Secret Double Octopus (SDO), in partnership with Dimensional Research, has released a global annual study focusing on the state of workforce passwordless authentication and multi-factor authentication (MFA) usage generally.
To gather these insights, over 300 IT professionals with responsibility for workforce identities and their security at organizations with more than 1,000 employees were surveyed.
Of note, only 16% of organizations use MFA across all password logins, suggesting MFA has not reached the end-to-end universality required to completely seal off the surface area of attack.
We spoke with Horacio Zambrano of Secret Double Octopus to discuss the company's latest report findings and what they mean for organizations looking to fortify their identity and access management with MFA.
Why was this research conducted? What are the challenges organizations are facing that you were looking to gain more insight into?
The research was conducted as part of Secret Double Octopus’ annual survey of where the state of passwordless MFA adoption is today, and use of traditional MFA that represents an alternative. This year’s study focused on clarifying the confusion with the term passwordless authentication, which often includes features of adjacent solutions like single sign-on (SSO) that mimic a passwordless experience but do not achieve the full security promise of true passwordless.
Organizations are having to redefine their authentication strategy in light of the shift to greater remote work and hybrid workforces, which expand the surface area of attack.
There is a fair amount of confusion over how to leverage legacy IAM investments with newer passwordless authentication offerings.
Most organizations do not use MFA consistently and uniformly, creating openings for hackers to still penetrate into their organizations.
What was most surprising about this report's findings?
The most surprising finding from this year’s report was that a high number of respondents (49%) report already using “next generation passwordless MFA” solutions as we defined it in the study. This shows high acceptance of these types of solutions, in addition to the high optimism that they will become the standard for authentication in the next 5 years.
What should organizations be doing to make sure they're on the right track when it comes to password security and identity management?
Organizations should audit their use of MFA technologies and understand holes in their architecture and environment.
Select passwordless vendors that can deal with the heterogeneous and broad use case requirements of their environment, versus becoming pigeon-holed by one provider’s offering.
Distinguish between convenience “passwordless like” solutions that still retain a password the user needs to remember, and those that do not.