Why MFA Can’t Cut It Anymore, Say 96% of CISOs
Multi-Factor Authentication (MFA) was once seen as the gold standard for protecting accounts. But now, it’s no longer good enough on its own—and security leaders know it.
In our CISO Perspectives for 2026 report, 96% of CISOs said MFA can’t keep up with today’s evolving threats, and 98% worry that it no longer provides sufficient protection for employees. That’s more than just a confidence issue—it’s a signal that legacy identity controls are no longer aligned with modern threat models.
MFA Falls Short
Let’s be clear: MFA is still better than nothing—but “better than nothing” doesn’t meet the bar in today’s hybrid, highly targeted enterprise environment. Threat actors have simply adapted and are getting around it.
CISOs are now contending with:
- MFA bombing attacks
- SIM swapping and OTP interception
- Adversary-in-the-Middle (AiTM) phishing kits
- Shadow IT and unmanaged devices
Traditional MFA that relies on SMS, OTPs, or push notifications no longer delivers the assurance it once did. And in many cases, it’s creating friction without truly raising the bar on security.
Why Passwordless + Risk-Based Access Is Replacing MFA
Leading standards bodies, including NIST and the FIDO Alliance, now emphasize phishing-resistant methods, like certificate-based or cryptographic authentication, as the baseline for modern identity assurance. Increasingly, compliance frameworks and cyber insurance providers are also signaling that traditional MFA may no longer meet baseline risk requirements—accelerating the need to modernize.
CISOs aren’t abandoning the principle of layered defense—they’re evolving it.
What’s replacing standalone MFA is a more adaptive, identity-aware access strategy that combines:
- Passwordless authentication: usually certificate-based or cryptographic device-bound methods
- Real-time risk evaluation: contextual signals like location, device posture, and behavior
- Dynamic enforcement: such as blocking access, stepping up authentication, or limiting session scope based on risk
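The three layers above fit together as a policy decision: the authenticator type, device posture, and contextual signals are scored, and the score selects an enforcement action. The following is an added illustration, not Portnox code or any standard's reference logic; the signal weights, thresholds, session lifetimes, and the sample contexts are all constructed assumptions chosen to show the shape of such an engine.

```python
from dataclasses import dataclass
from enum import Enum

# Assumption: these authenticator types are treated as phishing-resistant
# (cryptographic, device-bound); everything else carries a risk penalty.
PHISHING_RESISTANT = {"certificate", "passkey"}


class Action(Enum):
    ALLOW = "allow"            # full session
    LIMIT = "limit_session"    # shorter session with reduced scope
    STEP_UP = "step_up"        # require a fresh phishing-resistant factor
    BLOCK = "block"


@dataclass(frozen=True)
class AccessContext:
    user: str
    auth_method: str            # e.g. "certificate", "passkey", "otp", "push", "sms"
    device_managed: bool        # enrolled in MDM / known to the NAC
    device_compliant: bool      # posture: disk encryption on, EDR running, patched
    country: str                # geolocation of this request
    usual_countries: frozenset  # countries seen for this user historically
    failed_attempts_1h: int     # recent failures on this account (push-fatigue / brute-force signal)
    local_hour: int             # 0-23, user's local time
    usual_hours: range          # e.g. range(7, 20)


@dataclass(frozen=True)
class Decision:
    action: Action
    score: int
    reasons: tuple
    session_ttl_minutes: int


def score_risk(ctx: AccessContext):
    """Sum illustrative risk weights for each signal that is out of policy."""
    score, reasons = 0, []
    if ctx.auth_method not in PHISHING_RESISTANT:
        score += 20
        reasons.append(f"authenticator '{ctx.auth_method}' is not phishing-resistant")
    if not ctx.device_managed:
        score += 30
        reasons.append("unmanaged device")
    elif not ctx.device_compliant:
        score += 15
        reasons.append("managed device failed posture check")
    if ctx.country not in ctx.usual_countries:
        score += 25
        reasons.append(f"unusual location {ctx.country}")
    if ctx.failed_attempts_1h >= 5:
        score += 20
        reasons.append(f"{ctx.failed_attempts_1h} failed attempts in the last hour")
    if ctx.local_hour not in ctx.usual_hours:
        score += 10
        reasons.append(f"request at {ctx.local_hour:02d}:00 is outside usual hours")
    return score, tuple(reasons)


def evaluate(ctx: AccessContext) -> Decision:
    """Map the risk score to an enforcement action (thresholds are assumptions)."""
    score, reasons = score_risk(ctx)
    if score >= 60:
        return Decision(Action.BLOCK, score, reasons, 0)
    if score >= 25:
        return Decision(Action.STEP_UP, score, reasons, 0)
    if score >= 10:
        return Decision(Action.LIMIT, score, reasons, 60)   # short, reduced-scope session
    return Decision(Action.ALLOW, score, reasons, 480)      # normal working-day session


def sample_contexts():
    """Constructed sample requests, not real telemetry."""
    base = dict(user="alice", device_managed=True, device_compliant=True,
                country="US", usual_countries=frozenset({"US"}),
                failed_attempts_1h=0, local_hour=10, usual_hours=range(7, 20))
    return {
        "cert_on_healthy_device": AccessContext(auth_method="certificate", **base),
        "cert_while_travelling": AccessContext(**{**base, "auth_method": "certificate", "country": "RO"}),
        "cert_but_posture_failed": AccessContext(**{**base, "auth_method": "certificate", "device_compliant": False}),
        "otp_unmanaged_noisy": AccessContext(**{**base, "auth_method": "otp", "device_managed": False,
                                                 "country": "RO", "failed_attempts_1h": 6, "local_hour": 3}),
    }


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        d = evaluate(ctx)
        print(f"{name:<26} {d.action.value:<14} score={d.score:<3} ttl={d.session_ttl_minutes}m  {'; '.join(d.reasons)}")
```

The point of the structure is that a certificate on a compliant, managed device from a familiar location passes with no prompt at all, while the same strong authenticator from an unfamiliar country triggers a step-up rather than a silent allow; the OTP-from-unmanaged-device case is refused outright, which is the failure mode a static MFA prompt would have let through. In a real deployment the weights would come from a policy store and the signals from the identity provider, NAC, and endpoint agent rather than from hard-coded values.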
This modern stack delivers stronger security and a better user experience. Instead of relying on multiple clunky steps, it builds trust continuously—and invisibly.
The Rise of Passwordless
Our survey shows 92% of CISOs are already implementing or planning to implement passwordless authentication, up from 70% the year prior. Why the increase?
Because passwordless authentication:
- Reduces the risk of phishing attacks (no password = nothing to phish)
- Ties authentication to device + certificate for higher assurance
- Reduces help desk tickets from password resets and MFA failures
- Improves user experience, which increases adoption and lowers security workarounds
Portnox solutions, which leverage certificate-based authentication and posture-aware access controls, are helping organizations enforce zero trust without enforcing friction.
MFA may still have a role—but only when integrated into a broader, adaptive access strategy. On its own, it’s too rigid, too vulnerable, and doesn’t provide the best user experience.
Bottom line
The era of relying on MFA for access-based security is coming to a close. 96% of CISOs are signaling it can’t keep up, and they’re shifting their strategies accordingly.
What’s next is already available: passwordless-first, certificate-based, risk-aware access control that delivers better protection—and a better experience. CISOs aren’t looking to add more steps. They’re looking to add more certainty—and finally leave passwords and static MFA behind.