...we recommended that, for each use case, an enterprise must consider at least the required minimum authentication strength (commensurate with the level of risk), ease of use and the maximum justifiable total cost of ownership (TCO).
I agree that authentication strength should be matched against risk, but that's not the only factor that should be considered. We are talking to more and more customers who are willing to enhance their authentication strength because costs for some two-factor solutions are declining. The typical conclusion I see a customer reaching is that, for less than what they paid to protect higher-risk transactions, they can now protect all access to their network. So rather than simply replace the solution protecting the higher-risk transactions with a cheaper, but as effective, solution, companies are considering increasing the footprint of their strong authentication deployment to cover more users, even if they are doing less risky things. So for the same or even less money, they are increasing their overall security posture.
So while I agree with Gartner that risk plays into the authentication mechanism a company might use, I would also recommend that a company look at overall cost. Why protect only high-risk transactions if you can extend strong authentication to all users in your company?