January 4, 2021

What to Consider When Evaluating MFA and CIAM Vendors

Advice from Gartner’s Market Guide for User Authentication 

By 2023, 60% of large and global enterprises, and 80% of MSEs, will deploy MFA capabilities consolidated with AM or similar tools, which is an increase from 10% and 25%, respectively, today.

Key Findings

■ The rapid adoption of cloud services hugely increases enterprises’ exposure to phishing and other attacks. This, in turn, drives new investment in multi-factor authentication (MFA) among other cloud security controls.

■ Access management (AM) vendors are the preferred authentication providers in cloud-first enterprises. Those able to meet legacy needs can displace incumbent authentication vendors.

■ Client interest in passwordless authentication continues to build. However, there are many ways to eliminate passwords, and technological constraints make a single universal approach elusive.

■ Smartphones are often central to MFA strategy or innovations, but this focus risks alienating people without smartphones for whom alternative methods are less secure or have poorer UX.

Recommendations

Security and risk management leaders responsible for identity and access management (IAM) should:

■ Follow the CARE standard for cybersecurity controls: user authentication should be consistent, adequate, reasonable and effective.

■ Identify candidate vendors that provide multiple optional methods. This can help to address differential needs and constraints across constituencies in all use cases where MFA is needed.

■ Clearly define infrastructure, UX and other goals when seeking passwordless authentication. Ubiquity is not necessary to make headway, but beware of marginalizing some constituencies.

■ Seek products and services that instantiate continuous adaptive risk and trust assessment (CARTA) principles to provide a resilient response to advanced threats and to improve UX.

User authentication is foundational to identity and access management (IAM) functions that rely on having confidence in users’ identities:

■ Authorization, especially segregation of duties (SOD)

■ Audit (individual accountability)

■ Identity analytics

It also provides an important element of modern security, such as cloud and network security, and of fraud prevention initiatives in customer IAM.

The market encompasses a variety of products and services, implementing a range of authentication methods that are used in addition to, or in place of, legacy passwords.

Orthodox methods are based on one or more credentials. These methods are typically classified by the kind of credentials, or authentication factors, that they use: “what you know, hold and are (or do).” 

Combining two or more factors provides two-factor authentication (2FA) or multi-factor authentication (MFA). However, the term “MFA” is often used where there are only two factors.

Most legacy “MFA” tools are really only “+1FA” tools, adding a single extra factor to a legacy password. New “true” MFA tools are gaining attention among clients; these typically provide passwordless MFA.

In any case, MFA provides far better confidence in a claimed identity than either factor alone and thus can significantly reduce account takeover (ATO) risks (however, no MFA method is bulletproof).

Many modern authentication providers augment their orthodox methods with approaches that evaluate a variety of contextual or other signals that can increase (or decrease) confidence in a claimed identity.

These approaches range from simple conditional rules to advanced analytics, often incorporating machine learning (ML).

They enable adaptive responses, either discretely at login (can the person skip a prompt for MFA?) or continuously throughout a session, driving dynamic trust elevation or risk reduction.

MFA capabilities may be delivered via discrete software, hardware or cloud-based services. However, they are also embedded in other tools, such as AM tools and some online fraud detection (OFD) tools. 

CARTA Principles and Adaptive Access

A CARTA strategic approach can securely enable digital business in a world of advanced, targeted attacks. This approach allows real-time risk- and trust-based decision making with adaptive responses. 

Adaptive access implements CARTA principles in a runtime IAM context. It acts to balance trust against risk at the moment of access using a combination of trust-elevation and risk-mitigation techniques. 

Continuous adaptive access provides two benefits pertaining to user authentication:

■ Provide greater resilience to a variety of ATO attacks that can defeat orthodox authentication methods at login and do so throughout a session (“continuous authentication”).

■ Enhance UX by minimizing demands for step-up authentication (“just in time” MFA) or transaction authorization steps; thus adding friction only when risk demands it. 

Many MFA tools provide adaptive (or “risk-based”) authentication, but these typically enable only step-up authentication at login, not dynamic adaptive responses to post-login changes in risk and trust.

Furthermore, they typically assess only recognition (or familiarity) signals, disregarding risk signals linked to the user and other trust and risk signals linked to the environment and assets being accessed.

In contrast, newer “smart” MFA tools, as well as some AM tools, can consume a broad range of signals and can provide granular, moment-by-moment visibility of user activity throughout a session. 
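As an added illustration (not from the Gartner guide or any vendor's product), a toy adaptive-access policy in Python that scores recognition, user, asset and behavioural signals for each event and re-evaluates the session continuously rather than only at login; the signal weights, thresholds and the sample session are assumptions.

```python
from dataclasses import dataclass

STEP_UP = 2           # an un-elevated session must pass MFA at this score
STEP_UP_ELEVATED = 5  # an already-elevated session is re-challenged at this score
DENY = 7              # access refused outright

@dataclass
class AccessEvent:
    device_known: bool       # recognition signal: seen this device before?
    geo_velocity_kmh: float  # risk signal: implied travel speed since last event
    user_risk: int           # 0..3, e.g. from identity analytics
    asset_sensitivity: int   # 1 (low) .. 3 (high), property of the asset accessed
    behavior_anomaly: float  # 0.0..1.0, passive behavioural biometric deviation

def risk_score(ev: AccessEvent) -> int:
    """Additive score over every signal class, not just device familiarity."""
    score = 0 if ev.device_known else 2
    if ev.geo_velocity_kmh > 900:  # faster than a commercial flight
        score += 3
    score += ev.user_risk + (ev.asset_sensitivity - 1)
    if ev.behavior_anomaly >= 0.7:
        score += 2
    return score

def decide(ev: AccessEvent, elevated: bool) -> str:
    """'allow', 'step_up' or 'deny' for a single event (assumed thresholds)."""
    s = risk_score(ev)
    if s >= DENY:
        return "deny"
    return "step_up" if s >= (STEP_UP_ELEVATED if elevated else STEP_UP) else "allow"

def evaluate_session(events):
    """Trust earned by a step-up persists until risk rises again; a deny resets it."""
    decisions, elevated = [], False
    for ev in events:
        d = decide(ev, elevated)
        if d == "step_up":
            elevated = True  # assume the user passes the MFA challenge
        elif d == "deny":
            elevated = False
        decisions.append(d)
    return decisions

def sample_session():
    """Constructed session: familiar login, sensitive access, then escalating risk."""
    return [AccessEvent(True, 0, 0, 1, 0.1),      # familiar login            -> allow
            AccessEvent(True, 0, 0, 3, 0.1),      # sensitive asset           -> step_up
            AccessEvent(True, 0, 0, 3, 0.2),      # same asset, elevated      -> allow
            AccessEvent(False, 0, 0, 3, 0.9),     # new device, odd behaviour -> step_up
            AccessEvent(False, 1500, 1, 3, 0.9)]  # impossible travel on top  -> deny
```

Calling `evaluate_session(sample_session())` walks the constructed session through the policy; the third event shows a "just in time" step-up being reused rather than re-prompted, and the last shows risk signals overriding elevated trust.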

Adaptive access for network and cloud use cases is also enabled by ZTNA or CASBs. Integration patterns for CASBs, ZTNA, AM and MFA will be described in future Gartner research.

In CIAM market segments (such as banking) that make use of OFD tools, these can also enable adaptive access and become similarly important, especially where they extend the value of AM tools. In complex environments, the ability to orchestrate a multiplicity of access decision engines, analytics tools, and authentication components in a flexible, dynamic way will be a critical success factor.

Orchestration enables authentication flows to be changed, responding to incidents or anticipating threats or improving UX, without making software changes as in legacy integration approaches.

Gartner identified Acceptto in its Analytics-Centric Authentication category, which is defined as “vendors with a special focus on rich analytics, especially machine learning, including passive behavioral biometric methods.”

Learn how Acceptto’s Passwordless Continuous Authentication technology works and how it can strengthen your user authentication strategy here.
