modes on mobile devices, evaluating handling dynamics and gait, among other signals, that can
provide authentication at login to an application or service from that device.

Gartner, Inc. | G00321165 Page 5 of 51

 Analytics and Adaptive Techniques
Analytics and adaptive techniques, common to other identity corroboration tools, continue to grow
in importance.

OFD tools with superior analytics have been adopted by relatively few enterprises outside their core
financial services use cases; some vendors, including CA Technologies and Dell Technologies
(RSA), target such OFD tools at larger enterprises for remote-access use cases. Other OFD vendors
with advanced analytics are now eyeing corporate use cases. A simpler approach suits midsize and
smaller large enterprises, which might be overwhelmed by the complexity of solutions aimed at
online banking.

The majority of mainstream authentication vendors only apply rules to simple contextual data (such
as endpoint device identity and geolocation), and very few consume negative signals that can
19
decrease confidence or indicate an attack or other risk. However, several larger mainstream
vendors, and some AM vendors too, are investing in advanced analytics, often integrating third-
party OFD or passive behavioral biometric technologies. Some vendors include these capabilities in
their base products and services, while others provide them as a premium option. In addition, new
vendors blending orthodox methods with advanced analytics are entering the market.

Over the next few years, Gartner projects that advanced analytics will see increased adoption in
20
mainstream use cases. However, security and risk management leaders should note that few
regulations demanding two-factor or multifactor authentication accept analytics techniques as a
21
single factor.

A well-established option for bring your own identity (BYOI; see "Innovation Insight for Bring Your
22
Own Identity") is the use of social login for low-risk online consumer access. Social login can
provide consumerlike UX for an enterprise's workforce. However, social identities are less
trustworthy than corporate identities, so security and risk management leaders must be able to
provide appropriate trust elevation for higher-risk access, within the context of adaptive techniques.

Higher-trust BYOI options include bank identity (such as the schemes established in northern
European countries and SecureKey Concierge), mobile identity (such as GSMA Mobile Connect)
and government electronic identity (e-identity). However, they are still nascent or geographically
restricted.

Few mainstream authentication vendors provide support for any BYOI options, but many AM
vendors can support social login and GSMA Mobile Connect (which uses the same standard
protocols as social login). Only a few vendors (such as Nexus Group, Safewhere and Signicat)
support bank identity or government e-identity.

Cloud-Delivered Authentication Services

Cloud-delivered authentication services continue to grow faster than the overall growth for this
market, and Gartner projects that this will continue, as multitenanted services mature and as cloud
becomes more widely adopted as a more effective way of delivering any application or service in
23
light of macroeconomic trends that will constrain staffing. This is also reflected in the increasing

Page 6 of 51 Gartner, Inc. | G00321165

 use of cloud-delivered AM tools and the increasing use of those tools to meet user authentication
24
needs in cloud-forward enterprises. On-premises solutions will persist in the longer term,
especially in more risk-averse enterprises that want to retain full control of user authentication
processes or support local access without dependence on internet connectivity.

Market Analysis
Security and risk management leaders, especially those focusing on IAM and fraud prevention, as
well as business leaders focusing on customer IAM, seek user authentication solutions to meet the
needs of one or many use cases in their enterprises. Use cases differ in the following criteria:

■ 25
Trust versus risk
■ TCO versus justifiable and available budget
■ 7
UX/CX versus users' needs
■ 26
Other technical and operational needs and constraints

Some methods suit a wide range of use cases, and many vendors offer tools that offer or support a
variety of distinct methods. However, security and risk management leaders might not find a single
solution that meets their needs across multiple use cases. Nevertheless, it is still possible to find a
27
single vendor, if not a single product or service, that can meet diverse needs.

This analysis explores enterprises' needs across the following patterns that fit the most common
scenarios we see in client inquiries and other interactions:

■ Workforce PC and network login

■ Workforce/partner remote access (via VPN, virtual desktop infrastructure [VDI] or web-facing
application)
■ Privileged access (systems administrators and other privileged users with access to critical
infrastructure)
■ Workforce/partner access to SaaS applications
■ Online and mobile retail banking
■ Other online B2C and government-to-constituent (G2C) access

Some of these patterns roll up multiple fine-grained use cases. There are a few other patterns and
discrete use cases that Gartner sees less often, that have less clear or less well-established best
practices.

Gartner, Inc. | G00321165 Page 7 of 51

 Workforce PC and Network Login
Prevalent methods: Public-key hardware tokens; fingerprint and other biometric methods; OTP
hardware tokens; phone-as-a-token methods; FIDO (Windows Hello for Business)

Gartner sees this pattern in a large minority (30% to 40%) of large and global enterprises, and a
smaller fraction of midsize enterprises.

Public-key hardware tokens dominate, largely because of the combination of native support for
"interactive smart card login" in Windows OSs and the native public-key infrastructure (PKI) services
in Active Directory (Active Directory Certificate Services), which have been available for nearly 20
years. However, workforce users seldom need the high trust that these tokens can provide. Smart
cards, in the form of Personal Identity Verification (PIV) cards, are mandated for U.S. federal
agencies by Homeland Security Presidential Directive 12 (HSPD-12).

Gartner has seen some corporate adoption of fingerprint-enabled notebook PCs, but few
28
organizations mandate the use of these capabilities. Nevertheless, we do see some use of third-
party biometric authentication, especially when security and risk management leaders seek
29
solutions that provide high individual accountability.

Some user authentication vendors support the use of OTP tokens and OOB methods for this
pattern. However, this requires a Microsoft Graphical Identification and Authentication (GINA)
replacement or new credential provider to be installed on every PC, which adds implementation
effort and might be fragile with respect to Windows OS upgrades. More importantly, OTP/OOB
methods provide only a local proxy for the user's Windows password, so an attacker who can
discover the user's password (or socially engineer a password reset) can log in as that user
elsewhere.

Windows 10 adds native support for authentication methods other than smart cards via Windows
Hello for Business, including native support for face, iris and fingerprint modes. However, even
where enterprises have now rolled out Windows 10, adoption of Windows Hello for Business has
not been a priority, especially given the hardware requirements for the new biometric modes.
30
Mainstream adoption will be uncommon until at least the second half of 2018. Security and risk
management leaders in enterprises rolling out Windows 10 should contact Gartner to discuss the
potential impact on their user authentication choices.

Some vertical industries have unique use cases. In healthcare, for example, UX is at a premium
because timely access to personal health information via share workstations is crucial to patient
care. The emphasis here is on "single touch" authentication methods, including contactless cards
(public-key hardware tokens or building access cards) or biometric methods (mainly fingerprint).

Workforce/Partner Remote Access

Prevalent methods: OTP hardware tokens; phone-as-a-token methods; analytics and adaptive
techniques; public-key hardware tokens

Page 8 of 51 Gartner, Inc. | G00321165

 This pattern continues to be the bread-and-butter of the enterprise user authentication market. We
see it in the majority of large and global enterprises, but a rather smaller fraction of midsize
enterprises.

OTP tokens and OOB methods dominate. The key advantage of all of these methods is that they
require no workstation client software or interface devices, enabling their use with a variety of PCs
and other endpoint devices that might be outside the company's control (for example, an
employee's home PC or tablet). As noted in the Market Direction section, phone-as-a-token
31
methods are now far more popular than OTP hardware tokens. However, OTP hardware tokens
32
might still be indicated for some users for security or operational reasons.

We see a small but growing use of analytics and adaptive techniques in this pattern. The main
benefit is to improve UX for users who are routinely connecting from home or partner offices to
33
access low-risk to medium-risk systems.

Public-key hardware tokens are sometimes used, especially where an enterprise has already
deployed them for PC and network login. However, problems with smart card readers and
34
middleware are hard to resolve remotely, impacting user productivity.

Privileged Access
Prevalent methods: OTP hardware tokens; public-key hardware tokens; OTP apps; mobile push

This pattern is widespread among large and global enterprises, but rather less common among
35
midsize enterprises.

OTP hardware tokens dominate, but public-key hardware tokens are also widely used. The choice is
largely influenced by what the enterprise is using for either of the patterns described above. In
particular, we see that many enterprises historically adopted OTP hardware tokens for remote
access and simply reused that incumbent method, especially for system administrators with remote
access for out-of-hours support.

The choice is also influenced by the constraints of integration with multiple target systems, with
variable support for different methods. These constraints will depend on an enterprise's privileged
account management (PAM) strategy. Providing system administrators and the like with access to
target systems via shared accounts under the aegis of a modern PAM tool, rather than via personal
accounts on each target system, means that there is a single point of integration for user
36
authentication.

Some enterprises are now using OTP apps and mobile push, but the majority still favor hardware
37
tokens for security and operational reasons. OTP apps and mobile push modes are particularly
38
appropriate choices for external privileged users (such as vendor technicians).

Gartner, Inc. | G00321165 Page 9 of 51

 Workforce/Partner Access to SaaS Applications
Prevalent methods: OTP hardware tokens; phone-as-a-token methods; analytics and adaptive
techniques

This pattern has become more popular as enterprises have made greater use of cloud services.

The preferred authentication methods here are very similar to those used for workforce/partner
remote access. Many enterprises are simply leveraging federated SSO support to extend the
solution that they have in place for that pattern.

The notable difference is that a small but growing number of cloud-first enterprises are looking
exclusively to an AM tool to meet their user authentication needs, potentially displacing an
5
incumbent user authentication vendor.

In this use case, a CASB might provide appropriate analytics capabilities to enable, or enhance, an
adaptive approach in conjunction with an AM or stand-alone user authentication tool. One CASB
vendor (CensorNet) acquired a user authentication vendor to integrate this workflow.

Online and Mobile Retail Banking

Prevalent methods: OTP hardware tokens, including remote chip authentication (RCA); phone-as-a-
token methods; analytics and adaptive techniques; biometric methods (in mobile use cases)

This pattern is commonplace across banks worldwide, sometimes driven by local regulations.

