KuppingerCole Report
Executive View
By John Tolbert

Keyless Biometric Authentication

Keyless specializes in advanced authentication technologies to help customers increase authentication assurance and decrease risks of data leakage. Keyless delivers passwordless authentication utilizing state-of-the-art biometrics and innovative cryptography that improves enterprise and consumer security and is user friendly.

1 Introduction

As the number and severity of data breaches rise, businesses, governments, and other organizations seek to improve the authentication experience and raise assurance levels to mitigate against continuously evolving threats. Cyber-attacks put personal information, state secrets, trade secrets, and other forms of intellectual property at risk. Fraud against consumers and consumer-facing businesses has ramped up significantly. Increasing security and improving usability are the twin goals of modular authentication service upgrade projects. Data owners and IT architects have pushed for better ways to authenticate, based on changing business and security risks as well as the availability of newer technologies. Businesses have lobbied for these security checks to become less obtrusive and provide a better user experience (UX). Legacy IAM systems sometimes struggle not only to meet changing business requirements but also to keep up with the latest authentication technologies. This is especially true regarding legacy IAM solutions used by consumer-facing organizations. Many enterprises are choosing to augment their IAM systems by logically separating authentication from the IAM stack and utilizing discrete services that offer Multi-factor Authentication (MFA) with extensible risk analysis features informed by various types of intelligence. Many organizations are opting to deploy these capabilities in conjunction with their Identity-as-a-Service (IDaaS) solutions or as part of a "cloud-first" strategy.

MFA is the employment of multiple methods of determining that a user is who they are purporting to be in the context of an access request. Risk-adaptive authentication is the process of gathering additional attributes about users and their environments and evaluating those attributes in the context of risk-based policies. The goal of risk-based adaptive authentication is to provide the appropriate risk-mitigating assurance levels for access to sensitive resources by requiring users to further demonstrate that they are who they say they are. This is usually implemented by "step-up" authentication and/or the acquisition of additional attributes about the user, device, environment, and resources requested. Different kinds of authenticators can be used to achieve this, some of which are unobtrusive to the user experience. Examples of step-up authenticators include phone/email/SMS One Time Passwords (OTPs), mobile apps for push notifications, mobile apps with biometrics, Smart Cards or other hardware tokens, and behavioral biometrics.

Behavioral biometrics can provide a framework for login, in-app authorization (e.g. for online payments) and/or continuous authentication, by evaluating user behavior against a baseline set of patterns. Behavioral biometrics usually involves keystroke analysis, mobile "swipe" analysis, and even mobile gyroscopic analysis. These methods generally require the use of client-side agents, either standalone or embedded into applications as SDKs.

Solutions in this space can present multiple authentication schemes, methods, and challenges to a user or service according to defined policies based on any number of factors, for example, the time of day, the attributes of the user, their location, or the device from which a user or service attempts authentication. These factors can be used to define variable authentication policies. User Behavior Analysis (UBA) employs risk-scoring analytics algorithms to first baseline regular access patterns and then identify anomalous behavior, which can trigger additional authentication challenges or attribute collection.

A wide variety of MFA mechanisms and methods exist in the consumer authentication market today. Examples include:

  • Strong/Two-Factor or Multi-Factor Authentication devices, such as mobile biometric apps, and/or mobile apps that leverage operating system biometric capabilities,

  • One-time passwords (OTP), delivered via phone, email, or SMS,

  • Out-of-band (OOB) application confirmation, usually involving push notifications to mobile devices,

  • Identity context analytics, including

    • IP address

    • Geo-location and geo-velocity

    • Device ID and device health assessment

    • User Behavioral Analysis (UBA)

Authentication and the related identity and context assurance values, then, can be considered a precursor to authorization. The evaluation of these additional attributes can be programmed to happen in response to business policies, changing risk factors, and regulation.
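The risk-adaptive evaluation described above, as an added example that is not taken from the report or from any vendor's product: it scores a login attempt on device recognition, geo-velocity, and baseline hours, then decides whether to allow, step up, or deny. The signal weights, the 900 km/h cutoff, the decision thresholds, and all names and sample logins are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Login:
    when: datetime   # timezone-aware UTC timestamp
    lat: float
    lon: float
    device_id: str

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def geo_velocity_kmh(prev: Login, cur: Login) -> float:
    """Speed implied by two consecutive logins; infinite if time did not advance."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    dist = km_between(prev, cur)
    if hours <= 0:
        return float("inf") if dist > 1 else 0.0
    return dist / hours

def evaluate(prev: Login, cur: Login, known_devices: set, usual_hours: range):
    """Return (score, decision, reasons); weights and thresholds are assumed policy values."""
    signals = [
        (cur.device_id not in known_devices, 40, "unrecognized device"),
        (geo_velocity_kmh(prev, cur) > 900, 50, "impossible travel"),  # faster than an airliner
        (cur.when.hour not in usual_hours, 20, "outside baseline hours"),
    ]
    hits = [(weight, reason) for fired, weight, reason in signals if fired]
    score = sum(weight for weight, _ in hits)
    decision = "deny" if score >= 80 else "step_up" if score >= 30 else "allow"
    return score, decision, [reason for _, reason in hits]

def at(day: int, hour: int) -> datetime:
    return datetime(2021, 3, day, hour, tzinfo=timezone.utc)

# Constructed sample data: one baseline login and three follow-up attempts.
BASELINE = Login(at(1, 9), 51.5074, -0.1278, "dev-A")         # London
SAME_CITY = Login(at(1, 10), 51.5074, -0.1278, "dev-A")
FAR_AWAY = Login(at(1, 10), 1.3521, 103.8198, "dev-A")        # Singapore, one hour later
FAR_NEW_DEVICE = Login(at(1, 10), 1.3521, 103.8198, "dev-Z")

if __name__ == "__main__":
    for attempt in (SAME_CITY, FAR_AWAY, FAR_NEW_DEVICE):
        print(evaluate(BASELINE, attempt, {"dev-A"}, range(7, 20)))
```

In a deployment the `step_up` outcome would map to one of the authenticators listed earlier (OTP, push notification, mobile biometrics), chosen by policy.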

In the case of regulation especially, strong authentication and/or MFA are often required, with some industries, such as the financial industry, more regulated than others. The EU Revised Payment Services Directive (PSD2) dictates that service providers in this sector must use "Strong Customer Authentication" (detailed below). In the US, the New York Department of Financial Services 23 NYCRR 500 has similar provisions for MFA.

Financial institutions are also subject to Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations in various jurisdictions globally. Compliance with these regulations requires collecting personal information about customers.

However, many countries and states within countries have regulations that are designed to protect the privacy of their citizens and residents when acting as consumers. The EU General Data Protection Regulation (GDPR) is one of the best-known privacy regulations, which imposes stiff penalties for non-compliance. In the US, the California Consumer Privacy Act (CCPA) and follow-on California Privacy Rights Act (CPRA) are models that are being enacted and/or explored by other states. Thus, the collection of personal information by consumer IAM and authentication systems must adhere to an expanding number of privacy regulations.

In light of the above, one of the more recent additions to the authentication armory is "Passwordless" authentication. It is a popular term among product and service vendors today. Some passwordless options have been around for a while but are starting to be implemented more at enterprises and consumer-facing businesses. Passwordless options include the aforementioned biometrics and mobile push apps as well as simple possession of registered devices. Passwordless can also mean the evaluation of contextual risk factors without interrupting the user flow (in happy path flows). Passwordless methods provide security advantages and usability benefits. In the consumer-facing market especially, innovation in authenticators that improve user-friendliness can be a competitive advantage.

A final, yet key consideration for authentication solutions is account recovery: when users forget passwords, lose credentials, or change devices, they need ways to get access to their accounts. Account recovery techniques include Knowledge-Based Authentication (KBA; but it is recommended to avoid this method as it is usually even less secure than password authentication), email/phone/SMS OTP, mobile push notifications, and account and device linking. Help desk assistance may also be needed on occasion, but it is a costly measure.

2 Product Description

Keyless was established in London in 2019 and is backed by leading VCs. They also have offices in Rome and Singapore. Keyless is focused on improving ...


3 Strengths and Challenges

Keyless Biometric Authentication presents a compelling set of features in the authentication market segment of IAM. Keyless Authenticator supports B2E ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
