The future of MFA: Closing the gap between policy and implementation

Most successful data breaches still start with stolen credentials or phishing attacks, making multi-factor authentication (MFA) a front line defense against cyber attacks. Critical to any organization’s identity and access management (IAM) strategy, MFA makes it harder for attackers to use stolen credentials to access corporate networks.

Despite the extra security MFA provides, Microsoft estimates that 99.9% of compromised accounts don't have MFA, leaving them vulnerable to attacks.

Let's look at the current status of MFA, and what the future of MFA will bring.

Despite its importance as a key defense against identity attacks, MFA adoption across all users remains slow. Budgets are tight, IT teams are pulled in different directions, and buy-in from the C-suite and end-users is hard to get.

With AI enabling more and smarter CVE attacks, security teams are facing pressure to remediate an overwhelming number of vulnerabilities. This, along with tighter regulation, is driving more organizations to implement MFA.

MFA as a technology is also constantly adapting. While not new, adaptive authentication, context-aware controls, and passwordless authentication (particularly passkeys) are quickly going mainstream.

The danger for Active Directory environments is that implementing MFA in a hybrid environment is not simple. Teams often have to choose between one MFA tool for their cloud-based identities, and another for on-prem networks. Operating in silos means fragmented visibility, time lost to management overhead, and a real challenge to meet the speed and scale of today's threats.

As MFA adoption picks up steam, the global MFA market is poised for explosive growth. In 2025, the global MFA market size was estimated at $21.46 Billion, and is expected to reach 69.79 Billion by 2034.

Although pervasive myths around MFA implementation still hold back many organizations, more flexible modern MFA is changing perceptions. A few common objections include:

• Some organizations may consider MFA too complicated to deploy

• Some might not want strong authentication to change their current processes

• Others might consider MFA too expensive

While some of these concerns are understandable, some are simply based on an outdated understanding of MFA. Modern MFA is, across the board, much easier to use and implement. Organizations also now have more options to choose from, increasing their ability to handpick a tool that fits their unique environment and needs.

As for price, the price of implementing MFA is dwarfed by the cost of a data breach, and the right MFA will integrate seamlessly with your existing environment.

For many sectors, MFA is, or soon will be, a security requirement. Many regulatory bodies and compliance standards now recommend or mandate MFA to prevent credential compromise.

A few examples of MFA and two-factor authentication (2FA) compliance requirements include:

• Microsoft mandates MFA for Microsoft 365 admin center, effective February 2026.

• The EU's NIS2 Directive requires MFA at organizations across Europe's governmental and critical sectors.

• CMMC 2.0 is enforceable as of November 10, 2025, bringing strong authentication requirements to U.S. defense contractors.

• The New York Department of Financial Services (NYDFS) mandates MFA for financial institutions.

• PCI DSS 4.0 requires MFA for all access to online payment transaction data as of March 2025.

• The Federal Trade Commission (FTC) Safeguards requires organizations across virtually every area of commerce to have MFA for user accounts with access to customer data, or face stiff penalties.

• A proposed update to the HIPAA Security Rule would require HIPAA MFA for any system that grants access to electronic protected health information (ePHI).

As sensitive data becomes increasingly attractive for cybercriminals, expect to see more regulations explicitly mandate MFA.

MFA is a critical step in mitigating common cybersecurity risks, and key for anyone looking to enhance their access management.

What’s next for MFA? Over the next few years, we'll continue seeing a focus on how MFA is implemented.

Alex Weinert, vice president of identity security at Microsoft, views driving more multifactor authentication usage as, “the most important thing we can do for the ecosystem.” He continues, “Our strong position is that all user sessions should be multifactor authentication protected.”

It’s not only privileged user accounts that pose a danger to your system. Regular users, too, can give bad actors access to important resources. MFA is an effective way to protect all types of users from unauthorized access.

The simple truth is that any user account protected solely by a password presents a risk to your organization. The key to successful MFA implementation is to implement a zero-trust policy — protecting all access points, regardless of the user’s level of privilege.

Of course, you need to balance security with productivity. You might want to require admins to complete MFA on every login. A standard user might need to authenticate less frequently. With UserLock, you can use granular controls and contextual access management to provide security with a seamless user experience.

Following best practices when implementing MFA will help you optimize security. Some examples of MFA best practices include:

• Monitor your system for suspicious patterns: IT departments need real-time monitoring that tracks user activity and detects unusual behavior. UserLock enables organizations to identify potential threats and take prompt action to prevent harm.

• Regularly review and update MFA policies to match security needs: Your users, systems, and security needs will change. To ensure your MFA offers the right protection, regularly check that your MFA policies are suitable for your current requirements.

• Use contextual controls to avoid disrupting end-users: Context-aware access controls allow or deny login attempts based on factors such as the user’s location, device, and time of day. UserLock’s contextual access management helps prevent unauthorized access and reduce the risk of future threats.

• Deploy MFA methods that suit your users: MFA methods include the use of hardware tokens, authentication apps, and push notification mobile apps. Deploying the authentication method that best suits your system is paramount. If your organization needs MFA for remote work, offline access, or single sign-on (SSO), pick a tool that delivers the features you need.

• Report on user activity and access: During deployment and ongoing management, keep a report of your MFA implementation. UserLock’s compliance reporting capabilities enable organizations to track and report on user activity and access to meet regulatory requirements. This helps to ensure compliance and reduce the risk of future threats.

Remember that system security is not a one-off task. It’s an ongoing effort to protect against existing and emerging threats. The challenge for anyone tasked with implementing MFA will be achieving a balance between securing data while remaining user-friendly.

Generally, MFA methods verify something the user has, is, or knows. For this reason, it’s extremely challenging for an attacker to complete the second verification step, even when they know a user’s password.

It’s essential to use secure MFA methods that align with your organization’s security needs.

While they’re all better than passwords alone, some MFA methods offer much more protection than others. More secure MFA methods, such as hardware tokens and keys, generate unique codes or security keys for each login attempt. As the user physically possesses these methods, they are difficult to duplicate or compromise.

On the other hand, less secure MFA methods, like smartphone SMS-based verification or email passcodes, can be easily guessed or intercepted.

For many users, push notifications offer a happy medium: a nearly frictionless experience, with high security.

As in almost every field, artificial intelligence (AI) has improved MFA by enabling predictive user modeling and threat detection. This approach involves machine learning algorithms analyzing user behavior patterns to identify deviations and flag them as potential threats.

AI-powered threat detection can help create a smoother user experience. It helps organizations detect and respond to security threats in real-time without damaging the user experience. However, analytics are already well established within many MFA platforms. More will be using their insights to further enhance factors like contextual access management.

AI risks and ethics are concerns across every industry. The use of AI in MFA brings the usual challenges and considerations, including concerns about privacy and potential algorithmic bias. Organizations must ensure that data protection policies are in place, algorithms are transparent, and resources are adequate. Any legal and regulatory needs must also be implemented.