New report reveals trends in secure sign-in

There’s a popular business adage that we’ve found to be pretty credible: “You are what you measure.” No matter how well you may think you understand your customers or your industry, you won’t know for sure until you dig into the data. 

At Okta, we’ve seen our users opt for ever more robust sign-in solutions over the past 14 years. But what’s the true state of this trend today? How many of our customers have embraced passwordless, phishing-resistant access to their apps and services, and how many are sticking with less secure approaches? Who’s leading the charge, and who’s lagging behind? 

These are just some of the questions we answer in our new Secure Sign-In Trends Report. Based on anonymized data from Okta customers’ billions of monthly authentications, we’ve put together an extensive and transparent look at the state of sign-in security today. It includes a data-driven analysis of overall trends and a deep dive into approaches based on considerations such as industry, region, and company size.

Key takeaways

The report paints a picture of a steady, if not uniform, shift towards more secure approaches to access and Identity. And while it reaffirms much of what we’ve learned about our customers over the years, it also includes a few noteworthy surprises. Here are some of my biggest takeaways.

1. Security and user experience aren’t mutually exclusive

It may be conventional wisdom that a more secure access experience must come at the user’s expense. If you’ve ever had to solve a captcha or answer extra security questions to verify your Identity, you’ve likely experienced this friction. However, our report finds that phishing-resistant authenticators offer a superior user experience. 

In our authenticator performance and usability assessment, Okta FastPass and FIDO2 WebAuthn came out on top as more secure and user friendly than other options. And these high-assurance solutions can be faster too; when people log in to applications using Okta FastPass, they can shave off a third of the time, on average, that it would take with a password.

2. MFA adoption soared to support secure remote work — and keeps growing 

MFA adoption continues to grow 6% annually among our workforce users, with one notable exception. In early 2020, as the COVID-19 pandemic triggered lockdowns worldwide, organizations had to quickly adapt to support remote productivity. They needed to empower their workers to do their jobs from anywhere while at the same time keeping employee devices and data secure. 

As a result, MFA adoption soared from 35% at the beginning of February 2020 to 50% by the end of the following month. And it kept climbing. By January 2023, MFA adoption had reached 64% globally.    

Note: Figure does not include data from Okta Customer Identity Cloud (formerly Auth0), Okta Customer Identity Solution data (customer-facing uses of the Okta platform) 

3. Tech companies lead the way in MFA adoption

MFA adoption has been pretty consistent globally, with rates currently hovering between 62-65% across regions. But digging into the numbers, there are some clear variations across industries. As is often the case, the technology sector plays the role of early adopter and continues to record the highest MFA adoption rate (87%) among Okta workforce customers. Meanwhile, companies in highly regulated industries, including government, healthcare, financial services, and energy, lag behind. 

Many organizations within more regulated industries rely on legacy applications that only support basic authentication, such as usernames and passwords, rather than more modern MFA methods. Additionally, the need to meet emerging compliance and regulatory requirements in these industries can often slow adoption.

4. Smaller organizations outpace large ones for MFA adoption 

When we view MFA adoption by organization size, we see a rough inverse correlation between the number of employees and the rate of MFA adoption: The larger the organization, the lower the rate of adoption. 

Several factors may contribute to this adoption delta: For one, large enterprises may be slow to adopt modern Identity frameworks due to the complexity of replacing legacy infrastructure. They’re also more likely to use multiple Identity providers and may use MFA solutions other than Okta (our report only focuses on MFA usage on the Okta platform). 

5. It’s still early days for passwordless

Anyone who has forgotten their password or had it leaked in a data breach knows firsthand the perils of the traditional login box. At Okta, we strongly believe that passwordless authentication offers usability and security advantages. And many of our customers seem to agree, as they increasingly embrace passwordless solutions. 

However, as our report reveals, the lowly password remains hard to eradicate. In fact, close to 100% of Okta workforce users still resort to passwords for at least part of their access ecosystems. The password persists for a wide range of reasons: Companies might rely on legacy applications that only support basic authentication, and concerns over cost and change management can also slow the adoption of more secure solutions. But one thing remains clear: Organizations that move beyond the password stand to reap the benefits of more secure and user-friendly authentication. 

6. Phishing-resistant authenticators are on the rise

While passwords might be hard to shake, we also see promising growth for high-assurance authenticators, such as Okta FastPass and FIDO2 WebAuthn. While less than 4% of Okta workforce users have utilized these phishing-resistant authenticators, the tide is turning. In fact, phishing-resistant options accounted for over half of the year-over-year growth in MFA adoption. 

It’s also worth noting that Okta FastPass is in a new category of authenticators, and its phishing-resistant properties are newer still (announced in late 2022). The FIDO2 WebAuthn standard is also relatively new, and supporting browser and OS coverage have only recently improved. The dramatic growth of both authenticators over the past 12 months bodes well for future adoption.

Take action to secure your sign-in process

Securing your organization’s most valuable resources and information should be a top priority for any business leader. Here are five steps you can take today to improve your authentication strategy now and for the future. 

To discover more trends in secure sign-in, read the full report.