Authentication and security

Learn how organizations are addressing
today’s diverse security challenges

Businesses at Work 2025 → Authentication and security

Security categories
and factors

For the one-millionth year in a row, 123456 is the world’s most popular password. Thankfully, Okta customers continue to invest in securing their assets and workforces. They are leaning into powerful security tools and moving away from weaker factors with phishable credentials (we’re looking at you, passwords) and toward higher-assurance authentication factors such as biometric authentication.

Authentication and security → Security categories and factors

MOST POPULAR SECURITY TOOL CATEGORIES

Tools for securing an infinite perimeter

Companies — and their people, data, workflows, and other assets — need increasing layers of protection in an AI-enhanced threatscape.

Between November 2022 and October 2023, there were 30,458 real-world security incidents, according to Verizon’s 2024 Data Breach Investigations Report. Of that number, 10,626 — a record high — were confirmed data breaches. But companies are adapting fast. Here’s a look at the most popular security-focused tools for keeping marauders at bay.

Authentication and security → Security categories and factors

Firewall deployment is up: VPN/firewall is the most popular security tool (as it has been since 2020), deployed by more than half of Okta customers that deploy security tools through the OIN. Adoption is up another 2% this year. This category includes popular products such as Palo Alto Networks GlobalProtect and Prisma Access, OpenVPN, AWS ClientVPN, Zscaler, Cisco AnyConnect, and Tailscale (one of our fastest-growing apps). By industry, the government sector is leading the VPN/firewall charge, with an impressive 11% YoY growth in adoption.

Compliance on the rise: The number of companies deploying data compliance tools grew 50% YoY, after 120% the year prior — by far the fastest growth among security tools. Currently, 11% of Okta customers that deploy security tools through the OIN deploy a data compliance tool. The rise of automation and data gathering (and data-hungry AI algorithms) has led to shifts in the regulatory landscape that will surely keep this category hot.

Defeating deepfakes: ID proofing tools, which help ensure secure onboarding in this age of AI-powered deepfakes, posted 11% YoY growth. Deepfake attacks occurred an average of every five minutes in 2024.

Managing mayhem: Low-assurance passwords remain unshakably ubiquitous across the digital space. As a result, password management tools remain popular. One-third of Okta customers that deploy security tools through the OIN currently deploy password management tools (representing 9% YoY growth).

Authentication and security → Security categories and factors

Tech startups

Data compliance and training: Tech startups can’t afford a hefty fine for violating government regulations. Data compliance adoption grew 45% YoY among startups. Training is another hot topic, growing 13% YoY among tech startups eager to get new employees quickly up to speed.

Infrastructure monitoring: Infrastructure monitoring ranks higher among tech startups, just below the password management and endpoint management and security tool categories. That makes sense, considering downtime can cost smaller enterprises $100,000 per hour.

Password management: Companies of all sizes prioritize training tools (No. 3) and password management tools (No. 4) behind VPN/firewall and endpoint management and security. Tech startups, however, place a higher value on password management tools (No. 3), while training tools rank further down their list at No. 6.

Fortune 500 companies

Infrastructure monitoring: Keeping systems up and running is an even bigger priority for large companies, which can lose $300,000 or more in a single hour of downtime. In the overall population, infrastructure monitoring ranks No. 5. Among Fortune 500 companies, it ranks No. 2.

Security analytics: The interconnected systems of Fortune 500 companies generate mountains of security data. But what good is data if you can’t make sense of it or act on it quickly? Security analytics rank No. 3 for Fortune 500 companies, six places higher than among companies of all sizes.

Authentication and security → Security categories and factors

FASTEST-GROWING SECURITY TOOL CATEGORIES

Countries load up on data compliance and VPNs

_Note:_{In this view of app usage, we count the number of customers deploying one or more apps or tools in each category.}_Note:_{Data reporting the use of Okta products is not included in this chart.}

Evolving data privacy regulations, a widening attack surface, and the steep price of downtime are weighing heavily on nations around the world. These concerns are reflected in the fastest-growing security categories among our featured countries.

Authentication and security → Security categories and factors

Canada protects privacy: Canada is looking to add a Consumer Privacy Protection Act to its books. Companies are getting ahead of expected regulations by adding data compliance tools to their security arsenals.

