Growth in Phishing-Resistant MFA Adoption Noted in 2023
/ 5 min read
Quick take - In 2023, the adoption of phishing-resistant multi-factor authentication (MFA) methods increased significantly, particularly for technologies like WebAuthn hardware keys and Okta’s FastPass, yet overall MFA usage remained relatively low and plateaued at around 65%, despite government initiatives to promote wider implementation.
Fast Facts
- Adoption of phishing-resistant multi-factor authentication (MFA) methods, such as WebAuthn hardware keys and Okta’s FastPass, has nearly doubled in 2023, yet overall MFA usage remains low at around 65%.
- Despite government mandates to increase MFA implementation, adoption rates have plateaued, with significant differences across industries; the technology sector leads at 88%, while warehousing and transportation lag at 38%.
- Smaller organizations (under 300 employees) show higher MFA adoption rates (82%) compared to larger enterprises (59%), which face challenges due to legacy systems and multiple identity providers.
- As of early 2024, only 5% of Okta Workforce Identity Cloud users have eliminated passwords entirely, with a notable preference for push notifications over SMS for second authentication factors.
- Okta recommends requiring MFA for all users and transitioning to phishing-resistant solutions to enhance security and user experience, as these methods are faster and more user-friendly than traditional password systems.
Growth of Phishing-Resistant MFA in 2023
The adoption of phishing-resistant multi-factor authentication (MFA) methods has seen significant growth in 2023. Rates have nearly doubled for technologies such as WebAuthn hardware keys, device-based passkeys, and Okta’s FastPass. Despite this increase, the overall usage rate of phishing-resistant MFA remains relatively low, with the general adoption of all MFA types plateauing at approximately 65%. This plateau persists even in light of recent government mandates aimed at increasing MFA implementation.
Influences on MFA Adoption
Okta’s CEO, Todd McKinnon, highlighted that the next wave of MFA adoption may be influenced more by user experience and security assurance than by security concerns alone. MFA adoption among organizations utilizing Okta Workforce Identity Cloud surged from around 35% in early 2020, peaking at 50% during the COVID-19 pandemic and reaching about 65% by 2022. However, MFA adoption rates have remained flat throughout 2023, despite ongoing governmental pushes for wider MFA use. By the end of the year, a substantial 91% of Okta administrators reported using MFA.
Adoption rates for MFA differ significantly by industry. The technology sector leads with an adoption rate of 88%, while the warehousing and transportation sector lags at only 38%. In the government sector, MFA adoption increased from 48% to 55% in 2023. A correlation was observed between organization size and MFA adoption rates, with smaller organizations (fewer than 300 employees) exhibiting higher adoption rates at 82%, compared to larger enterprises (over 20,000 employees) at 59%. Large enterprises often face challenges in adopting modern identity frameworks due to legacy infrastructure complexities and reliance on multiple identity providers.
Regional and User-Level MFA Adoption
Regional MFA adoption rates as of early 2024 indicate that Europe, the Middle East, and Africa have a rate of 68%, followed closely by North and South America at 67%, and Asia and the Pacific at 61%. Okta’s research specifically measures user-level MFA use, assessing the percentage of users signing in with MFA over a designated time frame. The survey only accounts for MFA events within the Okta Workforce Identity Cloud, and some clients may utilize MFA from other identity providers. Notably, 95% of users within the Okta Workforce Identity Cloud still incorporate passwords in their MFA schemes.
Among the second authentication factors, push notifications are preferred over SMS-texted temporary codes, with 29% versus 17%. “Soft token” code-generating applications are used by 14% of users. Phishing-resistant MFA methods are increasingly recognized for their effectiveness against social engineering attacks. Okta categorizes these methods into three types: smart cards, WebAuthn/FIDO2-compliant protocols, and Okta FastPass. Smart cards, while secure, require both a card reader and a unique card, making them costly to implement. WebAuthn/FIDO2-compliant protocols, encompassing hardware keys and device-bound passkeys, are noted for their user-friendliness and security. Okta FastPass leverages biometric verification and risk-based authentication, offering administrators greater control than passkeys.
As of January 2024, only 5% of Okta Workforce Identity Cloud users had eliminated passwords entirely, marking a small but significant step toward passwordless access. The usage of Okta FastPass has increased from 2% in 2023 to 6% in 2024, while WebAuthn authenticator usage rose from 2% to 3%. FIDO2 WebAuthn adoption among users with administrative permissions grew from 8% to 9%, and Okta FastPass usage among administrative users increased from 5% to 13%.
Okta aims to phase out passwords by enabling users to set up accounts without them through alternative authentication methods. However, enterprise IT managers may hesitate to implement passwordless solutions due to concerns regarding costs and control. Okta’s analysis underscores that phishing-resistant MFA methods are faster and more user-friendly compared to traditional password systems. FastPass and WebAuthn are identified as the most secure and user-friendly options in the company’s usability assessment.
To enhance MFA adoption, organizations are recommended to require MFA for all users, prioritize MFA deployment, implement advanced identity access management mechanisms, and transition to phishing-resistant MFA solutions.
Original Source: Read the Full Article Here