Analytics and adaptive techniques are widely used in this pattern, but in OFD tools, rather than
stand-alone user authentication tools. However, there are some geographic limitations, often
because of cultural mistrust of any kind of surveillance (such as in Eastern Europe).

OFD tools often exploit passive behavioral biometric modes together with other analytics to
corroborate the claimed customer identity, without the need for the friction of an additional orthodox
method. The tools can identify attacks or other risks or anomalies that elevate risk, prompting trust
elevation.

The range of orthodox authentication methods used for online banking is wide. There are some
clear geographical preferences, even without the constraints of local regulations, but even within
one country (for example, the U.K.) there can be wide variation.

Many banks take a two-tier approach, with a low or medium level of trust for initial login, and a
medium or high level of trust (via step-up authentication or transaction authorization) for potentially
risky transactions identified by OFD tools or static rules. Eastern European, Latin American and
Asian banks generally choose the higher trust option in each case.

The following methods are widely used, broadly in order of increasing trust:

■ 39
Enhanced passwords and "knowledge-based verification" (KBV; initial login only).

Page 10 of 51 Gartner, Inc. | G00321165

 ■ Phone-as-a-token methods, especially OOB SMS modes, although these are now less than
reliable.42 Some of the phone-as-a-token authentication tools aimed at the banking sector
incorporate analytics, consuming signals provided by the phone itself.
■ OTP hardware tokens or RCA, using Europay, Mastercard and Visa (EMV) payment cards with
40
handheld card readers.

Gartner sees many banks, especially in Anglophone countries, exploiting the same analytics
techniques they use for identity proofing and substantiation for new accounts for trust elevation for
4
existing customers, as an alternative to using the orthodox methods in the last two bullets above.

Mobile retail banking breaks some of these approaches for customer authentication; for example,
where the token converges with the endpoint device, it can no longer provide independent, and
therefore robust, transaction authorization. Banks seeking to better balance trust and CX are
beginning to adopt a variety of biometric modes: device-embedded biometric modes (typically
fingerprint and, more recently, iris) are widely used for initial login and offer better CX, but third-party
16,17
biometric modes are increasingly preferred for trust elevation in this use case.

Other Online B2C and G2C Access

Prevalent methods: Phone-as-a-token methods; analytics and adaptive techniques; biometric
methods (nascent in mobile use cases)

Many financial services enterprises, especially health insurance, are adopting a pattern similar to
online retail banking's. While there is no dominant pattern for other B2C and G2C, and many
enterprises still employ nothing beyond passwords, Gartner sees some other subpatterns emerging:

■ Many social networks, mobile network operators (MNOs) and some other consumer-focused
services use phone-as-a-token methods, especially OOB SMS modes, to support their
forgotten password processes. This is an alternative to sending email to users (with links to a
password reset page) that provides better security and UX/CX. Some global social networks
also make extensive use of analytics and adaptive techniques, and this is sometimes exploited
by smaller service providers (such as in Google reCAPTCHA).
■ We see some interest in using single-factor OOB authentication methods as a full alternative to
passwords for online services that are accessed infrequently. Therefore, users commonly forget
their passwords from one visit to the next. An OOB SMS text to a registered phone number
provides an "unforgettable" password; however, the increased risks of this mode mean that it
doesn't provide as big a step up in trust over passwords, and it should be used with caution.
■ Where social login is supported to avoid customers having to remember yet another username
and password, some enterprises use analytics and adaptive techniques with phone-as-a-token
methods for trust elevation. Integration with GSMA Mobile Connect potentially kills two birds
with one stone, but we still see little client interest in this.

Gartner, Inc. | G00321165 Page 11 of 51

 ■ There is nascent use of biometric authentication in G2C use cases in some geographies,
especially Asia/Pacific, primarily leveraging device-embedded methods (fingerprint and iris)
rather than third-party technologies.

Summary
Table 1 sets out our assessment of the prevalence and suitability of different kinds of authentication
method across the major patterns.

Page 12 of 51 Gartner, Inc. | G00321165

 Table 1. Prevalence and Suitability

OTP hardware tokens

EMC RCA

OTP apps for smartphones

OOB SMS or voice

Mobile push

Public-key hardware tokens

Public-key credentials for smartphones

Fingerprint*

Other active biometric modes

Passive behavioral biometric modes

Device identity and location awareness

Broad contextual, adaptive techniques

Workforce ■ — ■ ■ ■ ■■■■ ■ ■ ■ — — —
PC and ✔ ✘ ✔ ✘ ✔ ✔✔ ✔✔ ✔ ✔✔ ✔✔ ✘ ✔
network
login

Workforce/ ■■ — ■■■ ■■ ■■ ■ ■ ■ ■ ■ ■■ ■
partner ✔ ✘ ✔✔ ✔ ✔✔✔✔ ✔ ✔✔ ✔ ✔✔ ✔✔ ✔✔ ✔✔✔
remote
access

Privileged ■■■ — ■■ ■ ■ ■■ ■ — — — — ■
access ✔✔ ✘ ✔ ✘ ✔✔✔ ✔✔ ✔ ✘ ✘ ✔✔ ✘ ✔✔

Workforce/ ■ — ■■■ ■■ ■■ ■ ■ ■ ■ — ■ ■
partner ✔ ✘ ✔✔ ✔ ✔✔✔ ✔ ✔✔ ✔ ✔✔ ✔✔ ✔✔ ✔✔✔
access to
SaaS
applications

Online and ■■ ■■ ■ ■■ ■■■ ■ ■ ■ ■ ■■ ■■■■ ■■■

mobile retail ✔ ✔✔ ✔ ✘ ✔✔✔ ✘ ✔✔ ✔ ✔✔ ✔✔✔ ✔✔✔ ✔✔✔✔
banking

Other online — — ■ ■■■ ■■ ■ ■ — — — ■■ ■

B2C and ✘ ✘ ✔ ✔ ✔✔ ✘ ✔✔ ✘ ✔✔ ✔✔✔ ✔✔ ✔✔✔
G2C access

Prevalence is represented by one to four square bullets, with four bullets indicating that the method is commonplace in the pattern,
and with a dash indicating no prevalence. Suitability is represented by one to four check marks, with four indicating that the method is
the best suited in the pattern. A cross indicates that we deprecate the use of that method.
* Fingerprint: This does not include device-embedded modes integrated with OTP or push apps.

Source: Gartner (November 2017)

Gartner, Inc. | G00321165 Page 13 of 51

 Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

A representative vendor listed in this Market Guide has the following characteristics.

■ Provides either or both of:

■ One or more stand-alone products or services implementing an authentication decision
point (ADP), delivered via dedicated infrastructure (software, hardware or cloud-based
services) or self-contained client software (including software development kits [SDKs]).
■ Products (such as OTP hardware tokens or cryptographic smart cards) that can be
consumed by any compatible ADP (including those embedded in OSs and the like).
■ Typically provides user authentication by the use of orthodox credentials curated by the
implementing enterprise. It might also incorporate:
■ Analytics (from simple rules to machine learning) evaluating evidence (signals, indicators,
contextual data, etc.) that can modify the level of trust in an identity claim or drive adaptive
responses such as "step-up authentication."
■ Other identity corroboration capabilities, such as BYOI integration.

The representative vendors do not constitute an exhaustive list of all providers with these
characteristics (which number in the hundreds). This research aims to provide Gartner clients with
an illustrative view of the varied offerings available, taking account of market presence, diversity of
authentication methods and delivery options, citations in and relevance to Gartner client
interactions, consonance with overarching market trends, and so on.

Thus, the vendors listed in this Market Guide range from well-established authentication vendors
with significant presence in the market or often cited in client interactions, to notable smaller, less-
often-cited authentication vendors, especially those offering potentially transformational
technologies or approaches delivering on the future needs of end-user organizations.

Some vendors in adjacent markets covered by Gartner market research, especially AM and OFD,
build user authentication capabilities into those products and services that can meet an enterprise's
wants and needs as described in the Market Definition section. Many Gartner clients include AM
vendors, such as Okta, Ping Identity and SecureAuth, in shortlists of "user authentication" vendors,
even for non-SaaS use cases (however, vendors' support for and experience with non-SaaS use
cases varies widely). Other clients include OFD vendors, such as Easy Solutions and ThreatMetrix,
in their shortlists for strong customer authentication.

Unless such a vendor also has a stand-alone user authentication product or service, it is not
included as a representative vendor here; readers are encouraged to review "Magic Quadrant for
Access Management, Worldwide" and "Market Guide for Online Fraud Detection."

Page 14 of 51 Gartner, Inc. | G00321165

 Table 2. Forty Representative User Authentication Vendors

Vendor HQ (ISO Description

3166-1
Alpha-2 or
ISO
3166-2:US)

AimBrain UK AimBrain is a more recent market entrant that targets the finance sector with its
authentication service, which combines server-side biometric authentication
using proprietary face, voice and behavioral modes with advanced analytics
techniques. It focuses on fraud detection and adaptive authentication for
customers in mobile banking use cases (pertinent to this research) as part of an
omnichannel approach that also includes branch, ATM and contact center.

BehavioSec SE BehavioSec is a well-established vendor, providing continuous authentication

based on the assessment of a variety of behavioral biometric traits. These
technologies can also provide negative signals, such as indicators of malicious
bot activity. BehavioSec targets banking, among other verticals, and is designed
to be used with enterprises' "risk engines" in OFD and other user authentication
products and services. It has OEM relationships with several vendors in these
markets.

BIO-key US-NJ BIO-key is a well-established biometric-centric authentication vendor,

specializing in fingerprint-based methods, but also providing authentication
tokens. Its sensor-agnostic software solutions include an enterprise platform for
web platforms and applications, as well as turnkey solutions for Windows, EPIC,
Allscripts and web (SAML). It also offers Windows-Hello-certified USB fingerprint
sensors. BIO-key holds multiple patents related to biometric authentication,
secure transport and process integrity, and processing, and its fingerprint
solutions are widely used in use cases out of scope for this Market Guide.

