Most apps sit outside MFA

A recent survey found that 89% of deployed applications are not centrally managed by an MFA platform, suggesting large parts of the app estate lack consistent authentication governance. The finding implies organisations cannot assume blanket MFA coverage across their cloud and on‑prem apps and should treat app-level visibility as incomplete until proven otherwise. (securityboulevard.com)

Multifactor authentication is the extra proof step after a password, but a new Ponemon survey says most enterprise apps never reach that checkpoint. In a study of 614 United States information technology and security leaders, 89% of deployed applications were not centrally managed through a multifactor authentication platform. (securityboulevard.com) The same survey found 70% of applications were not configured for single sign-on, the system that lets one identity provider handle logins across many services. Cerby, which sponsored the research, said the respondents worked at organizations with more than 500 employees in the United States. (securityboulevard.com, cerby.com)

These gaps sit in what identity teams call “disconnected applications” — software that does not support common sign-in and account-management standards such as Security Assertion Markup Language, OpenID Connect, or System for Cross-domain Identity Management. Cerby said those apps include software as a service tools, on-premises systems, legacy products, and newer artificial intelligence tools that cannot be federated into a central identity provider. (cerby.com, learn.microsoft.com, scim.cloud) That leaves access to many apps handled with tickets, spreadsheets, direct administrator logins, and passwords set inside each app instead of through one central control plane. Cerby said disconnected applications account for 30% of enterprise apps on average, and teams spend 31.2 hours a week managing workarounds around them. (cerby.com)

The survey also found a confidence gap: 57% of respondents rated their ability to apply consistent security controls across all applications at 7 or higher on a 10-point scale. In the same dataset, 77% said their organization had at least one incident involving disconnected applications in the past two years, and 39% said those incidents caused operational disruption. (securityboulevard.com) Audit records were weak too. Nearly two-thirds, or 63%, said their organization had failed at least one internal or external audit involving disconnected applications, and only 34% said they could consistently produce accurate access records. (securityboulevard.com)

Multifactor authentication still reduces account-takeover risk, but federal guidance says not all methods stop modern phishing. The Cybersecurity and Infrastructure Security Agency says phishing-resistant multifactor authentication is the most secure form, while the National Institute of Standards and Technology says newer guidance adds options designed to resist phishing and automated attacks. (cisa.gov, pages.nist.gov) That means a company can enforce strong login rules on its main identity provider and still leave dozens of apps outside the system entirely. Cerby said 58% of respondents saw the number of disconnected applications rise in the last year, while 56% said urgency to address their security had increased. (securityboulevard.com)

The thread running through the survey is not that multifactor authentication failed, but that coverage stopped short of the full application estate. Until every business-critical app can plug into central identity controls or gets an equivalent compensating control, “multifactor enabled” remains an incomplete inventory label. (cerby.com, securityboulevard.com)
