1 Executive Summary

In this Leadership Compass, we assess solutions that lay the groundwork for customers in adopting passwordless authentication. To better understand the fundamental principles this report is based on, please refer to KuppingerCole’s Research Methodology.

Passwordless authentication has become a popular and catchy term. It is used to describe a set of identity verification solutions that remove the password from all aspects of the authentication flow and from the recovery process as well. To minimize the dependence on passwords, the industry has been working for a long time on different technical solutions and standards. As the industry continues to embrace innovative solutions, the era of passwordless is gradually giving way to more secure, user-friendly, and efficient authentication methods, marking a new stage in the evolution of digital security.

Given the security risks and inconvenience associated with passwords, there is a trend for organizations to replace and eliminate passwords altogether. Although the internet has changed significantly since its inception, password authentication has practically remained unaltered. The password is remnant of an era before hacking and credential-based attacks became a widespread problem. The issue with passwords is that they can easily be stolen and compromised—without the knowledge of the user or the service provider. In addition, passwords can be costly, time-consuming, difficult to manage, and result in poor user experience. Furthermore, the fact that password reuse is a common practice among customers and employees only exacerbates the problem.

Although passwordless options have been around for a while, some recent solutions are gaining traction with enterprises and even consumer-facing businesses. For example, smart cards and hardware tokens have been used as an alternative to usernames and passwords for decades. Nevertheless, some of the distinctive features of passwordless solutions include the ability to support a wide range of authenticators, public key cryptography, biometrics, comprehensive APIs, frictionless user experience, and legacy applications and services.

It is important to note that passwordless authentication solutions tailored for enterprise use cases and those designed for consumer use cases exhibit distinct differences in response to varied expectations. Consumer-focused solutions must prioritize additional functionalities such as seamless omnichannel experiences, self-service options, robust privacy management, a consistent and user-friendly interface, and the flexibility to operate on any device. These heightened expectations stem from the diverse preferences and demands of consumers who prioritize a personalized and adaptable authentication experience.

Figure 1: Main drivers of passwordless authentication adoption

Notably, user experience expectations diverge significantly between employees and consumers. Employees may tolerate more friction in the authentication process, aligning with organizational IAM policies, whereas consumers, driven by convenience, are prone to disengage if faced with complexity or delays. Additionally, consumer solutions must navigate the challenges of unmanaged IT environments, requiring adaptability to authenticate users securely on any device while prioritizing privacy and compliance with stringent regulations like GDPR. In essence, while both enterprise and consumer solutions aim for secure authentication, their emphasis on security measures, user experience, and scalability varies to meet the unique needs of each user category.

However, organizations seeking passwordless authentication solutions must consider various factors, including security, ease of implementation, interoperability, and cost-effectiveness. The importance of user experience cannot be overstated, as seamless authentication processes are essential for consumer adoption. By understanding these considerations and evaluating the offerings from different vendors, consumers can identify the solution that best meets their specific needs and preferences.

1.1 Key Findings

What are the top considerations buyers should know about?

• The passwordless authentication market is dynamic, vibrant, and competitive, with different vendors offering similar but distinct solutions.
• Despite the presence of major players, the evolving nature of the market allows smaller companies to enter and establish a niche by leveraging technical innovation or catering to specific use cases.
• User experience expectations diverge significantly between employees and consumers. While both groups benefit from the security and efficiency of passwordless systems, their divergent contexts and priorities necessitate tailored approaches.
• Consumer-focused solutions must prioritize functionalities such as seamless omnichannel experiences, self-service options, robust privacy management, a consistent and user-friendly interface, and the flexibility to operate on any device.
• The creation of open standards such as FIDO2 and WebAuthn has increased the adoption of passwordless technologies. In addition, the use of passkeys is likely to be a catalyst for widespread adoption.
• The Overall Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, CyberArk, Entrust, HID, HYPR, IBM, Microsoft, Okta, OneSpan, Ping Identity, Thales, and Transmit Security.
• The Product Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, cidaas, CyberArk, Entrust, HID, HYPR, IBM, Microsoft, Nevis Security, Nok Nok, Okta, One Identity, OneSpan, Ping Identity, SecureAuth, Thales, and Transmit Security.
• The Innovation Leaders (in alphabetical order) are 1Kosmos, Beyond Identity, CyberArk, Entrust, Futurae Technologies, HID, HYPR, IBM, Nok Nok, Okta, OneSpan, Ping Identity, SecureAuth, Thales, and Transmit Security.
• The Market Leaders (in alphabetical order) are CyberArk, Entrust, Exostar, HID, IBM, Microsoft, Okta, OneSpan, Ping Identity, Thales, and Transmit Security.

1.2 Market Analysis

The market for passwordless authentication products and services has witnessed exponential growth in recent years, driven by the increasing demand for secure and user-friendly authentication methods. This surge in demand has resulted in the emergence of a diverse set of vendors vying for prominence within the passwordless landscape.

While the market is not yet considered mature, it remains highly dynamic and rife with opportunities for both established players and newcomers alike. Despite the presence of major players, the evolving nature of the market allows smaller companies to enter and establish a niche by leveraging technical innovation or catering to specific use cases. Therefore, this KuppingerCole Leadership Compass deals with the most important players in the field of passwordless authentication for consumers.

The accelerating adoption of passwordless solutions is closely tied to the evolving regulatory landscape and the establishment of industry standards. For example, the U.S. government recently published a cybersecurity memorandum emphasizing the need for stronger enterprise identity and access controls, including using phishing-resistant MFA and adopting a Zero Trust model. Furthermore, the development of open standards such as Fast Identity Online (FIDO)2 and WebAuthn have further generated adoption of passwordless technologies.

FIDO2 and WebAuthn use public key cryptography and strong authentication to enable passwordless authentication while reducing the risk of password-related attacks, such as phishing and credential stuffing. FIDO has also worked with companies such as Microsoft, Google, and Apple to integrate and adopt FIDO standards across their operating systems. More recently, these companies have announced plans to support passkeys on their platforms. For example, Apple's latest update, iOS 16 for iPhones as well as macOS Ventura for Macs, now supports passkeys, while Google introduced support for passkeys in December 2022.

Consequently, the transition to passwordless forms of authentication will continue to gain momentum. Organizations must evaluate the assurance level they seek for their relying applications and, if appropriate, leverage the benefits of passwordless technology. Therefore, organizations' systems must cease supporting legacy authentication methods that are prone to phishing attacks, such as mobile SMS codes, voice calls, push notifications or one-time passcodes (OTP). These techniques, once standard practices, are increasingly seen as less secure and are trusted less and less by security professionals.

KuppingerCole Analysts predicts that the Compound Annual Growth Rate (CAGR) goes up to 31.1%, leading the passwordless authentication market to reach 6.6 billion USD by 2025. This expected growth can also be attributed to the user-friendliness of this method and to the possibility the easy integration of those systems within a company framework, as well as the rising cases of data theft and the constant search of the companies to protect their sensitive information. North America and EMEA are the regions where this service is experiencing the strongest growth.

Figure 2: Passwordless authentication market size predictions

The need for passwordless authentication solutions is increasing, but finding one that is simple, effective, and secure is challenging. Organizations must confront password-based threats and find alternatives without disrupting their users or business practices. If implemented successfully, a passwordless solution will not only increase the security posture of the organization but also deliver a convenient and frictionless user experience.

While these solutions promise enhanced security and convenience, enterprises are faced with a myriad of options in the market. This report aims to demystify the landscape of passwordless authentication, offering consumers guidance in navigating the diverse array of products and services available.

What remains to be seen in the market is whether customers can overcome old-school mentalities. Despite the promise of new authentication methods, many people are still reluctant to move away from traditional security methods due to user acceptance, lack of education, security limitations, and deployment costs. In addition, there's also an interoperability issue that needs to be addressed in websites, ledgers, and wallets. This challenge arises from the diverse range of authentication protocols and standards used across different platforms and services, leading to compatibility issues and fragmentation in the authentication ecosystem.

For instance, if a password is still required by a third party and the website does not support WebAuthn or similar technologies, users are forced to revert to traditional passwords, complicating what should be a streamlined process. This often results in an inconvenient and frustrating experience, as it contradicts the ease and security promised by passwordless solutions. For a more detailed exploration of these scenarios, check out The Second Law of AuthN Dynamics.

Additionally, some vendors continue to offer username/password authentication as an option for account recovery, available at the customer’s choice and not as a mandatory feature. However, to truly advance toward a passwordless future, vendors must prioritize educating users on the vulnerabilities associated with traditional password systems and actively develop innovative or more secure alternatives. This approach not only enhances security but also aligns with evolving consumer expectations for more convenient and robust authentication solutions.

The declaration that "the password is dead" has echoed throughout the tech community for well over two decades, yet the reality is starkly different; passwords remain pervasive and stubbornly entrenched in digital authentication processes. Despite the significant shift towards passwordless authentication, the widespread and rapid disappearance of passwords seems unlikely. As a result, passwordless is destined to become yet another form of strong authentication, with its ability to fill specific use cases such as consumer authentication.

The future promises a landscape where fewer passwords are needed, and their presence is largely obscured by passwordless solutions. However, passwords will still lurk in the shadows, a lingering relic of an older era of digital authentication. For this reason, selecting the right passwordless solution that meets the unique challenges and needs of each organization is essential. The passwordless journey must consider the expectations of each of your organization's customer segments as well as the appropriate level of security and user experience.

1.3 Delivery Models

Passwordless authentication solutions are mainly delivered as a cloud hosted software-as-a-service (SaaS) solution, with all participating vendors providing this deployment model. However, support and integration with on-premises environments are also offered by most vendors. Despite the continued relevance of on-premises deployments, organizations are requiring more agile multi-cloud and multi-hybrid deployments that provide a gradual migration to the cloud. On the one hand, for SaaS offerings, the licensing models are often priced per user, per transaction, and per time period. On the other hand, for on-premises deployments, licensing costs can be measured as per-user or per-server.

1.4 Required Capabilities

This Leadership Compass analyzes which of the passwordless authentication offerings in the market are best suited to form the foundation for a Zero Trust model, in providing:

• An integrated and secure authentication approach
• A strong level of usability (e.g., simple device onboarding; recurring authentication)
• Authentication methods that eliminate passwords and other easily phishable factors
• The ability for organizations to control which users and devices can access sensitive information

Thus, solutions must not only deliver functionality and support for integration, but also meet our requirements regarding the architecture, deployment model, and their interoperability with traditional applications, cloud services, and new digital services.

The focus is on solutions that cover these capabilities:

Support for a broad range of authenticators is essential for accommodating diverse user preferences and needs. This includes various methods such as biometrics (e.g., fingerprint, facial recognition), hardware tokens, mobile push notifications, and knowledge-based authentication.

Strong Authentication encompassing Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA), provides an added layer of security by requiring users to provide multiple forms of verification before gaining access. 2FA and MFA mechanisms are typically constructed from two or more authentication elements taking from three categories (something the user knows, like a password or PIN; something the user has, like a hardware device or mobile phone; and/or something the user is, like a biometric feature).

Risk, context-based, and continuous authentication leverages contextual information such as device location, user behavior patterns, and transaction history to dynamically assess the risk level associated with each authentication attempt. This approach enables organizations to adapt authentication requirements based on real-time risk assessments.

Adaptive and step-up authentication further enhance security by dynamically adjusting authentication requirements based on risk levels. Adaptive authentication automatically selects the appropriate authentication method based on contextual factors, while step-up authentication prompts users for additional verification when the risk level is elevated.

Support for legacy applications and services is crucial for ensuring seamless integration with existing infrastructure, allowing organizations to modernize their authentication processes without disrupting legacy systems.

Strong cryptographic approaches, such as Private/Public Key encryption and Zero Knowledge Encryption, ensure data confidentiality and integrity during authentication processes. Private/Public Key encryption involves the use of asymmetric cryptography, where a public key is used for encryption and a private key for decryption. Zero Knowledge Encryption allows verification of user credentials without exposing sensitive information.

Integration with 3rd-party authenticators enables organizations to leverage additional authentication methods provided by external providers, expanding the range of options available to users.

Integration capabilities to established platforms enable seamless integration with existing identity and access management (IAM) solutions, ensuring interoperability and ease of deployment.

