Much has been spoken about, with the IT community, about Multi-Factor Authentication (MFA). This is a security measure that requires users to provide two or more verification factors to gain access to a resource, such as an application or online account. This method, on paper, enhances security by reducing the likelihood of unauthorised access, as it goes beyond just asking for a username and password.
MFA can include various forms of verification, such as passwords, biometric data (like fingerprints), or security tokens. By implementing MFA, organizations can significantly improve their identity and access management policies.
However, are CISOs falling out of love with this approach to business security? The answer is leaning towards ‘yes’. This is the finding from the company Portnox, which has released the first set of findings from its latest survey – “CISO Perspectives for 2026.”
The survey polled 200 CISOs from companies with revenues exceeding $500 million, and it was conducted by Wakefield Research.
The results highlight a rapid shift in strategic priorities in terms of the approach CISOs are taking towards passwords over the past year:
- Passwordless Momentum Hits Critical Mass: A significant 92% of CISOs report their organizations have implemented, are implementing, or are planning to implement passwordless authentication. This is large increase from just 70% in 2024, moving passwordless from a nice-to-have to the standard. Over the past year, the number who’ve completed their implementation doubled from 7% to 14% and the number planned to implement has jumped from 38% to 52%.
- Distrust of MFA: Nearly all CISOs express major concerns about MFA’s efficacy; 96% say MFA cannot keep pace with evolving threats, and 98% worry it does not sufficiently protect employees (on par with 99% in 2024). This widespread concern is justified, as 58% of CISOs believe high-profile security breaches are very or extremely likely due to compromised passwords or authentication.
- A Win for Employee Experience: The shift to passwordless is being driven in part by employee feedback. CISOs cite improved employee productivity (41%) and enhanced user experience (39%) as top benefits. This is a welcome change for staff, with 50% of CISOs reporting employee complaints that security measures interfere with or slow their work.
“MFA, while better than nothing, is a threat mitigation tool. By removing passwords entirely, passwordless authentication reduces the attack surface for cybercriminals and eliminates the risks associated with phishing, credential stuffing, and brute-force attacks,” Denny LeCompte, CEO of Portnox says in a statement sent to Digital Journal.
“In addition, Passwordless provides a better user experience and aligns the most secure path with the path of least resistance for users.”
With two in five CISOs (40%) having already begun or completed their passwordless implementation, and a completion rate that has doubled from 2024 to 2025, the trend toward a passwordless future is undeniable; it just probably won’t be MFA.