CA Technologies US-NY CA Technologies (CA) offers a combined authentication and OFD platform that is
delivered as server software and as a cloud service. In addition, third-party cloud
service providers (CSPs) offer a white-label version of CA's service. All offerings
support a wide range of authentication methods. CA also provides payer
authentication for card-not-present transactions (out of scope for this research)
and is a prominent vendor in other IAM markets, including access management.

Callsign UK Recent market entrant Callsign offers Intelligence Driven Authentication Solution,
which applies advanced analytics to device, location and behavior signals to
provide dynamic workflows for adaptive authentication, and supports a range of
methods for trust elevation. It targets consumer and workforce use cases,
including support for mobile, web, cloud and data center applications, VPNs and
physical and virtual desktops, and telephone channel use cases.

Cognitas US-TX Cognitas offers two phone-as-a-token authentication options, as well as support
Technologies for a broader range of third-party methods, and for web, cloud and remote
access use cases. Cognitas has solutions for remote access and mobile security
in addition to its offerings in this market.

Crossmatch US-FL A long-established biometric vendor, Crossmatch offers DigitalPersona

Composite Authentication, which supports a wide range of orthodox
authentication methods as well as analytics for time, velocity, location and
behavior signals. DigitalPersona targets web, cloud, VPNs and desktop use
cases, and has custom solutions aimed at banking (via integration with Temenos)

Gartner, Inc. | G00321165 Page 15 of 51

 Vendor HQ (ISO Description
3166-1
Alpha-2 or
ISO
3166-2:US)
and U.S. public sector organizations. Crossmatch also offers biometric solutions
in other markets, including citizen identity, law enforcement, payments and time
and attendance.

CryptoPhoto AU Recent market entrant CryptoPhoto offers an unusual variation on mobile push
authentication aimed at customer use cases. A customer has to match an image
displayed on the login page with one of a small selection of images (from a larger
set) displayed in the app. This session verification mechanism, which
CryptoPhoto calls "verifier impersonation resistance," blocks phishing and
doesn't significantly erode the good CX common to mobile push modes.

Daon US-VA A long-established biometric professional services vendor, Daon entered this
market with its IdentityX solution several years ago. IdentityX augments common
phone-as-a-token modes with a variety of biometric modes. The solution is
targeted primarily (but not solely) at online and mobile banking.

Dell US-MA RSA is a subsidiary of Dell Technologies following the latter's 2016 acquisition of
Technologies EMC. RSA is a long-established provider in this market, very well-known for its
(RSA) OTP hardware tokens first offered by Security Dynamics in 1986, now branded as
RSA SecurID. RSA now offers a wide range of authentication methods, split
across different products and services. RSA also engages in other IAM markets.

Duo US-MI Duo was one of the first vendors in the market to offer mobile push
authentication, in addition to other phone-as-a-token methods and support for
third-party OTP hardware tokens, such as Yubikey. It offers four editions of its
cloud-delivered authentication service, from Duo Free to Duo Beyond, which has
the broadest range of capabilities. All Duo editions (except Free) include web
SSO capability and adaptive authentication, including the ability to check users'
device hygiene (such as for out-of-date software or missing security controls).

Entrust Datacard US-MN Entrust Datacard offers a wide-focus authentication product and a new cloud-
delivered service, both of which support a very wide range of methods. It was
one of the first vendors in the market to offer mobile push technologies and to
support the use of a smartphone for Windows login. Entrust Datacard is
executing on a roadmap to build out richer analytics capabilities, including a
partnership with iovation for device reputation, and integrates a variety of
biometric methods. It also engages in other markets, including physical access,
Internet of Things (IoT) security, citizen identity and border control.

EZMCOM IN EZMCOM offers a wide-focus authentication product and a new cloud-delivered

service, both of which support a very wide range of methods. It targets both
customer and workforce use cases in banking, retail and other vertical industries.
It has a significant presence in Asia/Pacific, and is gaining traction in Europe and
other geographies. It provides identity proofing and substantiation based on OCR
as well as ICAO passports using biometric comparison of the passport photo
with the person's face, and can automatically enroll the person for subsequent
biometric authentication.

FacePhi ES FacePhi is a biometric authentication vendor with a tight focus on the use of face
for mobile banking customer authentication. It can support both local and

Page 16 of 51 Gartner, Inc. | G00321165

 Vendor HQ (ISO Description
3166-1
Alpha-2 or
ISO
3166-2:US)
centralized biometric data storage, comparison and matching, and recently
gained FIDO accreditation. Its customers are chiefly in Latin America and Europe.

Forticode AU Recent market entrant Forticode offers Cipherise, a novel phone-as-a-token

authentication product. Cipherise enables passwordless login via a mobile push
app, which provides a range of risk-appropriate responses to complete
authentication, including simple notification, acknowledgment, and
cryptographically protected public-key credentials. The cryptographic protection
is enabled by on-demand secret key generation via a "scrambled" PIN pad. A
QRcode option enables login without a username. Cipherise can also support
contact center (inbound and outbound) and physical access use cases.

Gemalto NL Gemalto has two wide-focus authentication portfolios: Gemalto Digital Banking,
targeted at consumer and corporate e-commerce; and SafeNet, targeted at
workforce use cases. Gemalto offers a very wide range of authentication
methods and adaptive authentication capabilities in each portfolio. Gemalto also
engages in other markets, including physical access, IoT security, citizen identity,
payment cards, transportation and mobile. In 2017, Gemalto acquired 3M's
identity management business, 3M Cogent, extending the range of biometric
technologies in its authentication portfolios.

HID Global US-TX HID Global has a wide-focus authentication portfolio, including the HID ActivID
Authentication Server, encompassing a wide range of authentication methods.
HID Global targets online retail banking and remote access use cases in midsize
and large enterprises, as well as U.S. federal agencies, where it claims a majority
share of the Personal Identity Verification (PIV) market. The company is a wholly
owned subsidiary of ASSA ABLOY and engages in other markets, including PKI,
IoT security, and physical access control (including IAM integration via Quantum
Secure).

i-Sprint SG Owned by Automated Systems Holdings Limited (ASL), a subsidiary of Teamsun

Innovations Technology, i-Sprint's core offering in this market is AccessMatrix Universal
Authentication Server (UAS), one of an integrated set of IAM products and
services. It supports a wide range of authentication methods, and i-Sprint has a
strong market focus on customer authentication in banking, especially in Asia/
Pacific.

Idemia FR Formed in 2017 from the merger of Oberthur Technologies and Safran Identity
and Security (formerly Morpho), Idemia's portfolio spans a very wide range of
authentication methods. The new company has set out a strategic direction with
biometric methods at the forefront of what it calls "augmented identity." Idemia's
user authentication solutions are primarily targeted at the banking vertical. The
company engages in other markets, including IoT security, telecom, citizen
identity and public security (including law enforcement).

ImageWare US-CA IWSY is a long-established biometric company that entered this market with its
Systems (IWSY) cloud-delivered GoVerifyID service (on Amazon Web Services). The service
supports several different biometric modes from multiple OEM partners, as well
as phone-as-a-token authentication. It can be readily integrated via standard
identity federation protocols and APIs, and offers flexible authentication

Gartner, Inc. | G00321165 Page 17 of 51

 Vendor HQ (ISO Description
3166-1
Alpha-2 or
ISO
3166-2:US)
workflows. The service is also offered under license by Fujitsu. IWSY's Enterprise
Edition extends integration to internal Microsoft Windows AD environments and
Azure AD.

KeyIdentity DE KeyIdentity is well-established in the DACH region, Benelux, U.K. and U.S., with
both the open-source LinOTP authentication platform and the commercial
offering that significantly extends LinOTP's functionality. KeyIdentity's Multi-
Factor Authentication (MFA) platform adds additional authentication methods,
transaction authorization (including "four-eyes" scenarios), API-based integration
and tailored workflows, and support for Windows and macOS desktop login
(including offline OTP authentication), as well as for Linux. KeyIdentity
development and support is completely based in Germany.

Kobil Systems DE Kobil Systems is a long-established vendor in this market, with market traction in
Europe, the Middle East and Asia/Pacific. Its current portfolio includes PKI
components, the Smart Security Management Server platform and the mAST
mobile SDK. Kobil targets multiple verticals, including financial services,
healthcare and energy. Its portfolio provides strong customer authentication and
transaction authorization, protecting native and web apps, along with secure
messaging (such as chat) and document signing.

Micro Focus UK Micro Focus's authentication offerings have a long pedigree in the market, going
(NetIQ) back to its genesis in Novell. Micro Focus Advanced Authentication provides an
open framework that orchestrates a range of authentication options targeted at
workforce use cases, including SaaS (via SAML), web (via API), Windows, macOS
and Linux desktop login. It can be co-implemented with Micro Focus Access
Manager or used as a stand-alone solution.

Microsoft US-WA Microsoft offers Azure Multi-Factor Authentication (MFA) as a cloud-delivered

service supporting a range of phone-as-a-token methods. Third-party OTP
hardware tokens, such as YubiKey, can also be supported, although this requires
on-premises infrastructure. Azure MFA is available as a discrete service, but is
widely acquired as part of an Azure bundle such as Enterprise Mobility + Security.
It is fully integrated with Azure AD Premium, Microsoft's access management
offering. A subset of Azure MFA's capabilities are available with Office 365
licenses and for administrators of Azure tenants.

Nok Nok Labs US-CA Nok Nok is a more recent market entrant, targeting consumer-facing mobile and
web applications in enterprises seeking to deploy a solution built around FIDO
authentication protocols. Nok Nok S3 Authentication Suite provides an out-of-
the-box, FIDO-certified authentication server along with SDKs for mobile clients,
authenticators and IoT devices. The majority of its customers are in North
America, Europe and Japan, across telecom, financial services and retail
verticals. Nok Nok Labs is one of the original founders of the FIDO Alliance and
author of its primary standards.