Frictionless user experience is essential for promoting user adoption and satisfaction. Solutions should prioritize simplicity and ease of use while maintaining strong security measures.

Device trust on multiple devices allows organizations to establish trust levels for different devices based on factors such as device health, compliance status, and user behavior, enabling secure authentication across various endpoints.

Support for all major Identity Federation standards, including SAML (Security Assertion Markup Language) and OAuth, facilitates seamless single sign-on (SSO) experiences across different applications and services.

Comprehensive set of APIs enables organizations to customize and extend authentication capabilities according to their specific requirements, fostering flexibility and innovation.

Flexible, modern software architecture ensures scalability, resilience, and adaptability to evolving security threats and technological advancements.

Scalability and performance are critical for supporting large-scale deployments and ensuring responsive authentication processes, particularly in high-demand environments with millions of users.

We expect solutions to cover a majority of these capabilities, at least at a baseline level. There is no minimum number of customers or revenue caps that vendors must meet—both large international companies and small but innovative startups are included in this report. Some vendors did not respond to requests to participate or chose not to participate. Profiles of these vendors, as well as other interesting vendors, can be found in Chapter 6, "Vendors to Watch."

2 Leadership

Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Leadership Compass. The Leadership Compass provides a comparison based on standardized criteria and can help identify vendors that shall be further evaluated. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept of pilot phase, based on the specific criteria of the customer.

Based on our rating, we created various Leadership ratings. The Overall Leadership rating provides a combined view of the ratings for

• Product Leadership
• Innovation Leadership
• Market Leadership

2.1 Overall Leadership

Figure 3: Overall Leadership in the passwordless authentication for consumers market

The Overall Leadership chart is linear, with Followers appearing on the left side, Challengers in the center, and Leaders on the right. The rating provides a consolidated view of all-around functionality, market presence, and financial security.

However, these vendors may differ significantly from each other in terms of product features, innovation, and market leadership. Therefore, we recommend considering our other leadership categories in the sections covering each vendor and their products to get a comprehensive understanding of the players in this market and which of your use cases they support best.

The Overall Leadership chart shows that a significant number of vendors have achieved a high level of maturity, with just fewer than half of the vendors in the Leaders segment. Ping Identity, after the merger with ForgeRock, is the overall leader and takes a strong position with the combined portfolio, despite some integration work still to do.

Ping Identity is followed by a group of two vendors, including IBM and Transmit Security. IBM's solution is highly scalable, integrates easily with 3rd parties for MFA, and offers a wide selection of authentication mechanisms. Transmit Security offers excellent orchestration capabilities and strong omni-channel features. These are well-established vendors with a global partner ecosystem, strong market position, and presence in various regions of the world.

In the Challenger segment, we see a mix of vendor types: IAM vendors, specialists for biometric authentication, vendors focusing on SIM-card based authentication, and others that are focused on specific areas. They have overall good capabilities and a high degree of flexibility in configuration, while lacking some of the more advanced features other vendors provide. All vendors within the Challenger section have good products with varying levels of device compatibility, scalability, deployment, and API capabilities. Furthermore, some still have limited global presence, affecting their rating for Overall Leadership.

Overall Leaders are (in alphabetical order):

• 1Kosmos
• Beyond Identity
• CyberArk
• Entrust
• HID
• HYPR
• IBM
• Microsoft
• Okta
• OneSpan
• Ping Identity
• Thales
• Transmit Security

2.2 Product Leadership

Product leadership is the first specific category examined below. This view is mainly based on the presence and completeness of required features as defined in the required capabilities section above. The vertical axis shows the product strength plotted against the combined/overall strength on the horizontal axis. The Product Leadership chart is rectangular and divided into thirds. Product Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.

Figure 4: Product Leadership in the passwordless authentication for consumers market

Again, we find several vendors in the Leaders segment. These include Ping Identity with the combined Ping / ForgeRock product Portfolio, IBM, Transmit Security and then several vendors that are head-to-head, including Beyond Identity, HYPR, HID, Entrust, and Microsoft. 1Kosmos is also close to this group, as well as CyberArk and Okta. Nok Nok, OneSpan, Thales, SecureAuth, One Identity, cidaas, and Nevis Security have also made it into the Leaders segment.

The other vendors are placed in the Challenger segment, with Entersekt, Exostar, Futurae Technologies and SAASPASS being close to becoming Leaders. These other vendors are all positioned more towards the center of the Challenger segment.

Product Leaders (in alphabetical order):

• 1Kosmos
• Beyond Identity
• cidaas
• CyberArk
• Entrust
• HID
• HYPR
• IBM
• Microsoft
• Nevis Security
• Nok Nok
• Okta
• One Identity
• OneSpan
• Ping Identity
• SecureAuth
• Thales
• Transmit Security

2.3 Innovation Leadership

Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and even emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.

This view is mainly based on the evaluation of innovative features, services, and/or technical approaches as defined in the Required Capabilities section. The vertical axis shows the degree of innovation plotted against the combined/overall strength on the horizontal axis. The Innovation Leadership Chart is rectangular and divided into thirds. Innovation Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.

Figure 5: Innovation Leadership in the passwordless authentication for consumers market

Innovation Leaders are those vendors that are delivering cutting-edge products, not only in response to customers’ requests but also because they are driving the technical changes in the market by anticipating what will be needed in the months and years ahead. There is a correlation between the Overall, Product, and Innovation Leaders, which demonstrates that leadership requires feature-rich products that are looking over the horizon to bring advancements to help their customers.

Both established and specialized vendors continue to innovate in the passwordless market. Innovation is driven by capabilities such as account recovery, identity proofing, biometrics, decentralized identity, and the addition of capabilities powered by AI/ML; this category also includes vendors rethinking traditional approaches, such as in the field of Access Management.

In the Leaders segment, Ping Identity comes in ahead of Transmit Security, closely followed by a group of five vendors, consisting of 1Kosmos, Beyond Identity, Futurae Technologies, IBM, and HYPR. Other vendors in this segment include CyberArk, Entrust, HID, Nok Nok, Okta, OneSpan, SecureAuth, and Thales.

Innovation Leaders (in alphabetical order):

• 1Kosmos
• Beyond Identity
• CyberArk
• Entrust
• Futurae Technologies
• HID
• HYPR
• IBM
• Nok Nok
• Okta
• OneSpan
• Ping Identity
• SecureAuth
• Thales
• Transmit Security

2.4 Market Leadership

Finally, we analyze Market Leadership. This is an amalgamation of the number of customers, the number of transactions evaluated, the ratio between customers and managed identities/devices, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and the financial health of the participating companies. Market Leadership, from our point of view, requires global reach.

In this chart, the vertical axis shows the market strength plotted against the combined/overall strength on the horizontal axis. The Market Leadership Chart is rectangular and divided into thirds. Market Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.

Figure 6: Market Leaders in the passwordless authentication for consumers market

Microsoft is leading the market, being a dominant player in the IAM space. Following them are large IT vendors with a considerable footprint in the IAM market; these are IBM, Okta, Ping Identity, and Thales. CyberArk, Entrust, HID, OneSpan, Transmit Security and Exostar are also positioned in the Leader segment.

The rest of the vendors are rated as Challengers. These are smaller vendors with mostly small partner ecosystems and limited market presence on a global scale.

Market Leaders (in alphabetical order):

• CyberArk
• Entrust
• Exostar
• HID
• IBM
• Microsoft
• Okta
• OneSpan
• Ping Identity
• Thales
• Transmit Security

3 Products and Vendors at a Glance

This section provides an overview of the various products we have analyzed within this Leadership Compass. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These allow identifying, for instance, highly innovative but specialized vendors or local players that provide strong product features but do not have a global presence and large customer base yet.

Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1. Since some vendors may have multiple products, these are listed according to the vendor’s name.

Vendor	Security	Functionality	Deployment	Interoperability	Usability
1Kosmos
Beyond Identity
cidaas
CyberArk
Descope
Entersekt
Entrust
Ergon
Exostar
Futurae Technologies
GSMA
HID
HYPR
IBM
Jumio
Microsoft
Nevis Security
Nok Nok
Okta
One Identity
OneSpan
OwnID
Ping Identity
SAASPASS
SecureAuth
Thales
Transmit Security
TrustBuilder

Table 1: Comparative overview of the ratings for the product capabilities

In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.

Vendor	Innovativeness	Market Position	Financial Strength	Ecosystem
1Kosmos
Beyond Identity
cidaas
CyberArk
Descope
Entersekt
Entrust
Ergon
Exostar
Futurae Technologies
GSMA
HID
HYPR
IBM
Jumio
Microsoft
Nevis Security
Nok Nok
Okta
One Identity
OneSpan
OwnID
Ping Identity
SAASPASS
SecureAuth
Thales
Transmit Security
TrustBuilder

Table 2: Comparative overview of the ratings for vendors

4 Product/Vendor evaluation

This section contains a quick rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.

4.1 Spider graphs

In addition to the ratings for our standard categories such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. For this market segment, we look at the following categories:

Architecture and Deployment – this category represents the combination of the architecture and the deployment options. In architecture, we look at the type of architecture and focus on modern, modular architectures based on microservices. This also affects deployment, given that container-based deployments provide good flexibility.

Authentication – here, we measure the variety and usefulness of authentication methods present within each solution. Almost all solutions support username/password and various OTP methods. Therefore, advanced support for authentication mechanisms, especially FIDO, mobile, behavioral biometrics and mobile SDKs are preferred.

Fraud Prevention – this dimension evaluates the effectiveness of each solution in detecting and mitigating fraudulent activities. This category assesses the solution's ability to monitor user behaviour, detect anomalies, and respond to potential threats in real-time.

Customization and APIs – this category is related to the architecture but focuses more on the comprehensiveness of APIs and the simplicity of customization. We consider the degree to which consumers can personalize their authentication experience, including options to customize methods, preferences, and settings to align with their own preferences and requirements. This also requires stable APIs. APIs furthermore build the foundation for providing an Identity API Layer to digital services and for orchestration with other services.

Device Compatibility – in this area, we evaluate the extent to which the passwordless authentication solution supports a variety of consumer devices, including smartphones, tablets, laptops, and desktop computers, ensuring seamless access across different platforms and operating systems.

User Experience (UX) – here, we assess the ease of use, intuitiveness, and accessibility of the passwordless authentication methods provided by each vendor. Consider factors such as user interface design, frictionless enrolment and authentication processes, and support for various devices and platforms.

Scalability – this rating is influenced by many factors including the architecture of the vendor solution, the number of customers supported and deployment models available. For SaaS-delivered solutions, multi-cloud utilization, geographic distribution, SLAs, and maximum supported number of transactions per second are considered.

4.2 1Kosmos – BlockID Customer

1Kosmos was founded in 2018 and is headquartered in New Jersey. With its innovative blockchain ID solution, the company offers digital identity and passwordless authentication solutions for enterprises and consumers. The BlockID platform provides a suite of products for enterprise use (BlockID Workforce), private consumer use (BlockID Customer), and identity verification (BlockID Verify). The 1Kosmos platform unifies identity proofing and passwordless authentication, including SIM (subscriber identity module) binding capabilities that prevent online fraud and account takeover. Coverage includes North America, Western Europe, Middle East, India, Singapore, and Australia.

To mitigate fraud and account takeover, 1Kosmos improves customer onboarding with self-service Know Your Customer (KYC) identity verification, ensuring compliance and security. The platform integrates identity into consumer authentication processes, serving industries such as financial services, telecommunications, healthcare, retail, education, and more. With BlockID Customer, users authenticate using a variety of methods, depending on their needs, the risk profile of the activity, and the security requirements of each access request. The solution provides biometric passwordless authentication with optional identity proofing that can adjust to flexible levels of identity assertion to support the evolving needs of customers while maintaining access to multiple accounts via one consistent experience.

In addition, 1Kosmos offers a biometric capability known as LiveID, which uses a proprietary 3D modelling technique for face detection. It is Patent Pending and captures the live motion, emotion as well as 3D map of a user’s face, including depth detection, and checking the distance between ears and nose to ensure that a complete map of a user's face is taken while enrolling the user. This is immediately followed by asking the user to provide a government-issued document such as a driver's license or a passport to ensure that the user enrolling the LiveID is the same user who has enrolled into the platform. Through the LiveID feature, account recovery relies on a user's facial biometrics, captured during registration, thus ensuring identity verification, and eliminating the risk of unauthorized account access.

