User authentication is a cornerstone of digital identity and identity-first security. Identity and access management leaders should seek toolsets that minimize account takeover risks and optimize user experience as part of a cohesive cybersecurity strategy that reflects human-centric design.
Overview
Key Findings
The most effective way to offer core user authentication services is via the capabilities of a deployed access management (AM) tool.
Passwordless, phishing-resistant multifactor authentication (MFA) is required for workforce authentication to stand up to the current threat environment.
Attacks that bypass authentication through theft of session tokens and attacks on credentialing processes are now commonplace.
Recommendations
Identity and access management (IAM) leaders should:
Efficiently fulfill the majority of common authentication needs by exploiting the built-in capabilities of already deployed AM tools.
Increase the efficacy of authentication by deploying passwordless, phishing-resistant MFA (that is, FIDO2 or ITU-T X.509) wherever technically possible.
Compensate for attacks on session tokens and credential management processes by implementing tools that supplement authentication via identity verification (IDV) or detection and response.
Strategic Planning Assumption
By 2029, organizations that implement phishing-resistant MFA will experience 80% fewer credential-based security breaches than those relying on legacy authentication methods.
Market Definition
Gartner defines user authentication as the journey-time process that provides credence in a claim to an identity established for a person for access to digital assets. User authentication is delivered by some combination of (a) an authenticator, (b) signals evaluation and (c) an authentication decision point, which may be from different vendors.
User authentication is used to provide credence in an identity claim for a person already known to an organization. The credence must be sufficient to bring account takeover (ATO) risks within the organization’s risk tolerance.
Without effective authentication, the security of and trust in that person’s digital interactions are deeply undermined.
User authentication is foundational to and protects the value of other functions within an organization’s identity fabric, namely: runtime authorization, especially segregation of duties (SOD), audit (individual accountability), and identity analytics.
It thus enables identity-first security across infrastructure (compute, storage, network), applications and data.
Mandatory Features
A policy administration and decision point that can be coupled with assets being accessed directly or indirectly (e.g., via an AM tool) in any way. This may be offered as a stand-alone tool or as a capability within an offering in another market (e.g., via an access management tool). This capability must support either (a) consumption of one or more authenticators of any kind or origin or (b) the evaluation of at least one kind of recognition and risk signals.
Common Features
Consuming device-native authenticators (e.g., biometrics, FIDO2 multidevice passkeys) or portable identities (e.g., social identities, decentralized identities).
Advanced signals analytics techniques (including machine learning and AI).
Continuous or adaptive authentication.
Authenticator/credential life cycle management (including password blocklisting).
Identity verification or affirmation for onboarding, credentialing and account recovery.
Market Description
This document was revised on 26 August 2025. The document you are viewing is the corrected version. For more information, see the Corrections page on Gartner.com.
This Market Guide focuses on user authentication, which provides credence in an identity claim for a person already known to an organization. It contrasts with identity verification, which uniquely provides credence in the claimed identities of people unknown to the organization (for example, to support customer onboarding or guest access).
User authentication works by evaluating one or more different kinds of evidence — credentials and signals — as shown in Figure 1.
Figure 1: A Simple Taxonomy of Authentication Methods
The user authentication market is crowded with vendors offering tools that are often not directly competitive with one another. An AM tool offering authentication capabilities, a biometric authentication specialist and a passwordless phone-as-a-token authentication vendor are all ostensibly players in the user authentication space. While all three fulfill the same broad need, they are not fungible or interchangeable within an IAM infrastructure.
This indicates a sort of fragmentation wherein user authentication is primarily provided as a capability of AM tools, which may be supplemented as needed by one or more specialist vendors.
Market Direction
The market direction is defined by five top trends with an overarching design principle (see Figure 2).
Figure 2: User Authentication Market Trends
Human-Centric Security Design
Applying human-centric security design (HCSD) principles and taking a human-first approach to identity-first security can improve both security and UX. UX is a key driver of new methods (such as passwordless authentication) and adaptive access approaches.
IAM leaders (and everyone else) must ensure that authentication method selections account for the diverse needs and circumstances of all users. IAM leaders should also pay attention to socioeconomic bias, especially with regard to the acceptability and possession of different authenticators.
HCSD yields flexibility in risk-appropriate controls, giving the workforce and customers multiple ways to achieve secure outcomes without compromising business objectives.
Access Management
Every AM vendor offers user authentication capabilities in its AM tool or a broader toolset. Most organizations adopt their AM vendors’ native user authentication capabilities and seek other specialized tools only as needed to supplement technical limitations.
As major AM vendors increasingly invest in delivering modern, phishing-resistant MFA, the demand for niche or specialty MFA vendors is expected to decline significantly.
Passwordless Authentication
Passwords remain a significant source of risk for organizations and of friction, frustration and fatigue for users and administrators, contrary to HCSD principles. IAM leaders will seek passwordless authentication methods, with FIDO2 methods dominating within the next three years.
There’s burgeoning interest in multidevice passkeys (FIDO2 credentials synced across devices), especially for customer authentication. For workforce use cases, device-bound passkeys, especially when fully supported by AM vendors, are positioned to become the preferred option in the near term.
Phishing-Resistant MFA
MFA that incorporates authentication tokens may be vulnerable to a variety of attacks, some broadly defined as phishing attacks. Public-key authenticators (X.509 or, more strategically, FIDO2 methods) are the authentication methods most broadly accepted as providing true phishing resistance. FIDO2, in particular, is increasingly supported by AM tools, greatly reducing the complexity of deployment. As organizations pursue 100% coverage for stateful single sign-on (SSO), the number of systems that must directly support phishing-resistant authentication decreases. Some holdout systems not covered by an AM tool may not directly support a phishing-resistant method, but those should increasingly be the exception rather than the rule.
Compensating Controls for Attacks on Authentication
A common reactive control to protect against compromised credentials is the use of “known bad” credential lists as provided by AM tools or dedicated threat intelligence feeds. Quality and operational capabilities vary here. Some tools check only against passwords deemed to be “weak” without any promise of detecting compromise. Others may perform only an assessment at the time that the password is set. While incorporating weak and compromised password detection is important, IAM leaders will need to clearly define where and when these detections occur and standardize what steps are taken to validate and respond.
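The distinction drawn above, between checking for "weak" passwords and detecting compromised ones, and between a check that runs only at set time and one that also runs at login, as an added example that is not from the Market Guide. The breach corpus, the thresholds and the response labels are constructed for illustration; the prefix-style lookup mirrors how public compromised-credential feeds are commonly queried, not any specific vendor's API.

```python
# Added example (not from the Market Guide): weak-vs-compromised password
# detection and where in the credential life cycle each check runs.
import hashlib
import math
from collections import Counter

# Constructed breach corpus as a "known bad" feed would publish it:
# SHA-1 digests (the feed's lookup key, not a password storage hash).
CONSTRUCTED_BREACH_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2024!", "P@ssw0rd", "Tr0ub4dor&3-Tr0ub4dor&3")
}


def is_weak(password: str, min_len: int = 12) -> bool:
    """Policy check (length, character entropy). Weak does not mean compromised."""
    if len(password) < min_len:
        return True
    n = len(password)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(password).values())
    return entropy < 3.0


def is_compromised(password: str, feed=CONSTRUCTED_BREACH_SHA1) -> bool:
    """Blocklist check in k-anonymity style: only a 5-hex-char prefix would be
    sent to a feed; the suffix comparison happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in {h[5:] for h in feed if h.startswith(prefix)}


def evaluate(password: str) -> dict:
    """Run both checks. Call at set time AND at login (or periodically) against a
    refreshed feed, so a password that leaks after it was set is still caught."""
    return {"weak": is_weak(password), "compromised": is_compromised(password)}


def decide(finding: dict, event: str) -> str:
    """Standardized response so operators know what happens on a hit (assumed policy)."""
    if event == "set":
        return "reject" if finding["weak"] or finding["compromised"] else "accept"
    if finding["compromised"]:          # event == "login"
        return "force_reset_and_step_up"
    return "nudge_change" if finding["weak"] else "allow"


if __name__ == "__main__":
    for pw in ("Summer2024!", "Tr0ub4dor&3-Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(pw, evaluate(pw), decide(evaluate(pw), "login"))
```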
Other attacks against MFA target credentialing and account recovery. Here, attackers exploit weaknesses in the administrative processes for issuing and replacing tokens to gain access to a target account. IAM leaders will mitigate the risks of recovery attacks by refreshing enrollment and recovery workflows that incorporate suitable identity verification tools.
Apart from the phishing and credential compromise attacks discussed above, attackers can hijack an already authenticated session. In these cases, an overreliance on traditional active authentication methods leaves the user and organization exposed. Applying advanced analytics to a broader range of recognition and risk signals can increase the likelihood of detection, but increased data collection may introduce additional privacy considerations. Support for shared signals and the Continuous Access Evaluation Protocol (CAEP) shows promise in improving the interoperability of these capabilities. Integration with device management software can also reduce the risk associated with session theft by limiting the devices from which a session may originate.
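The CAEP interoperability point above, as an added example that is not from the Market Guide: a relying party receiving a CAEP "session-revoked" Security Event Token from its identity provider and terminating the matching local sessions. The issuer, audience, session store and SET claims are constructed placeholders, the five-minute freshness window is an assumed policy, and JWS signature verification is assumed to have been done by the caller before these claim checks run.

```python
# Added example (not from the Market Guide): minimal receiver for a CAEP
# "session-revoked" Security Event Token (SET, RFC 8417 claims) that kills
# matching local sessions. JWS signature verification is assumed done already.
import time

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
TRUSTED_TRANSMITTER = "https://idp.example.com"  # placeholder issuer
RECEIVER_AUD = "https://app.example.com"          # placeholder audience
SEEN_JTI = set()                                  # replay protection

# Constructed session store: session id -> authenticated (iss, sub).
SESSIONS = {
    "sess-1": {"iss": TRUSTED_TRANSMITTER, "sub": "alice"},
    "sess-2": {"iss": TRUSTED_TRANSMITTER, "sub": "bob"},
    "sess-3": {"iss": TRUSTED_TRANSMITTER, "sub": "alice"},
}

# Constructed SET claims (the decoded JWT payload) revoking alice's sessions.
CONSTRUCTED_SET = {
    "iss": TRUSTED_TRANSMITTER, "aud": RECEIVER_AUD, "iat": 1_700_000_000, "jti": "evt-42",
    "events": {CAEP_SESSION_REVOKED: {
        "subject": {"format": "iss_sub", "iss": TRUSTED_TRANSMITTER, "sub": "alice"},
        "event_timestamp": 1_700_000_000,
    }},
}


def revoke_from_set(claims: dict, sessions: dict, now: float = None) -> list:
    """Validate SET claims, delete every session whose (iss, sub) matches the
    event subject, and return the revoked ids; raises ValueError on a bad SET."""
    now = time.time() if now is None else now
    if claims.get("iss") != TRUSTED_TRANSMITTER:
        raise ValueError("untrusted transmitter")
    if claims.get("aud") != RECEIVER_AUD:
        raise ValueError("wrong audience")
    if abs(now - claims.get("iat", 0)) > 300:     # assumed 5-minute freshness window
        raise ValueError("stale event")
    if claims.get("jti") in SEEN_JTI:
        raise ValueError("replayed event")
    SEEN_JTI.add(claims.get("jti"))
    ev = claims.get("events", {}).get(CAEP_SESSION_REVOKED)
    if ev is None:
        return []                                 # a different event type; not handled here
    subj = ev.get("subject", {})
    if subj.get("format") != "iss_sub":
        raise ValueError("unsupported subject identifier format")
    revoked = [sid for sid, s in sessions.items()
               if s["iss"] == subj["iss"] and s["sub"] == subj["sub"]]
    for sid in revoked:
        del sessions[sid]
    return revoked
```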
Market Analysis
Market Landscape
The user authentication market has evolved over more than 35 years since the first one-time password (OTP) hardware tokens became available. However, it has some characteristics of an emerging market, with a burgeoning variety of vendors offering a mixed array of capabilities, some novel.
Some vendors are readily identifiable as authentication specialists, typically offering decision point infrastructure, in addition to a variety of tokens and phone-as-a-token methods. However, there is an increasingly wide variety of other vendors with authentication capabilities in this market and others, including:
AM vendors. User authentication is a core capability of AM tools, with offerings varying in breadth and depth. This category also includes customer IAM (CIAM) specialists.
Biometric authentication specialists. These often overlap with identity verification.
Communications platform as a service (CPaaS) vendors. These providers offer a variety of phone-as-a-token authentication methods, especially out-of-band (OOB) SMS.
Other vendors — for example, virtual private network (VPN) and privileged access management (PAM) vendors — offer capabilities that can be used only with their other products or services, rather than supporting authentication to generic targets. Thus, they lie outside the market.
Market Evolution
Gartner predicts that the user authentication market will evolve in line with the current market trends outlined in the Market Direction section.
AM vendors will increasingly satisfy mainstream authentication needs across several dimensions:
The range and variety of authentication methods and flows, especially those supporting passwordless authentication. Support for the World Wide Web Consortium (W3C) Web Authentication (WebAuthn) is already common. We project that vendors will add further support for multidevice passkeys in the next 12 to 18 months, especially for customer authentication, as well as for device-bound passkeys for workforce authentication. We also anticipate increased support for CAEP as a mechanism to mitigate the threat of session theft.
The scope of access across PC or LAN, client/server, and other data center assets, as well as SaaS and web applications. However, for the time being, extending the scope of AM tools typically relies on third-party glueware.
Integration with identity verification tools. Initially used to support customer onboarding, these will be increasingly relevant for gig workers and remote employees, not just to meet HR needs, but also to support credential life cycle management.
Increased analytics capabilities to support ATO prevention and continuous adaptive access, improved interoperability with external tools providing signals and analytics, and increased orchestration capabilities to manage authentication flows smoothly in user journeys.
Increased investment in FIDO2 support for workforce contexts by major AM vendors will dramatically reduce the available opportunity for stand-alone vendors with commoditized OTP hardware tokens, phone-as-a-token authentication offerings or specialized passwordless technologies.
Biometric authentication specialists continue to have a market opportunity. AM vendors and others are likely to continue partnering with biometric vendors, rather than acquiring or developing biometric capabilities.
Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.
Vendor Selection
The vendors listed below (see Table 1) are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings (see Note 1).
Table 1: Representative Vendors in the User Authentication Market
Migrate to a minimum effective toolset for user authentication, to lower costs and provide a more consistent UX for workforce and customers, by exploiting the native capabilities of their AM tools across as many use cases as possible:
Take advantage of AM tools’ ability to manage authentication flows to enable a differentiated and highly flexible authentication UX across all user journeys.
Favor AM vendors that provide open integrations that give access to a marketplace of multiple, stand-alone authentication vendors and methods.
Evaluate the benefits of using additional tools that can increase the reach of an AM tool’s authentication capabilities, versus using additional authentication tools to address legacy and specialized needs.
Minimize time to value for passwordless authentication by fully exploiting incumbent tools’ capabilities, even if the scope is limited to one or a few use cases (such as Windows and SaaS login):
Explore broader use of Windows Hello for Business and device-bound passkey options to provide phishing-resistant passwordless MFA.
Implement compensating controls to reduce existing methods’ susceptibility to phishing.
Reduce the risk associated with attacks on or bypassing authentication by deploying compensating controls for common scenarios:
Enable built-in checks for weak or compromised credentials. Invest in third-party feeds only when a clear plan for validation and response is possible.
Ensure that new investments in higher-trust authentication methods are matched by credentialing and account recovery process improvements.
Do not use the same authentication method for interactive logins as for credentialing and recovery. Do not rely on knowledge-based verification (“security questions”) and email-delivered OTP, both of which Gartner deprecates.
Evidence
This research is based on publicly available information and hundreds of direct interactions with vendors and end-user organizations during the past 18 months.
Note 1: Representative Vendor Selection
This research provides Gartner clients with a view of the available offerings, taking into account:
Market presence
Diversity of authentication methods and delivery options
Citations in and relevance to Gartner client interactions
Consonance with overarching market trends
Thus, vendors represent what is core in the market, what extends it and what will transform it. A representative vendor listed in this Market Guide has the characteristics described in the Market Definition and Market Description sections.
The representative vendors do not represent an exhaustive list of all providers; they are only a handful out of a total of approximately 400. Many worthy vendors have been omitted, with no implied criticism.