Multi-Factor Authentication (MFA) Pricing and Plans
Listed MFA pricing and plans vary based on several factors which increase costs:
- Number of users: The size of the user base.
- Single sign-on (SSO): The number of users who can log in with an SSO ID across multiple systems.
- Number of additional services: Threat detection, granular admin controls, and end-to-end encryption.
- Adaptive MFA capabilities: Dynamic authentication based on contextual factors like device type, IP address, and user behavior.
Vendor | Price (user/month) | Free basic plan | Free trial |
|---|---|---|---|
Okta Workforce Identity Cloud* | Custom pricing: – MFA: $3 – $6 – SSO: $2 – Access gateway: $3, etc. | ✅ (With Microsoft cloud subscriptions) | ✅ – 30 days |
LastPass | €2.90 – €6.50 (billed annually) | ✅ | ✅ – 30 days |
1Password | $3.99 – $19.95 | ❌ | ✅ – 14 days |
Cisco Duo | $3 – $9 (10+ users) | ✅ (1-10 users) | ✅ – 30 days |
Microsoft Entra ID | $6 – $12 | ❌ | ✅ |
*$1,500 annual contract minimum.
How to select the right MFA plan?
An MFA solution that is sufficient for individual usage may not be suitable for a large enterprise with several customers, partners, and business consumers. It is critical to address how the solution fits your organization’s structure and specific use cases. For example:
- Simple use case: If you are an individual user or a small company looking for a lightweight solution that asks you to enter a code sent to your email, you can choose an MFA tool with a free basic plan, such as LastPass or Cisco Duo.
- Complex use case: If your organization needs to tackle more complex multi-factor authentication (MFA) challenges, you should look into solutions like Okta Workforce Identity Cloud, which includes enterprise-level capabilities such as:
- Lifecycle management: automates user provisioning and de-provisioning processes.
- Privileged access management (PAM): provides elevated access for critical systems and manages permissions for sensitive resources.
For more, see our data-driven research about MFA:
Okta Workforce Identity Cloud
Okta Workforce Identity Cloud uses suite-based per-user pricing with a $1,500 annual contract minimum. Volume discounts apply for organizations managing 5,000+ users.1
Starter Suite ($6/user/month) provides the foundation for identity management, including:
- Single sign-on (SSO) across cloud and on-premises applications
- Multi-factor authentication (MFA)
- Universal Directory
- Workflows (5 flows)
Essentials Suite ($17/user/month) adds advanced capabilities for growing organizations:
- Adaptive MFA with context-aware policies (location, device, risk level)
- Lifecycle management (automated user provisioning and de-provisioning via SCIM)
- Access governance (access certification campaigns, entitlement management)
- Privileged access (just-in-time access to critical infrastructure)
- Workflows (50 flows)
Core services
Professional and Enterprise Suites: Custom pricing. Include all Essentials features plus Device Access, Identity Threat Protection with Okta AI, Identity Security Posture Management, and sandbox environments. Contact Okta for a quote.
Add-on modules available separately across all tiers:
- Identity governance ($9–$11/user/month): Access certifications, SCIM lifecycle management, and audit campaigns.
- Identity threat protection (from $4/user/month): Session risk detection using ML models, AWS/Azure/GCP server access, and security risk dashboards.
- Workflows (from $4/user/month for up to 50 flows): No-code automation for provisioning, de-provisioning, and access revocation workflows integrated with third-party platforms.
LastPass
LastPass uses tiered pricing for individuals through enterprises. A free version is available with core password management features.2
Security context: In November 2025, the UK Information Commissioner’s Office fined LastPass UK Ltd £1,228,283 for insufficient technical controls following the 2022 breach. A class action settlement of $24.5 million was reported in February 2026, with $16 million set aside for cryptocurrency theft losses linked to cracked vault data from that incident.3 Organizations should factor this history into their vendor evaluation.
Free plan
Free users receive:
- Device-specific access (one device type: desktop or mobile)
- One-to-one password sharing
- Encrypted password vault
- Password generator
- Multi-factor authentication via the LastPass Authenticator app
Paid plans
Comparison for price (billed annually), number of users, add-ons, and MFA bundle:
*Enhanced MFA includes:
- Adaptive MFA allows trusted devices to log in with minimal friction by stepping up (increasing) or stepping down (decreasing) the authentication process based on the user’s context while adding extra layers of security for unusual or suspicious activity.
- Passwordless login (use of face/fingerprint for authentication).
- Contextual policies (including geofencing, recovery, and authentication policies).
Comparison of multifactor authentication (MFA) capabilities:
All plans, including Free, Premium, Families, Teams, and Business, allow users to use the mobile app, leverage 2FA, and provide MFA for the password Vault.