Nuance US-NY Nuance is a well-established voice and language technology vendor, with
conversational and cognitive artificial intelligence solutions. Nuance's biometric
voice authentication is widely used in contact centers and interactive voice
response systems for caller verification and fraud detection. It has a presence in
this market via its voice authentication for digital channels. It has recently added

Page 18 of 51 Gartner, Inc. | G00321165

 Vendor HQ (ISO Description
3166-1
Alpha-2 or
ISO
3166-2:US)
face modes, combining additional technologies for liveness testing and lip
tracking; passive behavioral biometric modes; and device and network
capabilities for fraud detection.

Nymi CA-ON Nymi, a more recent market entrant, offers the Nymi Band, a Bluetooth- and
NFC-enabled wearable token integrating an electrocardiogram (ECG) biometric
mode that offers continuous two-factor authentication. Nymi provides SDKs for
custom integration, and supports PC and network login via the Microsoft
Companion Device Framework in Windows Hello for Business. The Nymi Band
also offers native support for many physical access control systems.

One Identity US-WA One Identity is the IAM subsidiary of Quest Software. Defender, its core
authentication platform, has a long history in this market, through multiple
acquisitions and divestments. Defender integrates with Active Directory for
identity management, and supports OTP hardware and software tokens. One
Identity also offers a cloud-delivered service, Starling Two-Factor Authentication,
which supports phone-as-a-token authentication. Both solutions are targeted at
enterprise workforce use cases.

Raonsecure KR Raonsecure, a more recent market entrant targeted at banking, government and
enterprise customers in the Asia/Pacific region, offers a FIDO-certified biometric
authentication solution, TouchEn OnePass. This supports a variety of biometric
modes, as well as a PIN and a pattern-based authentication mode, directly for
mobile use cases and via mobile push for PC use cases. Raonsecure also offers
TouchEn mOTP for OOB authentication.

Samsung SDS KR Samsung SDS, formerly the IT service provider for the Samsung Group, is now a
proprietary solutions provider. It recently entered this market with Nexsign, a
FIDO-certified biometric authentication solution for mobile use cases in finance,
government and large enterprises. It also addresses physical access and digital
business use cases.

Secret Double IL Secret Double Octopus recently entered this market with its proprietary phone-
Octopus as-a-token solution that enables password-free authentication for workforce use
cases, including Windows PC and network login, and access to applications.
Secret Double Octopus uses multichannel techniques to protect against
authenticator cloning, man-in-the-middle (MITM) attacks and key theft. It has
early traction in Europe, the U.S. and Asia/Pacific.

SecuredTouch IL SecuredTouch is a new market entrant that applies machine learning to analyze a
variety of behavioral biometric traits on mobile devices. Its offerings provide
continuous authentication (U-Nique, as well as Continew-ID for Android devices)
and discover malicious bot activity via negative signals (Humanobot).
SecuredTouch targets banking and other financial industries for customer
authentication and fraud prevention. Its solutions generate a risk score that can
be consumed by customers' OFD tools.

STC Group RU (US-NY) STC, which trades as SpeechPro in the U.S., is an established voice technology
vendor, with speech recognition and other solutions as well as its biometric
authentication offerings. Its voice biometric technology is used in contact centers

Gartner, Inc. | G00321165 Page 19 of 51

 Vendor HQ (ISO Description
3166-1
Alpha-2 or
ISO
3166-2:US)
for caller authentication, and has a presence in this market via its combined face
and voice modes for mobile, web and desktop use cases. Its combination of
face- and text-dependent voice modes enables analysis of lip movements for
enhanced liveness testing.

Symantec US-CA Symantec's cloud-based service, Symantec Validation & ID Protection (VIP), is
well-established in the authentication market. VIP offers a wide range of
authentication methods addressing workforce, partner and customer use cases.
Symantec VIP Access Manager adds SSO capability to web and cloud
applications. Symantec has tightly integrated VIP with its DLP, CASB and
encryption offerings.

TeleSign US-CA TeleSign offers a cloud-delivered authentication service offering a range of

phone-as-a-token methods delivered via APIs and SDKs. It also offers PhoneID,
which uses phone number data to drive adaptive authentication. TeleSign
engages directly with global and large enterprises, especially cloud service
providers, as well as with developers via its self-service platform. TeleSign also
reaches many large and midsize enterprises via OEM agreements with several
other authentication vendors, including some enumerated in this research.

Transmit US-MA Transmit Security is a new market entrant. It combines analytics of contextual
Security and behavioral data with support for a wide range of orthodox authentication
methods, with an emphasis on biometric modes. Transmit Security targets
banking and other financial industries, addressing mobile and web use cases as
part of an omnichannel approach that offers a unified authentication experience
for customers.

Twilio US-CA Twilio is a cloud communications platform vendor that enables enterprises to add
messaging, voice, and video in web and mobile applications. It entered this
market with its acquisition of Authy in 2015. Twilio Two-factor Authentication
(2FA) is a phone-as-a-token authentication service targeted at customer-facing
service providers, and designed to be easily integrated in web and cloud
applications. It has significant traction across multiple vertical industries and has
OEM agreements with a small number of IAM vendors.

Vasco Data US-IL Vasco Data Security International (Vasco), a long-established vendor in this
Security market, offers its Trusted Identity Platform, which includes a wide range of
International authentication methods and analytics for diverse signals. It supports integration
with third-party fraud detection tools, which is relevant to its strong focus on
customer authentication in banking. Vasco has a significant presence in this
vertical market in Europe and Latin America, as well as horizontal enterprise
customers globally.

WatchGuard US-WA Network security vendor WatchGuard acquired pure-play authentication vendor
(Datablink) Datablink in 2017. The company has a strong customer base in banking in Latin
America, based on Datablink's earlier acquisition of BRToken. WatchGuard plans
to develop Datablink's mobile push technologies as part of a cloud service
targeted mainly at midsize enterprises.

Yubico SE + US-CA Yubico is probably best-known for its distinctive YubiKey multiprotocol OTP,
Universal Second Factor (U2F) and public-key hardware tokens, which are also

Page 20 of 51 Gartner, Inc. | G00321165

 Vendor HQ (ISO Description
3166-1
Alpha-2 or
ISO
3166-2:US)
supported by many other vendors. Yubico has some notable deployments with
large global cloud companies, including Google and Salesforce. In partnership
with Google, Yubico actively participates in FIDO, and this partnership is largely
responsible for the FIDO U2F specification. With U2F in Google Chrome, any
personal U2F-compliant token from Yubico or other vendors can be leveraged by
multiple service providers.

Table Notes:
HQ: Country where the vendor is headquartered (ISO 3166-1 alpha-2 codes) and state for U.S.-based vendors.
Description: A brief narrative description of the vendor and its offerings in this market.
Benelux: Belgium, the Netherlands and Luxembourg.
DACH: Germany, Austria, Switzerland.
ICAO: International Civil Aviation Organization.

Source: Gartner (November 2017)

Tables 3 to 5 show the authentication methods offered with and supported by the vendors,
segregated by focus (roughly, by the range and variety of authentication methods offered).

Gartner, Inc. | G00321165 Page 21 of 51

 Vendor

CA

Dell
ogies

match

Page 22 of 51
Cross-

Technol-
Technol-

(#)
Delivery Model

C, O
C, O
C, O
†

✔
OTP Hardware Tokens

(✔)
EMC RCA

✔
OTP Apps for Smartphones

(##)
✔, F
✔, T

✔
OOB SMS or Voice

(✔),
✔, T
Table 3. Wide-Focus User Authentication Vendors

✔
Mobile Push Wide-Focus User Authentication Vendors

✔, F
✔, T

(###)
Public-Key Hardware Tokens

✔ (#)
Public-Key Credentials for Smartphones

✔
Face

✔
Fingerprint

Voice

F
Other Biological Modes

(###)
✔, E,

Other Behavioral Modes

(✔)

✔
✔

Device Identity and Location Awareness

✔
✔

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

(✔)

Notes
card
ware-

cation
cation
vanced
CA Ad-

(#) RSA
(#) Soft-

Authenti-
Authenti-

based "vir-
tual" smart

Gartner, Inc. | G00321165

 Vendor

ogies
(RSA)
Delivery Model

Gartner, Inc. | G00321165

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or Voice

Mobile Push Wide-Focus User Authentication Vendors

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
AA.
O only

access
tive Au-

ice, RSA
(###) Via
(##) Only
Manager

thentica-

manage-
with RSA
AA), C, O
tion (RSA
(RSA AM),

as an SDK

integration

ment serv-
with RSA's
RSA Adap-

Page 23 of 51
 Vendor

card

COM
EZM-
Data-

Page 24 of 51
Entrust

Gemalto
(#)
Delivery Model

C, O
C, O
C, O,
✔

(#)
✔,
OTP Hardware Tokens

B, T
✔, T
EMC RCA

(##)
✔, T
T

✔
✔
OTP Apps for Smartphones

✔, F,
V
✔

(#)
OOB SMS or Voice

✔, T
✔, T,
✔

(#)
Mobile Push Wide-Focus User Authentication Vendors

✔, F, T
✔, F, T
✔
Public-Key Hardware Tokens

(✔)

✔, B
✔
✔
✔
✔ Public-Key Credentials for Smartphones

Face

(✔)
✔, U
†
✔

Fingerprint

† (###)
✔

Voice

Other Biological Modes

Other Behavioral Modes

(✔)
✔ (#)

(####)
✔
✔
✔

Device Identity and Location Awareness

✔
✔

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

(✔)

Notes
vices.
gait on
(#) Plus
Identity
Access.
SecurID

Trust, C;
(#) Intelli-

(#) Trans-

fication is
Guard, O.

supported
supported
mobile de-

action veri-

Gartner, Inc. | G00321165

 Vendor

Delivery Model

Gartner, Inc. | G00321165

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or Voice

Mobile Push Wide-Focus User Authentication Vendors

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
(###)
digital
digital

RCA is

port for
banking
banking

portfolio.
portfolio.
(##) EMC

card sup-

malto As-
only in the
supported
only in the

third-party

(####) Ge-
Match-on-

fingerprint.

