One year ago, Okta CEO Todd McKinnon and I were curious to understand the state of passwordless. How many percentages of users have truly moved away from passwords? Is multi-factor authentication (MFA) now the norm? And who's still sticking with password-based logins? 
 

To answer these questions, we initially thought about surveying the market, or crawling website login pages. But we soon realized that the most objective and valuable approach would be to share how Okta’s own customers are using MFA and passwordless solutions. And so, based on anonymized data from their billions of monthly authentications, we've compiled a transparent assessment of the state of authentication.
 

Our new Secure Sign-in Trends Report details many intriguing trends and takeaways. Some have confirmed what we already suspected, while others surprised us. Here are a few of the headlines:

Security and user experience aren’t mutually exclusive

We already knew that going passwordless can greatly improve an application's security by eliminating the threat from password attacks. But there’s a common misperception that better security must mean a more frustrating experience for end users, full of extra hurdles and time-consuming authentication steps.
 

In reality, our report finds that stronger security and better user experience can actually go hand in hand. In our authenticator performance assessment, phishing-resistant authenticators like Okta FastPass and FIDO2 WebAuthn come out on top as more secure and user-friendly than other options.

MFA adoption has nearly doubled since 2020 — and keeps growing

Around two-thirds of our workforce users have now implemented MFA, according to the report, up from 35% in February 2020. That reflects a fairly steady 5-6% annual growth rate in MFA adoption, with one notable exception: As the COVID-19 pandemic swept across the globe in early 2020, and local lockdowns forced a global shift to remote work, organizations suddenly needed new ways to protect their workers and keep their devices and data secure. MFA adoption surged, reaching 50% by the end of March — a jump of 15 percentage points in less than two months.    

Phishing-resistant authentication is on the rise

Finally, we wanted to understand the adoption of phishing-resistant authenticators, such as Okta FastPass and FIDO2 WebAuthn. Our report finds that it’s still early days for these authenticators, as less than 4% of Okta workforce users have utilized them. 
 

However, the tide is clearly turning. In fact, phishing-resistant options accounted for over half of the latest year-over-year growth in MFA adoption. These solutions are also still quite new, but the dramatic growth of both authenticators over the past 12 months bodes well for future adoption.

More trends and takeaways

Those are just some of the findings of our new report, but there are plenty more. For example, it includes a breakdown of organizations by industry, region, and size, exploring which kinds of companies are most likely to embrace secure sign-in methods. (Spoiler alert: smaller companies and those in tech are the most eager adopters of MFA, while large enterprises and those in heavily regulated industries lag behind.) The report also compares the speeds and failure rates of different authentication methods, reveals how far the passwordless revolution has progressed, and offers helpful tips for improving your authentication strategy. 
 

I hope you find this data-driven look at the state of authentication as revealing and informative as we have. I’m already excited for next year’s edition and look forward to learning which strategies and technologies gain favor with our workforce users in the year ahead.