1Password
1Password offers personal and business plans. All plans include client-side encryption data is encrypted before transmission to 1Password servers, meaning the company cannot access stored credentials.4
Personal plans (monthly billing)
Individual ($3.99/user/month):
- Password generator, login autofill, cross-device sync
- Watchtower security breach checker
Families ($6.95/month for up to 5 users):
- All Individual features, plus family vault management and account recovery
Business plans
Teams Starter Pack ($19.95/month flat for up to 10 users):
- Password sharing, security alerts, 1Password Developer tools, self-service onboarding
Business ($9.99/user/month):
- All Teams Starter features plus:
- Integrations with identity providers: Okta, Microsoft Entra ID, OneLogin, Duo
- Customized reporting and granular admin controls
- End-to-end encryption
Enterprise (custom, volume-based):
- All Business features plus dedicated account manager, onboarding and customer success support for accounts with 75+ users, and employee training programs
Cisco Duo
Cisco Duo uses tiered per-user pricing. Each plan builds on the previous tier.5
Free plan
Supports up to 10 users. Covers basic MFA (code entry, security question, fingerprint) to protect against credential theft and account takeover.
Essentials plan – $3/user/month
For small to medium-sized organizations. Adds:
- Phishing-resistant authentication: FIDO2 authenticators to block MFA bypass via phishing
- Passwordless login: Authentication via Duo Mobile or FIDO2 hardware keys
- Single sign-on (SSO): Single credential to access multiple applications
Advantage plan – $6/user/month
For organizations requiring risk-based security:
- Device health monitoring: Checks device security posture (patch level, configuration) before granting access
- Risk-based authentication: Dynamically adjusts authentication requirements in real time based on risk signals
Premier plan – $9/user/month
For enterprises requiring the highest security tier:
All Advantage features included
- ML-based threat detection: Machine learning monitoring for ongoing attack attempts
- Secure remote access without VPN: Private resource access via Duo Network Gateway
Microsoft Entra ID
Microsoft Entra ID offers three paid plans and a free plan included with Microsoft cloud subscriptions (Azure, Microsoft 365).6
Microsoft Entra ID P1
Microsoft Entra ID P1 (formerly Azure Active Directory P1) costs $6.00 per user/month. It is available as a standalone solution or as part of Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small and medium businesses. Key features include:
Microsoft Entra ID Free
Included with Microsoft Azure and Microsoft 365 subscriptions. Covers:
- MFA, SSO across SaaS applications, basic reporting
- Self-service password reset for cloud users
- On-premises Active Directory synchronization
- User and group management in the cloud
Microsoft Entra ID P1 – $6/user/month
Available standalone or as part of Microsoft 365 E3 (enterprise) and Microsoft 365 Business Premium (SMB). Adds to Free:
Group management: Dynamic groups (auto-assign users based on attributes), group expiration, and group classification labels (Confidential, Internal, Public).
Cross-tenant collaboration: Cross-tenant user sync and multitenant organization management.
Session lifetime management: Configurable session timeouts and conditional policies for sensitive applications.
Global password protection: Custom banned password lists, on-premises AD password policy synchronization.
Self-service: User-initiated password reset/change and sign-in activity reporting.
Security reports: Suspicious login attempt reporting, MFA usage, group membership, and app usage analytics.
Microsoft Entra ID P2 – $9/user/month
Includes all P1 features, plus:
- Identity governance: Access certification campaigns and periodic access reviews
- Entitlement management: Administers user access privileges
- Privileged identity management (PIM): Controls and monitors privileged user activity
Microsoft Entra Suite – $12/user/month
Combines network access, identity protection, governance, and verification. Includes all P1 and P2 features, plus:
- ML-assisted access certifications: Automated review recommendations
- Face Check: Facial matching verification for high-assurance scenarios
- Internet access: Traffic logging, web category filtering, domain name filtering
- Zero Trust network access (ZTNA): Identity-centric access to private resources without VPN
FAQ
An MFA solution sufficient for individual use may not be appropriate for a large enterprise with employees, partners, and external customers. The right fit depends on organizational structure and specific use cases:
Simple use case: Individual users or small organizations looking for basic code-based MFA can start with a free plan. Cisco Duo covers up to 10 users at no cost. LastPass includes MFA in its free tier.
Complex use case: Organizations managing large user bases across hybrid environments, requiring lifecycle management, privileged access, and risk-based authentication should evaluate Okta Workforce Identity Cloud, which includes: Lifecycle management: Automates user provisioning and de-provisioning.
Privileged access management (PAM): Manages elevated access to critical systems and sensitive resources.
Adaptive MFA adjusts authentication requirements based on contextual parameters including device type, IP address, and user behavior. This allows organizations to reduce friction for trusted users while enforcing stricter controls for anomalous access patterns.
Example trusted user: A user logs in from their regular device during normal business hours. The system matches the device and location to their login history and grants access with password only, without triggering an additional factor.
Example suspicious user: A login attempt arrives with the correct credentials, but from an unfamiliar device running a different operating system than the user’s usual environment. Adaptive MFA detects the mismatch and requires step-up verification before granting access.
Adaptive MFA is available in Cisco Duo Advantage, Okta Essentials Suite, LastPass Business (Enhanced MFA), and Microsoft Entra ID P1 (via Conditional Access).
Further reading
- Top 10 Multi-Factor Authentication (MFA) Solutions
- Top 10 Open Source RBAC Tools Based on GitHub Stars
Reference Links
Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE and NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and resources that referenced AIMultiple.
Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.
He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.
Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
Be the first to comment
Your email address will not be published. All fields are required.