Multi-factor authentication has finally crossed from best practice to security baseline, and the numbers behind that shift are stark. Phishing-resistant MFA blocks more than 99% of identity-based attacks even when the attacker already has a valid username and password, according to the Microsoft Digital Defense Report 2025. Workforce MFA adoption reached 70% of users as of January 2025, per the Okta Secure Sign-in Trends Report 2025. And the threat that MFA exists to stop keeps growing: Microsoft blocked roughly 7,000 password attacks per second across Entra ID in the past year, and identity-based attacks surged 32% in the first half of 2025 alone. These are the MFA statistics IT, security, and compliance leaders should know in 2026.
Key MFA statistics at a glance
- 99%+ of identity-based attacks can be blocked by phishing-resistant MFA, even when the attacker possesses the correct username and password, per the Microsoft Digital Defense Report 2025.
- 7,000 password attacks per second were blocked by Microsoft Entra ID over the past year, with 97% of identity attacks taking the form of password spray, per Microsoft.
- 70% workforce MFA adoption rate as of January 2025, up steadily from 66% a year earlier across billions of Okta authentications, per the Okta Secure Sign-in Trends Report 2025.
- 22% of all 2025 breaches began with stolen credentials, the leading initial-access vector, per the Verizon 2025 Data Breach Investigations Report.
- 63% year-over-year growth in phishing-resistant authenticator adoption, rising from 8.6% of users to 14.0% in twelve months, per Okta.
- $4.67M average breach cost when stolen or compromised credentials were the initial access vector, per the IBM 2025 Cost of a Data Breach Report.
- 5 billion active passkeys are now in use worldwide, with 75% of consumers recognizing the technology, per the FIDO Alliance State of Passkeys 2026 report.
- 41% of users still trust insecure SMS-based authentication, despite its well-documented vulnerability to SIM swapping, per the Yubico 2025 Global State of Authentication Survey.
- 87% versus 42% MFA adoption gap between the technology sector and the transportation and warehousing sector, the widest industry spread on record, per Okta.

MFA effectiveness: what the numbers actually show
The 99% figure is the most-cited statistic in identity security, and it holds up under the latest data. Per the Microsoft Digital Defense Report 2025, phishing-resistant MFA stops more than 99% of identity-based attacks even when the attacker already holds valid credentials. Microsoft sees this at scale: the company processes more than 100 trillion security signals daily, blocks roughly 4.5 million new malware attempts, analyzes 38 million identity risk detections, and scans 5 billion emails for malware and phishing.
The volume of attacks MFA has to stop is staggering and growing. Microsoft Entra ID blocked an average of 7,000 password attacks per second over the past year, according to the same Microsoft report. Identity-based attacks rose 32% in the first half of 2025 compared with the same period in 2024. And 97% of all identity attacks were password spray, where an attacker tests common passwords against thousands of accounts in parallel. MFA breaks that math: even if the attacker guesses right, the second factor stops the login.
The economic case is just as clear. Per the IBM 2025 Cost of a Data Breach Report, breaches initiated through stolen or compromised credentials cost an average of $4.67 million, sit among the top initial-access vectors, and take a mean of 246 days to identify and contain. That is more than eight months of attacker dwell time inside the environment. Organizations that deploy MFA, particularly phishing-resistant MFA, on every privileged and external-facing account close the door on the entry vector that gives attackers the longest runway.
MFA adoption rates by industry, organization size, and region
Workforce MFA adoption hit 70% of users as of January 2025, according to the Okta Secure Sign-in Trends Report 2025, which analyzed billions of anonymized authentications across Okta Workforce Identity customers. That figure is up from 66% a year earlier and reflects a mostly steady annual climb since 2020. The other side of the same number is the gap: nearly a third of workforce users still authenticate without a second factor.
Industry adoption varies widely. Per Okta, the technology sector leads at 87% MFA adoption. Retail sits at 52%, though it also posted the largest single-year gain of any industry, rising 9 percentage points after Scattered Spider campaigns hit major retailers in early 2025. Transportation and warehousing lag at 42%, and healthcare and pharmaceuticals reached 74% (up from 70%). Most other industries cluster in the 60% to 80% band.
Organization size shows a counterintuitive pattern. Per the same Okta study, there is an inverse correlation between headcount and MFA adoption rate: smaller organizations tend to enroll a higher share of users than the largest enterprises. Adoption did climb meaningfully in mid-market and large enterprise tiers between 2024 and 2025 (from 74% to 77% in organizations with 1,250 to 3,999 employees, and from 67% to 71% in those with 4,000 to 19,999 employees), which suggests that centralized identity platforms are starting to close the gap.
Regionally, the Americas lead in absolute adoption while Asia-Pacific is growing fastest. Per Okta, APAC MFA adoption climbed 7 percentage points year over year (from 61% to 68%), driven by Hong Kong (62% to 81%), South Korea (63% to 80%), and Japan (53% to 62%). The Americas and EMEA each grew 2 percentage points over the same window.
Phishing-resistant MFA is finally catching on
The fastest-moving number in identity in 2026 is the share of users on phishing-resistant authenticators. Per Okta, adoption of phishing-resistant authenticators (WebAuthn, FastPass, and smart card combined) rose 63% in a single year, climbing from 8.6% of users to 14.0% by January 2025. Okta FastPass usage nearly doubled, going from 6.7% to 13.3%. Over the same window, low-assurance SMS slipped from 17.5% to 15.3% and overall password usage edged down from 95.1% to 93.0%. About 7% of Okta users went the entire month without using a password for any sign-in, which validates that enterprise-scale password elimination is possible today.
Passkeys are the consumer face of the same shift. Per the FIDO Alliance State of Passkeys 2026 report, there are now 5 billion active passkeys in use worldwide, 75% of consumers recognize the technology, and 49% use passkeys regularly when they are available. Enterprise deployment is moving in parallel: per FIDO, 68% of organizations surveyed have either deployed or are actively deploying passkeys for employee sign-ins, with the research drawn from 1,400 decision-makers at organizations with 500-plus employees.
Performance numbers explain why users are switching. Per the same FIDO research, passkeys deliver a 93% login success rate compared with 63% for traditional MFA, and they cut average login time from 31.2 seconds with traditional MFA to 8.5 seconds. The FIDO Passkey Index 2025 adds composite numbers from Amazon, Google, Microsoft, PayPal, Target, TikTok, and other large service providers showing that passkey sign-ins are faster, more reliable, and reduce help-desk volume for the deploying organization.
MFA bypass: push bombing, fatigue attacks, and token theft
Attackers have adapted. The Verizon 2025 Data Breach Investigations Report put credentials at the top of the initial-access ladder: 22% of all 2025 breaches began with stolen credentials, and credential abuse remained the dominant entry vector across phishing, web attacks, and ransomware combined. The DBIR explicitly notes that conventional MFA is failing as attackers deploy prompt bombing, token theft, adversary-in-the-middle phishing kits, and other techniques to slip past historically robust protections.
Push bombing is the most prevalent. The CISA and FBI joint advisory on Scattered Spider (updated July 29, 2025 with TTPs from FBI investigations through June 2025) describes how the threat group sent repeated MFA push notifications to victims until they pressed "Accept" out of fatigue, in confusion with a legitimate prompt, or simply to make the notifications stop. Scattered Spider has used the technique against telecommunications, financial, gaming, and major retail companies, and the same playbook now appears in dozens of unrelated intrusion sets.
CISA's guidance is unambiguous: FIDO/WebAuthn or PKI-based MFA are the only forms of authentication resistant to phishing, push bombing, and SIM swap attacks. As an interim step while organizations migrate, CISA recommends number matching, which forces the user to read a number from the login screen and type or tap it on the authenticator. Number matching changes the interaction from a reflexive tap into an intentional decision and largely defeats automated prompt bombing.
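To make the difference between a reflexive tap and an intentional decision concrete, here is an added illustration in Python (not code from Microsoft, Okta or CISA, and not a vendor API) of the server side of push approval with and without number matching. The class and function names (LegacyPushServer, NumberMatchingServer, PushChallenge) are hypothetical; the expiry and attempt limits are assumed values chosen for the example.

```python
# Added example: server-side model of push approval, legacy vs. number matching.
# All names are hypothetical; CHALLENGE_TTL_SECONDS and MAX_ATTEMPTS are assumed values.
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 60   # a push challenge that is not answered quickly expires
MAX_ATTEMPTS = 3             # cap wrong numbers so a blind guess has at most 3/100 odds


@dataclass
class PushChallenge:
    user: str
    number: str          # two-digit value rendered only on the login screen
    created_at: float
    attempts: int = 0
    consumed: bool = False


class LegacyPushServer:
    """Plain push approval: any 'Approve' tap on an open challenge completes the login.

    The user needs no knowledge of the login screen to approve, which is exactly
    the interaction that repeated prompts wear down."""

    def __init__(self):
        self._open = {}

    def start_login(self, user):
        challenge_id = secrets.token_urlsafe(16)
        self._open[challenge_id] = user
        return challenge_id

    def complete_login(self, challenge_id, approved):
        if challenge_id not in self._open:
            return False
        del self._open[challenge_id]
        return bool(approved)


class NumberMatchingServer:
    """Push approval with number matching, single use, expiry and an attempt cap."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested offline
        self._challenges = {}

    def start_login(self, user):
        """Called after the password step. Returns (challenge_id, display_number).

        The push sent to the authenticator carries only the challenge id; the
        number is shown on the login screen, so only the party looking at that
        screen can supply it."""
        challenge_id = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"
        self._challenges[challenge_id] = PushChallenge(user, number, self._now())
        return challenge_id, number

    def complete_login(self, challenge_id, entered_number):
        """Authenticator reports what the user typed. True only on an exact, timely match."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.consumed:
            return False                      # unknown or already used: no replay
        ch.attempts += 1
        if self._now() - ch.created_at > CHALLENGE_TTL_SECONDS or ch.attempts > MAX_ATTEMPTS:
            ch.consumed = True                # stale or exhausted: burn the challenge
            return False
        if not hmac.compare_digest(ch.number, str(entered_number).zfill(2)):
            return False                      # wrong number; the attempt is counted
        ch.consumed = True                    # single use
        return True


if __name__ == "__main__":
    server = NumberMatchingServer()
    cid, shown = server.start_login("alice")
    print(f"login screen shows {shown}; push sent with id {cid[:6]}...")
    print("approved with matching number:", server.complete_login(cid, shown))
    print("replay of same challenge:", server.complete_login(cid, shown))
```

The two servers differ in one line of logic: the legacy path accepts the approval itself as proof, while the number-matching path accepts only a value that never left the login screen. The attempt cap and expiry matter as much as the comparison, since without them a repeated push could simply cycle through all hundred values.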
Token theft is the other frontier. Per the Microsoft Digital Defense Report 2025, attackers increasingly bypass MFA entirely by stealing post-authentication session tokens through infostealer malware, illicit OAuth consent flows, or compromised device-code requests. Phishing-resistant authenticators bound to a device defeat the phishing step that leads to most token theft, but the broader fix is shorter session lifetimes, continuous re-evaluation of session risk, and conditional access policies that recheck device posture mid-session.
SMS, authenticator apps, and hardware keys: what users actually use
Authenticator preferences are still oddly out of step with the security data. Per the Yubico 2025 Global State of Authentication Survey of 18,000 employed adults across nine countries, 41% of respondents still trust SMS-based authentication despite its long-documented vulnerability to SIM swapping, and 26% still consider username-and-password alone the most secure option. The mismatch between user perception and security reality is one of the most stubborn problems in identity.
Hardware-based authentication is starting to win confidence where it matters. Per the same Yubico survey, confidence in hardware security keys and passkeys as the most secure option surged from 18% to 34% in the United States and from 17% to 37% in the United Kingdom between 2024 and 2025. Familiarity with passkeys is now self-reported at 35% in the US and 33% in the UK, though only 9% in France.
The SMS exit is real but slow. Per the Okta Secure Sign-in Trends Report 2025, SMS usage among workforce users dropped from 17.5% to 15.3% over twelve months, and the Verizon 2025 DBIR explicitly recommends against SMS one-time passwords as an MFA factor because of their susceptibility to SIM swapping and interception. Authenticator-app push and biometric platform authenticators are absorbing most of that volume, with FIDO2 hardware keys and passkeys taking the most security-sensitive share.
MFA in compliance frameworks: PCI DSS 4.0, NIS 2, and CMMC
Regulators have caught up with the threat model. PCI DSS v4.0.1, the payment-card security standard maintained by the PCI Security Standards Council, made MFA mandatory for all access into the cardholder data environment as of March 31, 2025. Requirement 8.4.2 extends the MFA mandate beyond administrators to all users with access to the CDE, across cloud workloads, hosted systems, workstations, servers, and endpoints. Implementing MFA for one type of access does not eliminate the need to apply MFA to others, and non-compliance penalties run from $5,000 to $100,000 per month.
The same direction of travel is visible across other frameworks. NIS 2 in the European Union now requires multi-factor or continuous authentication for essential and important entities under Article 21. The U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC 2.0) requires MFA for any account accessing controlled unclassified information at Levels 2 and 3, and CISA binding operational directives have moved federal civilian agencies toward phishing-resistant MFA. Combined, these regimes are forcing MFA from a "should" into a "must" for hundreds of thousands of organizations that touch payment data, EU operations, defense contracts, or federal systems.
Cyber insurance is the other compliance vector. Underwriters have moved MFA from a recommended control to a hard prerequisite for coverage. Industry reporting on Marsh McLennan and other major brokers shows that missing or partial MFA is now among the top reasons for first-submission cyber policy denials, with carriers requiring MFA on remote network access, privileged accounts, and email at minimum. For practical purposes, an organization without MFA on those surfaces is often uninsurable in 2026.
Emerging MFA trends in 2026
Phishing-resistant MFA is replacing basic MFA as the new baseline. Per the Microsoft Digital Defense Report 2025, basic MFA still stops the vast majority of password attacks but is no longer sufficient against modern adversary-in-the-middle kits. Major technology providers including Salesforce, GitHub, AWS, and Microsoft have committed to mandatory MFA for privileged users, with phishing-resistant factors expected to follow.
Passkeys are crossing into the enterprise mainstream. Per the FIDO Alliance State of Passkeys 2026 report, 68% of surveyed organizations have deployed or are actively deploying passkeys for workforce sign-in, with the strongest momentum in the United States and United Kingdom. The 8.5-second average login time is now a competitive differentiator, not just a security claim.
Adaptive and continuous MFA are pulling ahead of static factor combos. Per the Verizon 2025 DBIR, a growing share of breaches involve stolen session tokens or post-authentication abuse, which means a single MFA gate at login is no longer enough. Adaptive MFA that reassesses risk mid-session and conditional access policies tied to device posture are now the higher-assurance pattern.
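The token-theft paragraph earlier and this trend describe the same control: shorter session lifetimes plus mid-session re-evaluation of device posture and risk, so that a stolen post-authentication token has a short and narrow window. The following Python is an added illustration of such a policy, not an Okta, Microsoft or Verizon implementation; the names (SessionPolicy, Session, RequestContext, evaluate_session), the lifetime and recheck intervals, and the risk-score thresholds are all assumed values chosen for the example.

```python
# Added example: continuous session evaluation with device binding, an absolute
# lifetime cap, periodic rechecks and step-up. All names and thresholds are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # demand a fresh phishing-resistant factor, keep the session
    REVOKE = "revoke"     # terminate the session and force full re-authentication


@dataclass
class SessionPolicy:
    max_lifetime_s: int = 8 * 3600      # absolute cap, regardless of activity
    recheck_interval_s: int = 15 * 60   # how often posture and risk are re-evaluated
    require_compliant_device: bool = True
    step_up_risk: int = 40              # risk score at which weaker sessions must step up
    revoke_risk: int = 70               # risk score at which any session is revoked


@dataclass
class Session:
    token_id: str
    user: str
    issued_at: float
    device_id: str         # device the token was bound to at login
    last_checked_at: float
    auth_strength: str     # "password", "push" or "phishing_resistant"


@dataclass
class RequestContext:
    """What the identity provider knows about the request presenting the token.

    risk_score is a constructed 0-100 value standing in for the provider's own
    signals (new location, infostealer indicators, impossible travel, etc.)."""
    now: float
    device_id: str
    device_compliant: bool
    risk_score: int


def evaluate_session(session: Session, ctx: RequestContext,
                     policy: Optional[SessionPolicy] = None) -> Decision:
    policy = policy or SessionPolicy()

    # 1. Absolute lifetime: a long-lived token is the attacker's runway.
    if ctx.now - session.issued_at > policy.max_lifetime_s:
        return Decision.REVOKE

    # 2. Device binding: a token replayed from a different device is the
    #    infostealer pattern, so it is refused on every request, not just rechecks.
    if ctx.device_id != session.device_id:
        return Decision.REVOKE

    # 3. Between rechecks, a bound and unexpired token is accepted as-is.
    if ctx.now - session.last_checked_at < policy.recheck_interval_s:
        return Decision.ALLOW

    # 4. Scheduled recheck: posture first, then risk, then step-up for weak factors.
    if policy.require_compliant_device and not ctx.device_compliant:
        return Decision.REVOKE
    if ctx.risk_score >= policy.revoke_risk:
        return Decision.REVOKE
    if ctx.risk_score >= policy.step_up_risk and session.auth_strength != "phishing_resistant":
        return Decision.STEP_UP

    session.last_checked_at = ctx.now
    return Decision.ALLOW


if __name__ == "__main__":
    s = Session("tok-1", "alice", issued_at=0.0, device_id="laptop-A",
                last_checked_at=0.0, auth_strength="push")
    print(evaluate_session(s, RequestContext(1000.0, "laptop-A", True, 5)))
    print(evaluate_session(s, RequestContext(1100.0, "laptop-B", True, 5)))  # replayed elsewhere
```

The ordering is deliberate: lifetime and device binding are checked on every request because they cost nothing, while posture and risk are re-evaluated on a schedule. A session authenticated with a phishing-resistant factor is allowed to ride through moderate risk, whereas a push- or password-only session is asked to step up, which is the adaptive behaviour the paragraph above describes.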
Push bombing has prompted near-universal adoption of number matching. Per CISA, number matching is the interim recommended defense against MFA fatigue, and Microsoft, Okta, and most enterprise identity providers now enable it by default. Organizations still running unmatched push notifications are now an outlier.
The MFA adoption gap by company size and industry is closing slowly. Per Okta, the 45 percentage-point gap between the technology sector (87%) and transportation/warehousing (42%) remains the widest industry spread on record, but every lagging industry posted growth in 2025. Retail's 9-point jump after the Scattered Spider incidents shows how quickly an industry can move when a peer suffers a public breach.
Insurance, regulation, and procurement are now the primary drivers of MFA rollout. Per the PCI Security Standards Council and CISA, regulatory mandates including PCI DSS 4.0.1, NIS 2, CMMC, and binding operational directives have made MFA non-optional for entire industries. Combined with hardening cyber insurance requirements, MFA has moved from "should have" to "must have" for any organization touching regulated data or buying coverage.
For broader context on the trends above, see our password statistics and identity theft statistics roundups.
How swif.ai helps
swif.ai gives IT and security teams a single console to enforce device, identity, and compliance controls across the macOS, Windows, and Linux endpoints behind the numbers above. Explore swif.ai unified endpoint management to see how it works.