Page 25 of 51
 Vendor

HID

tions

Page 26 of 51
Global

i-Sprint
Innova-
Delivery Model

CO
CO

✔
✔,
OTP Hardware Tokens

B, T,

†
EMC RCA

✔
✔
OTP Apps for Smartphones

✔
✔
OOB SMS or Voice

✔
Mobile Push Wide-Focus User Authentication Vendors

✔, T, F

†
Public-Key Hardware Tokens

✔, B

†
✔
Public-Key Credentials for Smartphones

(#)
Face

†, U,
✔

(#)
Fingerprint
†, U
(#)

Voice
†, U,

Other Biological Modes

†, U
(#, ##)

Other Behavioral Modes

✔
✔

Device Identity and Location Awareness

✔
✔

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
ing).

cation
(client-

(server-
Sprint's
surance

tal Bank-

Authenti-
side) or i-

Biometric
Hub (Digi-

(#) Via UAF

Framework

Gartner, Inc. | G00321165

 Vendor

tity

Kobil

Micro
Focus
Idemia

(NetIQ)
Systems
KeyIden-
O
Delivery Model

Gartner, Inc. | G00321165

C, O
O, C
C, O

✔
✔
✔
OTP Hardware Tokens

✔, T

†
✔
EMC RCA

✔, T
T

✔
✔
✔
OTP Apps for Smartphones

✔, F,

✔
✔
✔
OOB SMS or Voice

✔
✔
✔
Mobile Push Wide-Focus User Authentication Vendors

✔, F, T
✔

✔,
Public-Key Hardware Tokens

(✔)
B, U
✔, U

✔
✔
Public-Key Credentials for Smartphones
✔

Face

(✔)
(✔)
✔

Fingerprint

(✔)
(✔)
†

Voice
(✔)

Other Biological Modes

(✔)

Other Behavioral Modes

✔
✔
✔

Device Identity and Location Awareness

†

✔
✔

Analytics Consuming Other Signals

✔

Advanced Analytics (Incl. ML)

Notes
side).
(##) Multi-
ple modes.

Page 27 of 51
 Vendor

Delivery Model

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or Voice

Mobile Push Wide-Focus User Authentication Vendors

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
Syman- C ✔ ✔ (✓) ✓ (✓) (✓) † † † ✔ ✔
tec

Vasco C, O ✔, ✔, T ✔, F, ✔, S, ✔, F, T ✔, U ✔, Φ ✓, I, Φ (✔) ✔ ✔
Data Se- B, T, T T
curity In- U
terna-
tional

Table Notes:
For a discussion of the authentication methods represented in the columns in this table, see "A Taxonomy of User Authentication Methods," as well as the previously cited Technology
Insight research, including "Technology Insight for Biometric Authentication," "Technology Insight for Phone-as-a-Token Authentication," and "Technology Insight for Public-Key Authen-
tication Tokens."
A check mark ("✔") indicates full functionality. The symbol "†" indicates out-of-the-box support for third-party authenticators.
A check mark in parentheses ("(✔)") indicates full functionality via an OEM relationship.
Delivery model: C = cloud (IDaaS); O = on-premises software or hardware; S = self-contained SDK (no back end; i.e., not just an SDK that integrates with a back-end infrastructure)
Tokens (OTP Hardware Tokens to Public-Key Hardware Tokens columns): B = Bluetooth-connected hardware token; F = app integrates device-embedded fingerprint or face modes; S =
SMS only; T = supports transaction authorization and user authentication; U = FIDO U2F integration; V = voice only
Public-key hardware tokens: These include, for example, Derived PIV Credentials (NIST SP 800-157). These do not include integrated public-key credentials used to sign responses

Page 28 of 51 Gartner, Inc. | G00321165

 Vendor

Delivery Model

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or Voice

Mobile Push Wide-Focus User Authentication Vendors

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
from mobile apps (mobile push or biometric modes).
Biometric methods (Face to Other Biological Modes columns): These do not include integration of device-embedded face or fingerprint modes such as Apple Face ID or Touch ID in
OTP/push apps, as the vendor software simply consuming a "black box" decision over which the vendor has no control. E = eye (scleral) vein; H = heartbeat (ECG); I = iris; P = palm; U
= FIDO UAF integration; Φ = Integrated with a phone-as-a-token smartphone app.
Other behavioral modes: These include gesture, handling and/or keystroke dynamics. These are generally passive (continuous authentication). A = active.
Device identity and location awareness: Typically rule-based evaluation of simple familiarity signals, typically (a) device identity, software characteristics and so on; and (b) geoloca-
tion or geovelocity.
Analytics consuming other signals: Affirmative signals increase confidence in the identity claim, elevating trust. Negative signals reduce confidence in the identity claim, decreasing
trust.
Advanced analytics: Advanced analytics (including machine learning) are predictive and prescriptive, not just descriptive and diagnostic.

Source: Gartner (November 2017)

Gartner, Inc. | G00321165 Page 29 of 51

 Table 4. Tight-Focus User Authentication Vendors
Vendor

Delivery Model

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or voice

Mobile Push

Public-key hardware tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
Cognitas C, O ✔, F ✔, F, ✔ ✔
Technolo- T
gies

Crypto- C, O ✔, F, ✔, Φ (#) Includes

Photo T (#) (##) an image-
matching
session veri-
fication
mechanism.
Fallback
mechanisms
include an ul-
trasonic
prompt and
"long-poll"
via an alter-
nate channel,
as well as
typical offline
OTP genera-
tion.

Page 30 of 51 Gartner, Inc. | G00321165

 Vendor

Duo

Microsoft
Forticode

Gartner, Inc. | G00321165

Delivery Model

C, O

C (#)
†
OTP Hardware Tokens

†, U
EMC RCA

✔
✔
OTP Apps for Smartphones

✔
✔
OOB SMS or voice

✔
✔
Mobile Push

✔, F,
Public-key hardware tokens
†, U

Public-Key Credentials for Smartphones

✔ (#)
Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

✔

Device Identity and Location Awareness

✔ (#)

Analytics Consuming Other Signals

✔ (#)

Advanced Analytics (Incl. ML)

Notes
app.
Free.

with the
Cipherise
tionality is
metric de-

all editions
available in
cludes bio-

generation.

except Duo
(##) App in-

nent as well
tions require

ises compo-
cryption-key

an on-prem-
(#) Some op-
(#) This func-

(#) Integrated

Page 31 of 51
 Vendor

Labs

Page 32 of 51
Nok Nok
(#)
Delivery Model

C, O
OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or voice

Mobile Push
✓ (##)

Public-key hardware tokens

Public-Key Credentials for Smartphones

Face
†, U

Fingerprint
†, U
(###)

Voice
†, U

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
mode.

modes.
QRcode

response

NNL SDK
does inte-

fingerprint
challenge/
supports a

embedded
Strong Au-
thentication

(###). In this
(NNL SaaS).
as a Service
as the Azure

instance, the
MFA service.

(##) App also

grate device-
(#) C via NNL

Gartner, Inc. | G00321165

 Vendor

Delivery Model

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or voice

Mobile Push

Public-key hardware tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
One C, O † (##) ✔ ✔ (#) Defender:
Identity (#) (###) O only; Star-
ling: C only.
(##) Defender
only.
(###) Starling
only; confus-
ingly, One
Identity calls
the SMS
mode "push-
to-authenti-
cate."

Raonse- C, O ✔ ✔, U †, U (#) ✔, U ✔, I, (#) In this in-

cure U stance, the
OnePass au-
thenticator
does inte-
grate device-
embedded
fingerprint
modes.

Gartner, Inc. | G00321165 Page 33 of 51

 Vendor

Delivery Model

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or voice

Mobile Push

Public-key hardware tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
Secret C, O ✔, F, (#) Secret
Double T (#) Double Octo-
Octopus pus's au-
thenticator
app uses
multichannel
techniques.

TeleSign C ✔ ✔ ✔ ✔

Twilio C ✔, F, ✔ ✔, F, ✔
T T

Watch- O, S ✔, T ✔, F, † ✔, F, ✔
Guard T T
(Data-
blink)

Yubico C, O ✔, U ✔, U

Table Notes:
For a discussion of the authentication methods represented in the columns in this table, see "A Taxonomy of User Authentication Methods," as well as the previously cited Technology
Insight research, including "Technology Insight for Biometric Authentication," "Technology Insight for Phone-as-a-Token Authentication," and "Technology Insight for Public-Key Authen-

Page 34 of 51 Gartner, Inc. | G00321165

 Vendor

Delivery Model

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or voice

Mobile Push

Public-key hardware tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
tication Tokens."
A check mark ("✔") indicates full functionality. The symbol "†" indicates out-of-the-box support for third-party authenticators.
A check mark in parentheses ("(✔)") indicates full functionality via an OEM relationship.
Delivery model: C = cloud (IDaaS); O = on-premises software or hardware; S = self-contained SDK (no back end; i.e., not just an SDK that integrates with a back-end infrastructure)
Tokens (OTP Hardware Tokens to Public-Key Hardware Tokens columns): B = Bluetooth-connected hardware token; F = app integrates device-embedded fingerprint or face modes; S =
SMS only; T = supports transaction authorization and user authentication; U = FIDO U2F integration; V = voice only
Public-key hardware tokens: These include, for example, Derived PIV Credentials (NIST SP 800-157). These do not include integrated public-key credentials used to sign responses
from mobile apps (mobile push or biometric modes).
Biometric methods (Face to Other Biological Modes columns): These do not include integration of device-embedded face or fingerprint modes such as Apple Face ID or Touch ID in
OTP/push apps, as the vendor software simply consuming a "black box" decision over which the vendor has no control. E = eye (scleral) vein; H = heartbeat (ECG); I = iris; P = palm; U
= FIDO UAF integration; Φ = Integrated with a phone-as-a-token smartphone app.
Other behavioral modes: These include gesture, handling and/or keystroke dynamics. These are generally passive (continuous authentication). A = active.
Device identity and location awareness: Typically rule-based evaluation of simple familiarity signals, typically (a) device identity, software characteristics and so on; and (b) geoloca-
tion or geovelocity.
Analytics consuming other signals: Affirmative signals increase confidence in the identity claim, elevating trust. Negative signals reduce confidence in the identity claim, decreasing
trust.
Advanced analytics: Advanced analytics (including machine learning) are predictive and prescriptive, not just descriptive and diagnostic.

