Welcome to the webinar, Adopting Passwordless Authentication. My name is Alejandro Leal, I'm a Research Analyst at KuppingerCole, and today I would like to talk about the recent report that we published last month on passwordless authentication for enterprises. So this report focused more on the use of passwordless solutions in workforce scenarios, and I would like to show you some of the insights that we learned. But before we begin, I'd like to remind you of some things to keep in mind during the webinar. So all of you are muted, there's no need to mute or unmute yourself.
We will also be conducting a few poll questions, and I would really like you to participate in those because it really helps us in our research. And there will be a Q&A session at the end of the webinar, so you can enter any question at any time using the C event control panel. And then we will be providing the slides and the recording of the webinar in the coming days. So here's the agenda. So we'll have a brief introduction of passwordless, then we'll talk about the market trends, and at the end we're going to go deep and then talk about the findings on the report that was published.
But before we begin, I'd like to have one poll question, and this is one of the questions that I've used in the past. And what's interesting is that in the previous webinar we had this question, but that webinar had an audience that was mainly composed of users and vendors from the consumer space. And in the poll question, most of them answered enhanced user experience as the primary driver for passwordless adoption. And we had the same question in a different webinar that was focused on the workforce scenarios, and most people answered improved security.
So if I can guess, I'm not trying to influence the results of this poll question, but since this LC and this webinar is focused on the enterprise, my guess is that most people will vote for improved security. But that just sort of shows you the different expectations that we have with users. In reality, passwordless authentication should be able to improve both user experience and security without compromising the other. Now we're going to go and move forward. And just as I was saying, the difference here is that, in general, enterprise solutions are designed to enhance security and control.
They also integrate with existing corporate IT systems, and they align with internal security protocols. Of course, it doesn't mean that all solutions should do this, right? It's because we're looking at it from the workforce perspective. If we compare the consumer perspective, then they tend to look at different aspects. But let's stick to the workforce for a second. But before, we need to go back to basics and describe the user journey. So what is the user journey? Digital identity is the key to move from unknown to known. Before a user becomes known, that user has a first interaction.
It could be onboarding, or it could be accessing a system or application, or performing a transaction. In that context, digital identity, and in the context of this webinar, passwordless authentication helps with that transition from unknown to known. And we have different sort of users. We have consumers, we have customers, partners, workforce, suppliers, devices, and things.
And although many vendors focus on particular use cases and certain industries, I believe that a solution that encompasses all of these users and is able to address different use cases, it's going to be the solution that will likely lead to more user adoption. Because whether it's consumer or enterprise, these vendors are facing the same challenges, which I will later talk about. But these are the challenges like interoperability, spreading the knowledge on the benefits of passwordless.
Many users are still reluctant to adopt these solutions because they're very comfortable with what they're using. So they're sort of facing the same issues. We all know why passwords are bad. I'm not going to spend too much time here. Here are just a few problems that passwords have when it comes to security. But if we really explore the origins of passwords, then we'll be able to learn more about why they are problematic.
So in the 1960s, early 1960s, computer scientists at MIT in the United States, they created the Compatible Time-Sharing System, which essentially required users to use a password to access private files. Long story short, without going too much into detail, passwords were not created to provide secure authentication. They were instead created to keep track of the time spent on shared mainframe computers. So with that realization, you may be asking, so why are we still using passwords? It's been already more than 60 years since then, and we're still facing this authentication.
So that's where passwordless authentication comes in. And here in the next slide, we'll have some of the trends observed. And as some of you may know, at KuppingerCole, we published two reports this year on passwordless. One was focused on the consumer space and the other one on the enterprise space. But these market trends sort of, they're a conclusion of these two reports, you may say. So there's market growth. We see different passwordless vendors that are entering the market. Some of them have just a few years of existence.
So we see new innovative and specialized vendors competing with well-established companies. Then we see the market becoming more dynamic. Some of these vendors are just focusing on particular use cases or different industries. We see the impact of regulations, particularly in the United States, with the publication of a memorandum a couple of years ago. We also see the impact of FIDO and WebAuthn in accelerating the adoption of passwordless. We also see technical advancements like the use of passkeys, which most of the vendors that I did research on support passkeys.
