Haider Iqbal | Director of Product Marketing
More About This Author >
Haider Iqbal | Director of Product Marketing
More About This Author >
The 2026 KuppingerCole Leadership Compass - Passwordless Authentication B2C and Passwordless Authentication for Enterprise - validate a reality many organizations are already confronting: implementing passwordless authentication at scale requires more than introducing passkeys in isolation. It demands architectural flexibility, strong cryptographic foundations, and the ability to support diverse users, devices, and regulatory environments - consistently and securely.
Across both enterprise and consumer markets, KuppingerCole’s latest assessments independently confirm the importance of a portfolio‑level approach to passwordless authentication.
In its 2026 Leadership Compass, KuppingerCole names Thales a Leader across both enterprise and consumer passwordless authentication for the third consecutive year, a recognition that reflects not only product strength, but Thales’s ability to operationalize passwordless authentication across real‑world identity ecosystems.
Explore KuppingerCole’s 2026 Passwordless Authentication Leadership Compass Reports
See why Thales was named a Leader in both the Enterprise and B2C Passwordless Authentication Leadership Compass reports, and learn how a portfolio-based approach can help organizations scale passwordless authentication across workforce, partner, and customer identity journeys.
Passwordless 360°: The Framework Behind the Recognitionline here
Central to the Thales recognition is Passwordless 360°, a structured, holistic approach to implementing passwordless authentication at scale.
While many organizations have introduced passwordless methods, these deployments are often fragmented and built around isolated use cases or specific authenticators. This limits their ability to scale and deliver a consistent user experience and security outcomes.
Passwordless 360° is designed to address this challenge by aligning identity, risk, and authentication strategies into a unified model. It encompasses:
- Defining the user ecosystem — workforce, partner, and customer access journeys
- Mapping risk-based authentication types to each user population
- Conducting gap analysis against the current authentication posture
- Building the path to achieve transformational results on UX, security, and cost efficiencies
The framework is designed to help organizations leverage modern FIDO passkeys while preserving existing investments in legacy authentication infrastructure, a practical consideration for enterprises managing complex, hybrid identity environments.
The Importance of a Broad Authenticator Portfolio
Across both enterprise and consumer passwordless markets, the 2026 KuppingerCole Leadership Compass reports highlight Thales's ability to design and manufacture its own authenticators as a key differentiator.
Support for FIDO2, passkeys, and modern authentication standards is now expected across vendors. Thales, however, produces its own FIDO2 hardware security keys, PKI-based smart cards and tokens enabling tighter control over allowed token types in regulated environments.
Enterprise: Control as a Requirement, not a Preference
In the Passwordless Authentication for Enterprise report, KuppingerCole identifies Thales’s hardware authenticator manufacturing capability as a key differentiator, particularly in regulated and security-sensitive environments.
Organizations must be able to define and enforce which authenticators are allowed, how credentials are bound to devices, and how assurance levels are maintained across different user populations. Thales’ vertically integrated approach enables this level of control directly, rather than relying on external authenticator ecosystems.
As phishing-resistant authentication has become a baseline expectation, this control is critical for security, compliance, and operational consistency.
B2C: Extending the Same Assurance to Consumer Identity
The same benefits apply to Thales’s consumer identity offering.
In the Passwordless Authentication for B2C Leadership Compass, KuppingerCole highlights deep integration between Thales OneWelcome Identity Platform and Thales secure hardware and cryptographic technologies, including FIDO authenticators, as a key strength, extending hardware-backed assurance into consumer-facing deployments.
This integration means Thales applies the same hardware-backed assurance model used in enterprise environments to consumer-facing applications. In practice, this means organizations can deliver consistent authentication across both workforce and customer experiences – even in large-scale, unmanaged environments.
Flexible Deployment Options to Fit Enterprise Needs
KuppingerCole’s Passwordless Authentication for Enterprise Leadership Compass positions deployment flexibility as a first-order evaluation criterion.
While many organizations position passwordless as cloud-first, the enterprise reality is more complex. Large organizations operate across cloud, on-premises, and legacy systems, constrained by data residency, regulatory obligations, and business continuity requirements. In sectors such as banking & financial services, healthcare, government, defence, and critical infrastructure, authentication cannot always depend on cloud connectivity.
Deployment flexibility, therefore, becomes a prerequisite for scale. Passwordless authentication must function consistently across environments and remain operational during network or cloud disruptions.
KuppingerCole highlights Thales’s support for cloud, on-premises, and hybrid architectures, alongside an access continuum model that preserves on-premises authentication during outages – directly addressing enterprise requirements for resilience and sovereignty.
What Multi-Brand / Multi-Tenant Support Brings to Consumer Authentication
Consumer identity at scale is structurally different from enterprise IAM. Organizations across sectors such as banking, retail, and telecommunications must manage tens of millions of identities across multiple brands, geographies, and regulations simultaneously.
In these contexts, multi-brand and multi-tenant architecture is essential for managing passwordless authentication consistently and at scale. Without it, identity systems fragment. Separate stacks per brand or region introduce duplication, inconsistent user experiences, and increased operational risk. They also make it harder to enforce consistent security and compliance controls across markets.
The 2026 KuppingerCole Passwordless Authentication for B2C Leadership Compass recognizes Thales’s support for multi-brand and multi-tenant deployments alongside scalable identity workflows – including self-registration, consent management, and social login – designed to operate at high volume and availability.
The regulatory dimension is particularly significant. Organizations operating across the EU must comply with regulations such as GDPR and eIDAS, often across multiple jurisdictions.
A multi-tenant architecture directly addresses these requirements. It enables centralized enforcement of consent, identity assurance, and data handling policies, while allowing each brand or market to accommodate local regulatory variation without standing up separate infrastructure. Security controls remain consistent across the entire estate, and compliance reporting becomes auditable at the organizational level rather than brand by brand.
Leading Across Enterprise and Consumer Markets
Recognition in both Leadership Compass reports reflects what Thales delivers in practice - an identity portfolio capable of securing workforce, partner, and consumer authentication at scale, across deployment models and authenticator form factors.
Download the 2026 KuppingerCole Leadership Compass - Passwordless Authentication B2C or the 2026 KuppingerCole Leadership Compass: Passwordless Authentication for Enterprises today.
See the Full Passwordless Authentication Evaluation
Download the 2026 KuppingerCole Leadership Compass reports to compare passwordless authentication capabilities across enterprise and consumer identity, including deployment flexibility, authenticator support, and scalability.