Source: Gartner (November 2017)

Gartner, Inc. | G00321165 Page 35 of 51

 Vendor

Sec

Ware
Daon

Page 36 of 51
(IWSY)
Image-
Callsign

FacePhi
BIO-key

Systems
Behavio-
AimBrain

C
C
Delivery Model

C, S
C, O
C, O
C, O

C, O,
OTP Hardware Tokens

(✔)
(✔) †
EMC RCA

✔
OTP Apps for Smartphones

(✔)

✔
✔
OOB SMS or Voice

✔, T
T
Mobile Push

(✔)

✔, F
✔, F
✔, F,
Public-Key Hardware Tokens

(✔)
Table 5. Primarily Biometric or "Blended" Authentication Vendors

Public-Key Credentials for Smartphones

Φ
✔
✔

Face

(✔)
✔, U
✔, U,
✔

Φ Fingerprint
✔

Voice
(✔)
(✔)

✔, U,

Other Biological Modes

P, U,
✔, E,
✔
✔
✔

Other Behavioral Modes

✔
✔
✔

Device Identity and Location Awareness

✔
✔
✔

Analytics Consuming Other Signals

✔
✔
✔

Advanced Analytics (Incl. ML)

Notes
Gartner, Inc. | G00321165
 Vendor

SDS
sung
Nymi

Sam-
dTouch
Nuance

Secure-
S
S

C
Delivery Model

Gartner, Inc. | G00321165

C, O
C, O,

(#)
OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or Voice

Mobile Push
✔, F

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

Face
(✔)

✔, U
(#)
Fingerprint
†, U
✔

Voice
✔, U
(#)

Other Biological Modes

†, I,
U (#)
✔, H,

Other Behavioral Modes

(✔)
✔

Device Identity and Location Awareness

✔

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
OTPs.

bedded
generate
(#) Incor-

vice-em-
Samsung
SDS inte-

fingerprint
instances,
Token can

grates de-
(#) In these
porated in-

able token.
etary wear-
to a propri-

Page 37 of 51
 Vendor

STC
Group

Page 38 of 51
Security
Transmit
S
Delivery Model

C, O
OTP Hardware Tokens

†, U
EMC RCA

✔
OTP Apps for Smartphones

OOB SMS or Voice

✔ (#)
✔
Mobile Push

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

✔
✔

Face

Fingerprint
✔† (##)
✔

Voice
†

Other Biological Modes

†

Other Behavioral Modes

✔

Device Identity and Location Awareness

✔

Analytics Consuming Other Signals

✔

Advanced Analytics (Incl. ML)

Notes
voice

push).
tion to

mobile
and iris

modes,
modes.

an OTP
Security

Transmit
Transmit

instance,
can send

OTP-less
SMS and

over push

(##) In this
(as well as
(#) In addi-

notification

Gartner, Inc. | G00321165

 Vendor

Delivery Model

OTP Hardware Tokens

EMC RCA

OTP Apps for Smartphones

OOB SMS or Voice

Mobile Push

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
Security
does inte-
grate de-
vice-em-
bedded
fingerprint
modes.

Table Notes:
For a discussion of the authentication methods represented in the columns in this table, see "A Taxonomy of User Authentication Methods," as well as the previously cited Technology
Insight research, including "Technology Insight for Biometric Authentication," "Technology Insight for Phone-as-a-Token Authentication," and "Technology Insight for Public-Key Authen-
tication Tokens."
A check mark ("✔") indicates full functionality. The symbol "†" indicates out-of-the-box support for third-party authenticators.
A check mark in parentheses ("(✔)") indicates full functionality via an OEM relationship.
Delivery model: C = cloud (IDaaS); O = on-premises software or hardware; S = self-contained SDK (no back end; i.e., not just an SDK that integrates with a back-end infrastructure)
Tokens (OTP Hardware Tokens to Public-Key Hardware Tokens columns): B = Bluetooth-connected hardware token; F = app integrates device-embedded fingerprint or face modes; S =
SMS only; T = supports transaction authorization and user authentication; U = FIDO U2F integration; V = voice only
Public-key hardware tokens: These include, for example, Derived PIV Credentials (NIST SP 800-157). These do not include integrated public-key credentials used to sign responses
from mobile apps (mobile push or biometric modes).
Biometric methods (Face to Other Biological Modes columns): These do not include integration of device-embedded face or fingerprint modes such as Apple Face ID or Touch ID in
OTP/push apps, as the vendor software simply consuming a "black box" decision over which the vendor has no control. E = eye (scleral) vein; H = heartbeat (ECG); I = iris; P = palm; U
= FIDO UAF integration; Φ = Integrated with a phone-as-a-token smartphone app.
Other behavioral modes: These include gesture, handling and/or keystroke dynamics. These are generally passive (continuous authentication). A = active.
Device identity and location awareness: Typically rule-based evaluation of simple familiarity signals, typically (a) device identity, software characteristics and so on; and (b) geoloca-
tion or geovelocity.
Analytics consuming other signals: Affirmative signals increase confidence in the identity claim, elevating trust. Negative signals reduce confidence in the identity claim, decreasing

Gartner, Inc. | G00321165 Page 39 of 51

 Vendor

trust.

Page 40 of 51
Delivery Model

OTP Hardware Tokens

Source: Gartner (November 2017)

EMC RCA

OTP Apps for Smartphones

OOB SMS or Voice

Mobile Push

Public-Key Hardware Tokens

Public-Key Credentials for Smartphones

Face

Fingerprint

Voice

Other Biological Modes

Other Behavioral Modes

Advanced analytics: Advanced analytics (including machine learning) are predictive and prescriptive, not just descriptive and diagnostic.

Device Identity and Location Awareness

Analytics Consuming Other Signals

Advanced Analytics (Incl. ML)

Notes
Gartner, Inc. | G00321165
 Market Recommendations
While the prospect of a universal, high-trust authentication method may be initially attractive, it is
usually overkill. Most users have access to only low-risk or medium-risk applications and data, and
high-trust authentication may be unnecessarily costly and impose too much friction.

For many enterprises, the best approach is to implement a well-defined range of authentication
methods that balances needs in each use case (see "Best Practices for Selecting New User
Authentication Methods").

Security and risk management leaders should:

■ Embrace the opportunities offered by OOB push modes, among other phone-as-a-token
methods, with attention to the availability of devices and alignment to UX/CX and trust
requirements.
■ Identify use cases that will benefit from the value that analytics and adaptive techniques can
provide in both improving UX/CX and more effectively mitigating risk. While many clients focus
on the UX/CX improvements (deferring the friction of orthodox, credential-based methods until
the level of risk dictates it), the risk mitigation benefits of analytic approaches fit enterprises
taking a lean-forward stance to address advanced threats against user credentials.
■ Carefully evaluate mobile biometric methods, and do not be distracted by the hype around
Apple Touch ID and Face ID, or similar embedded methods implemented by handset vendors.
Give preference to third-party methods that can be implemented in software across all phones
(and other endpoint devices) for more consistent UX/CX; that can be fully curated by the
20
enterprise; and that generally offer higher trust.
■ Limit the use of smart cards and other public-key tokens to selected high-trust use cases, but
seek emerging solutions that promise greater versatility without the need for interface devices
for each user. Examples include methods that provision credentials to mobile devices (enabling
them to act as "contactless smart cards" via NFC or Bluetooth) and nascent Bluetooth LE
13
hardware tokens (wearables and other form factors).
■ Determine the value of AM tools' authentication capabilities, not only for access to SaaS
applications, but also for legacy remote access needs. AM vendors continue to extend their
capabilities to integrate with VPN and VDI technologies.
■ Especially in customer use cases in banking and other financial verticals, consider the need for
fraud prevention and user authentication as a whole. Evaluated the value of OFD tools as
authentication solutions or, conversely, the value of stand-alone user authentication tools with
advanced analytics as fraud detection solutions. However, at this time, it's likely that most large
enterprises in these verticals can best meet their needs with best-of-breed solutions in each
market.

The authentication market is populated with mature vendors and a growing number of new entrants.
Capabilities and experience/expertise across patterns, vertical industries and enterprise size (chiefly
between midsize and large/global) vary widely among these vendors.

Gartner, Inc. | G00321165 Page 41 of 51

 For some enterprises, using a single vendor can satisfy most needs, even when a variety of
methods are required across multiple use cases. However, security and risk management leaders
might consider using multiple vendors to address the needs of different use cases or sets of use
cases (for example, workforce versus customer or PC and network access versus remote and SaaS
access; see "Best Practices for Selecting New User Authentication Methods").

The use of multiple vendors is likely for those that are seeking advanced analytics techniques or
biometric authentication methods (neither of which are yet well-supported by most mainstream
"token" vendors or AM vendors).

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Defining Authentication Strength Is Not as Easy as 1, 2, 3; Update"

"A Taxonomy of User Authentication Methods"

"Hype Cycle for Identity and Access Management Technologies, 2017"

"Technology Insight for Phone-as-a-Token Authentication"

"Market Guide for Online Fraud Detection"

"Market Guide for User and Entity Behavior Analytics"

"Technology Overview for Adaptive Access Control"

"Technology Insight for Public-Key Authentication Tokens"

"Technology Insight for Biometric Authentication"

"Balance Trust and Agility With Good Authentication Choices for Workforce Local Access"

"Best Practices for Selecting New User Authentication Methods"

Evidence
In addition to the specific citations below, this research is based on publicly available information
and a variety of direct interactions with vendors (including, but not limited to, some of those
identified in the Representative Vendors section) and end-user enterprises.