The solution integrates with industry authentication standards such as OAuth, OIDC, SAML, and FIDO. It also provides legacy support through RADIUS and offers interoperability across a wide range of operating systems, including Windows, Office365, Mac, iOS, Android, Linux, and Unix. To strengthen security and support compliance, 1Kosmos has been independently certified with the ISO/IEC 27001 and EIDAS standards, as well as certified by FIDO2, SOC 2 Type II, and DEA EPCS and ISO/IEC 30107-3 by iBeta. The company is also certified to the NIST 800-63-3 standard by Kantara. Furthermore, 1Kosmos provides its own authenticator, which is FIDO2 certified but also supports Yubico, Trust Key, Feitian, OneSpan, Thetis, Google Titan, and others. The platform has also enabled authentication using the FIDO key on the 1Kosmos mobile app itself and has a new biometric based security key for shared workstation use cases.

In addition to the rapid deployment, the 1Kosmos platform supports legacy systems and multiple authentication channels with a high level of flexibility and scalability. Overall, 1Kosmos offers a robust and innovative approach to passwordless authentication that combines advanced biometric authentication, strong fraud detection features, support for verifiable credentials, and seamless integration capabilities. 1Kosmos appears in the overall, product, and innovation leadership categories which should be of interest to organizations in North America and the APAC.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 3: 1Kosmos’s rating

Leader in

4.3 Beyond Identity – Secure Customers

Beyond Identity was founded in 2019. They are headquartered in New York and have offices and customers around the world. As an innovator in passwordless MFA solutions, Beyond Identity aims to lay the foundation of a passwordless future by eliminating passwords and other phishable factors. The company offers a broad range of capabilities supporting passwordless MFA, device trust, risk-based authentication, and zero trust approaches. The company is primarily focused on North America but has a growing number of customers in EMEA.

Secure Customers is a cross-platform passwordless authentication solution that allows businesses and organizations to provide consumers with a frictionless authentication experience without passwords, push notifications, one-time codes, and second devices for native mobile and web applications running on any device and platform. Beyond Identity combines key-based (FIDO2) and certificate-based (PKI) authentication to provide a secure, cryptographic authentication system. This system is phishing-resistant, protecting against identity and verifier impersonation risks.

The solution provides an innovative implementation of asymmetric cryptography that eliminate passwords from the customer experience and the organization's database. As a result, there is no need for passwords, required to authenticate. Using the self-signed X.509 certificate and the public-private key pairs ensures that users are in possession of only two attributes: "something you are" from the device biometric and "something you own" from the possession of a private key.

Secure Customers is deployed through embeddable SDKs, which are available for both native mobile and web applications. This allows companies to deliver a branded first-party native experience across all their applications to accelerate conversions throughout the user journey while providing protection from account takeover fraud. The solution is compliant with PSD2 Strong Customer Authentication. In addition, Beyond Identity uses an API-first and standards-based approach which integrates with other access management solutions, identity proofing solutions, and endpoint security tools for on-prem or hybrid deployments. API protocols supported include REST, JSON-RPC, gRPC, GraphQL, Webhooks, SCIM, LDAP, and more. SAML, OIDC, OAuth2, and JWT are supported as well.

In conclusion, Beyond Identity not only simplifies and secures consumer use cases but also empowers organizations on their passwordless journey by providing innovative solutions that enhance user experience, bolster security, and drive digital transformation. By leveraging Beyond Identity's passwordless MFA, users are fortified against phishing and ransomware threats, leading to an improved overall customer journey. Beyond Identity appears in the overall, product, and innovation leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 4: Beyond Identity’s rating

Leader in

4.4 cidaas – cidaas

cidaas was launched as a brand in 2018. It is the customer identity-as-a-service offering of Widas ID GmbH. The Widas Group is a globally active IT service and innovative software company, founded in 1997 and headquartered in Germany. cidaas is hosted primarily as SaaS in multiple public IaaS providers and their own facilities. Their service is globally distributed for high availability and scalability, utilizing multiple data centers in the EU, Asia, and North America. Licensing/subscription options are based on feature packages and include pricing by either monthly active or registered users. The company is mainly focused on Europe but with a growing number of customers in North America and the APAC region.

cidaas delivers a turnkey solution for federated identities, SSO, MFA, and passwordless authentication. cidaas is a flexible and scalable solution based on micro services and big data, making it easy to integrate with various systems. With its APIs and event-based architecture, it excels at handling high peaks during special events such as holidays or marketing campaigns. The solution provides an SDK to enable customers to integrate cidaas’ authentication and risk engines to customer developed applications. The cidaas SDK can collect various signals such as device type, device fingerprint, IP address, geo-location, and IMEI/SIM data for evaluation. Moreover, the cidaas fraud detection system uses a wide range of information and factors to assess risk, including past user activity as well as data available from public and private vendors. It can also detect bot-generated registration and login attempts, brute force password guessing attacks, and credential stuffing attacks.

cidaas has integrated WebAuthn and passkeys so that organizations can easily incorporate passwordless authentication. The platform's Suggest Verification feature supports a smooth transition from traditional passwords, encouraging users to adopt additional methods such as passkeys during the login process. Furthermore, cidaas enhances its authentication capabilities with the cidaas ID Validator, offering a robust digital identity check to ensure strong authentication across the system. In addition, cidaas supports a wide range of authentication options. Some of the most common methods of authentication include magic links, push notifications, and FIDO2. Moreover, their mobile authenticator app offers facial and voice recognition biometric methods developed by them and is compatible with built-in Android fingerprint and facial recognition and Apple’s FaceID and TouchID. All biometric options include liveness detection. cidaas also accepts various authentication methods, including email/phone/SMS OTP and other app-based authenticators such as Google or Microsoft. cidaas supports all federated authentication protocols, including JWT, OAuth2, OIDC, and SAML. cidaas is eIDAS certified and ISO 27001 audited and has a strong focus on secure development practices. However, cidaas is not yet FIDO or SOC 2 Type 2 certified.

Overall, cidaas has a relatively small global presence compared to many of the other vendors. On the other hand, the company is innovative and provides a flexible modern solution based on a scalable microservices architecture that fits well to the requirements of a modern passwordless authentication approach. cidaas should be of interest to organizations within the EMEA region. The company appears in the product leadership category.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 5: cidaas’ rating

Leader in

4.5 CyberArk – Identity Security Platform

Having been in the market since 1999, CyberArk has established itself as a leader in Identity Security. Since then, the company has continued to add technical functionality to its broad suite of products in response to changing user preferences and market demands. CyberArk helps companies protect their highest-value information assets, infrastructure, identities, and applications. Headquartered in Israel and the US, CyberArk has offices in the U.K., France, Germany, the Netherlands, India, and Singapore and serves customers in more than 65 countries.

The CyberArk Identity Security Platform is a fully cloud-hosted SaaS service. However, CyberArk provides multiple ways to integrate with on-premises environments and even offers the ability to store user secrets in a self-hosted vault. It supports public cloud and hybrid deployment models with its App Gateway service, enabling VPN-less, Zero Trust access, SSO, and access management capabilities back to on-premises applications and services.

The CyberArk Identity Security Platform stands out because it goes beyond just a collection of products. It offers a cohesive set of solutions that work together and share key components, creating a unified platform for various use cases. The platform provides passwordless authentication for all types of identities including human (employees, customers, vendors, partners, etc.) and machine (passwordless authentication for machine-to-machine communication). In addition, CyberArk recently enhanced its passwordless authentication capabilities by introducing support for passkeys. By leveraging CyberArk’s passkeys, users can access applications and websites with phishing-resistant, FIDO2-compliant, and NIST Authentical Assurance Level (AAL3) authentication that replace passwords and work across different user devices.

The solution allows customers to create fully customizable self-service registration widgets that can be placed anywhere on a customer's website. This gives customers a quick and easy way to provide a registration and authentication experience for their customers' customers. Alternatively, CyberArk provides easy-to-use user APIs for organizations to build fully customizable registration experiences. CyberArk supports all relevant FIDO2 standards and has integrated with most MFA vendors on the market that support FIDO2. However, CyberArk Identity also integrates with many other vendors using other standards such as OATH HOTP/TOTP, RADIUS, and SAML, and OIDC.

Overall, CyberArk Identity offers a holistic and scalable solution for continuous passwordless authentication with minimal interference to the end users. The company's primary focus is on North America, but it has also experienced significant growth in the EMEA, APAC, and Latin America markets, which is bolstered by a robust partner ecosystem. CyberArk appears in the overall, product, market, and innovation leadership categories. This makes CyberArk a strong option for organizations seeking a unified and feature-rich passwordless solution.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 6: CyberArk’s rating

Leader in

4.6 Descope – Descope

Founded in 2022, Descope is a cloud-based customer authentication and identity management platform. Headquartered in Los Altos, California, the company's mission is to enable organizations to integrate authentication, authorization, and customer identity management into their applications. The company focuses on enterprises in North America, EMEA, APAC, and Latin America.

Through its innovative Descope Flows feature, customers gain access to an easy-to-use, code-free workflow interface that allows them to design and customize the entire user journey. This drag-and-drop functionality spans front-end and back-end processes, including authentication, authorization, MFA, and federation. With a strong emphasis on passwordless authentication, Descope supports a wide array of authentication methods, including passkeys, magic links, OTP, biometrics, social logins, and TOTP authenticator apps. In addition, Descope offers capabilities ranging from authorization support to flexible user management and an extensive connector ecosystem, ensuring that organizations can tailor their CIAM solutions to meet their unique needs.

Furthermore, risk-based MFA can be implemented in a visual workflow. Conditional checks can be added during the authentication process to check for a variety of risk factors. Based on the assigned risk score, branching user paths can be created that display an "account locked" screen, take the user through an MFA flow, or log the user in directly. Moreover, the solution has connectors with identity verification tools which can be used to collect and validate user identity documents during sign-up or login. Descope is a FIDO-certified service and supports any FIDO authenticators and platform authenticators that implement WebAuthn or passkeys. Descope prioritizes infrastructure scalability, security, and compliance, providing a good foundation for advanced enterprise needs. Supported protocols include SAML, OIDC, OAuth2, and JWT. Descope is SOC 2 Type 2 and ISO 27001 certified.

With comprehensive resources available, including documentation, tutorials, and APIs, Descope stands as a reliable solution for organizations seeking to enhance their customer identity management processes. Descope, being a rather young vendor, has still relatively small global presence, compared to many of the vendors. On the other hand, the company is innovative and determined. Organizations of any size looking for a cost-effective and user-friendly solution should definitely consider Descope.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 7: Descope’s rating

4.7 Entersekt – Entersekt Authentication

Entersekt was founded in 2010. In addition to its headquarters in Atlanta, GA, Entersekt operates offices in South Africa, Mauritius, United Kingdom, and Europe. The company provides transaction authentication to financial institutions, ensuring that it is both secure and free of unnecessary friction. In 2023, in an effort to expand its customer base, Entersekt announced the acquisition of Modirum, a digital payment security provider. The solution is designed to address the challenges of fraud in a holistic way. Coverage includes North America, EMEA, APAC, and Latin America.

Entersekt excels in delivering authentication in a cross-channel and context-aware manner, ensuring the optimal authenticator is selected for each channel, use case, and risk level. Additionally, the solution provides the ability to escalate to more stringent identity verification measures as the situation requires. By supporting various biometric and passwordless methods, Entersekt aims to eliminate reliance on traditional password-based systems, enhancing security and user experience across diverse banking scenarios. The solution is designed to provide personalized and context-aware authentication experiences, enabling financial institutions to safeguard their customers' accounts and transactions. In addition, Entersekt's approach unifies authentication across digital banking and 3-D Secure transactions, closing gaps vulnerable to fraud attacks inherent in siloed authentication systems. This centralized cross-channel strategy streamlines integration and improves user experience by eliminating the need for multiple customer authentication providers.