US states regulate: As in Canada, new federal and state regulations are contributing to the rise in data compliance tool adoption across America. There are now 19 US states with privacy laws on the books, and measures are in front of additional state legislatures.

Japan prioritizes firewalls: Network security is prized highly in Japan, where the adoption of firewall/VPN tools is expected to grow at a compound annual rate of 6.8% from 2024 to 2030.

France strengthens infrastructure monitoring: France bolsters infrastructure monitoring as it experiences an increase in cyberattacks. Another reason for more monitoring? The country is working to meet EU-set compliance directives such as NIS 2 (cybersecurity) and DORA (financial entities).

Authentication and security → Security categories and factors

MOST POPULAR TYPES OF FACTORS

Stronger authentication factors soar

_Note:_{Dot sizes indicate the relative number of customers using these factors.}_Note:_{“Okta Verify (OTP and Push)” includes Okta Verify with One-Time Passcodes and Okta Verify with Push Notifications. WebAuthn is rolled up with YubiKey in the grouping of “security key or biometric factors.” Google Authenticator, Duo Security, RSA SecurID, HMAC-based one-time passwords (HOTP), YubiKey OTP, and Symantec VIP are rolled up as “other OTP authenticators.” We group SMS with voice call authentication for a factor grouping of “phone.”}_Note:_{This data is limited to Okta Workforce Identity customers.}

Multi-factor authentication (MFA) is only as strong as the factors you’re using. Lower-assurance factors, such as phone and email, make it easier for hackers to crack through defenses. Sixty-three percent of last year’s breaches were linked to organizations’ authentication processes. Thankfully, companies of all sizes are strengthening their mix of authentication factors.

Authentication and security → Security categories and factors

A move toward stronger factors: The adoption of higher-assurance, phishing-resistant factors such as Okta FastPass, security keys, and biometrics is on the rise. Medium-assurance factor Okta Verify (OTP and Push) — already the most highly deployed factor grouping by number of customers — grew 3% by number of customers and 16% by unique users this year.

FastPass takes the fast lane: The high-assurance solution grew 52% YoY by number of customers and 160% YoY by unique users. Phishing-resistant Okta FastPass can be deployed with or without biometrics. The volume of FastPass authentications with biometrics grew 288% YoY.

Authentication and security → Security categories and factors

The weak get weaker: Companies are backing away from lower-assurance factors such as phone and security questions. Security questions are declining for the second straight year, down 12% YoY by number of customers and down 5% YoY by unique users. Phone factor adoption (SMS/voice call) has cooled significantly as a security factor, down 14% by number of customers and down 1% by unique users this year after more than doubling unique users last year.

Email adoption increases: While the trend toward higher-assurance factors is positive, low-assurance email adoption has grown again, increasing 23% YoY by unique users. It’s a significant slowdown from the 155% YoY growth by unique users that email posted last year, though. We’ll call it a win.

Authentication and security → Security categories and factors

MOST POPULAR TYPES OF FACTORS, BY COMPANY SIZE

Factor priorities shift by organization size

_Note:_{“Okta Verify (OTP and Push)” includes Okta Verify with One-Time Passcodes and Okta Verify with Push Notifications. WebAuthn is rolled up with YubiKey in the grouping of “security key or biometric factors.” Google Authenticator, Duo Security, RSA SecurID, HMAC-based one-time passwords (HOTP), YubiKey OTP, and Symantec VIP are rolled up as “other OTP authenticators.” We group SMS with voice call authentication for a factor grouping of “phone.”}_Note:_{This data is limited to Okta Workforce Identity customers.}

Companies of all sizes are finally flocking to phishing-resistant factors to thwart cyberattacks, fraud, identity theft, and data breaches.

Inherence-based factors, such as biometrics, and possession-based factors, such as security keys, are generally tougher for cybercriminals to fake than knowledge-based factors, such as security questions. But some interesting patterns emerge when we compare the overall factor shifts among tech startups and Fortune 500 companies.