1 This definition is new in Gartner research. While it is consistent with previous definitions, it more
clearly distinguishes user authentication from other instances of identity corroboration, such as
identity proofing and substantiation.

2 Legacy passwords remain a ubiquitous, but notoriously weak, user authentication method. Neither
increasing password length and complexity nor forcing periodic changes — both commonly

Page 42 of 51 Gartner, Inc. | G00321165

 demanded by regulators and auditors — is effective against purposeful attacks or accidental
leakage (see "Don't Waste Time and Energy Tinkering With Password Policies; Invest in More
Robust Authentication Methods or Other Compensating Controls").

3 Canonically, there are three kinds of credentials that characterize user authentication methods:

■ Type 1: Something known to only the user — for example, a password, a passphrase, a PIN, a
pattern or a picture.
■ Type 2: Something held by only the user — for example, a token, such as an OTP token or a
smart card with X.509 public-key infrastructure credentials. More pedantically, the credential is
the cryptographic key (or similar) stored in the token, rather than the token itself.
■ Type 3: Something inherent to only the user — that is, a biometric trait, either biological ("what
you are"), such as face topography or fingerprint, or behavioral ("what you do"), such as typing
rhythm.

These are usually referred to as "authentication factors," although it is ambiguous whether the term
refers to a kind or an instance of a credential.

Authentication may be based on just one of these authentication factors (although a token is rarely
used alone) or some combination of two or more factors — two-factor authentication or multifactor
authentication. However, "multifactor authentication" is typically used to refer to a combination of
only two factors. Sometimes, two different kinds of knowledge or two different biometric traits are
combined, but in a strict sense, neither provides two-factor authentication. See "A Taxonomy of
User Authentication Methods" for a more detailed discussion.

4 The same kinds of analytics are common in other markets, such as identity proofing and
substantiation and online fraud detection (OFD; see "Market Guide for Online Fraud Detection"); the
markets are contiguous and the boundaries between them are increasingly fuzzy. In the long term,
Gartner projects that converged analytics-led tools will be the norm. "Predicts 2018: Identity and
Access Management" projects that new analytics-led "identity corroboration hubs" will displace
existing authentication platforms in the majority of large and global enterprises by 2023, with more
than 10 vendors offering such tools by 2020. These techniques are strategically important as part of
a broader security strategy that embraces continuous adaptive risk and trust assessment (CARTA;
see "Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of
Advanced Threats").

5 Gartner takes an increasing number of client inquiries from cloud-first enterprises that are looking
exclusively to an AM vendor to meet their user authentication needs. Given that a security and risk
management leader has identified the need to have an AM tool anyway — to provide identity
administration, SSO, authorization enforcement, and so on for multiple target systems in the cloud
(see "Magic Quadrant for Access Management, Worldwide") — he or she wants to avoid the
additional cost and complexity of selecting, implementing and integrating a third-party product or
service. Legacy user authentication needs might militate this, but an AM tool can often extend its
user authentication capabilities to SSL VPNs and similar remote access technologies, potentially
displacing an incumbent user authentication vendor. (Some VPN vendors also embed phone-as-a-

Gartner, Inc. | G00321165 Page 43 of 51

 token methods, but we have seen far less client interest in these embedded methods as an
alternative to mainstream user authentication tools.)

6Such vendors (and products) include Dell Technologies (RSA; RSA SecurID Access), Nymi (Nymi
Band), Symantec VIP, and Yubico (YubiKey). Some building access cards can also be used as
companion devices within HID Global iCLASS Seos.

7 CX is a particularly heavily weighted selection criterion in consumer-facing use cases. A Gartner

survey of U.S. bank customers, conducted in the wake of banks introducing new authentication
methods for retail banking in response to Federal Financial Institutions Examination Council (FFIEC)
guidance, revealed that 12% of customers had considered changing banks because they found
what their banks had done to be too onerous, and 3% actually had changed banks. Poor CX led to
lost business. In business to employee (B2E) and most B2B use cases, the users are a "captive
audience." Nevertheless, poor UX for workforce and partners adds friction, annoys users and
reduces agility and morale.

What is more, poor UX/CX often prompts users to seek ways to reduce friction, which can introduce
new vulnerabilities that reduce trust. A prosaic example of this is increasing password complexity,
which makes passwords harder to remember, prompting users to write them down, even when
security policies say they should not, which in turn creates potential exposure.

8 Phone-as-a-token methods as a class have lower TCO and offer better UX/CX than legacy OTP
hardware tokens. OTP apps or OOB methods are now widely used as an alternative to traditional
OTP hardware tokens by all sizes of enterprises across different vertical industries, and now have a
larger installed base than OTP hardware tokens. Many enterprises with incumbent OTP hardware
token solutions have migrated many or all users to OTP apps or OOB methods (using the same or a
new vendor) to reduce costs or improve UX/CX. These methods have also been newly adopted in
use cases where hardware tokens would be prohibitively expensive or unacceptable to users.

9A notable example is their use for system administrators and external users with administrator
privileges, such as vendor technicians, logging in to critical infrastructure (see "How to Secure
Remote Privileged Access for Third-Party Technicians").

10 Transaction authorization (or verification) allows the bank or other enterprise to confirm the details
and origin of a transaction (such as setting up a new payee or transferring money), which might
have been manipulated or inserted by an attacker or malware (for example, in a man-in-the-browser
attack). Transaction authorization might be triggered by static rules (for example, transfers over a
certain value) or by continuous adaptive risk and trust assessment by an OFD tool evaluating a
variety of identity and risk relevant signals (see "Market Guide for Online Fraud Detection").

11 OOB SMS modes are vulnerable to malware and carrier-level attacks ("SS7 hacks"), both of
which have been used successfully by cybercriminals. However, this does not mean that OOB SMS
modes have no value; it is still better to use OOB SMS modes than not use them. But where trust
and security are a premium, there are better alternatives such as OTP hardware tokens and,
particularly, mobile push modes. Sadly, limited penetration of suitable smartphones limits the utility
of mobile push in some use cases, and security and risk management leaders are left with a choice
between risky OOB SMS modes and costly, high-friction OTP hardware tokens.

Page 44 of 51 Gartner, Inc. | G00321165

 12Adoption is less than 50% globally. While public-key hardware tokens for Windows PC and
network login are natively supported (under the rubric of "interactive smart card login"), provisioning
and managing these tokens are relatively expensive, and UX is poor.

13Public-key credentials can be held in a secure element (such as a Trusted Processing Module) on
an endpoint device to provide a "virtual smart card" for protection against credential theft, but these
options offer lower trust than having the credentials in a discrete physical token.

14Public-key credentials on a phone can be used in different ways. A phone can emulate a
contactless smart card via Near Field Communication (NFC), which is interoperable with contactless
card protocols, or (with appropriate PC software) via Bluetooth. Other methods are contiguous with
OOB push modes that exploit public-key credentials for message integrity and proof of origin.

15 A common (or converged) access card (CAC) is a single corporate card or token that can be used
for PC, network and application login (user authentication), and for building access. Use as a photo
ID card is mandated in some regulated implementations, such as PIV cards, but is otherwise
optional. A CAC also may be used as, for example, a stored-value card (electronic wallet) for
vending machines, catering and transportation.

16 There are four major limitations of device-embedded biometric authentication methods in

comparison to third-party methods (see "Technology Insight for Biometric Authentication" for further
discussion):

■ Engineering decisions made by handset and OS vendors tend to favor processing efficiency
and UX (for example, to reduce false nonmatch or rejection rates), meaning they provide lower
confidence in the claimed identity. Newer options fare better here; for example, Apple claims
that Face ID is 20 times better than Touch ID (see "Face ID Security," Apple).
■ The vendors have not implemented presentation attack detection ("liveness testing") meaning
that the method can potentially be fooled by a fake fingerprint or a photo or video clip of
someone's face. Again, newer options fare better here; for example, the combination of
technologies in Face ID provides some PAD capability, making it more suited to enterprise
needs.
■ No enterprise has any control over who enrolls their fingerprints or face on a device. In
particular, accountability can be eroded when phones are shared and multiple users each enroll
a fingerprint instead of the primary user enrolling multiple fingerprints. This is an inherent
limitation in all device-embedded methods, meaning that they cannot be considered as
"curated credentials" within TICM (see Note 1).
■ Power-on access still relies on a potentially weak passcode, and the passcode is available as
an alternative way of unlocking a phone. While the latter doesn't apply when the embedded
method is integrated with an enterprise app or a FIDO Authenticator, the former means that an
attacker can potentially enroll their own fingerprint, iris or face in addition to or instead of the
legitimate user's, and subsequently masquerade as that person.

Gartner, Inc. | G00321165 Page 45 of 51

 Security and risk management leaders must carefully evaluate third-party methods, considering the
characteristics of different modes as well as the pros and cons of local and central architectures
(see "Technology Insight for Biometric Authentication").

17Early adopters include ANZ (AU), Atom bank (U.K.), Banco Nacional de Costa Rica (CR), Barclays
(U.K.: for business banking), bunq (NL), CommunityAmerica (U.S.), Grupo Mutual (R), HSBC (U.K.),
Mountain America (US), Santander (U.K.), USAA (U.S.), Wells Fargo (U.S.), Yapi Kredi (TR) and Zions
Bank (U.S.). Modes of choice are face recognition (from vendors such as Cognitec Systems, Daon
and FacePhi), voice recognition (Daon, Nuance and STC), scleral vein (Zoloz, formerly EyeVerify),
and fingerprint (via the phone's camera; Veridium), as well as behavioral biometric modes
(BehavioSec, BioCatch, NuData Security).

Banks will often implement these methods in parallel with support for, say, Touch ID, and allow
customers to use either for initial app login, but will use only these methods for step-up
authentication and transaction authorization supporting higher-risk transactions (such as setting up
a new payee).

