Multi-Factor Authentication Marketplace

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free

Multi-Factor Authentication Marketplace

by Faulkner Staff

Docid: 00021366

Publication Date: 2209

Report Type: MARKET


Multi-factor authentication (MFA) is the process of authenticating or
verifying an individual’s identity using multiple (normally three or more)
independent “factors.” These factors typically include something the
subject “knows” (like a password); something the subject “possesses” (like
an access card); and something the subject “is” as represented by a unique
biometric marker (like a fingerprint).

Report Contents:

Executive Summary

[return to top of this

“Multi-factor authentication” (MFA) is the process of authenticating (or
verifying) an individual’s (or subject’s) identity using multiple
(normally three or more) independent “factors”. These factors, as
illustrated in Figure 1, typically include:

  • Something the subject “knows” (like a password)
  • Something the subject “possesses” (like an access card)
  • Something the subject “is” as represented by a unique biometric marker
    (like a fingerprint)

Faulkner Reports
Identity Management Market

Multi-factor authentication was largely developed in response to concerns
over traditional userid/password security, which is considered insecure –
particularly for high-security access – since userids and passwords can

  • Shared among multiple individuals, almost always inappropriately.
  • Stolen, especially if userid/password combinations are written down or
    recorded, either on paper or in plain-text digital files.
  • Captured via a keylogger or other malware device.
  • Volunteered by an unsuspecting individual as part of a “social
    engineering” attack.

In an MFA environment, a compromised userid and password does not equal
disaster, since a subject must furnish two additional means of
self-identification to gain access to protected enterprise or personal

Figure 1. What Is Multi-Factor Authentication?

Figure 1. What Is Multi-Factor Authentication?

Source: US National Institute of Standards and Technology


Of the three MFA factors, the “something a subject (or user) is”
biometric marker is considered the most reliable authentication indicator.

The term “biometrics” encompasses a broad range of technologies used to
identify an individual or authenticate a individual’s claimed identity by
measuring and analyzing his or her physiological or behavioral
characteristics. Biometric modalities based on physiological
characteristics include:

  • Fingerprint recognition
  • Hand geometry
  • Iris recognition

Biometrics based on behavioral characteristics include:

  • Voice verification
  • Signature verification
  • Key stroke dynamics, which authenticates individuals based on their
    typing rhythm

Physiological biometrics, which involve direct measurement of a subject’s
inherent physical characteristics, are considered more reliable than
behavioral biometrics that rely on idiosyncratic qualities like voice and
signature that can be mimicked. Behavioral characteristics are often
reserved for applications in which an individual’s identity must be
determined at a distance (such as over the phone).


Multi-factor authentication (MFA) is distinguished from

  • Single-factor authentication (SFA), which requires one verifiable
    identity credential
  • Two-factor authentication (TFA or 2FA), which requires two verifiable

Today, TFA is probably more popular than either MFA or SFA.

Market Dynamics

[return to top of this

In establishing the need for multi-factor authentication, the US National
Institute of Standards and Technology (NIST) observes the following:

When it comes to securing online accounts,
most of us are familiar with the standard combination of using a [userid]
and a unique password. For many years, this was considered a reasonably
secure way to limit access to just the authorized users of the account.
However, due to normal human behavior, people tend to choose easy to
remember passwords or reuse the same passwords at multiple online

A simple password is likely one that a hacker
can discover using a variety of hacking tools; and a reused password may
have been previously revealed in a data breach. Once a [userid]/password
combination has been listed among the data of known breached accounts, it
is no longer secure, no matter how long or complex that password was. In
fact, databases of known breached account information reveal the actual
passwords in use around the world, and we can see that people typically
fail to choose sufficiently long, complex, and unique [passwords]. A study
of the most common passwords used globally has “123456”, “qwerty” (six
consecutive keys on a keyboard) and “password” among the top 5.

Therefore, it is necessary to add more layers
of authentication beyond a password to ensure that accounts remain
secured. These additional layers lead to the term of “multi-factor
authentication” or MFA and can include three elements:

    • Things you know – such as a password or other personally-known
      information such as the answers to security questions.
    • Things you have – such as an id badge with an embedded chip, or a
      digital code generator.
    • Things you are – such as physical traits like your fingerprints or

MFA utilizes factors from multiple of these
elements to prove users’ identities. For example, in addition to entering
a password, a user may be required to provide a code that was sent to
their phone or email account.1


Multi-factor authentication may not be appropriate – or, perhaps more
correctly, necessary – for all authentication applications.

