Something you know, something you have, something you are. MFA has been the safety net of enterprise access controls for years now, but that safety net is beginning to tear.
Portnox has just released its new survey of 200 US CISOs at companies with over $500 million in annual revenue. 96% of them said MFA can’t keep up with today’s evolving threats, and 98% said it doesn’t sufficiently protect employees.
The attacks bear this out. CISOs cited MFA fatigue (push bombing), SIM-swap fraud, and OTP interception among the techniques eroding trust in traditional factors.
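The first of those techniques, MFA fatigue, leaves a recognisable trace in authentication logs: a burst of push prompts to one user, mostly denied or timed out, often ending in an approval. The detector below is an added example, not code from the article or from Portnox; it runs over constructed sample log lines whose format (timestamp, user, event, result) is an assumption, and flags any user who receives a burst of prompts inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data); the log format is an assumption.
SAMPLE_LOG = """\
2025-10-02T08:15:03Z user=alice event=mfa_push result=approved
2025-10-02T08:40:11Z user=bob event=mfa_push result=denied
2025-10-02T08:40:25Z user=bob event=mfa_push result=denied
2025-10-02T08:40:39Z user=bob event=mfa_push result=timeout
2025-10-02T08:40:52Z user=bob event=mfa_push result=denied
2025-10-02T08:41:10Z user=bob event=mfa_push result=approved
2025-10-02T09:05:00Z user=carol event=mfa_push result=denied
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+)$")

def parse_log(text):
    """Yield (timestamp, user, result) for each mfa_push line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["result"]

def detect_push_bombing(text, window=timedelta(minutes=5), threshold=3):
    """Flag users who receive >= threshold push prompts inside `window` with at
    least one prompt not approved. A burst that ends in an approval is the
    fatigue pattern: the user finally taps 'approve' to make the prompts stop."""
    events = defaultdict(list)
    for ts, user, result in parse_log(text):
        events[user].append((ts, result))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            rejected = sum(1 for _, r in burst if r != "approved")
            if len(burst) >= threshold and rejected > 0:
                alerts[user] = {
                    "prompts": len(burst),
                    "rejected": rejected,
                    "approved_after_burst": burst[-1][1] == "approved",
                }
    return alerts
```

Running `detect_push_bombing(SAMPLE_LOG)` flags only `bob`, whose five prompts in one minute end in an approval; a single denial, as for `carol`, is normal noise and is not reported.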
As Denny LeCompte (CEO at Portnox) said in a press release:
“MFA, while better than nothing, is a threat mitigation tool.”
And now, he added, we need to move beyond that mitigation and reduce the attack surface for criminals by removing passwords entirely. The fix will come from changing the trust model, not from layering on more factors.
When we asked Umer Khan (Chief Information Officer and Senior Vice President of Software Engineering at Relativity Space) about the power of passwordless authentication, he said:
“Passwords... seriously... suck! Because they are transmitted across the network and stored in some sort of file or database (even though they may be hashed and possibly even salted), there are many ways in which they can be exploited. They can be guessed, intercepted, phished, cracked, or stolen.”
And he noted that “In recent years, MFA is commonly and easily bypassed. Attackers often use malicious websites that look exactly like a company’s single sign-on portal to trick the end user into entering both their password and the second factor.”
The survey from Portnox shows that MFA is under more pressure than ever; and as a result, passwordless authentication is taking its place. Of the CISOs surveyed, 92% have implemented, are implementing, or plan to implement passwordless authentication – up sharply from 70% in 2024. And importantly, that adoption is being driven by tangible gains:
Passwordless is part of a wider shift towards zero-trust access, where every connection is continuously verified. In Khan’s words, “Passwordless fits well into my philosophy of ‘secure by default’.”
The rise of AI agents and service accounts is now an identity management issue in its own right. Portnox found that 78% of CISOs expect AI to increase their workload – yet that same 78% admit they lack a formal strategy to manage AI identities within their zero trust frameworks.
That leaves a growing blind spot in access policy and audit trails: machine-to-machine authentication is multiplying faster than governance controls are catching up.
Identity and access control now sit at the heart of zero trust.
These figures point to a major re-architecture of enterprise access rather than incremental change.
For CISOs, it’s absolutely time to re-evaluate MFA. We need to fold identity into zero trust, and tie authentication strength to device posture and contextual risk, not just user credentials. And as we head into 2026, CISOs need to budget for convergence, as identity, NAC and AI-governance tooling merge into a single line item.
We don’t like clickbait at BHMEA, and we’re not going to shout that MFA is dead. But as CISOs push towards passwordless and zero trust models, it’s no longer the cornerstone of identity security.
The organisations that adapt fastest will shrink their attack surface – and future-proof their defences for a world where not all users are human.