The solution integrates risk signals to tailor authentication methods based on individual risk levels. Risk scoring capabilities provide dynamic advice on authentication levels based on various factors, fostering a tailored and frictionless user journey. In instances of authentication failure, Entersekt offers identity verification features, including selfie checks and ID document scanning, to reinforce proof of identity. Supported API protocols include REST. To strengthen security and support compliance, Entersekt has been independently certified to ISO/IEC 27001, PCI-3DS, and PCI-DSS v 3.2 and is currently undergoing SOC 2 Type II.

Entersekt's solution offers protection against the latest fraud schemes while ensuring a consistent, cross-channel user experience across digital and payment channels. Overall, the solution’s focus on addressing banking-specific challenges and adopting a holistic approach positions it as a leading provider of authentication solutions for the financial industry. Backed by a global ecosystem, the company can deploy such solutions at scale and fast. The company's primary focus is the EMEA region, but it has also experienced significant growth in the North American, APAC, and Latin American markets.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 8: Entersekt’s rating

4.8 Entrust – Identity as a Service (IDaaS)

Entrust, formerly known as Entrust Datacard, is a well-established vendor and trusted by leading customers in finance, government, healthcare, insurance, and enterprise use cases. The company provides identity-based security software and services in the areas of public key infrastructure (PKI), multi-factor authentication, and fraud detection for those looking to access secure networks, connected devices, or conduct financial transactions. In 2024, Entrust announces the completion of its acquisition of Onfido, a global leader in identity verification and no-code orchestration capabilities. Headquartered in Minneapolis, MN, Entrust also has offices in London, Tokyo, Washington, D.C., and other cities internationally.

Entrust Identity as a Service (IDaaS) is a cloud-based IAM platform that facilitates a broad range of MFA authenticators, certificate-based passwordless access, SSO, and more. The platform has three product lines for workforce, consumer, and citizen use cases. It is an all-in-one user authentication and authorization solution in the cloud that helps organizations realize a Zero Trust framework with an identity first approach. The solution provides passwordless authentication with x.509 certificate-based authentication for both users and devices as well as support for FIDO2 keys and passkeys. In addition, Entrust's adaptive risk-based access capabilities ensure that stringent security measures are applied only when necessary, such as when a user logs in for the first time from a new device. Recently, the solution has focused on improving the process of pairing devices, making it more automatic and intuitive for users.

Their risk engine evaluates device type, IP address, geo-location, velocity, and user attributes to assess whether the security posture of the device meets security and compliance requirements. Furthermore, Entrust streamlines remote customer onboarding by combining robust identity verification (IDV) and digital signing functionalities with the simplicity of social logins, offering a user-friendly solution for verifying identities. API protocols include SOAP, REST, SCIM, RADIUS, and LDAP. Other protocols supported include JWT, Kerberos, OAuth, OIDC, and SAML.

In conclusion, Entrust's innovative approach to passwordless authentication offers a secure and convenient solution that enhances user experience while maintaining security measures. The solution has a strong set of capabilities for customers who need high security assurance. Entrust has a global partner ecosystem and presence that help in delivering their solutions. Organizations of all sizes and in all industries should consider Entrust for their passwordless journey. Entrust appears in the overall, product, market, and innovation leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 9: Entrust’s rating

Leader in

4.9 Ergon – Airlock

Ergon Informatik is on the verge of its 40th anniversary and currently has over 400 employees in Switzerland and a small sales office in Germany. The product has a strong presence in the DACH region (Germany, Austria, Switzerland) and serves customers in the financial industry as well as banking software vendors. They also have a small but growing number of customers in the Middle East, North America, and the APAC region. Airlock is a single security product by Ergon with multiple services within the Secure Access Hub. The Secure Access Hub includes a Web application and API protection (WAAP), 2FA, and IAM. Airlock 2FA, Airlock IAM, and Airlock Secure Access Hub will be considered in this passwordless authentication leadership compass.

Airlock IAM is the central access management component of the Airlock Secure Access Hub. It provides users access to data and applications, with SSO and automated user administration. The solution offers adaptive and context-based authentication of users and clients. Airlock IAM supports many authentication methods that may be combined into authentication flows. Passwordless authentication is accomplished using FIDO2 and Airlock 2FA support. In addition, Airlock IAM can both provide digitally signed credentials as well as receive and verify for verifiable credentials support. Ergon’s approach acts as an abstract layer for self-sovereign identity (SSI), providing the ability to receive, extract, verify, and issue verifiable credentials. Even externally managed identities such as social login profiles or federation group IDs such as SwissID can be integrated.

The solution can support on-premises, full multi-tenancy for cloud, and hybrid deployment models. However, it is not available for IaaS deployments, although both Ergon and partner companies offer a SaaS and managed service. Furthermore, the integration of WAAP and IAM provide a seamless and secure access control solution for web applications. It strengthens access control, simplifies management, and enhances security for web applications, helping organizations protect their sensitive data and resources. In addition, Airlock’s Continuous Adaptive Trust feature focuses on providing dynamic and context-aware security measures to protect digital assets and provides access to resources based on the continuously evolving risk landscape. The solution's functionality is primarily available via REST-based APIs, although LDAP, RADIUS, and Java are supported. Strong API security is given and derived from its long history in the WAF market, focusing on content security.

Ergon's Airlock has a well-established and mature set of capabilities with a strong focus on WAF, API security, CIAM and strong authentication in one solution. Its customers and partner ecosystem are primarily focused on the DACH region, although it is growing in the EMEA and APAC regions. The broad support for multiple authentication methods combined with the ability to freely design authentication and self-service flows makes Airlock IAM a strong and versatile product for passwordless authentication.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 10: Ergon’s rating

4.10 Exostar – The Exostar Platform

Exostar was founded in 2000. Its headquarters are in Herndon, Virginia, with additional development centers in the UK and Bangalore, India. The company significantly expanded its portfolio through the acquisition of Pirean in 2018. Exostar is a steward of communities in highly regulated industries such as defense, aerospace, life sciences, healthcare, energy, telecommunications, and financial services. It mainly focuses on providing specialized solutions tailored to specific industries rather than attempting to cater to a broad range of customers. In 2023, Exostar was acquired by Arlington Capital Partners. Coverage includes North America, Europe, Latin America, and the APAC region.

The Exostar Platform supports both SaaS and on-premises deployments. It offers a set of packaged services (consumer and enterprise access management) as well as the ability to easily build, integrate and publish custom IAM services and user journeys (built using no-code workflow and the platform's secure plug-in integration service). The platform has been designed in line with the concepts commonly considered for Identity Fabrics—in particular, speed of integration, no-code workflow and orchestration, ease of reuse, and micro-services to support the use of specific capabilities in isolation. Additionally, Exostar offers ease of integration through packaged APIs and tenant onboarding via an Authenticator as a Service offering.

The passwordless capabilities described in this report are provided via the Exostar Access: One solution. Exostar provides a comprehensive suite of passwordless authentication features, including support for phishing-resistant multifactor authentication using FIDO2 and third-party authenticators, such as OAuth and QR codes. The platform offers a wide range of passwordless methods, including FIDO2 passkeys, Windows Hello, Apple Local Authentication (Face ID, Touch ID, Optic ID), QR-based login, email, SMS, and knowledge-based authentication. Exostar's passwordless authentication solution includes a secure device framework for mobile access using their mobile SDK and supports the latest authentication services to tailor user journeys through customizable workflows.

Exostar's approach prioritizes delivering highly trustworthy user credentials via secure onboarding and identity proofing services, ensuring alignment with stringent standards such as NIST 800-63. In addition, Exostar is a Certificate Authority (CA) and has been named a full-service credential service provider by the Kantara Initiative. Exostar also supports JWT, Kerberos, OAuth2, OIDC, and SAML tokens/protocols. The platform adheres to several standards and regulations, including support for Strong Customer Authentication requirements in accordance with PSD2 / PSD3, Open Banking and Consumer Data Rights.

Exostar continues to add innovative features to its roadmap. The company is a well-known provider of IAM solutions, and its identity proofing and passwordless capabilities provide a strong offering for customers in complex and highly regulated industries. With a focus on user experience and high security standards, Exostar provides organizations with the tools they need to deliver streamlined services while ensuring compliance. Exostar appears in the market leadership category.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 11: Exostar’s rating

Leader in

4.11 Futurae Technologies – Futurae Authentication Platform

Founded in 2016 as an ETH-Zurich spin-off, Futurae stands out due to its founders' deep expertise in cybersecurity and usability research, rooted in academia. The company provides MFA, transaction confirmation, and fraud prevention solutions focused on the global financial industry and expanding to other verticals. The Futurae Authentication Platform delivers a high level of flexibility with a deep focus on user experience and robust security measures. Futurae is a preferred choice for mid-market to large enterprises across the EMEA region, with a growing number of customers in North America and APAC.

The platform offers comprehensive, ready-to-deploy passwordless authentication solutions that meet a diverse range of security requirements and user needs. It supports various authentication methods including push notifications, TOTPs, QR-codes (online, offline, and usernameless), multi-challenge authentication, SMS-codes, magic links, FIDO2, and passkeys. This versatility ensures that Futurae can accommodate any user interface, from mobile and web applications to smart home devices, while providing a seamless authentication experience across all platforms. Futurae’s platform also includes advanced features such as cryptographically secure transaction signing that adheres to rigorous regulatory standards like PSD2 SCA and 3D Secure. These capabilities can be further enhanced with end-to-end encryption to ensure top-tier security, particularly for transaction confirmations and other sensitive operations.

In its commitment to enhancing usability and security further, Futurae has introduced features like synchronous authentication, which delivers real-time authentication results and addresses mobile clock drifting—a crucial advantage for dynamic web applications and high-security access controls. The platform’s multi-numbered challenge authentication introduces an additional security layer by requiring manual entry for numeric challenges, which protects against automated attacks in sensitive operations. Usernameless QR codes simplify login processes, eliminating the need for usernames while ensuring secure and swift access via encrypted scanning. Features like automatic account recovery (i.e. account migration) enable users to seamlessly transfer their security token to a new or restored device. This process, facilitated by securely storing a recovery token on the device, Futurae’s backend, and device backups, automates account reinstatement upon app reinstallation. Futurae has been independently certified with the ISO/IEC 27001 and SOC 2 Type II, as well as certified by FIDO2, ISO 9001:2008, and PCI-DSS v 3.2. Futurae offers API-based integration compatible with all modern IAMs and core-banking systems, and also supports FIDO2, RADIUS, OAuth, OIDC, JWT, and SAML.

With its comprehensive suite of features and commitment to innovation, Futurae has demonstrated its ability to win and serve high-demand customers with a broad set of advanced requirements and needs in diverse geographies and at various scales. Futurae Authentication Platform is an essential consideration for any organization considering deploying passwordless authentication solutions, particularly in the EMEA region. Recognized in the innovation leadership category, Futurae continues to set the standard for future-focused authentication technologies.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 12: Futurae’s rating

Leader in

4.12 GSMA – Number Verify

Founded in 1995, the GSMA is a global organization representing mobile operators and organizations across the mobile ecosystem and adjacent industries. GSMA Open Gateway is a framework of common network API designed to provide universal access to operator networks for developers. The GSMA Open Gateway Memorandum of Understanding (MoU) is supported by some of the world’s largest and most innovative mobile network operators, currently representing over 65% of mobile connections and over 3 billion users. Mobile Network Operators support has steadily increased since the launch of the initiative in February 2023.

Number Verify is part of the Open Gateway initiative as part of the anti-fraud and identity service suite. The solution is targeted to workforce, consumer, and partner use cases. Number Verify is a SIM-based authentication solution that provides a frictionless, phishing-resistant, cryptographically secure (because of the SIM card), possession factor authentication method. It is integrated directly into the mobile network and can perform a real-time verification of the mobile number and SIM card which provides a strong device binding. It is offered as a cloud-based, developer first, REST-based API service that allows partners and relying parties to verify possession of a claimed mobile digital identity thus allowing strong customer authentication.

The solution is already used by over six thousand trusted parties as part of their mobile app registration flows, with strong improvements in reducing fraud and improving customer satisfaction and experience. While SIM-based authentication is not a new technology, it is relatively new in Europe. It is already very well proven in other markets such as China (1.3 billion transactions per day). The solution delivers fast, simple, and friendly authentication while providing security at the same time. It can be seen as an evolution of SMS OTP and is complimentary to other 2FA/MFA factors, for example biometrics. It can offer passwordless login for users on its own or combined with other factors, such as device biometrics and FIDO passkeys.

