User Authentication (MFA) Buyers’ Guide 2024
How to choose the right User Authentication software.
Enterprise user authentication solutions are services that enable organizations to roll out MFA for all employees in order to prevent account takeover (ATO) attacks.
This involves provisioning a method of multi-factor authentication (MFA) (such as an authenticator app, biometrics, FIDO2, or MFA keys), policy-based controls for governing access to systems, analysis of login attempts, credential management, and other identity controls such as single sign-on.
User authentication is a critical process in identity management used to authenticate end-user access to systems. In this guide, we’ll outline our recommendations for businesses looking to implement an MFA solution. We’ll cover:
- A high-level overview of how user auth works
- Our guide to the best user auth vendors
- Common user auth challenges and how to address them
- A features checklist
- Our recommendations on choosing the best software
- Future trends in the user auth space
Why MFA matters: A single compromised account or credential can cause a widespread data breach.
- Using MFA prevents 99.9% of account compromise attacks (Microsoft)
- MFA is the foundation of an effective identity security strategy
- Regulatory compliance and cyber insurance providers increasingly require organizations to implement MFA strategies
How user auth works: The goal of user auth solutions is simple: to verify that a user is who they say they are, before granting access. They work by requiring users to authenticate using two or more authentication factors when attempting to access an account, and by analyzing certain background risk signals.
Authentication factors: Users need to have these authentication factors in order to be able to access an account. Factors fall into three categories:
- Knowledge: Something the user knows, e.g. a password or PIN. This is the weakest factor as it can be guessed or cracked by malware.
- Possession: Something the user has, e.g. a smartphone, a hardware device, or a token (this could be a passwordless FIDO2 token stored in a browser).
- Inherence: Something unique to the user, e.g. their face, their fingerprint, or their voice. This is seen as the most secure ‘factor’ as it is the hardest to imitate accurately (although not impossible).
Multi-factor authentication requires two or more of these factors to be held by the user in order to verify access to an account.
Risk signals: Alongside the proactive measures required by the user, modern authentication solutions also look at several risk signals in order to further secure accounts against compromise.
- Risk signals can include monitoring network traffic for suspicious activity, monitoring device health, analyzing IP locations to flag unusual login requests, and more.
Identity and access management: User auth is typically delivered as part of a broader suite of identity and access management controls. This can include user directory services, single sign-on, identity proofing and verification (used to authenticate unknown users, e.g. strangers), passwordless authentication and privileged access management.
Best User Auth Providers: We have put together several shortlists of the best MFA and identity and access management providers across multiple categories:
- Top 10 User Authentication And Access Management Solutions
- The Top 11 Multi-Factor Authentication (MFA) Solutions For Business
- The Top 10 Single Sign-On Solutions For Business
- Top 12 Identity And Access Management Solutions
- Top 10 Passwordless Authentication Solutions
- Top 10 Identity Verification Software
- Top 10 Privileged Access Management Solutions
The user authentication market is broad, and there are multiple solutions available. Some offer user authentication as part of broader IAM platforms. Some are point solutions simply for deploying MFA or passwordless authentication. Others focus more on biometrics.
- Finding the best solution will depend on your requirements – but broadly we would recommend looking at an IAM platform with user authentication capabilities. There is a move in the market towards consolidating identity controls which can provide better outcomes and easier management in the long term.
Common user auth challenges: Despite the security benefits, many organizations have not yet implemented MFA. In our conversations with security teams, three common challenges are raised:
1) End user friction: Users may view authentication factors as frustrating, including senior leadership teams.
We recommend choosing a solution which focuses on the end user experience, including ease of use and flexibility when authenticating, to address concerns around friction. We also recommend implementing single sign-on and passwordless authentication factors to reduce friction for end users.
- This is particularly important for industries like healthcare, where multiple users may need to authenticate to the same terminal on a regular basis.
2) Onboarding: Onboarding can be a challenge for any identity platform, as it can be complex and time consuming to build policies and integrate all required applications.
We recommend investing in an IAM platform that can cover multiple areas, including user auth, single sign-on and PAM. By consolidating tools to one provider, you can simplify deployment and ensure scalability.
3) MFA Bypass: There has been increasing concern around MFA bypass attacks and how these can be mitigated.
We recommend investing in solutions that focus on phishing-resistant user authentication, leveraging FIDO2 Passkeys, hardware tokens and passwordless authentication.
Features Checklist: When selecting a user auth solution, we recommend looking for the following features:
- Broad authentication support: Look for a solution which supports broad methods of authentication, including biometrics, push notifications, passwordless, FIDO2 passkeys and more. This gives you greater flexibility and supports broad user preferences and backup authentication options.
- Phishing resistant MFA: Prioritize phishing resistant MFA factors, such as biometrics, passwordless auth and FIDO2 Passkeys. These are the most effective in preventing phishing and ATO attacks.
- Policies and controls: Ensure the solution enables flexible policies and controls for governing authentication workflows and enforcing additional checks on users.
- Ease of use/accessibility: Test the user experience of the platform to ensure it is easy to use, fast and accessible for all employees, regardless of technical ability/experience.
- Adaptive MFA: We recommend investing in solutions which cover adaptive MFA policies – using risk signals to enforce greater checks when suspicious activity is detected. For example, a user logging in on a new device may be asked for additional authentication checks.
- Integrations: User auth platforms should offer pre-built integrations with your user directory service and the applications you commonly use. This
- Analytics and alerts: It is important that your solution keeps a record of access and events. If an anomaly or unusual event is identified, relevant users should be alerted.
- Compliance: Many compliance bodies (across all industries) will expect organizations to implement MFA. Common frameworks include ISO 27001 / SOC 2.
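To make the adaptive MFA item above concrete, here is an added example (not code from this guide or from any vendor) of a small step-up policy: it evaluates constructed login attempts against three risk signals (new device, unusual country, device health) and decides whether the baseline factors suffice, whether a phishing-resistant factor is required, or whether to deny. The user/device/country tables, signal names and policy thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: devices and countries previously seen per user.
KNOWN_DEVICES = {"alice": {"laptop-01"}, "bob": {"phone-07"}}
USUAL_COUNTRIES = {"alice": {"GB"}, "bob": {"US"}}

# Factors the policy treats as phishing-resistant (assumption for this example).
PHISHING_RESISTANT = {"fido2_passkey", "hardware_token"}


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    device_healthy: bool  # hypothetical posture signal, e.g. disk encrypted and OS patched
    factors_presented: set = field(default_factory=set)


def risk_signals(a: LoginAttempt) -> list:
    """Return the names of the risk signals that fired for this attempt."""
    signals = []
    if a.device_id not in KNOWN_DEVICES.get(a.user, set()):
        signals.append("new_device")
    if a.country not in USUAL_COUNTRIES.get(a.user, set()):
        signals.append("unusual_location")
    if not a.device_healthy:
        signals.append("unhealthy_device")
    return signals


def decide(a: LoginAttempt) -> str:
    """Adaptive policy: baseline is a password plus one more factor; any risk
    signal steps up to a phishing-resistant factor; an unhealthy device is denied."""
    signals = risk_signals(a)
    if "unhealthy_device" in signals:
        return "deny"
    if signals:
        # Step-up: a phishing-resistant factor already presented satisfies the check.
        if a.factors_presented & PHISHING_RESISTANT:
            return "allow"
        return "step_up:phishing_resistant"
    if "password" in a.factors_presented and len(a.factors_presented) >= 2:
        return "allow"
    return "step_up:second_factor"


if __name__ == "__main__":
    print(decide(LoginAttempt("alice", "desk-99", "FR", True, {"password", "push"})))
```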
Our Recommendations: Our general advice for organizations starting their journey to finding the right user authentication solution is:
- Focus on the end-user experience. When testing solutions, make sure the platform is fast, easy-to-use and won’t impact productivity. Minimize friction as much as possible by enabling passwordless authentication processes, and single sign-on where possible.
- Deploy the most secure, phishing-resistant methods of authentication, like FIDO2 passkeys, biometrics and hardware tokens where possible. This provides the most effective protection against account compromise.
- The market trend is toward consolidation – we would recommend selecting a trusted provider offering a suite of identity and access management solutions. This will enable you to scale your offering and extend user auth with other important identity capabilities.
- Prioritize enforcing MFA on your most critical accounts and services. Where possible, map out workflows for governing which resources users can access and limit access to the most critical applications. This is an important component of building a zero-trust framework.
- Consider account remediation and recovery in case users are locked out of their accounts. Make sure backup methods are robust so they cannot be bypassed by attackers, but also ensure that users can access their accounts securely if they lose a hardware token, for example.
Future Trends: MFA is not a new technology, but user authentication is a fast-moving space. Here are three key trends to keep an eye on:
- The industry is moving away from common ‘possession factors’ such as one-time passcodes to more secure ‘inherence’ factors like biometrics. However, relying on employee-owned smartphones for biometric controls may lead to security risks, as these devices are unmanaged. In addition, the rise of AI voice and face cloning technology is causing some doubt about the future security of relying on biometrics, particularly voice-based controls.
- There is a clear move towards passwordless adoption in the consumer space, with leaders like Apple, Google, Amazon and Microsoft encouraging adoption of FIDO2 Passkeys as an alternative to passwords. Enterprise adoption of Passkeys is low, with point solutions more commonly used to deploy passwordless auth. But this is likely to change as more enterprise identity providers deploy FIDO2 Passkeys as an option for organizations.
- There is a move toward consolidation in the identity and access management space broadly. Gartner currently tracks over 400 vendors in the space, but as passwordless authentication and Passkeys become the standard, organizations may look to consolidate their identity stack and invest in one platform rather than multiple disparate solutions for IAM.
Further Reading:
- Top 10: Top 10 User Authentication Solutions
- Interview: Antoine Jebara, Co-Founder & GM MSP Business, JumpCloud
- Interview: Will LaSala, Field CTO, OneSpan
- Interview: Jason Keenaghan, Director Product Management, IAM, Thales
- Interview: James Richmond, Senior Solutions Engineer, OKTA