Small organizations outpace large enterprises in MFA adoption

The use of MFA has nearly doubled since 2020 and that phishing-resistant authenticators represent the best choice in terms of security and convenience for users, according to Okta.

MFA authentication gains traction

MFA authentication has steadily gained traction across organizations and industries, largely due to its critical role in mitigating cybersecurity risks. External forces, such as the COVID-19 pandemic and highly publicized cyberattacks, also helped to drive adoption.

90% of administrators and 64% of users signed in using MFA during January 2023.

The technology industry is best placed to move to a passwordless future, with 87% of account logins already using MFA. Insurance (77%), professional services (75%), construction (74%), and media & communications (72%) round out the top five industry adopters. Surprisingly, highly regulated industries tend to lag behind.

Organizations with fewer than 300 employees (79%) exceed the MFA use of enterprises with more than 20,000 employees (54%).

Overcoming hurdles in MFA adoption

MFA adds an extra layer of security on top of credentials like passwords, which are highly susceptible to abuse. More than 80% of business web application attacks and nearly half of all business email compromise attacks result from stolen username and passwords. MFA provides greater certainty that a user is who they claim to be before granting access to an application or online account.

MFA verifies identities by asking users to provide different types of information or factors to gain access to an account or application. However, an increase in sophisticated MFA bypass attacks is prompting organizations to evaluate the need for phishing-resistant authentication flows.

While it’s frequently assumed that technology decision-makers must “trade off” security for user experience, research finds that on average, signing in with passwordless, phishing-resistant authenticators saves time and is less prone to failure when compared to using passwords.

While MFA adoption is gaining ground, there are still hurdles that must be overcome. To help CIOs, CSOs, and policymakers make informed decisions on which authenticators to adopt, it helps to understand the benefits and drawbacks of each.

5 tips to improve your authentication strategy

While transitioning to a more robust authentication strategy may seem daunting, organizations can take relatively simple steps to get started:

• Require MFA in sign-on policies and enforce phishing-resistance for administrative access to sensitive applications and data.
• Make MFA adoption a C-suite and board-level priority. Given its effectiveness for securing an organization’s most valuable 5 resources and information, the MFA adoption rate should be visible at the highest levels of the organization.
• Take a zero-trust approach to access, in which access is granted according to Identity properties on a per-session and least-privilege basis, and is determined according to the assurance requirements of the requested application or data.
• Create dynamic access policies that evaluate user attributes, device context (whether the device is known, managed, or exhibiting a strong posture), network attributes (whether the network is trusted), and whether the request is consistent with previous user behaviors.
• Develop a longer-term plan to minimize or eliminate the use of passwords.