
Phishing-resistant authentication is taking off


In this article:

  • Okta's 2025 Secure Sign-In Trends Report shows a slow decline in password use and gradual MFA growth, with 93% of workforce users using passwords in January 2025 (down from 95% a year earlier) and MFA adoption overall rising modestly.
  • Phishing-resistant authentication showed rapid growth, led by Okta FastPass, usage of which nearly doubled, driving phishing-resistant adoption from single digits to the mid-teens and suggesting a path to majority use within a few years.
  • Weaker factors faded, stronger options gained ground: SMS/security questions/voice codes edged down, push and soft tokens ticked up slightly, and mandated MFA for Okta administrators reached full adoption.


Organizations and their employees are slowly increasing their adoption of multi-factor authentication (MFA) and using passwords a bit less often, the 2025 Okta Secure Sign-In Trends Report shows.

At the same time, companies are rapidly accelerating their use of phishing-resistant authentication, especially of Okta's own FastPass solution, for which the usage rate nearly doubled.

"Organizations are maintaining the steady adoption of traditional defenses while rapidly shifting toward advanced security standards," notes report author Fei Liu, a Senior Emerging Technology Researcher at Okta.

The survey of anonymized data from Okta Workforce Identity users worldwide revealed two seemingly contradictory trends: Users are abandoning passwords and adopting MFA in general at a snail's pace, while at the same time eagerly trying out advanced methods like FastPass, passkeys and hardware security keys.

Half phishing-resistant by 2028?

The double tracks make sense. Organizations and users are being cautious, hedging their bets by only slowly moving away from the tried-and-true while at the same time giving a chance to promising new methods of authentication.

For example, 93% of all Okta Workforce Identity users in January 2025 still used passwords, some along with other methods, a small dip from the 95% who did a year earlier. The implication is that about 7% did not use passwords at all, a big jump proportionally from the 5% who didn't in January 2024.

This means that "enterprise-scale password elimination is achievable today," Liu says. "While the number may seem small, it demonstrates exciting potential: Passwordless for enterprises is possible now."

Meanwhile, adoption of Okta FastPass nearly doubled, from 6.7% to 13.3% of users, continuing its exponential growth. (It grew from 2% to 6.7% between January 2023 and January 2024.) Usage of all forms of phishing-resistant authentication also showed rapid growth over the year, from 8.6% to 14%.

Other forms of phishing-resistant authentication didn't increase much among Okta clients. WebAuthn (including passkeys and USB keys) went from 3% to 3.2%, and smartcards went from 0% to 0.1%.

Some caveats: Passkeys are meant for consumers, while FastPass is designed for the workplace. And because FastPass uses employee-held smartphones as a method of authentication, organizations don't need to buy USB hardware keys in bulk or implement a physical smart-card-reader system.

The bigger implication is that if this exponential growth of phishing-resistant authentication continues, the adoption rate among users of Okta Workforce Identity could pass 50% by January 2028. And that would really boost the identity-security posture of Okta users across the board.

"This growth indicates that companies are actively replacing vulnerable, traditional security methods, such as SMS and passwords, with higher assurance authenticators," says Liu. "The adoption of phishing-resistant authenticators coincides with a decline in reliance on weaker factors."

Other forms of authentication don't show much change

The roughly 5% year-over-year growth of MFA adoption, a trend that began in 2021, was mostly due in the past year to the rapid uptake of Okta FastPass, as everything else barely moved the needle.

As with password usage, use of texted SMS passcodes among Okta Workforce Identity clients dropped only two percentage points, from 17% to 15%. (The usage rate of texted MFA codes seems to be higher in the consumer sector.) Security questions ("What was your mother's maiden name?") dropped from 4% to 3%, and phoned passcodes dropped by a similar proportion, from 1% to 0.7%.

Slightly more secure forms of authentication ticked up by a couple of percentage points: Push notifications rose to 31% adoption from 29%, and "soft" tokens (e.g., authenticator apps) went to 16% from 14% last year.

While we'd like to see password, SMS, email and voice-call usage drop more sharply, at least things are going in the right direction. MFA has finally become commonplace, even if some 30% of Okta Workforce Identity users still don't employ it.

"Our findings confirm that the industry has passed the point of treating MFA as an optional enhancement," says Liu. "It is critical for businesses to stay secure. Given the success rate of social engineering and phishing campaigns, the accelerated adoption of phishing-resistant authentication methods is a necessary market response."

That roughly 70% MFA adoption rate seems to be evening out worldwide, as the Asia-Pacific region went from a 61% rate to a 68% one. Statistically, that's nearly identical to the European and Middle East region (69%, 68% last year) and the Americas (71%, 67% last year).

"This regional growth likely reflects a stronger regulatory focus and rising security awareness across the APAC region, where governments and enterprises are accelerating digital transformation initiatives that emphasize identity protection and modern authentication," notes Liu.

In terms of industry sectors, retail saw MFA adoption jump from 43% to 52%, transportation and warehousing from 38% to 42%, and government from 55% to 69%, a whopping 14-point increase. The tech sector continued to lead with an MFA adoption rate of 87%, a statistically insignificant change from 88% last year. Overall, most sectors had adoption rates between 60% and 80%.

Strangely, smaller firms still seem to have higher MFA adoption rates. Firms with fewer than 100 employees had an 86% rate, while enterprises with more than 20,000 employees had a 64% rate (up from 59% last year). It could be that bigger firms are having other programs handle their MFA, as was hinted at in last year's report.

The 70% MFA adoption rate also shows that initial user resistance to more secure authentication can be overcome with persistence and, as Okta notes, with a little force.

"Policy can be a powerful driver of change," Liu points out. "Okta's mandatory MFA policy for administrator console access in 2024 resulted in 100% adoption among customer admins by August 2025."

That bodes well for phishing-resistant authentication. The biggest hurdle right now is convincing users that it's easy to use.

Okta's own survey of 81 third-party IT and security practitioners, combined with the enrollment time, failure rate and challenge rate of various authentication methods, shows that FastPass and WebAuthn-based methods are about as difficult as texted one-time codes while being much safer. The phishing-resistant factors are also faster to authenticate than passwords, which have a security score of zero on Okta's chart.

"As the matrix demonstrates, phishing-resistant methods WebAuthn and FastPass deliver a superior user experience and have the highest security scores," says Liu. "Lower assurance authenticators, such as password, email, security question, and soft token, score poorly for both security and usability."

How to raise your authentication game

Okta offers five tips on how to use authentication factors to make your organization more phishing-resistant.

1. Prioritize phishing resistance by requiring phishing-resistant MFA for access to any sensitive data, while phasing out weaker forms of MFA, like texted or emailed codes, altogether.

2. Elevate MFA as a risk metric by convincing company leadership that it's essential to maintaining a strong security posture and, by implication, will pay off in clear audits and greater regulatory compliance.

3. Adopt zero trust by implementing the principle of least privilege, and implementing dynamic MFA challenges that take into account user behavior and device posture.

4. Secure the full user lifecycle by starting new users on phishing-resistant MFA as they enroll and require phishing-resistant MFA for all account-recovery attempts.

5. Plan for password minimization: Eventually, your organization will be phasing out its reliance on passwords altogether. Map out how you'd like that to happen.
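The five tips above can be expressed as a single access-policy decision. The following is an added example written for this article, not Okta's code or its policy engine; the factor labels, the three strength levels and the device-posture signals are assumptions chosen to mirror the report's groupings (phishing-resistant, other MFA, phased-out factors).

```python
from dataclasses import dataclass

# Authenticator groups as the report ranks them (labels constructed for this example).
PHISHING_RESISTANT = {"fastpass", "webauthn", "smartcard"}
PHISHABLE_MFA = {"push", "soft_token"}
PHASED_OUT = {"sms", "email", "voice", "security_question"}   # tip 1: never count


def strength(factors: set) -> int:
    """2 = phishing-resistant, 1 = other MFA, 0 = password only or phased-out factors."""
    if factors & PHISHING_RESISTANT:
        return 2
    if factors & PHISHABLE_MFA:
        return 1
    return 0   # anything in PHASED_OUT, or a bare password, earns no credit


@dataclass
class Request:
    verified: set                   # factors already satisfied in this session
    enrolled: set                   # factors the user could be challenged with
    sensitive: bool = False         # resource holds sensitive data (tip 1)
    recovery: bool = False          # account-recovery flow (tip 4)
    managed_device: bool = False    # device-posture signals (tip 3)
    device_compliant: bool = False
    new_location: bool = False      # behavioural signal (tip 3)


def required_strength(req: Request) -> int:
    """Dynamic requirement: sensitive data, recovery, or a risky context need level 2."""
    if req.sensitive or req.recovery:
        return 2
    risky = req.new_location or not (req.managed_device and req.device_compliant)
    return 2 if risky else 1


def evaluate(req: Request) -> tuple:
    """Return (decision, detail): 'allow', 'step_up' plus the factor to challenge, or 'deny'."""
    need = required_strength(req)
    if strength(req.verified) >= need:
        return "allow", "level %d satisfied" % need
    # Only challenge with a factor that would actually meet the requirement.
    pool = PHISHING_RESISTANT if need == 2 else PHISHING_RESISTANT | PHISHABLE_MFA
    candidates = sorted(req.enrolled & pool)
    if candidates:
        return "step_up", candidates[0]
    return "deny", "no enrolled factor meets level %d; enroll a phishing-resistant one" % need
```

A user who has only a password and SMS enrolled is denied access to sensitive data rather than offered an SMS challenge, which is the practical effect of phasing a factor out rather than merely discouraging it.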

"The old argument that robust security must come at the expense of user productivity is not supported by the data," writes Liu.

All graphs courtesy of Okta.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
