Okta’s Mathew Graham on why India leads the world in MFA and why that’s not enough
India has reached nearly 90% MFA adoption, far ahead of global averages. What’s driving this surge?
India’s remarkable 89.4% MFA adoption is really the outcome of a perfect storm of digital acceleration and pragmatic regulation. Indian enterprises operate at cloud‑native scale and often avoid legacy infrastructure hurdles that slow down Western counterparts. In a mobile‑first economy, identity effectively is the perimeter.
At the same time, booming sectors like fintech and IT services depend on global trust. Security is no longer a backend function; it’s a trust dividend for international expansion. This adoption reflects a new generation of CXOs who see identity as fundamental to business continuity, not a secondary IT checkbox.
“India’s MFA boom is impressive but the next battleground is the quality of authentication, not the quantity.”
— Mathew Graham, Chief Security Officer, APAC, Okta
Does high MFA penetration actually make Indian enterprises safer or does it simply reflect compliance maturity?
A 90% adoption rate sets a world‑class baseline, but coverage isn’t the same as protection. Traditional MFA especially SMS and voice‑based OTPs is increasingly vulnerable to adversary‑in‑the‑middle attacks and social engineering.
India has achieved compliance leadership; now it must focus on translating that into truly high‑assurance security that stands up to modern, automated threats.
Why does Okta call traditional MFA “security debt”?
Because legacy, phishable factors give a false sense of safety. Organisations accumulate security debt when they treat MFA as a band‑aid while ignoring deeper issues like misconfigured permissions or orphaned accounts.
Unless enterprises shift to phishing‑resistant authentication, that debt becomes a liability attackers can easily exploit.
What steps should Indian enterprises take to move toward phishing‑resistant, passwordless authentication?
Treat it as a phased strategic migration. Start by securing high‑value identities admins, executives using WebAuthn or device‑bound biometrics.
Then actively retire low‑assurance factors like SMS or voice OTP. Integrate these controls into a Zero Trust architecture so that the safest sign‑in method becomes the most seamless for the user.
What should Indian CXOs prioritise over the next 12–18 months?
The next phase is about the quality of authentication. CXOs should focus on universal phishing‑resistant standards for critical access and aggressively reduce reliance on passwords.
As identity‑based attacks become more automated, organisations still using legacy factors will see diminishing returns. By pairing SSO with smart authentication, leaders can turn identity from a defensive requirement into a productivity engine.