Authentication and security → Security categories and factors

Big companies add strength: Companies of all sizes are ratcheting up their deployment of high-assurance authentication factors, but adoption among Fortune 500 companies is rising the fastest. Security key or biometrics usage is up 30% YoY by number of customers among Fortune 500 companies. Okta FastPass usage is up 69% by customers and 334% by unique users.

Smaller companies shed weakness: Similarly, companies across the board are hanging up on their low-assurance phone factors, but the change is starkest among small tech startups. For the first time, tech startups are reducing their use of phone factors: Adoption declined 21% YoY by customers (versus just 2% for Fortune 500 companies) and 30% by unique users.

Where these segments buck trends: Fortune 500 companies continue to add security questions (up 6% by customers). Tech startups are still adding email (up 21% by customers and 31% by users) at a much higher rate than overall.

Businesses at Work 2025 → Authentication and security

Passwordless authentication with FastPass

Digital passwords have been with us since the early 1960s. But knowledge-based authentication is inherently risky because personal information may easily be discovered via social media and other public records. In the face of rising AI-powered cyberthreats, organizations around the world are leaving passwords behind.

Okta FastPass is a phishing-resistant authenticator whose deployment (often enhanced with biometrics) provides insight into the swift adoption of passwordless authentication. For more details, please see our Methodology section.

Authentication and security → Passwordless authentication with FastPass

PASSWORDLESS AUTHENTICATION, BY DEVICE TYPE

Biometric authentication is on the rise

_Note:_{This data is based on one year of cumulative Okta FastPass data from Okta Workforce Identity customers.}

Not long ago, mobility was tied to devices. Now it defines how we work. We access company assets from anywhere, at any time, on any device.

Passwordless authentication has made this a smoother experience for dispersed global workforces, with biometrics adding a layer of security to any operating system. Our data shows that the overall volume of Okta FastPass authentications has increased significantly from a year ago. The total number of FastPass authentications grew 377% YoY. The number of FastPass authentications using biometrics, such as fingerprints or facial recognition, increased 288% YoY.

Sixteen percent of FastPass authentications use biometrics, but biometrics deployment varies greatly by device type and operating system.

Authentication and security → Passwordless authentication with FastPass

Android secures remote logins: Though Android devices accounted for the fewest FastPass authentications, they registered the highest percentage with biometrics (21%).

macOS leads Windows: This year, the total volume of authentications from macOS is greater than that from Windows. For the second year running, devices running macOS yield a higher percentage of FastPass authentications with biometrics than Windows (18% to 13%.)

Phones don’t run the world yet: End users are still much more likely to log in via computers than phones.

Authentication and security → Passwordless authentication with FastPass

PASSWORDLESS AUTHENTICATION, BY COUNTRY

Countries move toward passwordless options

_Note:_{This data is based on one year of cumulative Okta FastPass data from Okta Workforce Identity customers.}

Around the world, passwordless authentication is rising fast. The use of biometrics to strengthen those authentications is growing, too, but not as quickly. Possible reasons for the lag: Some enterprise laptops don’t yet enable thumbprint or camera functionality, and IT departments may be stretched too thin to deliver biometrics-backed passwordless tech all at once. Here’s how the progress is going so far.

Authentication and security → Passwordless authentication with FastPass

Biometrics boom: One in five passwordless authentications are now backed by biometrics in Canada, Germany, South Korea, Israel, the UK, and Australia. What drives the higher percentages? One study in Germany finds that nearly half of the respondents (49%) work in companies where the use of biometric authentication is mandated by the employer to enhance cybersecurity.

France tightens security: France has the highest average number of Okta FastPass authentications per account. Phishing is the main identity threat in France. Interest in passwordless might be tied to a significant uptick in phishing scams that surged while the country hosted the 2024 Olympics. However, France has one of the lowest average rates of FastPass leveraging biometrics, at 12%.

US lags behind: The US registers the second-highest number of FastPass authentications per account this year. But America trails most of our featured nations when it comes to biometrics-backed authentication, at just 17%.

Japan closes the gap: Japan, similarly, has a high rate of passwordless authentications per account but a low rate of biometrics use — 11% — the lowest on this list. (Japan’s digital transformation has been slower than that of many countries for complex reasons.)