And it's one of the features that's the most talked about, at least in the past year or so. And as we see, the industry is moving away from traditional methods and they're starting to adopt passwordless solutions. And that's because of the need for enhanced user experience, the need for security as we see new threats, such as with the creation of, or the use, let's say, in the use of generative AI and deepfakes, the sophistication of phishing attacks is becoming more and more problematic. So there's a security aspect, of course. We see new entrants and we see evolving regulations.
And all of these aspects are pushing the adoption of passwordless solutions. But it's not going to be easy. We will see later some of the challenges.
Briefly, we have a market sizing chart where we predict that the compound annual growth rate will go up to 31%. And we will be providing an updated chart next year, of course. But this is just increasing, as I've mentioned in the previous slide. So on this slide, I have the leading passwordless authentication vendors. There are 36 on this slide from both reports, from the consumer one and the enterprise report. And here we see well-known companies, but we also see companies that just focus on the consumer space. Some of them just focus on the enterprise.
Some of them are just trying to solve the transition from legacy applications to modern authentication systems. Other vendors are just focused on the financial industry. So it really depends. We have a lot of variety. And it really shows you that the need for passwordless is real. But in the end, it depends on the organization and the context within that organization. So there are a lot of opportunities for these vendors to keep moving towards the adoption of passwordless.
I think the next slide is interesting because here we have the distribution of supported authentication methods among the vendors that I just listed. So as you can see here, 79% of the vendors, 79% of them are still supporting username and password for authentication and for account recovery. I think that's a very big percentage. And of course, they tell me that they just want to be able to provide that to their customers, because in the end, it's their customer's choice if they want to keep using traditional methods.
But if we want to move on to a passwordless future, I think we need to really remove this option and educate users, educate the organizations and the customers, and tell them that there are better alternatives. And it's not as difficult as it may sound. It's not as expensive as it may seem. So I think the messaging needs to be more clear. And there's a lot of work to do. And the same thing applies with SMS codes and push notifications. These are phishable factors. And SMS codes, similarly to passwords, they were not created to provide secure authentication.
They were sort of a messaging protocol. So it's a bit strange that we are using authentication methods that were never really created to provide security. And here we see 94% of the vendors, they're supporting passkeys. I think there was only one vendor that didn't support it. And it's on the roadmap. So I guess you could say it's almost 100%. We have also push notifications, mobile connect with 25%, and vendor authenticators. So if you compare these numbers to the research I did two years ago, we see a decrease in username and password, SMS codes, et cetera. But it's still not that substantial.
So I've been talking about the challenges for a while now. And here are some of them. As I mentioned, user adoption is a big challenge. Many are reluctant to abandon traditional methods. And that's mainly because of lack of education, I'd say. And with the conversations I have with the vendors, they tell me that it's mainly lack of education. So I think vendors have an opportunity in this particular challenge. It's not really a challenge, I'd say.
It's more of an opportunity because they have the job to educate, let's say, the masses and to spread the word that passwordless authentication is a good alternative. Then there are cost barriers, financial implications of deploying passwordless can deter organizations.
And I think at the same, like the user adoption challenge, vendors have the ability to suggest that despite the cost, in the end, passwordless authentication will make your business more productive, more secure, and you can even argue more profitable because you're going to be less dependent on traditional methods of authentication, which are not safe at all. So again, it's that messaging aspect that vendors need to do. Then we have perhaps the biggest challenge, interoperability.
So we have a diverse range of authentication protocols across various platforms, which results in compatibility challenges. And again, so if a website is still not supporting WebAuthn or any other protocol, and the user needs to go back to username and password, then the whole passwordless talk is not tangible. It doesn't make an impact on the users. So I think that's perhaps one of the biggest challenges. And clearly there's work to be done. And here's another challenge that the vendors have the opportunity to change, which is adaptation.
As I demonstrated in the previous slide, 79% of the vendors still offer traditional username and passwords as an optional feature, right? It's depending on what the customers want, but they still want to be able to provide that option for them. The thing is, I see some vendors which appear in the innovation category, which you will see later on. Some of these vendors are not using SMS codes or passwords or any other phishable factor. They came up with their own alternative ways of account recovery in this case, let's say.