18 FIDO supports a wider range of authentication methods, but it is biometric methods that have
dominated conversations about FIDO. FIDO UAF provides a way for local biometric authentication
on mobile devices to transition to applications using a standards-based approach. In brief, a
successful on-device authentication enables the client to authenticate to a specific application via
public key technology. However, FIDO is not necessary to enable the use of mobile biometric
modes and it constrains architecture options. Several vendors provide software development kits
(SDKs) that can be directly integrated with resident mobile apps to provide feature extraction,
comparison and matching entirely onboard the phone; others provide the ability to capture the
probe data on the phone, but do comparison and matching on a downstream authentication
infrastructure. Each of these architectures has its pros and cons (see "Technology Insight for
Biometric Authentication") and it is not clear at this time whether one is "universally" superior to the
other; more likely, we will see benefits of either approach dominating in different use cases. At this
time, FIDO supports only the former.

19 Analytics techniques apply analytics to some aggregation of identity-relevant signals for identity
corroboration — a superset of what we termed "contextual authentication" in earlier research (see
"A Taxonomy of User Authentication Methods") — along with a broader variety of signals that
indicate the level of risk at the moment of access. The value of these techniques increases with the
use of advanced analytics and large aggregations of signals. Adaptive techniques can then act to
balance trust against risk; for example, by invoking a trust elevation mechanism, such as step-up
authentication (see "Technology Overview for Adaptive Access Control" and "Enterprise Adaptive
Access: Are We There Yet?").

20 In combination with passive biometric modes, advanced analytics has the potential to provide at
least a medium level of trust without the need for any kind of password or token (see "Predicts
2017: Identity and Access Management" and "Don't Treat Your Customer Like a Criminal").

21The U.S. Department of Justice is the notable exception ("Criminal Justice Information Services
(CJIS) Security Policy").

Page 46 of 51 Gartner, Inc. | G00321165

 22Social login is essentially external identity federation with social networks to simplify login to web
and cloud applications. Commerce, media and entertainment enterprises have been leading
adopters. In true consumer contexts, social identity use can improve customer profiling, intimacy
and service. Here, security and risk management leaders should orchestrate integration efforts with
sales and marketing leaders, and may need to consider alternatives to traditional IAM toolsets, from
vendors such as Gigya and Janrain.

23 "How Demographics Rule the Global Economy," The Wall Street Journal.

24 "Survey Analysis: What IAM Leaders Are Saying About Budgets, IoT and Technology Plans
Through 2018" presented survey results indicating that, through 2018, 29% of respondents were
planning to use IDaaS solutions for both user authentication and access management. "Magic
Quadrant for Access Management, Worldwide" projects that, by 2021, IDaaS will be the majority
access management delivery model for new purchases, up from less than 20% today.

25 Risk-appropriate authentication is a best-practice architectural principle that dictates that a

security and risk management leader must, for each use case, evaluate minimum levels of trust
commensurate with the level of risk, and choose authentication methods offering at least that level
of trust.

26 Other needs include things such as transaction authorization, digital signature and converged
access card. Other constraints include, for example, endpoint independence, the ability to work in
locations with no wireless connectivity, and safety or security requirements that prohibit the use of
personal devices.

27Several vendors described in the Representative Vendors section would be able to provide, for
example, a cloud-based authentication service supporting phone-as-a-token authentication for a
company's customers and cryptographic smart cards for Windows PC and network login for its
workforce.

28 Many users (up to 15%) have problems some of the time, and at least some users are unable to
reliably use this mode at all. These UX issues, especially with the typical swipe sensors, have led to
user disenchantment and low adoption.

29Although abuse is still possible, biometric traits cannot be easily shared with others as passwords
and tokens can.

30 In the short term, at least, we expect to see more interest in third-party implementations of other
biometric modes that can make use of existing cameras, microphones and the like, especially
where enterprises can implement the same biometric modes across any endpoint device (phone,
tablet and so on).

31The significantly reduced logistical overheads make phone-as-a-token methods particularly

suited to access by partners and other third-party users, as well as company employees who are
geographically remote.

Gartner, Inc. | G00321165 Page 47 of 51

 32Some users might not be able to use a phone-as-a-token method at all (for example, because
they do not have a corporate or personal smartphone for OOB push modes) or reliably (for example,
because of poor network coverage for OOB SMS and voice modes). Other users who don't have a
corporate phone may be unwilling to use their personal phones (although when faced with the poor
UX of using an OTP hardware token, they might reconsider) or simply don't have smartphone.

33One notable "partner" example arises in healthcare. Affiliated physicians are not employees of the
healthcare delivery organization (HDO), but have an elective relationship. Obliging the affiliated
physician to use an OTP hardware token may sour and even curtail that relationship. Adopting
analytics and adaptive techniques can minimize the burden of higher-trust authentication on
physicians by limiting its use to only those instances where the level of risk demands it.

34 One client noted that the impact of this problem was so severe that they had twice revised the
method that they used. First, they moved from smart cards to smart USB tokens, to eliminate the
smart card reader as a source of problems. Then, as other problems persisted, they moved away
from public-key hardware tokens altogether, deploying OTP tokens instead. We have also heard
from many U.S. federal agencies about these smart-card-related problems and their frustration at
not being able to move to something better, since they are mandated to use PIV cards for remote
access.

35In "Market Guide for Privileged Access Management," Gartner noted that high-trust
authentication must be enabled for access to privileged account and session management (PASM)
tools.

36 Such as a PASM tool (see "Market Guide for Privileged Access Management"). Although some
PASM tools have native authentication capabilities, most enterprises still seek integration with
incumbent user authentication services to provide consistent UX and enable a centralized policy
management. Furthermore, PASM vendors lack support for analytics and adaptive techniques that
IAM and other security and risk management leaders are increasingly demanding (see "Predicts
2017: Identity and Access Management").

37 From a security point of view, OTP and public-key hardware tokens can provide a higher level of
trust than phone-as-a-token methods, appropriate to the high level of risk associated with system
administrator access. (However, OTP hardware tokens are no less vulnerable to man-in-the-middle
attacks.) From an operational point of view, some security and risk management leaders are
concerned about the impact on out-of-hours support if a system administrator has neglected to
charge his or her phone.

38 Security and risk management leaders should be cautious about the right balance between ease
of provisioning and the level of trust they provide: OOB SMS modes are easy to provision, but
provide only low to medium trust; email provides low trust, and we deprecate it in this use case.
Gartner recommends OTP apps and OOB push modes that provide a level of trust closer to that
provided by OTP hardware tokens; provisioning these, even for ad hoc users, is not particularly
onerous for the enterprise or the users.

Page 48 of 51 Gartner, Inc. | G00321165

 39 Enhanced passwords often take the form of partial passwords: The user is prompted to enter
specified characters from the password, often described as "memorable information" or something
similar, via drop-down menus rather than the keyboard (to defeat keyboard-logging attacks; see "A
Taxonomy of User Authentication Methods" for other variants). KBV — also called knowledge-based
authentication (KBA) — is strongly deprecated: There are very high failure rates — an average of
10% to 15% — on KBA methods where users are asked "secret" life history questions based on
external public and PII data. This failure rate can climb to an average of 30% in cases of
populations without a plentitude of public data on them, such as young adults or new immigrants.
At the same time, the attackers can answer the challenge questions perfectly because they either
stole the "secret" data or found it on the internet.

40 Gartner sees some banks also use RCA for initial login. Even though this provides a higher level
of trust than is necessary at that point, some users, such as the lead author, find it easier to use the
same card and PIN that they use at POS or ATMs than remember rarely used "memorable
information."

Note 1 Trusted Identity Corroboration Model

"Take a New Approach to Establishing and Sustaining Trust in Digital Identities," introduced TICM
as the "Trusted Identity Capabilities Model." TICM provides a framework for classifying the variety of
credentials and other signals that can contribute to identity corroboration; it is not an architectural
model, nor does it represent a new market or "ideal" identity corroboration tool.

The upper segments (green in Figure 1) represent different classes of affirmative signals: evidence
that increases the confidence in the identity claim, elevating the associate level of trust. The lower
segments (orange in Figure 1) represent different classes of negative signals: evidence that reduces
the confidence in the identity claim, decreasing the associate level of trust. Identity corroboration
combines both affirmative and negative signals to yield a net confidence, of level of trust, in the
identity claim. (In the previous research, "identity corroboration" was erroneously used to label only
the affirmative signals.)

Affirmative signals include:

■ Third-party credentials: BYOI schemes fit here; these are generally based on orthodox,
credential-based authentication methods curated by a third-party (social network, MNO, bank
or government agency).
■ Curated credentials: All the orthodox, credential-based authentication methods managed by
the enterprise fit here — except passive biometric modes (see "Technology Insight for Biometric
Authentication" for a deeper dive into this distinction).
■ Familiarity signals: These include: (trusted) endpoint device identity; location; entity link
analysis; social footprint; normal behaviors; and passive biometric modes.

Negative signals include:

Gartner, Inc. | G00321165 Page 49 of 51

 ■ Risk signals: These include malware/jailbreak detection, short phone/email lifetime, anonymity
and location mismatch. Generally, these conform to recognized patterns that are associated
with a specific kind of risk.
■ Attack signals: These include device/location spoofing, nonhuman behavior, human-farm
behavior, attackerlike behavior and probing. Generally, these conform to recognized patterns
that are associated with a known kind of attack.
■ Anomalies: These are other deviations from normal behaviors that provide less specific
indicators of something out of the ordinary and potentially suspect signaling previously
unknown risks.

More on This Topic

This is part of an in-depth collection of research. See the collection:

■ IAM Leader's Guide to User Authentication

Page 50 of 51 Gartner, Inc. | G00321165

 GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations,

visit http://www.gartner.com/technology/about.jsp

© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of
Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication
has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner Usage Policy.
Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."

Gartner, Inc. | G00321165 Page 51 of 51