Businesses at Work 2025 → Authentication and security

Measuring cyberthreat growth

Automated cyberattacks are on the rise all over the world. Okta ThreatInsight evaluates legitimate and malicious sign-in activity across our customer base to detect risky IP addresses and thwart credential-based attacks such as password spraying, credential stuffing, and brute-force cryptographic attacks. Aggregated ThreatInsight data provides a good proxy for the current state of cyberthreats, which we dive into by industry and by country.

Authentication and security → Measuring cyberthreat growth

AUTOMATED THREAT DETECTION AND PREVENTION

Energy companies and nonprofits are under siege

_Note:_{This data is based on one year of cumulative ThreatInsight data from Okta Workforce Identity customers.}

All industries are under attack from threat actors today, but some sectors are targeted more than others. And it isn’t always the ones you’d expect. Finance and banking companies, for example, may seem like tempting targets, but ThreatInsight data shows they’re experiencing dramatically lower attack rates than other sectors.

Authentication and security → Measuring cyberthreat growth

Threats are growing: Attacks, as measured by the ratio of detected threats to all authentications, are up across the board. In May of 2024 alone (after a spike in credential stuffing activity against user accounts from March to April), Okta blocked 2.38 billion malicious requests. Okta data shows the number of detected threats has remained at a much higher level than the year prior.

Energy under attack: The energy, mining, oil, and gas industry has the highest rate of detected threats again this year, up tenfold from 3.3% to 32%. Power grids and oil, gas, and mining operations are sometimes less digitally secure, and they’ve become popular targets for activists and state-sponsored criminal groups.

Nonprofits at risk: Nonprofits was the second-most targeted industry, with detected threats accounting for 18% of authentications this year (up from 2.6% last year). In one survey of nonprofits, nearly two-thirds of respondents said they’d experienced a security breach or critical data incident in the past year. And while nonprofits are not formally recognized as critical infrastructure, hackers are treating them that way.

Finance breathes easier: Last year, finance and banking’s rate of detected threats (2.8%) ranked second among industries. That rate rose to 2.9% this year, but other industries had much higher growth rates, which pushed finance and banking down to No. 13. Finance and banking companies are hardening their defenses: System intrusion and social engineering attacks are both on the rise in the sector, indicating that attackers are having to work harder to pull off a breach.

Authentication and security → Measuring cyberthreat growth

AUTOMATED THREAT DETECTION AND PREVENTION

The US has the highest rate of detected threats

_Note:_{This data is based on one year of cumulative ThreatInsight data from Okta Workforce Identity customers.}

Our data shows that cyberattacks are increasing dramatically in countries all over the world. Last year, Israel’s 1.7% rate of detected threats to all authentications placed them at the very top of our chart. This year, that rate wouldn’t even land them in the top five of our featured countries.

Authentication and security → Measuring cyberthreat growth

US in the top slot: With a 6.6% rate of detected threats, the US — last year’s second-most attacked country — is now at the top of the chart.

EMEA is also a target: Germany and Netherlands, which had very low detected threat rates of 0.2% and 0.3% (respectively) a year ago, have risen into the top four along with the UK. For each of these countries, more than one out of every 20 authentications is detected as a possible threat.

APAC rates rise, as well: Australia, Japan, and South Korea are all experiencing higher rates of detected threats than last year. However, those rates appear low when compared with other countries, which have experienced much higher rates.

Never trust, always verify:
The journey to Zero Trust

Our data shows that security is a top priority for businesses across the globe. Beyond deploying security-focused tools, how else can companies keep their people, assets, and infrastructure safe?

Zero Trust is a security strategy that challenges the notion that there is a “trusted” internal network and an “untrusted” external network. Instead, organizations need to establish trust relationships to securely enable access for various people, from employees to suppliers, regardless of their location, device, or network. This strategy begins with secure identity.

While most organizations understand the key role Identity management plays in modern cybersecurity, it can be hard for a company to gauge its progress in a fast-evolving threatscape.

Okta has developed a four-stage Identity Maturity Model based on patterns and best practices observed across thousands of customers to help companies benchmark their journey to Zero Trust against that of their peers and chart a course toward meeting their own Identity management goals. What stage are you in? Find out in Okta’s A Guide for Your Identity Maturity Journey.