As Ping Identify explains, “At first, it might seem like a good idea to
protect all of your digital resources with the most secure methods
available, such as facial recognition or fingerprints. However, those
methods require users to have recognition technologies available, which
can be expensive. On the other hand, if you’re not protecting sensitive
information, you might consider using SFA with a password or PIN, or [TFA]
with a mobile phone if most of your users have them.  Although these
methods might not provide the highest level of security, they are easier
and less expensive to implement. The trick is finding the appropriate
balance between security and the user experience.”2

Market Leaders

[return to top of this

Multiple companies compete in the multi-factor authentication market,

  • Web-hosting firms (offering MFA “as-a-service”)
  • Telcos (via managed authentication services)
  • Software companies (via authentication features within offerings)

According to research conducted by MarketsandMarkets, prominent MFA
providers include:

  • Microsoft (US)
  • Broadcom (US)
  • OneSpan (US)
  • Okta (US)
  • Micro Focus (UK)
  • Thales (France)
  • RSA Security (US)
  • Cisco (US)
  • Ping Identity (US)
  • HID Global (US)
  • ESET (Slovakia)
  • Yubico (US)
  • ForgeRock (US)
  • CyberArk (US)
  • OneLogin (US)
  • SecureAuth (US)
  • Oracle (US)
  • Salesforce (US)
  • Secret Double Octopus (Israel)
  • Silverfort (Israel)
  • Trusona (US)
  • FusionAuth (US)
  • HYPR (US)
  • Keyless (US)
  • Luxchain (Hong Kong)3

[return to top of this

The MFA market is complicated – and, sometimes, contradictory – as
revealed by the following items.

A Growing Market

Reflecting the ever-rising concerns about enterprise security and
personal privacy, MarketsandMarkets predicts that the multi-factor
authentication market, valued at an estimated $12.9 billion in 2022, will
grow to $26.7 billion by 2027, a compound annual growth rate (CAGR) of
15.6 percent during the forecast period.4

A “Global Mandate”

Speaking optimistically, analyst Andre Durand suggests that “Multi-factor
authentication (MFA) is on its way to becoming a global mandate. As we
work diligently to hold our ground and advance against the global threat
landscape, we will see more government and industry consortia begin to
mandate the use of MFA to combat authentication fraud. Just as quickly,
driven by a new kind of fatigue, MFA fatigue, we will see companies
leverage risk signals to reduce the burden of MFA prompts.”5

A Slow Adoption

Assuming a more pessimistic tone, analyst François Amigorena reminds us
that “In their everyday lives, most people ignore two-factor, [much less
true multi-factor], authentication. This reluctance [to engage in
multi-factor authentication] has propelled several tech giants to make MFA

  • “Salesforce now mandates MFA,
  • “2FA will gradually become mandatory for all Google users, and
  • “[Amazon’s] Ring has already made 2FA mandatory.

“Unfortunately, the same [anti-multi] attitude exists in the workplace,
with enterprise MFA adoption still low.”6

A Regulatory Push

Most modern data security and personal privacy regulations – and
regulatory regimes – either recommend or require the use of multi-factor

For example, the recently-published version 4.0 of the Payment Card
Industry Data Security Standard (PCI DSS), includes an “expansion of
Requirement 8 to implement multi-factor authentication (MFA) for all
access into the cardholder data environment.”7


MarketsandMarkets reports that small-to-medium-sized enterprises (SMEs)
are “actively investing in MFA solutions to enhance their security
posture.” Most SMEs suffer from:

  • Small security budgets
  • Few IT security specialists
  • Limited IT security tools
  • Seemingly relentless cyber attacks

Hence, any technology that reduces unauthorized access to SME systems is
generally welcomed, if not embraced.

“With small businesses slowly moving to the cloud, there is a significant
need for MFA.”8


[return to top of this

MFA and Privilege

According to analyst François Amigorena, “The more organizations
understand the value of applying principles of least privilege
and privileged account management to all accounts, the
more they will understand the advantage of securing logins across all
users.  Organizations will put more effort into finding a balance
between employee productivity and security. And when they do, get ready to
see the demand for granular, customizable MFA explode.”9

The Password Is Me

Although multi-factor authentication is generally accepted as today’s
best authentication solution, MFA has always felt like a temporary or
stopgap security measure. It is, after all:

  • Inconvenient for users
  • A pain to implement for IT staffs
  • Not that easy to administer
  • Usually still involves passwords or pins (which everyone wants to
    phase out)

The big “factor” recommending MFA is the incorporation of biometrics,
which seem to offer the ultimate formula for user identification and
authentication (I&A).10

While MFA will continue to be enhanced and promoted for authentication
purposes, expect major new developments in the field of biometrics,
leading, eventually, to a universal biometrics-based, single-factor
authentication scheme.

[return to top of this


[return to top of this