The product has the potential to shape and create new opportunities in the passwordless authentication market. While GSMA's Number Verify solution may lack certain capabilities compared to most passwordless vendors, it is intentionally focused on addressing specific niche areas within the authentication landscape. They may want to consider pursuing more security certifications to increase adoption and market share. Their presence in South America, both in terms of strategic hubs and sales target, is a plus for that region and for their own growth potential. Therefore, Numbery Verify should be on the short list for organizations considering deploying phishing resistant and device-based possession features.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 13: GSMA’s rating

4.13 HID – Authentication Platform

HID is a subsidiary of ASSA ABLOY Group AB of Stockholm. Assa Abloy AB is a Swedish conglomerate whose offerings include products and services related to locks, doors, gates, and entrance automation. HID's headquarters are in Austin, TX. With over 4,000 employees worldwide and international offices that support more than 100 countries, the company develops highly secure solutions for identity and access management, including physical access controls, government identities, smart identity card manufacturing, credential issuance and management, biometric authentication, and identity proofing.

HID's Authentication Platform stands as a flexible solution designed for both consumer and workforce scenarios, offering a blend of strong identity assurance and user-friendly experience. The platform, deployable either on-premises or as a SaaS solution, integrates various authenticators such as HID Approve and the Crescendo portfolio, catering to diverse authentication needs. It supports authenticators and passkeys like smart cards, security keys, hardware tokens, biometrics, or mobile authentication solutions to simplify secure identity and access management. A key element of HID’s solution is that it goes beyond authentication to cover the complete user’s digital journey from onboarding to ongoing fraud prevention. The Identity Verification Service provides strong identity vetting and remote document verification, which are valuable features to strengthen and facilitate consumer onboarding and help attain compliance with regulations around eKYC and AML. The Risk Management Solution provides fraud prevention and risk mitigation capabilities. Supplementing the platform, the Credential Management System effectively manages PKI certificates and their lifecycle.

HID's support for Strong Customer Authentication (SCA) and transaction signing allows customers in the financial industry to meet EU PSD2 requirements, ensuring compliance while safeguarding Personally Identifiable Information (PII). HID's cloud-based authentication solutions enable standards-based security by being ISO 27001, ISO 27018, and SOC2 Type 2 certified, and enables compliance with GDPR, PSD2, and UK-GDPR. For APIs, HID supports REST, SOAP, WebAuthn, Webhooks, and SCIM, and CSV/JSON/XML formats as well as Open Banking and OpenID Financial. The company also supports the FIDO ecosystem with passkeys as well as standards such as OAuth, OIDC, RADIUS, and SAML, which can be used to facilitate interoperability with other IAM and IDaaS systems. HID has been a strong player in government and enterprise workforce IAM for years and is moving more into consumer use cases. By offering a diverse range of authentication methods and form factors, HID's Authentication Platform enables organizations to tailor their security solutions to meet specific needs and use cases effectively. HID is a solid option for organizations with highly regulated industries, high security requirements, and complex integration. The company appears in the overall, product, market, and innovation leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 14: HID Global’s rating

Leader in

4.14 HYPR – Identity Assurance Platform

Founded in 2014, HYPR is a global company with offices in North America, EMEA, and Asia. With HYPR, secure logins can be performed with its passwordless phishing-resistant MFA solution that identifies users before they even enter the network. In contrast to many other solutions, HYPR integrates with the desktop authentication, securing initial access of users to their systems. Other solutions in this market segment manage access only to cloud services, but don’t protect the authentication event itself. With HYPR, the entire path from initial access to a system can be protected at multiple levels. HYPR solutions address both workforce identity and customer identity access management (CIAM), catering to two fundamental enterprise security needs.

The HYPR Identity Assurance Platform offers a solution to modern authentication challenges with its three core components: HYPR Authenticate, HYPR Adapt, and HYPR Affirm. HYPR Authenticate, powered by FIDO2 certified technology, addresses password-based authentication by replacing passwords and shared secrets with secure passkeys across all user populations, applications, and locations. By eliminating credential-based attacks and offering a user-friendly experience, HYPR Authenticate ensures both employees and customers enjoy seamless authentication.

HYPR Adapt enables organizations to manage identity-related risks effectively through real-time risk assessment and adaptive security controls. Leveraging a diverse set of data sources including user behavior, mobile, web, and browser signals, HYPR Adapt dynamically enforces step-up authentication or re-verification when necessary, minimizing friction while protecting users, systems, and operations. Finally, HYPR Affirm streamlines identity verification through automated and ongoing processes integrated into identity management workflows. Using AI-powered chat, video, facial recognition, and other cutting-edge technologies, HYPR Affirm mitigates fraud and ensures a user experience and secure method of confirming identities without ever relying on passwords, providing organizations with enhanced security and convenience.

The company is also a board member of the FIDO Alliance, helping to drive innovation and adoption of FIDO standards. To strengthen security and support compliance, HYPR has been independently certified with the ISO/IEC 27001 and SOC 2 Type II. Supported API protocols include REST, RADIUS, and Webhooks. In addition, SAML, OIDC, JWT, and OAuth2 are supported as well. The solution also has a Derived PIV Credentials mobile app, and accepts YubiKey, Feitian, and any other smart key that is FIDO2 certified. Enrollment of the HYPR app commonly is done via an Enterprise Mobility Management / Mobile Device Management (EMM / MDM) solution, or it can simply be downloaded from the app store. The app can be rebranded to the customer's design.

HYPR counts amongst the leading-edge solutions for passwordless authentication. It provides a well thought out and secure solution for passwordless and phishing-resistant authentication. Their strength is derived from the support for the entire flow from desktop authentication to backend applications, and the utilization of the established FIDO2 standards. HYPR appears in the overall, product, and innovation leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 15: HYPR’s rating

Leader in

4.15 IBM – IBM Security Verify

IBM Corporation is a multinational technology and consulting company headquartered in Armonk, New York, USA. Founded in 1911, IBM has evolved from a computing hardware manufacturer into offering a broad range of software solutions, infrastructure hosting, and consulting services in such high-value markets as business intelligence, data analytics, cloud computing, virtualization, information security, and identity and access management. With a strong global presence and customers and partners across the globe, IBM is a major player in the market.

IBM Security Verify offers a SaaS solution for identity and access management, covering SSO, MFA, adaptive access, privacy and consent management, provisioning, governance, analytics, and passwordless authentication. With a fully cloud-based deployment, administration is conducted through a modern web application, allowing configuration of SSO applications, user records management, access policies, and platform security settings. Customers benefit from cloud-native operations, robust directory services, and extensive customization options through native APIs. Hybrid access management deployments include on-premises repositories and the IBM Application Gateway, ensuring secure access to on-prem web applications. Additionally, IBM Security Verify's on-premises access management and identity governance and administration solutions offer administrative interfaces, policy enforcement points, and governance modules for access review, lifecycle management, and analytics.

With a focus on security, scalability, and flexibility, IBM Security Verify caters to the diverse identity management needs of modern organizations. The solution delivers passkeys natively to enable consumers and the workforce at scale. It supports a wide range of passwordless authentication methods, including QR login, passkeys, FIDO2 (TouchID, Windows Hello), and MFA methods such as knowledge questions, SMS OTP, email OTP, voice OTP, and time-based OTP. In addition, the platform provides granular policy control by application and implements risk-based conditional access, considering factors like new device, IP address, geographic location, device context, and user/group attributes for enhanced security. For additional application connectivity, REST, SOAP, WebAuthn, and Webhooks and LDAP and SCIM for provisioning are supported. It is also ISO 27001/27018 certified, PCI-DSS Level 1, SSAE 18, and SOC 2 Type 2 attested

IBM positions itself as a leader in the IAM space and provides feature-rich and modern solutions for customers that intend to adopt a passwordless approach. IBM also benefits from its integration to other IBM services. Organizations that are looking for mature, highly scalable, and secure enterprise authentication should put IBM on the list of solutions to consider. IBM appears in the overall, product, market, and innovation leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 16: IBM’s rating

Leader in

4.16 Jumio – Jumio Platform

Founded in 2010 and based in Sunnyvale, California, Jumio operates globally with a presence in North America, Latin America, EMEA, and the APAC. The company helps organizations know and trust their customers online. From account creation to ongoing monitoring, the Jumio platform provides passwordless authentication, risk signals, identity proofing, and compliance solutions that improve the entire digital customer journey. With a focus on fighting fraud and financial crime, accelerating customer onboarding, and ensuring regulatory compliance including KYC and AML, Jumio has facilitated over a billion transactions across hundreds of countries.

Jumio offers a comprehensive SaaS solution for identity verification, with a focus on browser and operating system support to ensure compatibility. With multiple integration options for web and mobile channels, including an API, mobile (for iOS and Android applications) and web SDKs, and web client, Jumio provides flexible and customizable solutions tailored to each client's needs. The Jumio portal supports SSO for seamless access management. Their suite of Risk Signal services includes device risk assessment, global identity checks, email risk assessment, address validation, phone number risk assessment, social security number check and government database checks to mitigate fraud and ensure compliance with regional regulations. Furthermore, Jumio offers authentication services and a risk and rules engine, allowing clients to customize risk scoring and decision-making workflows.

The Jumio solution uses facial recognition as a biometric authentication method. It verifies returning online users by comparing their live selfies with a previously captured selfie taken during the initial registration/onboarding process. Jumio’s selfie verification works by analyzing various factors, including image quality to ensure user presence, validity checks to confirm the authenticity of the selfie, similarity assessments to match the ID photo with the end-user selfie, and age estimation to detect any discrepancies between the selfie's apparent age and the date of birth provided.

Jumio's advanced ID verification process employs both automated checks and optionally manual forensic analysis by trained verification experts to detect document tampering, forgery, and other fraudulent activities, ensuring identity verification with minimal human intervention. In addition, the integration is done via REST API and Webhooks. Supported authentication protocols include OAuth2. Jumio also has an OIDC connector. By leveraging advanced technologies such as biometrics, AI, and liveness detection, Jumio addresses multiple challenges throughout the identity lifecycle. Organizations looking for a solution that provides fast and efficient identity in compliance with regulatory requirements should consider Jumio.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 17: Jumio’s rating

4.17 Microsoft – Microsoft Entra

Microsoft Entra is a cloud-based identity and access management portfolio focused on facilitating business to consumer applications and providing enterprise authentication capabilities. Microsoft Entra is one of the global leaders in the cloud infrastructure market and it is delivered via dozens of data centers operating globally. Microsoft offers Entra as its primary IDaaS Access Management platform. The solution provides directory services, identity federation, and access management from the cloud in a single integrated platform with extensive integrations as well as the ability to address traditional IAM (B2E), B2B, and B2C use cases.

Microsoft Entra offers four robust passwordless authentication methods tailored to meet diverse user needs and security requirements. First, Windows Hello for Business provides a seamless experience for information workers with designated Windows PCs, utilizing biometric and PIN credentials tied directly to the user's device. This method offers PKI integration and single sign-on (SSO) support, facilitating access to corporate resources on-premises and in the cloud. Second, the Authenticator App transforms iOS or Android phones into passwordless credentials, allowing users to sign in across platforms and browsers through biometric authentication or PIN confirmation. Third, leveraging the FIDO2 standard, FIDO2 security keys offer strong authentication, eliminating the need for passwords and enhancing account security. These keys, available in various form factors including USB, Bluetooth, or NFC, provide robust authentication for Microsoft Entra ID and hybrid joined Windows 10 devices, as well as supported browsers. Finally, Microsoft Entra certificate-based authentication (CBA) enables users to authenticate directly with X.509 certificates against their Microsoft Entra ID, bolstering security against phishing attacks and ensuring secure sign-in with PKI. Additionally, Windows 11 significantly enhances security against phishing attacks by enabling users to substitute traditional passwords with passkeys. Windows also facilitates Cross-Device Authentication, allowing websites and apps to authenticate users via a passkey stored on a mobile device.

Microsoft Entra ID supports applications, hosted in any public or private cloud. It also supports any SaaS application and offers pre-integrated SaaS application gallery. Additionally, integration with on-premises web-based applications is also provided. In addition, Microsoft Entra ID has obtained an impressive list of security certifications, such as CSA Star, ISO 27001/27018, SSAE 18 SOC 2 Type 1/2, and many country-specific security certifications. FIDO 2 and OpenID profiles are certified as well. Microsoft Entra ID offers strong support for Access Management capabilities, including hardware authenticators such as CAC/PIV cards, Duo, Feitian, OATH (any), OneSpan Digipass, Thetis, Smartcards, Symantec VIP, and YubiKey tokens. CBAC, RBAC, ABAC, PBAC, RAdAC, and ReBAC principles are supported, and Microsoft Entra ID roles can be assigned to users, groups, and service principals. Microsoft Entra ID also works with JWT, Kerberos, OAuth, OIDC, and SAML. Microsoft Entra ID functionality is available via REST, JSON-RPC, XML-RPCSCIM, LDAP, RADIUS, Java, AMQP, and UDP Socket API.

Each organization has different requirements and needs when it comes to adopting a passwordless approach. However, Microsoft Entra ID has the scalability and performance to provide organizations with several passwordless options and feature-rich capabilities. The solution should be on the shortlist for any organization looking for robust authentication services. Microsoft appears in the overall, product, and market leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 18: Microsoft’s rating

Leader in

4.18 Nevis Security – Authentication Cloud, Identity Cloud, and Nevis Identity Suite

Nevis Security protects many banking, insurance, healthcare, iGaming, and government portals and secures a large percentage of e-banking transactions in Switzerland making it one of the leaders in identity and access management solutions in the country. Nevis recently expanded into the UK market and has a strong presence in Germany and Singapore. In addition to its headquarters in Zurich, Nevis operates offices in Germany and Hungary.

The Nevis passwordless authentication is offered as both a standalone, API-first SaaS offering dubbed Authentication Cloud, as part of the SaaS based CIAM Identity Cloud product. The product is also available as part of the on-premises/IaaS based Nevis Identity Suite. With their solid background and strength in CIAM, Nevis Security’s main target audience is passwordless authentication for consumers. The solution supports various use cases across in-app, mobile-only, or multi-device environments. These include passwordless MFA with device biometrics, cryptographically secured transaction confirmations compliant with PSD2 regulations, username-less authentication, multi-account support, and protection against push bombing through number matching. For onboarding and recovery, Nevis supports automated, document-based identity verification, enabling users to register new devices even after total device loss.

The FIDO-certified solution is available as a brandable access app for customization, mobile SDKs for native app integration, and FIDO2/WebAuthn/Passkey support for web-only clients, ensuring authentication across desktop and mobile platforms. Whether customers prefer their own access app, integration into existing apps via Nevis SDKs, or passkey for users who prefer not to install an app, Nevis provides the flexibility to serve different audiences with the right passwordless option. Nevis emphasizes rapid implementations for customers, with low-code, no-code, and hardened SDK features. Customization is possible and complete custom flows can be created using the configuration tool. In addition, Nevis also integrates with many other vendors through other standards such as OAuth, SAML, and OIDC. Nevis Security is ISO/IEC 27001 certified.

Nevis Security has demonstrated its ability to serve different customers in different geographies. The company is strong in the finance industry, and the product suite benefits from the focus on security for that sector. They are also targeting the gaming, government agencies, and insurance markets. Organizations with requirements for high security and identity proofing will want to review Nevis’ offering for passwordless authentication. The company continues to expand its capabilities and should be of interest to organizations in North America, EMEA, and Southeast Asia. Nevis appears in the product leadership category.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 19: Nevis’ rating

Leader in

4.19 Nok Nok – Nok Nok S3 Suite and Nok Nok Authentication Cloud

Founded in 2011, Nok Nok, based in San Jose, California, was founded to replace legacy password-based authentication with next-level passwordless MFA for digital consumer companies. The company’s founders have always understood that a lack of standards was one of the primary inhibitors to broader adoption of strong authentication technologies. This is why Nok Nok was one of the six founding members of the FIDO Alliance. Mid-market and large enterprise customers in North America, EMEA, and APAC are the company's main focus.

Nok Nok's S3 Authentication Suite (S3 Suite) is a next-generation authentication platform tailored for regulated and high-security sectors, including financial institutions, mobile network operators, and governments. With the ability to scale to millions of users, the Nok Nok platform is ideally suited for use by enterprises with a large customer base. The S3 Suite encompasses an Authentication Server alongside App SDKs tailored for mobile, web, and smartwatch applications, ensuring wide-reaching accessibility. With its App SDKs, Nok Nok facilitates deployment of modern FIDO/passkey-based authentication. It provides support for a range of “risk signals” (additional factors influencing authentication decisions), which include geolocation and travel speed, device health status, jailbreak detection and so on. The solution has native integration with third-party ID verification solutions for ID verification and account recovery purposes. For those seeking a cloud-based authentication solution, Nok Nok Authentication Cloud, powered by the S3 Suite, offers strong security capabilities, enabling authentication from anywhere.

By leveraging the existing security features of users' devices and hardware tokens, Nok Nok offers a robust, convenient authentication across various applications. Its adaptive policy engine enables context-based strong authentication, catering to the needs of regulated market verticals. The solution provides a flexible way to determine PSD2 SCA compliance through the rules engine. If an authenticator used by a user does not fully meet SCA requirements, additional authentication steps can be triggered through rule configuration. The solution supports the notion of "known"/"trusted" devices. Additional authentication can be triggered when new devices are used for the first time. This is also supported in conjunction with synced passkeys.

Nok Nok provides a fully integrated and extensible strong authentication platform based on the FIDO Alliance specifications. It provides a flexible and future-proof solution suitable for the needs of large enterprises. Nok Nok should be on the short list for organizations considering deploying passwordless authentication solutions. The company appears in the product and innovation leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 20: Nok Nok’s rating

Leader in

4.20 Okta – Okta Identity Cloud

Based in San Francisco, California (US), Okta's cloud identity platform is targeted at the workforce and customer identity management. Okta's acquisitions of Auth0 (CIAM, developers) and atSpoke (IGA) broadened Okta's portfolio in 2021. Okta’s Identity Cloud is a cloud-based identity platform that provides organizations with a scalable solution for managing user identities, controlling access to applications and data, and enabling seamless user experiences across various devices and platforms. The platform is used by customers, developers, and businesses to address complex identity problems. Notable features include SSO, MFA, workflows, user provisioning, lifecycle management, API access management, adaptive security policies, and passwordless authentication.

Okta Identity Cloud provides a wide range of capabilities to secure access to applications, devices, and data, while maintaining a user-friendly experience. Okta offers native user experiences for administrators and end-users, including an admin console, end-user dashboard, and native mobile/desktop apps. Okta Verify and Okta FastPass are available through the same app which can be deployed via mobile and desktop platforms. This app provides several features, including passwordless and FastPass capabilities. FastPass also offers MFA phishing-resistant capabilities. Moreover, on-premises agents called identity bridges are available for connecting to systems behind the firewall. Okta Access Gateway serves as a reverse proxy for on-premises app SSO and authorization.

Okta supports OAuth2 Device Flow and machine-to-machine authorization. Customers are using their IoT device identity management features for use cases such as connected cars, home automation, smart speakers, etc. Okta accepts many mobile authenticator apps in addition to their own, Android/iOS biometrics, OTP, and FIDO U2F/2.0 authenticators. Okta supports REST, Webhooks, WebSockets, and WebAuthn APIs. Okta/Auth0 have many connectors for BI, CRM, marketing analytics and automation, other IAM systems, and popular SaaS apps.

Okta Identity Cloud's passwordless authentication capabilities allow organizations to embrace modern authentication methods while maintaining a user-friendly experience. Okta provides a feature-rich and mostly cloud-based solution with strong federation, SSO, authentication, and policy management for both CIAM and workforce use cases with good DevOps support. Okta appears in all leadership segments of this Leadership Compass. Organizations contemplating a move to the cloud for their access management services should consider Okta.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 21: Okta’s rating

Leader in

4.21 One Identity – OneLogin Platform

One Identity brings together IGA, IAM, PAM, and active directory management capabilities. It acquired OneLogin in October 2021 to support its vision to help customers shift from a fragmented to a holistic approach to identity management and security. OneLogin by One Identity offers workforce and customer identity and access management solutions with real-time actionable intelligence and automated configurations. OneLogin supports many pre-configured cloud services that can be easily connected and provides services for access management, SSO, user provisioning, mobile identity, compliance, and both multi-factor and adaptive authentication with various passwordless authentication options to choose from.

OneLogin has a modern multi-tenant SaaS micro-services architecture based on immutable infrastructure and infrastructure as code, with an on-premises reverse proxy available as a Docker container. On-premises components of the platform are IaaS agnostic, supporting a wide range of IaaS platforms. The solution provides access management functionality for both workforce and customer identity needs. Its core offerings include SSO, which encompasses a workforce portal, cloud directory, synchronization with external directories, self-service password management, and support for unlimited application enablement through SAML and OIDC protocols. Additionally, OneLogin's platform includes robust session management capabilities, an extensive app catalog, APIs for integration, comprehensive logging and reporting, and customizable branding options.

For consumers, OneLogin provides core directory services, authentication features, social login and registration, customizable login pages, self-service password reset, and integration with SIEM tools. It facilitates the management of customer identities at a large scale, offering a robust and dependable CIAM solution. By utilizing advanced machine-learning capabilities, the solution streamlines customer authentication. The SmartFactor feature enhances security with MFA, adaptive authentication, compromised credential checks, dynamic block listing, and configurable login flows, including passwordless authentication. OneLogin provides a modern, easy-to-navigate administrative UI and user self-service. Dashboards and reporting options are provided with some native support for some significant compliance frameworks such as GDPR, PDS2, and PCS DSS. OneLogin's federation-related capabilities include support for SAML 2.0, OAuth 2, OIDC, JWT, and SCIM.

OneLogin offers a modern and feature-rich solution in the market and would likely be suitable for any type of organization looking to adopt a scalable platform. The solution offers a comprehensive suite of IAM functionalities tailored for both workforce and customer identity needs, ensuring secure and seamless access to resources across various platforms and applications. The company appears in the product leadership category.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 22: One Identity’s rating

Leader in

4.22 OneSpan – OneSpan Authentication

OneSpan, formerly VASCO, is headquartered in Boston, MA, US, and has offices in US, Europe, Canada, Singapore, UAE, Japan, and Sydney. VASCO was founded in 1991 and has a long history of providing highly effective security solutions, including token-based authenticators, e-signature, and fraud prevention to financial services and enterprise customers. VASCO was well-known for its Digipass® products and has acquired several security companies over the years. In May 2018, the new brand, OneSpan, was launched to reflect the strength of a single, integrated solution platform that secures users, devices, and transactions across the digital experience. The company has presence in North America, EMEA, APAC, and Latin America.

OneSpan delivers security solutions across multiple environments, including cloud, on-premises, and hybrid setups. This adaptability meets diverse business needs and allows organizations to implement security measures tailored to their specific needs. The OneSpan Authentication Suite serves as a state-of-the-art API-based platform, facilitating login requests and e-signature validation to protect online transactions from malicious attacks. On the backend, OneSpan provides solutions such as the OneSpan Cloud Authentication (OCA), a cloud-based MFA solution for online applications, and the OneSpan Authentication Server (OAS), which validates authentication requests for secure access to corporate resources and applications. On the frontend, OneSpan offers hardware and mobile authenticators, including Digipass hardware authenticators with MFA and transaction signing capabilities, as well as the OneSpan Mobile Authenticator app for secure login via mobile devices using biometrics or PIN with OTP. The Mobile Authenticator Studio provides built-in security and a frictionless authentication experience for mobile applications, while the Mobile Security Suite offers a toolkit for developers, integrating various authentication technologies and improving authentication UX.

With OneSpan's solutions, organizations can achieve critical business goals by implementing strong and frictionless authentication mechanisms across their digital ecosystem. By combining software authentication methods with hardware-based security, such as hardware tokens, FIDO2 authenticators and biometric devices, OneSpan delivers a strong level of protection against unauthorized access. In addition, utilizing patented visual transaction signing technology, OneSpan’s cross-platform CRONTO technology ensures secure channel support, enabling programmable confirmation of sensitive operations and transactions across various platforms. OneSpan is ISO/IEC 27001, 27017, 27018, SOC2 Type 2 and CSA STAR certified.

OneSpan offers a suite of authentication solutions designed to deliver strong security and seamless user experiences across various platforms. The solution excels in providing tailored project delivery, white-glove treatment support/customer success management, and a commitment to understanding and meeting the unique security challenges faced by each client. Organizations of all sizes and in all industries looking for a feature-rich and flexible solution should consider OneSpan. The company appears in the overall, product, innovation, and market leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 23: OneSpan’s rating

Leader in

4.23 OwnID – OwnID

Started by Gigya co-founder and long-time Gigya executives, OwnID was founded in 2021 and has offices and team members in Tel Aviv, San Francisco, Kyiv, and Mallorca. OwnID adds cross-device native passwordless capabilities to any website authentication flows to improve the user experience and security. It can be used for B2B2C use cases. Customers range from small to large enterprises in EMEA and North America.

The solution is a fully multi-tenant SaaS solution tailored for leading consumer brands in the retail, e-commerce, travel, sports, and entertainment industries. It allows end-users to instantly sign-in with their phone biometrics instead of using a password on any platform, without installing an app. OwnID aims to increase conversion and security while supporting different edge cases such as cross device, non-FIDO support, and account recovery. It includes self-service onboarding and integration which allows the user to create an account and choose the identity platform they are using.

The platform boasts intelligent detection capabilities, identifying specific user devices, browsers, operating systems, and other relevant user details to dynamically provide the most suitable authentication journey for each user. By gradually transitioning users away from outdated authentication methods to biometric-first authentication, the solution ensures a unified authentication experience across all digital properties. OwnID functions both as the custodian of customer data and the session manager of websites or mobile apps, eliminating the need to store customer data persistently and enabling integration with any system.

The solution has some distinctive features. For example, its detect-and-deploy approach enables simplified implementation of passwordless authentication through a data-driven authentication layer that optimizes user journeys for enhanced user experience and conversion rates. Also, OwnID's no rip and replace strategy addresses the complexity of modern tech stacks by offering a modular, component-based platform that integrates into existing systems without the need for cumbersome system overhauls. Finally, by leveraging some innovative capabilities inherited from Gigya, the founding team's previous venture, OwnID benefits from expertise in building and deploying configurable registration/login solutions. Supported protocols include JWT, Kerberos, OAuth, OIDC, RADIUS, SAML, and TACACS. OwnID is ISO/IEC 27001, SOC2 Type 2, and FIDO2 certified.

Despite being a young vendor, OwnID has demonstrated its ability to serve large customers from a broad range of industries. With a strong, feature-rich solution built on a modern architecture, broad standards support and a well-thought-out roadmap, OwnID provides a solid foundation for organizations looking to embark on a passwordless journey.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 24: OwnID’s rating

4.24 Ping Identity – The Ping Identity Platform

Ping Identity was founded in 2002 and is based in Denver, Colorado. Ping Identity was among the first of the enterprise IAM vendors to adapt to consumer-facing requirements. Ping Identity started with a primary focus in identity federation. Since then, Ping Identity has continued to grow and accelerate innovative capabilities, acquiring Symphonic Software for policy-driven authorization and ShoCard for decentralized identity, SecuredTouch for fraud prevention capabilities and Singular Key, now known as PingOne DaVinci, for user experience orchestration across the platform. With the acquisition of Ping Identity and ForgeRock by Thoma Bravo and the recent merger of the two companies, two strong, established vendors in the IAM field are joining forces. These acquisitions augment the other areas of their identity portfolio.

The Ping Identity Platform stands out with its comprehensive approach, combining the strengths of ForgeRock and Ping Identity to offer a set of identity services addressing the industry's toughest challenges. With a broad focus that includes access management, rich identity management, cloud-native identity governance, and decentralized identity, this platform delivers strong orchestration capabilities at scale. Recent enhancements enable customizable identity relationships, facilitating dynamic organizational models and simplifying the management of access and branding requirements across various brands and organizational units. Additionally, the Ping Identity Platform supports multiple custom domains and enables the customization of brand journeys, making it ideal for supporting multiple brands within a single deployment, particularly in B2B2C scenarios. Furthermore, with PingOne for Customers Passwordless, the platform offers ecosystem support for passwordless authentication, ensuring a smooth and secure authentication experience across various authenticators and user types.

The platform recognizes that passwordless authentication must cater to diverse user needs and application requirements, supporting various types of authenticators such as FaceID or hardware tokens. Moreover, it ensures a smooth and self-serve process for recovering access in case of lost or stolen authenticators, offering multiple options for users. Advanced orchestration capabilities within the platform enable the enrollment, usage, recovery, and updating of passwordless authenticators, while also integrating MFA, passwords, and federated SSO paths as needed. With the Ping Identity Platform, organizations can accommodate and orchestrate multiple authentication journeys for consumers, employees, partners, and devices. The solution's functionality is available via APIs and supports SOAP, REST, Webhooks, SCIM, LDAP, and RADIUS. All platform functionality is also available via CLIs. SDKs are provided for a wide range of popular programming languages. Third-party integrations are well supported, which includes integration to popular ITSM, threat intelligence, EPP, EDR, and UEM solutions.

Ping Identity's cloud-ready software and SaaS solutions are highly scalable and offer maximum flexibility to customers in terms of support for standards as well as innovation for cutting-edge use cases. Ping Identity has a strong presence in North America and good representation in EMEA and APAC regions with a suitable partner ecosystem. They appear in all leadership categories in this Leadership Compass and continue to move in a positive direction.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 25: Ping Identity’s rating

Leader in

4.25 SAASPASS – SAASPASS IAM

SAASPASS was formed in 2013 and is headquartered in San Francisco. Their product, SAASPASS IAM, is centered on providing passwordless authentication services to small and large customers in the government, defense, finance, and insurance industries. The solution is built on a passwordless architecture and zero trust security model. It's available on both as SaaS and on-premises. The platform delivers capabilities such as MFA, SSO, shared access management, directory services, access control policies, endpoint protection, PAM, reporting and auditing, and delegated admin types.

SAASPASS offers a user-friendly solution for IAM needs, providing customers with a single, centralized platform to manage their authentication and security requirements. Unlike other providers that offer separate point solutions requiring multiple purchases and dashboards, SAASPASS consolidates various IAM functionalities into a unified interface, serving as a single pane of glass for all IAM needs. The platform includes extensive support for MFA integrations, supporting various protocols and offering SSO capabilities. Notably, the platform extends its security coverage to social media, SaaS apps, and on-premises applications, ensuring comprehensive protection across various digital assets. The user experience for passwordless authentication is particularly compelling for both consumers and the workforce.

Furthermore, SAASPASS distinguishes itself with its intuitive UI and user experience (UX) for administrators. SAASPASS also offers a mobile SDK that companies can incorporate that functionality into their own mobile app, with multiple MFA methods supported, or launch their own branded authenticator app for their web apps. Their mobile application also supports encrypted barcode scanning, remote login MFA, mobile URL callback, and mobile on-device login to prevent MITM attacks. In addition, the solution includes self-service bulk enrollment capabilities for FIDO2. API support includes REST, SOAP, and WebSockets, and CSV/JSON/XML formats. The solution also supports LDAP and SCIM for provisioning. It is also compliant with PSD2 Strong Customer Authentication requirements.

The SAASPASS product supports a good variety of authenticators, and it offers reasonable scalability, which makes it attractive for environments where high security and authentication assurance is needed. Organizations looking for modular authentication services or needing to add-on passwordless capabilities to an existing IAM infrastructure may want to look at SAASPASS capabilities in these areas.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 26: SAASPASS’ rating

4.26 SecureAuth – SecureAuth Customer

SecureAuth has been in the market since 2005 and is headquartered in Irvine, CA. The company is dedicated to staying ahead through continuous modernization and innovation. In late 2021, SecureAuth’s acquired Acceptto and added contextual behavior threat intelligence to its list of capabilities. In 2022, the company launched Arculix, a next generation platform that combines orchestration, passwordless, and continuous authentication capabilities. This solution delivered MFA, risk-based adaptive authentication, SSO, authorization and policy management, and user self-service capabilities. And in late-2023, SecureAuth acquired Cloudentity adding innovations across authorization, end-user consent, and Open Finance as well as further enhancements to SecureAuth's passwordless authentication capabilities, making it a versatile and advanced solution for IAM needs. As of April 2024, SecureAuth offers two solutions: One for Workforce IAM which is based on the core SecureAuth IDP platform and is focused on use-cases where the business owns and/or controls the devices from which users are trying to gain access. And a second offering for Customer IAM which is based on the Cloudentity platform and is focused on use-cases where the end-user is a customer outside of the control of the business (i.e. a B2C scenario) and potentially gaining access via a complex business ecosystem (i.e. a B2B2C or B2P2C scenario). Both offerings now include the orchestration, passwordless and continuous authentication capabilities previously offered and marketed as the Arculix product. The union and realignment of this broad set of technology enables SecureAuth to provide modern frictionless experiences across the entire spectrum of IAM use cases. SecureAuth has a large customer base in medium to enterprise organizations, predominantly in North America, with some growth in the EMEA and APAC regions. The company serves organizations in the financial, manufacturing, government, healthcare, insurance, retail, and energy industries.

By offering solutions that cater to both Workforce IAM and Customer IAM implementations, SecureAuth facilitates the deployment of risk-based adaptive authentication policies using modern data science techniques to ensure continuous authentication across the entire enterprise. Key technological functionalities include a universal authentication fabric (UAF), adaptive and continuous authentication, passwordless authentication, AI/ML behavior-based analytics risk engine, intelligent MFA, device trust, a mobile app, and a mobile SDK.

SecureAuth solutions provide an innovative approach with its UAF that encompasses device trust (for root of trust) and an AI/ML driven risk engine that tracks over 200 variables and integrates third party intelligence. This approach enables continuous authentication that allows users to log-in one time with biometric or other passwordless methods and after that they can log-in passwordlessly into other apps, VPN, VDI, etc. By continuously authenticating users every few minutes with Invisible MFA, the solution provides an easy-to-use experience while securing access.

SecureAuth also uses its risk engine to establish a level of assurance (LOA) that begins before the first login and continuously adjusts the LOA score post-authentication throughout the user journey. In addition, the MFA feature enhances security by evaluating access post-authorization using push notifications or verification codes, even offline. SecureAuth’s solutions are implemented in a cloud-native microservice architecture that can support on-premises, cloud, and hybrid deployment models as well as air-gapped environments. SDKs are given that support Java, .NET, Python, Go, Ruby, and JavaScript programming languages and SDKs for Android and iOS platforms. API protocols supported include REST, Webhooks, SCIM, LDAP, and RADIUS. Third-party integrations are well supported, which includes integration to popular ITSM, threat intelligence, EPP, EDR, and UEM solutions.

The SecureAuth solution has been modernized over the past years and suits our requirements for a modern, microservices-based architecture. SecureAuth continues to move in a positive direction and appears in both the product and innovation leadership categories of this Leadership Compass.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 27: SecureAuth’s rating

Leader in

4.27 Thales – Thales OneWelcome

Thales is a French global company and leader in the aerospace, transportation, defense, and security markets. Its Digital Identity & Security division employs approximately 17,500 people worldwide and sells through a large network of distributors and resellers. Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. In 2022, the company acquired Dutch CIAM company OneWelcome, one of the leading European providers of CIAM. As a result, Thales offers a comprehensive suite of integrated IAM products and services designed to address various identity use cases for customers, partners, and external identities for different verticals like insurance, banking, government, and telecommunications.

Thales offers a suite of IAM products and services, catering to the diverse needs of modern authentication. The flagship SaaS offering, OneWelcome Identity Platform, enables organizations with a versatile set of identity applications suitable for various use cases, including customer, partner, and supplier identities. The platform is built as an identity fabric on an open and extensible architecture, ensuring its compatibility with current IAM practices while also accommodating future trends like Self-Sovereign Identity (SSI) for both customers and the workforce of tomorrow. Thales further augments its offering with the OneWelcome Identity Cloud modules, addressing fraud detection and ATO protection through identity verification, identity affirmation, Strong Customer Authentication (SCA), and risk-based authentication. The solution encompasses a wide range of authentication methods, from traditional password-based authentication to modern solutions like FIDO2 and mobile-initiated verification. With Thales' OneWelcome Identity Platform, organizations can deploy robust authentication mechanisms, including hardware tokens, smart cards, and software-based authenticators, ensuring secure access across diverse environments and devices.

