August 12, 2014 By Douglas Bonderud 3 min read

The global multifactor authentication (MFA) market is predicted to reach more than $10 billion by 2017 as three-, four- and five-factor authentication systems gain prominence. Part of this growth can be attributed to the rise of biometric security services, such as fingerprint, retina and facial scanning. A recent Markets and Markets report found that all authentication methods using more than two factors included some form of biometric scanning. However, despite such big-value estimates, some experts argue that the model itself is flawed — will some or all of these innovations get scrapped before they reach enterprises?

The Magic Number

Right now, 90 percent of the MFA market belongs to two-factor authentication. These “standard” methods include passwords, hardware tokens and PINs, although some systems do employ a secondary biometric scan. With a predicated compound annual growth rate of 19.67 percent over the next three years, however, it’s clear that the other 10 percent — and the biometric technology needed to support them — will play a large role. As it stands, three-factor authentication is mostly used in bank lockers and immigration, while four- and five-step methods only make an appearance in high-level government operations. Part of the problem is cost since it’s often prohibitive for a small business to roll out full facial recognition or install high-level fingerprint scanners.

Consider Homeland Security’s most recent project, an airport biometric scanning program that costs at least $7 billion. Slate notes that government officials are currently testing the “exit” portion of the system, which uses facial and iris recognition to identify non-U.S. citizens when they leave the country. Ideally, this would help Customs and Border Protection keep track of visa holders and make sure they are obeying any restrictions.

Opponents of the system argue that most illegal immigrants and militant threats don’t enter or leave through airports and that those overstaying their visa welcome typically don’t leave at all. Still, the plan is to roll out the system in 10 airports by 2015 despite claims that a similar system offered only 85 percent accuracy and worries about whether confirming identities is its main purpose.

Bring-Your-Own-Multifactor-Authentication

However, according to a Network World article, the biggest threat to the growth of multifactor authentication is top-down thinking. It’s a familiar model: Security companies or C-suite executives mandate how, when and where employees authenticate their identity, and employees comply. The problem? In an acronym, BYOD. When Apple and Android became household names, employees started demanding network access at work. Now, these same devices not only feature authentication software, but — at least in Apple’s case — they are trying to leverage new identity attributes, such as location. Consumer interest is also driving the authentication market: Customers want better access to banks and e-commerce services without exposing themselves to undue risk. Is bring-your-own-authentication (BYOA) the next step forward?

The idea has merit, certainly. Mobile users want access on the run, not just while they are sitting at a desk or after “checking in” with company headquarters. But physical location is a fundamental constant of MFA: Employees must be in the building, physically present at a scanner to properly identify themselves. Part of this is cost savings, and part is human oversight; other workers, security guards and even cleaning staff often have a passing familiarity with most employees and a natural distrust of anyone unknown to them. Taking authentication off site opens up the possibility of remote deception without the fallback of scrutiny from other users.

There is little doubt that the multifactor authentication market will continue to grow as companies look for ways to empower users while still ensuring they aren’t impostors. The speed of this growth, however, will be determined by the flexibility of the biometric solutions developed and how well they integrate with the prevailing BYOD culture of corporate environments.

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today