Thales Sets MFA as Core Security Standard, Aligns With CISA
By Diego Valverde | Journalist & Industry Analyst
Mon, 12/22/2025 - 13:40
Thales has positioned multi-factor authentication (MFA) as a structural security standard to counter escalating cyber threats, reinforcing its commitment to the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure-by-Design pledge. The shift reflects growing recognition that traditional, password-based credentials represent a critical vulnerability in increasingly complex enterprise environments.
Once considered an optional control, robust authentication has moved to the core of operational resilience. Its adoption marks a broader shift in accountability, extending security responsibility beyond software vendors to include customer organizations that configure and operate digital systems.
“Security must be foundational — embedded into products and services by design, not bolted on as an afterthought,” Thales’ Cloud Security division said in its 2025 research on identity management. “This principle underpins our commitment to CISA’s Secure-by-Design pledge, which calls on software manufacturers to make features such as multi-factor authentication standard across their product portfolios.”
The Erosion of the Traditional Security Perimeter
In today’s threat landscape, 49% of data breaches involve stolen credentials, according to Verizon, underscoring the declining effectiveness of password-only security models. Such systems remain highly vulnerable to phishing, social engineering, and brute-force attacks.
The 2025 Thales Data Threat Report highlights additional pressure from the rapid adoption of generative artificial intelligence and the expansion of digital attack surfaces. About 69% of organizations cited the pace of the generative AI ecosystem as their most significant security risk. While 83% of companies report using strong MFA more than 40% of the time, Thales noted a persistent gap between available security capabilities and consistent policy enforcement.
User friction remains a key challenge. The 2025 Digital Trust Index shows that 40% of corporate users reset their passwords at least twice a month, creating productivity losses and introducing vulnerabilities during account recovery. MFA adoption is increasingly viewed as a way to balance security requirements with user experience and regulatory compliance.
Toward a Passwordless Infrastructure
Aligned with CISA guidance, Thales advocates making MFA a default, built-in control rather than an optional feature. Under this shared-responsibility model, vendors deliver secure configurations by default, while organizations remain accountable for proper implementation and governance.
Thales recommends that enterprises carefully assess available authentication methods:
- Hardware security keys (FIDO2): Offer the highest level of protection and strong resistance to phishing, though they require physical devices such as smart cards or tokens.
- Authenticator applications: Generate one-time passwords independently of mobile networks, providing strong security without reliance on SMS.
- SMS and email: Provide limited protection and remain vulnerable to SIM-swapping and interception; CISA advises using these methods only as a last resort.
According to Thales, the long-term trajectory of MFA points toward passwordless authentication. Technologies such as FIDO2 passkeys and biometrics aim to eliminate the most common attack vector: human error in password creation, reuse, and management.
Thales’ SafeNet Trusted Access platform illustrates this approach by enabling adaptive authentication, which evaluates risk in real time based on user behavior, location, and device health before granting access. This risk-based model can strengthen security while reducing login friction.
Looking ahead, industry standards may increasingly require that MFA cannot be disabled for administrative accounts, raising the baseline for enterprise security. Thales also anticipates that quantum-resistant technologies will become the next frontier in digital identity protection, ensuring that authentication systems remain effective against future advances in computing power.
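The controls this section describes, as an added example in Python that is not Thales’ code or the SafeNet Trusted Access logic: an audit over identity-provider records that ranks enrolled factors in the article’s order (FIDO2, then authenticator apps, then SMS/email as last resort) and flags administrative accounts whose MFA is disabled or lacks a phishing-resistant factor, plus an adaptive step-up decision scored from the device-health, location and behaviour signals the text names. The record field names, risk thresholds and sample accounts are constructed assumptions, not any vendor’s schema.

```python
from dataclasses import dataclass

# Factor classes in the order the article ranks them: FIDO2 keys resist phishing,
# authenticator apps are strong but not phishing-resistant, SMS/email are weak.
PHISHING_RESISTANT = {"fido2"}
STRONG = {"fido2", "totp_app"}
WEAK = {"sms", "email"}

@dataclass(frozen=True)
class Account:            # one identity-provider record; field names are assumed
    user: str
    is_admin: bool
    mfa_enabled: bool
    factors: frozenset    # enrolled factor types, e.g. {"fido2", "sms"}

def audit_account(acct: Account) -> list:
    """Return policy findings for one account; an empty list means compliant."""
    findings = []
    if acct.is_admin and not acct.mfa_enabled:
        findings.append("admin account with MFA disabled")
    if acct.is_admin and not (acct.factors & PHISHING_RESISTANT):
        findings.append("admin account lacks a phishing-resistant factor")
    if acct.mfa_enabled and acct.factors and acct.factors <= WEAK:
        findings.append("relies solely on SMS/email factors")
    return findings

def step_up_decision(signals: dict, factors: frozenset) -> str:
    """Adaptive check: score risk signals, then name the factor class required."""
    score = 0
    if not signals.get("device_healthy", True):
        score += 2        # unmanaged or out-of-date device
    if signals.get("new_location", False):
        score += 1        # sign-in from a location not seen before
    if signals.get("anomalous_behaviour", False):
        score += 2        # e.g. unusual hour or impossible travel
    if score == 0:
        return "allow"    # low risk: no extra friction for the user
    if score >= 3:        # high risk: only a phishing-resistant factor will do
        return "require_phishing_resistant" if factors & PHISHING_RESISTANT else "deny"
    return "require_strong" if factors & STRONG else "deny"

SAMPLE_ACCOUNTS = [  # constructed sample export, not real accounts
    Account("alice", True, True, frozenset({"fido2", "totp_app"})),
    Account("bob", True, True, frozenset({"totp_app"})),
    Account("carol", False, True, frozenset({"sms"})),
    Account("dave", True, False, frozenset()),
]

def run_audit(accounts=SAMPLE_ACCOUNTS) -> dict:
    return {a.user: audit_account(a) for a in accounts if audit_account(a)}
```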