The global multifactor authentication (MFA) market is predicted to reach more than $10 billion by 2017 as three-, four- and five-factor authentication systems gain prominence. Part of this growth can be attributed to the rise of biometric security services, such as fingerprint, retina and facial scanning. A recent Markets and Markets report found that all authentication methods using more than two factors included some form of biometric scanning. However, despite such big-value estimates, some experts argue that the model itself is flawed — will some or all of these innovations get scrapped before they reach enterprises?

The Magic Number

Right now, 90 percent of the MFA market belongs to two-factor authentication. These “standard” methods include passwords, hardware tokens and PINs, although some systems do employ a secondary biometric scan. With a predicted compound annual growth rate of 19.67 percent over the next three years, however, it’s clear that the other 10 percent — and the biometric technology needed to support them — will play a large role. As it stands, three-factor authentication is mostly used in bank lockers and immigration, while four- and five-step methods only make an appearance in high-level government operations. Part of the problem is cost, since it’s often prohibitive for a small business to roll out full facial recognition or install high-level fingerprint scanners.

Consider Homeland Security’s most recent project, an airport biometric scanning program that costs at least $7 billion. Slate notes that government officials are currently testing the “exit” portion of the system, which uses facial and iris recognition to identify non-U.S. citizens when they leave the country. Ideally, this would help Customs and Border Protection keep track of visa holders and make sure they are obeying any restrictions.

Opponents of the system argue that most illegal immigrants and militant threats don’t enter or leave through airports and that those overstaying their visa welcome typically don’t leave at all. Still, the plan is to roll out the system in 10 airports by 2015 despite claims that a similar system offered only 85 percent accuracy and worries about whether confirming identities is its main purpose.


However, according to a Network World article, the biggest threat to the growth of multifactor authentication is top-down thinking. It’s a familiar model: Security companies or C-suite executives mandate how, when and where employees authenticate their identity, and employees comply. The problem? In an acronym, BYOD. When Apple and Android became household names, employees started demanding network access at work. Now, these same devices not only feature authentication software, but — at least in Apple’s case — they are trying to leverage new identity attributes, such as location. Consumer interest is also driving the authentication market: Customers want better access to banks and e-commerce services without exposing themselves to undue risk. Is bring-your-own-authentication (BYOA) the next step forward?

The idea has merit, certainly. Mobile users want access on the run, not just while they are sitting at a desk or after “checking in” with company headquarters. But physical location is a fundamental constant of MFA: Employees must be in the building, physically present at a scanner to properly identify themselves. Part of this is cost savings, and part is human oversight; other workers, security guards and even cleaning staff often have a passing familiarity with most employees and a natural distrust of anyone unknown to them. Taking authentication off site opens up the possibility of remote deception without the fallback of scrutiny from other users.

There is little doubt that the multifactor authentication market will continue to grow as companies look for ways to empower users while still ensuring they aren’t impostors. The speed of this growth, however, will be determined by the flexibility of the biometric solutions developed and how well they integrate with the prevailing BYOD culture of corporate environments.
