TL;DR: Credential-based attacks keep MFA mandatory, while passkeys, adaptive policies, and AI agent access are reshaping what teams need from authentication providers, according to WorkOS. The real decision is no longer second-factor coverage alone, but whether the MFA layer fits enterprise identity, session control, and machine identity governance.
NHIMG editorial — based on content published by WorkOS: Top 5 MFA providers for securing your app in 2026
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should app teams choose an MFA provider for B2B SaaS?
A: Choose the provider that fits your identity architecture, not just your login screen.
Q: Why do passkeys matter more than SMS for MFA?
A: Passkeys reduce phishing and interception risk because they use device-bound cryptographic authentication instead of reusable codes.
Q: How can security teams govern MFA for AI agents and machine identities?
A: Do not reuse human MFA assumptions for machine access.
Practitioner guidance
- Prioritise phishing-resistant factors first: move high-risk populations to FIDO2 or WebAuthn-based authentication before tightening lower-assurance controls.
- Validate tenant-level policy boundaries: test whether MFA rules can differ by customer, application, and guest relationship without custom code.
- Separate human and machine auth paths: document which identities are people, which are workloads, and which are AI agents.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Provider-by-provider feature matrix with API, SDK, and enterprise integration specifics
- Implementation notes on per-organisation MFA policy, guest access, and session revocation
- Pricing and packaging differences that matter when MFA moves from pilot to production
- Developer workflow detail on how the MFA API fits into custom SaaS authentication flows
👉 Read WorkOS's comparison of the top MFA providers for app security in 2026 →
MFA providers in 2026: what should app teams prioritise?
Explore further
MFA is no longer a login feature; it is an identity architecture decision. The article shows that provider choice now affects enterprise SSO, audit logging, tenant policy, and session control, not just second-factor prompts. That is why MFA cannot be evaluated as a standalone security widget. Practitioners should treat it as part of the control plane that shapes the rest of the identity programme.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: What should organisations check before standardising on adaptive MFA?
A: Verify that the risk signals are reliable, the policy scope matches your tenancy model, and the platform can explain why authentication was stepped up or stepped down. Adaptive MFA works best when teams can audit the decision path and avoid hidden policy conflicts across apps, users, and external users.
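As an added illustration (not code from WorkOS or any provider the article compares), the following Python policy evaluator shows the properties the questions above ask for: per-tenant policy scope, a distinct path for workload and agent identities rather than reused human MFA rules, phishing-resistant factors preferred on step-up, and a recorded reason for every decision so the path can be audited. The tenant table, thresholds and factor names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed per-tenant policy table; tenants without an entry use "default".
TENANT_POLICY = {
    "default": {"step_up_threshold": 0.7, "guest_always_step_up": True},
    "acme": {"step_up_threshold": 0.5, "guest_always_step_up": False},
}

@dataclass
class Subject:
    kind: str            # "human", "workload" or "agent"
    tenant: str
    factors: tuple       # enrolled second factors, e.g. ("webauthn", "totp")
    guest: bool = False  # external/guest relationship with this tenant

def choose_factor(subject, reasons):
    # Prefer phishing-resistant factors; TOTP is a fallback, not an equal.
    for f in subject.factors:
        if f in ("webauthn", "passkey"):
            reasons.append(f"factor={f} (phishing-resistant)")
            return "step_up:" + f
    if "totp" in subject.factors:
        reasons.append("factor=totp (fallback, not phishing-resistant)")
        return "step_up:totp"
    reasons.append("no second factor enrolled: require enrollment")
    return "enroll"

def decide(subject, risk, fresh=True, new_device=False):
    """Return (decision, reasons); risk is 0.0..1.0 from an upstream engine, fresh=False means it is stale."""
    reasons = []
    if subject.kind != "human":
        reasons.append(f"kind={subject.kind}: human MFA not applied, route to machine credential policy")
        return "machine_path", reasons
    policy = TENANT_POLICY.get(subject.tenant, TENANT_POLICY["default"])
    reasons.append(f"tenant_policy={subject.tenant if subject.tenant in TENANT_POLICY else 'default'}")
    if not fresh:                      # fail closed: a stale signal is treated as high risk
        reasons.append("risk signal stale: treated as risk=1.0")
        risk = 1.0
    trigger = None
    if subject.guest and policy["guest_always_step_up"]:
        trigger = "guest relationship: step-up mandated by tenant policy"
    elif new_device:
        trigger = "new device"
    elif risk >= policy["step_up_threshold"]:
        trigger = f"risk={risk:.2f} >= threshold={policy['step_up_threshold']}"
    if trigger is None:
        reasons.append(f"risk={risk:.2f} < threshold={policy['step_up_threshold']}: no step-up")
        return "allow", reasons
    reasons.append(trigger)
    return choose_factor(subject, reasons), reasons
```

The returned reasons list is what an audit log should carry alongside the decision, so a stepped-up or stepped-down login can be explained after the fact.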
👉 Read our full editorial: Top MFA provider trade-offs for app security in 2026