So they completely eliminate those insecure factors, and they come with their own proprietary ways of securing an account. And I think that that's an opportunity for many vendors to innovate, to compete, and to keep moving forward towards a passwordless future. So we'll go to the second poll. And just out of curiosity, we want to know which cyber attacks are you most concerned about? Is it phishing, account takeovers, insider threats, or privilege escalation attacks? So now it's time to talk about the leadership compass.
Just briefly, just so people are aware of how we do this, basically, we first identify vendors that are covering the market. We contact them, we ask them to participate, and if they decide to do so, we get a briefing with them, we send them a questionnaire with hundreds of questions. And then based on the briefing and the questionnaire, we evaluate and then we analyze all the information, and we create a draft. We send back the dedicated chapter for each vendor together with the report results.
And then they get a fact check stage where they get the chance to talk about the results or something regarding the product description. So we can always have a second call with them. And then after that, we publish. So the whole process, it really depends how long it takes, depends on how many vendors participate. For example, in the leadership compass on passwordless for consumers that was published in May, I think there were like 29, 30 vendors.
It took, I believe, five months from the very beginning to the publication date. So it really depends. But I'd say between three to four months will be more accurate. So here we have the categories of leadership in the report. We have product leadership, which focuses on the functionality of the product. Then we have the market leadership. It emphasizes the number of customers, geographical presence, ecosystem partners. Then we have innovation leadership, and then the overall leadership. So here is the overall leadership in the leadership compass on passwordless for enterprises.
So here we see some vendors that have already a big market presence and they combine with innovative features. They stand out and they are on the right side of the overall leadership. But we also see young, not very, let's say, not with a huge market presence worldwide, but we still see some small companies that are very innovative that are also on the right side of the leadership. So we look at these four sections, right? And what's interesting is that some of these vendors have completely different use cases. Some of them just focus on addressing legacy issues.
Some of them have a more niche focus on certain industries. Some of them are dependent on Microsoft and they want to be able to provide their customers with a passwordless alternative. Some of them are focused on telecommunications. So it really depends. On the next slide, we'll share the product leadership. So this is based on the analysis of product features and capabilities. And on the left side, we have seven categories that we use to assess the product. So we have the architecture, so how modern the architecture of the solution is.
We have authentication, so how many authentication methods the solution is able to provide and whether they're still providing phishable factors, etc. Identity and access management support. We have identity APIs, device posture, so the ability to provide device health checks, etc. Compliance, that's a big one, particularly in the workforce, and scalability. So each solution has a chapter and also a spider graph with these categories that I just mentioned. So now we have the innovation leadership category. And here on the left, I have just a few innovative, let's say, features.
I mean, most of them, of course, have strong adaptive authentication, cryptographic approaches, but some of them have a more, let's say, focus on these aspects. On microservices, that's something we're looking for. And as I mentioned earlier, secure account recovery mechanisms, because for account recovery, many vendors are still supporting helpdesk, which makes it very inconvenient for users to be able to recover their account. So here we're looking at not only secure account recovery mechanisms, but also user-friendly ones.
And also the support of decentralized identity and verifiable credentials and the wallet, etc. Especially here in Europe, where we see in the next years, we'll see the adoption of the European wallet. So that's also something we are looking for.
Next, we have the market leaders. So despite the presence of major players, the evolving nature of the market allows for smaller companies to enter and establish a niche area of expertise. And as an example, some smaller vendors are targeting mobile operators, as well as the financial industry. Now we have the, well, before I go to the last poll question, by looking at the innovation on the part of the market and the overall leadership, I hope that you are able to see the diversity of vendors. They're all very different in their own ways. They all provide passwordless in their own ways.
But in the end, it's all about moving towards this passwordless future that I've been mentioning multiple times. For me, the fact that we are still providing username and password, that's something that needs to be addressed. And I know it's not that easy. I guess it's perhaps easy for the analysts here to say that. But when you talk to your customers and when you're trying to improve their organization, and when you want to hear what they want, then I think it's a different topic. It could be a bit more challenging.
But still, I believe that's the way forward. So now the last poll question would be, which of the following best describes your organization's approach to authentication? Have you already adopted passwordless authentication? Do you still rely on username and password? Or do you have MFA on top of passwords? We've done research on this before, and it seems like most organizations, around 70% have MFA with passwords. And it's about like 15%, 15% have already adopted passwordless, and 15% are still relying on traditional methods.
So yeah, that's still, I guess, good news for the vendors to hear that there's still work to be done and there's a lot of potential in this market. But I would like to see the results at the end of the webinar and hear your thoughts on this. So moving on, we have just here some information on our upcoming event, cyberevolution, taking place in December. We're going to have a track on identity security. So we'll have some topics on ITDR, for example.
So yes, we see sort of this convergence of, as we know, identity and cybersecurity, and we have plenty of topics on that. So make sure to check our website for more information on this.
And here, we do research. We have events and webinars like this one, and advisory projects. And if you want to check for more research on this topic, make sure to go to our website and check for white papers, advisory notes, and leadership compasses. This is the leadership compass that was published two years ago, but as I said, we published two this year.
Now, since it's the end of the presentation, I think I'd like to see the poll results. And then we can go to Q&A.
So yes, here we can see the results. And I hope I didn't influence the results, but as I was expecting, oh, no, it's not what I was expecting. Enhanced user experience with 48%. Okay. But it's very close to improved security. So as we said, it's sort of both. You cannot sacrifice the other. Both of them need to increase. So maybe next time we'll have an additional option that says A and B or something like that. Maybe we can go to the second poll question.
So again, we see here a very close race between the first two options. So account takeover and phishing attacks, which I'm not surprised. And passwordless solutions are supposed to address both of those.
And yeah, that's another reason why getting rid of phishable factors like SMS codes and insecure methods like username slash password, that's probably a wise thing to do. Okay. We can see the next question and then we can check the Q&A. So which of the following best describes your organization's approach to authentication? Yep. Looks like, as I said, around 70% of organizations have MFA including passwords. It's good news that we don't see any username slash password here. And we see 29% have already adopted passwordless authentication. So that's actually a good thing.
So here we have some questions and we still have some time. So one of the questions is, how many enterprise vendors address consumer use cases as well? So if we look at the slide with all the vendors, I'd say that most of them, around 65 to 70%, address both use cases. And most small companies that are highly innovative, but they tend to just focus on certain use cases and industries. But that's more or less what I found. Next question is, what do you consider the most significant challenge to adoption? So as discussed, user adoption, but interoperability will be the other one.
But again, I think vendors have the chance to improve this and to address them and to see them as opportunities rather than challenges. Another question is, what is MobileConnect authentication? So MobileConnect, it's provided by an organization called GSMA. And it's mainly targeting the telecommunication industry. So you can perform a transaction or sign in by just using your mobile provider. And you can have this application, which is called MobileConnect, to authenticate and to perform secure transactions as well. You can look it up. It's on the internet.
But surprisingly, only 25% of the vendors support it. And with my conversations with some of them, it seems like many of them had, when they talked to their customers about MobileConnect, they usually sort of have like a stereotype that MobileConnect is just focused on telecommunication use cases.
So again, in that context, there's also some education to be done to increase visibility of this authentication method. And there's another question saying, what do you expect from face-slash-voice biometrics in Europe?
Well, that's a good question. As we know, in Europe, we like regulations and data protection. So there's a lot of talk about that, of course, every time we talk about the use of biometrics. But maybe I can do a follow-up on that. I think that many of these regulations are moving fast. And I think that if you compare it to the North American market, maybe there's more, let's say, sense of, I guess, sort of like, carefulness, maybe? That's the word that I was looking for.
But I think there's sort of a stereotype that in Europe, there are more things to look at in that sense of, in the context of regulations than in North America. And I believe that's the last question.
So, yes, I think we also ran out of time. So, yes, I really hope that this was useful. We'll be doing more research on passwordless next year. And I really hope that you guys found some of these insights useful. And I think that's it for this session. Thank you very much for your attention. Helpful in your research or in your own career.
So, thank you so much. And feel free to reach out anytime in case of any questions. Thank you.