The solution offers a versatile set of capabilities designed to facilitate passwordless experiences for all users. These include extensive support for passkeys and the ability to synchronize passkeys for use across various devices and low-assurance scenarios. Verifiable credentials support is offered through the User Journey Orchestration module, to connect to national identity schemes for identity validation or natively verify the identity via various methods including liveness detection, ID photo to selfie matching, NFC eID capture, AML checks, manual verification. The Thales Digital ID Wallet also offers in-person verification. Support for IaaS installation is not available. Depending on the product component, on-premises and private cloud components are delivered as software deployed to a server or a Docker container. The product has been independently certified to support compliance with a wide range of standards, including FIPS, ISO, PSD2 and eIDAS, to name a few.

Overall, Thales offers a comprehensive solution that enables organizations to improve their identity management practices, adapt to evolving technologies, and effectively secure their systems and data. Organizations in highly regulated industries and security-conscious organizations in both the public and private sectors that require strong authentication should consider the OneWelcome Identity Platform. Thales appears in the overall, product, innovation, and market leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 28: Thales’ rating

Leader in

4.28 Transmit Security – Transmit Security Platform

Transmit Security was founded in 2014 and is headquartered in Tel Aviv and Boston, MA. The company provides innovative authentication and risk management solutions to small and large companies worldwide. Its portfolio is built to address B2C, B2B, and B2B2C IAM needs. Transmit Security offers a passwordless authentication solution for customer and workforce authentication. The platform includes several modules such as app-less web authentication, workstation authentication, advanced decisioning engine, integration engine and more. However, the specific architecture deployed depends on customer requirements.

Transmit Security offers a solution that addresses various identity and security challenges faced by organizations. With the ability to improve the entire user lifecycle with a wide range of features, Transmit enables customers to efficiently manage multiple use cases. For example, the solution provides organizations with an advanced identity journey editor that allows them to customize their journeys, including device registration and other features. The platform’s identity orchestration capabilities allow organizations to configure and build flexible identities-related customer journeys. It has strong omni-channel capabilities and covers cross-channel use cases in a simple and seamless manner. Transmit provides its own native fraud detection offering and can also integrate and orchestrate additional solutions, particularly in the payments space, allowing for a comprehensive view of user activity—from logins to transactions—ideal for banking contexts.

Identity Verification functionalities are also included, allowing organizations to verify customer identities through automated ID and selfie analysis. External identity and fraud intelligence data sources can be consumed, and risk engine output can be sent over REST APIs that can be secured using JWT, OAuth2, OIDC, and SAML authentication. WebAuthn is supported as well. The service has been audited for ISO 27001 and SOC 2 Type 2. The platform supports passkeys, email magic links, MFA, and other passwordless methods. Transmit accepts FIDO U2F/2.0, OTPs, and mobile push authentication. All standard account recovery methods are present. They offer their own authenticator app and SDK. The authenticator app leverages built-in fingerprint and facial recognition biometrics.

Transmit's platform is a good choice for high scale/response environments and can support large-scale deployments, making it suitable for organizations of all sizes. Transmit Security's platform processes over a billion transactions daily for their customers worldwide. The platform has one of the most feature-rich offerings in the passwordless authentication market and would likely be suitable for any type of organization looking to adopt a passwordless solution. Transmit Security appears in the product, market, and innovation leadership categories.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 29: Transmit Security’s rating

Leader in

4.29 TrustBuilder – TrustBuilder.io

TrustBuilder, founded in 2008 and headquartered in Paris (France) and Ghent (Belgium), is a leading European vendor with a global reach. The company delivers a comprehensive SaaS Access Management platform with a tailored approach to meet industries' unique needs. The platform, TrustBuilder.io, offers two modules: TB Access Manager and TB Authentication Manager. These modules empower companies to address CIAM and MFA use cases, including online onboarding, identity verification, strong authentication, and authorization services, ensuring secure and seamless digital experiences for their users.

TrustBuilder.io. consists of different modules. TrustBuilder Access Manager is the component that provides Access Management and federation capabilities. TrustBuilder.io Multi-Factor Authentication adds capabilities for MFA and passwordless authentication, with TrustBuilder.io Notification Service as an addition providing push messages, as well as SMS and e-mail. TrustBuilder.io Identity Management supports identity lifecycles for secure customer onboarding. Self-service capabilities are added by the TrustBuilder.io Self-Service module. API security comes via TrustBuilder.io API. Finally, TrustBuilder.io Insights provides reporting and analytics.

The company places a strong emphasis on prioritizing identity-centric policies for access management. The solution offers an end-to-end experience to customers throughout their user journey, encompassing a wide range of capabilities such as SSO, MFA, Federated Identity Management, adaptive authentication, and passwordless authentication. It is delivered as a SaaS solution for MFA and CIAM, with a local component called TrustBuilder Connect which connects the SaaS solution with customers’ applications and sensitive data that can remain in their dedicated environments. The product is also delivered as a virtual appliance, container-based, or managed service by 3rd Party service providers.

A distinctive feature is its support for verifiable credentials. Document verification and biometric onboarding is completed by partners and are embedded in the product, providing regional coverage of over 190 countries. Customers may choose custom identity verification vendors to integrate the product with. Additional identity attributes can be verified by checking against national registries, by verifying verifiable credentials, and through data aggregation with credit bureaus, telecom, banks, universities, insurance, and employers. In addition, the company supports FIDO2 and integrates a FIDO authenticator in their mobile and browser authenticator. All the TrustBuilder functionality is available via APIs, in which SOAP, REST, Webhooks, JSON-RPC, LDAP, Google Pub/Sub, TCP Socket API, and RADIUS protocols are supported.

TrustBuilder positions itself as a good alternative to the established offerings supporting mid-market to enterprise organizations in the European market. The company is innovative and provides a secure and user-friendly solution. TrustBuilder is a solid option in this market segment.

Ratings	Security
	Functionality
	Deployment
	Interoperability
	Usability

Table 30: TrustBuilder’s rating

5 Vendors to Watch

Besides the vendors covered in detail in this document, we observe some other companies in the market that readers should be aware of. These vendors did not participate in the rating for various reasons, but nevertheless offer a significant contribution to the market space.

5.1 1Password

Founded in 2005 and headquartered in Toronto, Canada, 1Password is a leading provider of digital identity solutions, specializing in password management and authentication. With a mission to simplify and strengthen online security, 1Password offers a suite of products designed to protect sensitive information and streamline authentication processes for businesses and individuals alike. In November 2022, 1Password announced its acquisition of Texas-based passkey tool provider Passage. The company's focus is small and medium-sized organizations in North America, EMEA, APAC and Latin America.

Why worth watching: Passage is a passwordless authentication and user management solution for consumer apps and websites that enables developers to quickly implement login flows based on passkeys, magic links, login codes, and social logins. Passage also has the ability to add passkey authorization to an existing WebAuth solution. Its adaptable nature allows customization to suit the unique requirements of each application. Customers have the flexibility to integrate authentication flows directly into their apps or utilize a hosted login page provided by Passage. Furthermore, it can function as a standalone user identity management system or integrate with external identity providers (IdPs).

5.2 Authsignal

Founded in 2021 and headquartered in Auckland, New Zealand, Authsignal is a Fraud Ops Automation suite designed to enhance security and user experience seamlessly. The platform integrates drop-in step-up passwordless authentication, multi-factor authentication, and a no-code rules engine, enabling businesses to manage customer interactions with minimal friction effectively. Authsignal provides a comprehensive view of customer activities, allowing businesses to track, analyze, and respond to fraud threats through simple API integration.

Why worth watching: Authsignal's capabilities extend to protecting the entire customer journey, from initial access to post-transaction analysis. It allows businesses to implement dynamic security measures like step-up authentication challenges and customizable rules tailored to specific business needs.

5.3 Esatus

Esatus AG was founded in 1999 and it specializes in Information Security consulting, software development, and decentralized identity for customers in the banking, government, manufacturing, construction, and healthcare industries. The company consults with large enterprises for access management, access provisioning, and recertification. Esatus is primarily focused on the DACH region, but the product is globally applicable. They offer leading-edge SSI solutions for enterprises and end users.

Why worth watching: SOWL, formerly known as SeLF, is an all-in-one SSI suite which provides the rule engine with the capacity to select which credentials/attributes allow access to which applications and resources. SOWL is very generic, no specific use cases are emphasized (not focused on the workforce, consumers, or partners specifically). However, by allowing the user to make decisions about personal identifiable data, the solution adheres to the principles of SSI.

5.4 Facephi

Based in Alicante, Spain, Facephi provides a digital identity platform for digital identification and verification, particularly for KYC and AML compliance. Services include onboarding and authentication.

Why worth watching: Facephi offers a biometric authentication solution that leverages facial recognition technology to provide secure and convenient identity verification. Their platform integrates advanced facial recognition algorithms with robust security measures to authenticate users quickly and accurately.

5.5 Identité

Identité was publicly established in April 2020 and headquartered in Clearwater, Florida. The company was founded by a team of security and enterprise software veterans and its client-base is mainly composed of small and medium enterprises and moving up-market. With sales agents in North America, Latin America, and Europe, Identité's mission is to provide clients with a simple and secure user experience. Identité offers easy-to-use software solutions, cloud services and on-premises deployments.

Why worth watching: Identité operates in three domains: access, identity, and privileged. Products include NoPass for Consumer and NoPass for Employees. Their CIAM offering, NoPass for Consumer, includes APIs and an SDK which can be integrated into a company's web portal and mobile app to enable passwordless authentication.

5.6 IDlayr

IDlayr is headquartered in London and was founded in 2020 by serial entrepreneurs who previously built cloud communications and payments platforms Mblox, Nexmo, and Boku. IDlayr uses the cryptographic security of the SIM card that resides in every phone to deliver a binary response that confirms a verified identity (with the mobile number), a verified credential (with the SIM card), and a verified digital presence (with the active session). The product is targeted to workforce, consumer, and partner use cases.

Why worth watching: IDlayr provides an enterprise-friendly single point of integration for businesses looking to deploy SIM-based authentication. IDlayr's APIs provide an abstraction layer on top of the disparate, individual APIs provided by Mobile Network Operators (MNOs).

5.7 Keyless Technologies

Keyless was founded in 2019 and is headquartered in London, UK. It is an innovative deep-tech identity company that develops and provides a privacy-preserving passwordless biometric authentication solution. Keyless' unique value proposition is derived from combining advanced cryptography with facial biometrics and authentication. The product is based on 10 years of research in academia on technologies such as secure multi-party computation, zero knowledge proofs, and biometrics.

Why worth watching: The consumer offering has multiple use cases such as customer KYC, account recovery, and SDKs which incorporates all the features and core technologies of Keyless authentication.

5.8 Stytch

Founded in 2020 and based in San Francisco, California, Stytch is an identity platform built for developers. With advanced features like device fingerprinting and account takeover resistant authentication, Stytch provides the infrastructure to make organizations' IAM needs secure, reliable, and scalable. Stytch's sweet spot is the medium size enterprises in North America. However, the company has a growing number of customers in EMEA, APAC, and Latin America.

Why worth watching: Stytch was founded to offer authentication solutions that are not only developer-friendly but also prioritize user experience while incorporating fraud detection measures. The platform is designed to adapt to the evolving landscape of authentication, offering flexibility through an API-first approach and tailored solutions for both B2B and B2C use cases.

6 Related Research

Leadership Compass: Passwordless Authentication 2022.
Leadership Compass: Access Management 2023
Whitepaper: The Future is Passwordless. If you do it right.
Whitepaper: Simplifying and Strengthening Authentication with Passwordless Desktop MFA
Advisory Note: Maturity Level Matrix for IAM
Blog: Trends and Predictions - Passwordless Authentication

7 Copyright

© 2024 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks ™ or registered trademarks ® of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts AG, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and making better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.