1 Introduction / Executive Summary
The password is a remnant of an era before hacking and credential-based attacks became a widespread problem. Although the internet has changed significantly since the early days, passwords have practically remained the same. In parallel, cybercriminals have targeted operating systems with increasing sophistication and frequency as computers have become more accessible worldwide.
For years, IT professionals have discussed the idea of passwords becoming obsolete. The issue with passwords is that they can easily be stolen and compromised. In addition, passwords can be costly, time-consuming, difficult to manage, and result in poor user experience. Furthermore, the fact that password reuse is a common practice among customers and employees only exacerbates the problem.
To make matters worse, credential-based attacks and account takeover fraud cases have been on the rise, disrupting businesses and organizations already affected by the COVID-19 pandemic, the global supply chain crisis, and the 2022 Russian invasion of Ukraine. The security risks and inconvenience of passwords have led to a trend in which organizations are replacing and eliminating passwords altogether.
Keeping passwords secure is a top priority for organizations because once one is compromised, it is very difficult to prevent or detect a security breach since attackers are in possession of a legitimate password. By getting rid of the risk associated with passwords, however, organizations will add a significant layer to the overall security of their IT infrastructure.
As a result, Passwordless Authentication has become a popular and catchy term. It is used to describe a set of identity verification solutions that remove the password from all aspects of the authentication flow and from the recovery process as well. Therefore, by eliminating passwords as a method of authentication, organizations will remain competitive, secure, compliant and have a modern authentication system that does not require users to remember passwords.
Some passwordless options have been around for a while but are now being implemented more widely by enterprises and even consumer-facing businesses. For example, smart cards and hardware tokens have been used as an alternative to usernames and passwords for decades. What distinguishes current passwordless solutions is the ability to support a wide range of authenticators, public key cryptography, biometrics, comprehensive APIs, and support for legacy applications and services, among other things.
Account recovery must also be considered for IAM and especially passwordless authentication solutions: when users forget passwords, lose credentials, or change devices, they need ways to get access to their accounts. To ensure users can regain access to their accounts without compromising their security, a variety of trusted recovery options should be available.
The development of open standards such as FIDO2 and WebAuthn has further driven adoption of passwordless technologies. Moreover, the U.S. government recently published a cybersecurity memorandum emphasizing the need for stronger enterprise identity and access controls, including using phishing-resistant MFA and adopting a Zero Trust model.
Consequently, organizations' systems must cease supporting legacy authentication methods that are prone to phishing attacks, such as mobile SMS codes, voice calls, push notifications or one-time passcodes (OTP). It is therefore imperative that organizations and agencies pursue greater use of passwordless authentication solutions as they modernize their authentication systems.
The need for Passwordless Authentication solutions is increasing, but finding one that is simple, effective, and secure is challenging. Organizations must confront password-based threats and find alternatives without disrupting their users or business practices. If implemented successfully, a Passwordless Authentication solution will not only increase the security posture of the organization but also deliver a convenient and frictionless user experience.
There are a sizable number of vendors in the Passwordless Authentication market. Many of the vendors have developed specialized risk-based passwordless products and services, which can integrate with customers' on-premises IAM components and support the migration of legacy applications to modern authentication systems. However, we prefer vendors who deliver a solution that can be applied to multiple use cases (workforce, consumer, partners). Therefore, the major players in the Passwordless Authentication segment are covered within this KuppingerCole Leadership Compass.
- The use of the password dates back to an era before hacking and credential-based attacks became a common and pervasive problem.
- As long as passwords continue to be used, businesses and organizations will remain vulnerable to identity attacks.
- Geopolitical tensions and global disruptions have made organizations more susceptible to account takeover attacks and fraud cases.
- A passwordless MFA solution should be able to provide a frictionless login experience and eliminate the reliance on passwords or other easily phishable factors.
- The creation of open standards such as FIDO2 and WebAuthn has increased adoption of passwordless technologies.
- The Passwordless Authentication market is a dynamic, exciting, and competitive space where different vendors provide similar but unique solutions.
- The Overall Leaders (in alphabetical order) are 1Kosmos, CyberArk, Entrust, ForgeRock, HID Global, HYPR, IBM, Microsoft, Ping Identity, Thales, and Transmit Security.
- The Product Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, CyberArk, Entrust, ForgeRock, HID Global, HYPR, IBM, IDEE, Microsoft, Nevis Security, Ping Identity, RSA, Thales, and Transmit Security.
- The Innovation Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, CyberArk, Entrust, ForgeRock, Futurae Technologies, HID Global, HYPR, IBM, Identité, Ping Identity, and Transmit Security.
- The Market Leaders (in alphabetical order) are Cisco, CyberArk, Entrust, Exostar, ForgeRock, HID Global, IBM, Microsoft, Ping Identity, RSA, Thales, and Transmit Security.