Workforce-specific MFA in 2026: what changes for IAM teams?

TL;DR: Enterprise MFA buying in 2026 depends on workforce composition because desk, frontline, contractor, and customer populations have different device realities and lifecycle constraints, according to Avatier’s buyer’s guide. The real governance issue is that one-size-fits-all authentication assumptions no longer match how modern work is actually performed.

NHIMG editorial — based on content published by Avatier: 2026 buyer's guide to enterprise MFA solutions segmented by workforce type

By the numbers:

• Most analyses of the deskless or frontline workforce fall in the range of 60 to 80 percent of the global workforce.
• CISA's 2023 guidance on implementing phishing-resistant MFA names two main categories: FIDO/WebAuthn and PKI-based authenticators.

Questions worth separating out

Q: How should organisations choose MFA methods for different workforce groups?

A: Organisations should choose MFA methods based on the user population, the device context, and the lifecycle of the account.

Q: Why do frontline and shared-device environments break standard MFA assumptions?

A: Frontline and shared-device environments break standard MFA assumptions because they rarely provide the personal smartphone, persistent workstation, or corporate email address that many MFA products assume.

Q: What do security teams get wrong about MFA recovery flows?

A: Security teams often treat recovery as an administrative function instead of a security control.

Practitioner guidance

• Segment MFA by workforce type Build separate authentication requirements for desk, frontline, contractor, and customer populations.
• Prioritise phishing-resistant methods for privileged users Adopt passkeys or hardware keys for administrators and other high-risk roles before expanding to the wider population.
• Redesign recovery around equal assurance Treat password resets, MFA re-enrolment, and help-desk escalation as part of the authentication control.

What's in the full report

Avatier's full buyer's guide covers the operational detail this post intentionally leaves for the source:

• Side-by-side vendor coverage for desk, frontline, contractor, and customer identity segments.
• Method-by-method comparison of passkeys, hardware keys, push, TOTP, and deviceless challenge-card options.
• Vendor notes on where each platform fits in shared-device and frontline workflows.
• Practical buyer guidance on narrowing the shortlist after segmenting your workforce.

👉 Read Avatier's 2026 buyer's guide to enterprise MFA by workforce type →

Workforce-specific MFA in 2026: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →