Multi-Factor Authentication (MFA) has been a central element in the security strategies of many organizations, yet a recent survey indicates that a significant number of Chief Information Security Officers (CISOs) are questioning its effectiveness. According to findings from Portnox, 85% of CISOs voiced concerns that MFA is struggling to keep pace with increasingly sophisticated cyber attacks.
MFA requires users to present two or more verification factors to access resources like applications or online accounts, theoretically enhancing security beyond just a username and password. These factors can take various forms, such as passwords, biometric data, or security tokens. While organizations have adopted MFA to bolster their identity and access management protocols, recent data suggests a shift in thinking.
The survey, which included 200 CISOs from companies with revenues over $500 million and was conducted by Wakefield Research, highlights a growing trend towards passwordless authentication. An impressive 92% of CISOs reported that their organizations have implemented, are in the process of implementing, or plan to implement such systems. This marks a notable increase from 70% in 2024, indicating a move from viewing passwordless solutions as optional to recognizing them as standard.
The implementation of passwordless systems has doubled within a year, rising from 7% to 14%, while the number of CISOs planning to implement this technology surged from 38% to 52%. This momentum reflects a broader distrust of MFA, with nearly all participants expressing doubts about its capability to counter evolving threats. A staggering 96% believe MFA cannot keep pace with new cyber challenges, with 98% concerned that it does not adequately protect employees. This skepticism is supported by the fact that 58% of CISOs believe that high-profile security breaches are likely due to compromised passwords or authentication methods.
Interestingly, the transition to passwordless authentication is also being influenced by employee feedback. CISOs noted that improved productivity (41%) and enhanced user experience (39%) are among the top benefits of this shift. The move away from passwords is welcomed by staff, as 50% of CISOs reported receiving complaints that existing security measures hinder work efficiency.
Denny LeCompte, CEO of Portnox, commented, “MFA, while better than nothing, is a threat mitigation tool. By removing passwords entirely, passwordless authentication reduces the attack surface for cybercriminals and eliminates the risks associated with phishing, credential stuffing, and brute-force attacks. In addition, passwordless provides a better user experience and aligns the most secure path with the path of least resistance for users.”
With 40% of CISOs already having started or completed their passwordless implementation and a completion rate that has seen substantial growth from 2024 to 2025, the trend towards a passwordless future is clear. The survey also suggests that MFA may not be the long-term solution organizations had hoped for.
