1 Executive Summary
In this Leadership Compass, we assess solutions that lay the groundwork for customers in adopting passwordless authentication. To better understand the fundamental principles this report is based on, please refer to KuppingerCole’s Research Methodology.
Passwordless authentication has become a popular and catchy term. It is used to describe a set of identity verification solutions that remove the password from all aspects of the authentication flow and from the recovery process as well. To minimize the dependence on passwords, the industry has been working for a long time on different technical solutions and standards. As the industry continues to embrace innovative solutions, the era of passwordless is gradually giving way to more secure, user-friendly, and efficient authentication methods, marking a new stage in the evolution of digital security.
Given the security risks and inconvenience associated with passwords, there is a trend for organizations to replace and eliminate passwords altogether. Although the internet has changed significantly since its inception, password authentication has practically remained unaltered. The password is remnant of an era before hacking and credential-based attacks became a widespread problem. The issue with passwords is that they can easily be stolen and compromised—without the knowledge of the user or the service provider. In addition, passwords can be costly, time-consuming, difficult to manage, and result in poor user experience. Furthermore, the fact that password reuse is a common practice among customers and employees only exacerbates the problem.
Although passwordless options have been around for a while, some recent solutions are gaining traction with enterprises and even consumer-facing businesses. For example, smart cards and hardware tokens have been used as an alternative to usernames and passwords for decades. Nevertheless, some of the distinctive features of passwordless solutions include the ability to support a wide range of authenticators, public key cryptography, biometrics, comprehensive APIs, frictionless user experience, and legacy applications and services.
It is important to note that passwordless authentication solutions tailored for enterprise use cases and those designed for consumer use cases exhibit distinct differences in response to varied expectations. Consumer-focused solutions must prioritize additional functionalities such as seamless omnichannel experiences, self-service options, robust privacy management, a consistent and user-friendly interface, and the flexibility to operate on any device. These heightened expectations stem from the diverse preferences and demands of consumers who prioritize a personalized and adaptable authentication experience.
Figure 1: Main drivers of passwordless authentication adoption
Notably, user experience expectations diverge significantly between employees and consumers. Employees may tolerate more friction in the authentication process, aligning with organizational IAM policies, whereas consumers, driven by convenience, are prone to disengage if faced with complexity or delays. Additionally, consumer solutions must navigate the challenges of unmanaged IT environments, requiring adaptability to authenticate users securely on any device while prioritizing privacy and compliance with stringent regulations like GDPR. In essence, while both enterprise and consumer solutions aim for secure authentication, their emphasis on security measures, user experience, and scalability varies to meet the unique needs of each user category.
However, organizations seeking passwordless authentication solutions must consider various factors, including security, ease of implementation, interoperability, and cost-effectiveness. The importance of user experience cannot be overstated, as seamless authentication processes are essential for consumer adoption. By understanding these considerations and evaluating the offerings from different vendors, consumers can identify the solution that best meets their specific needs and preferences.
1.1 Key Findings
What are the top considerations buyers should know about?
- The passwordless authentication market is dynamic, vibrant, and competitive, with different vendors offering similar but distinct solutions.
- Despite the presence of major players, the evolving nature of the market allows smaller companies to enter and establish a niche by leveraging technical innovation or catering to specific use cases.
- User experience expectations diverge significantly between employees and consumers. While both groups benefit from the security and efficiency of passwordless systems, their divergent contexts and priorities necessitate tailored approaches.
- Consumer-focused solutions must prioritize functionalities such as seamless omnichannel experiences, self-service options, robust privacy management, a consistent and user-friendly interface, and the flexibility to operate on any device.
- The creation of open standards such as FIDO2 and WebAuthn has increased the adoption of passwordless technologies. In addition, the use of passkeys is likely to be a catalyst for widespread adoption.
- The Overall Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, CyberArk, Entrust, HID, HYPR, IBM, Microsoft, Okta, OneSpan, Ping Identity, Thales, and Transmit Security.
- The Product Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, cidaas, CyberArk, Entrust, HID, HYPR, IBM, Microsoft, Nevis Security, Nok Nok, Okta, One Identity, OneSpan, Ping Identity, SecureAuth, Thales, and Transmit Security.
- The Innovation Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, CyberArk, Entrust, Futurae Technologies, HID, HYPR, IBM, Nok Nok, Okta, OneSpan, Ping Identity, SecureAuth, Thales, and Transmit Security.
- The Market Leaders (in alphabetical order) are CyberArk, Entrust, Exostar, HID, IBM, Microsoft, Okta, OneSpan, Ping Identity, Thales, and Transmit Security.