TL;DR: Enterprise MFA in 2026 is fragmented because workforce segments now have different device, network, and lifecycle constraints, according to Avatier’s 2026 buyer’s guide. The practical answer is not one best product but a method-to-workforce fit that avoids desk-worker assumptions becoming enterprise-wide policy.
NHIMG editorial — based on content published by Avatier: a 2026 buyer’s guide to enterprise MFA solutions segmented by workforce type
By the numbers:
- CISA’s 2023 guidance on phishing-resistant MFA names two main categories: FIDO/WebAuthn and PKI-based authenticators.
Questions worth separating out
Q: How should security teams choose MFA for mixed workforces?
A: Security teams should choose MFA by workforce segment, not by a single enterprise default.
Q: Why do frontline workers often fail standard MFA programmes?
A: Frontline workers often fail standard MFA programmes because the control assumptions are wrong.
Q: What do organisations get wrong about MFA recovery and reset flows?
A: Organisations often make recovery easier than authentication, which creates an attack path.
Practitioner guidance
- Map MFA by workforce segment Separate desk, frontline, contractor, and customer populations before comparing products.
- Prioritise phishing-resistant methods for privileged access Use passkeys, hardware security keys, or other phishing-resistant methods for high-value accounts, then reserve weaker methods only where the environment makes stronger options impractical.
- Design frontline authentication around shared-device constraints Choose deviceless or shared-device-compatible methods where workers cannot carry personal phones or use push prompts.
What's in the full article
Avatier's full buyer's guide covers the operational detail this post intentionally leaves for the source:
- Vendor-by-vendor comparisons across desk, frontline, contractor, and customer identity scenarios.
- Method-by-method guidance on push, TOTP, passkeys, hardware keys, and deviceless challenge cards.
- Deployment trade-offs for Microsoft-first, cloud-first, regulated, and shared-device environments.
- Shortlist guidance that maps each vendor to the workforce segment it supports best.
👉 Read Avatier’s buyer’s guide to enterprise MFA solutions by workforce type →
Enterprise MFA in 2026: what workforce mix changes for IAM teams?
Explore further
Workforce-mismatched MFA is a governance failure, not a feature gap. The article shows that MFA breaks when programmes assume every user behaves like a desk worker with a phone, a laptop, and persistent sessions. That assumption does not hold for frontline staff, contractors, or shared-device environments. The implication is that identity governance has to start with workforce conditions, because policy built on the wrong user model will produce false confidence.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: What is the difference between passkeys and hardware security keys in enterprise MFA?
A: Passkeys and hardware security keys both support phishing-resistant authentication, but they fit different operational needs. Passkeys are more convenient for broad adoption, while hardware keys remain stronger for privileged users, recovery, and environments that need a physical possession factor. The right choice depends on assurance target, lifecycle, and device model.
👉 Read our full editorial: Enterprise MFA in 2026 fails when workforce assumptions break