Identity-security provider Okta has released its 2025 Businesses at Work Report, compiling application data from its thousands of client organizations around the world and marking 10 years since the first Businesses at Work report in 2015.
"The business landscape has evolved dramatically, bringing us smartphone saturation, global remote work, a cloud-based lifestyle, and the rise of professional cybercrime," says Okta CEO and co-founder Todd McKinnon in the report introduction. "We've been right there all along, tracking the world's workforces as they invest in new technologies and expand their use of existing ones to keep up with the changing times."
There were some surprising revelations in the Okta data, such as a remarkable number of companies that chose to license best-of-breed solutions even though they had already obtained similar solutions as part of a bundle. And the increase in purchases of compliance platforms has been astonishing.
Some other findings were not so noteworthy: The most popular application in 2015 was Microsoft Office 365, and the most popular one in 2024 was Microsoft (no more Office) 365. The most popular security application was KnowBe4, as anyone who's failed a workplace phishing test could tell you. (Data for the 2025 report was collected from Nov. 1, 2023 through Oct. 31, 2024.)
Let's delve into the details.
Some of the same familiar faces
The top six most popular applications (i.e., those used by the most organizations) among Okta's customer base in 2024 look a lot like the top six from 2015.
We've already mentioned Microsoft 365, which remains unchallenged at the top. Google Workspace (formerly Google Apps) jumped from No. 4 to No. 2 over the past decade, swapping places with Salesforce. Meanwhile, Amazon Web Services rose from No. 6 to No. 3.
But there are a couple of new entries. Zoom is at No. 5, and Atlassian's product suite (Bitbucket, Confluence, Jira, Trello, etc.) is No. 6. And 2015's No. 3 (Box) and No. 5 (SAP Concur) have fallen out of today's Top 15 entirely.
Credit: Okta
From No. 7 down to No. 15, other once-mighty, now-missing apps read like a who's who of the mid-teens: Dropbox, LinkedIn, GoDaddy, Workday, GoToMeeting. They've been replaced by Slack, GitHub and the visual collaboration platform Lucid.
Perhaps most significantly, no security-related applications were in 2015's Top 15, but 2024 had three: the aforementioned KnowBe4, the Mac/iOS management platform Jamf Pro, and Palo Alto Networks' bundle of the GlobalProtect VPN, the Prisma Access SASE/SSE platform and the Cloud Identity Engine.
It also isn't shocking that the average number of applications per Okta client organization has broken the three-digit barrier at 101. It was bubbling around 90 for several previous years, but this is a small uptick.
Somewhat surprising news
Four of the top 10 fastest-growing apps in the 2025 report are related to security or compliance: compliance platform Vanta, with a whopping 72% year-over-year growth; password manager Bitwarden, at 63% YoY; VPN solution TailScale, with 59% YoY; and tied for fourth, spending-tracking platform Ramp and, surprisingly, Uber, both with 56% YoY growth. (The Okta report notes that Uber's "recent drive toward corporate travel seems to be a five-star strategy.")
Credit: Okta
Vanta's compliance-platform rival Drata (an Okta partner) is No. 8; Ramp's rival Zip is No. 6. And it cheers us to see the venerable Autodesk, founded in 1982, at No. 9 with 37% YoY growth. Okta chalks that last one up to a surge in design software overall.
Also interesting is what's changed, and what hasn't changed, among the multi-factor authentication methods used by Okta clients.
In 2015, the most used second factor in MFA was the dreaded security question, like "What was your mother's maiden name?" Thankfully, that's at the very bottom of the Top 10 list of 2024 factors.
Unfortunately, the almost-as-dire SMS texted one-time passcode dropped only two ranks, from No. 2 to No. 4, over the entire past decade. That's just depressing. So is the fact that the equally weak voice call and emailed one-time passcode are Nos. 7 and 8 in the 2024 Top 10. They weren't on the 2015 list at all.
Credit: Okta
We're a little more cheered that Google Authenticator rose from No. 5 to No. 3. It and its fellow open-standards one-time-passcode-generators can be phished, but they're still an improvement over texted codes and security questions.
Now for the good stuff: WebAuthn-compliant factors and Yubikey hardware keys, both phishing-resistant factors, make appearances at Nos. 6 and 9, respectively, for 2024. And Okta's own solutions, as you might expect among Okta customers, have risen a lot: Okta Verify from No. 4 to No. 1, and Okta Verify with Push from No. 8 to No. 2.
Okta Verify FastPass, its passwordless solution, wasn't available in 2015, but it was No. 5 in 2024.
It appears that Okta's own solutions have pushed out rival proprietary MFA solutions. The one-time-password generator Symantec VIP (No. 3 in 2015), the authenticator app Duo Security (No. 6 in 2015) and the OTP-generating physical token RSA SecureID (No. 7 in 2015) don't appear in 2024's Top 10 at all.
Bigger and wealthier companies, as you might expect, have the best protection. Year-over-year growth of Okta Verify FastPass was 69% among Fortune 500 Okta customers, 44% among tech startups, and 52% overall.
There was a similar but smaller pattern with security keys and biometrics: 30% growth among Fortune 500 firms, 21% among tech startups, and 16% overall.
Notably, email notifications were up 21% among startups, but only 10% among Fortune 500 organizations. And most other factors had either anemic or negative growth. This includes Okta Verify with Push, which grew only 3% overall.
The shocking truth
We're quite surprised to see that among Okta's clients, it's not the banking, finance, healthcare or pharmaceutical companies that are most frequently attacked by cybercriminals — or, more specifically, those who had the highest rates of malicious login attempts.
Instead, the natural-resources industries — energy, mining, oil and gas — were the most targeted, with 32% of all authentication attempts classified as threats.
"Power grids and oil, gas, and mining operations are sometimes less digitally secure," notes the Okta report, "and they’ve become popular targets for activists and state-sponsored criminal groups."
Credit: Okta
Far behind in second place was the nonprofit sector, with 18% of attempts deemed malicious. Perhaps the nonprofit sector is perceived as not having strong security protections, but the healthcare industry is as well, and the malicious authentication attempt rate for the healthcare and pharmaceutical sector was only 1.7%.
It could be that healthcare organizations are just not asking for a lot of authentication — or that the pharmaceutical side of the sector is making up the difference with exceptionally strong security.
More significantly, the rate of malicious authentication attempts seems to be growing overall. In this report, the U.S., U.K., Germany and the Netherlands all had rates over 5%. Last year's chart-topper was Israel with 2%, a number that wouldn't even have put in the top five for this year's report.
Only the best
Finally, we've heard a lot in the past several months about the virtues of vendor consolidation and platformization, especially in cybersecurity. Why spend a lot of money on dozens of narrowly focused solutions, the theory goes, when you can save money by buying a few bundles that combine several different tools or limiting your number of vendors?
That sounds logical, but Okta's data points in exactly the opposite direction. It seems that many organizations that can afford it are willing to spring for the best-of-breed solution, even if they already have a tool or application with similar functionality that was obtained as part of a bundle.
As a contrast to one-stop-shopping, Okta calls this "multi-stop shopping." For example, among Okta's customers who use Microsoft 365 customers, large percentages used tools that duplicated an application found in the M365 bundle:
- 50% used AWS, which duplicates Azure
- 48% used Zoom, even though they have Teams
- 40% used Slack, whose functions mirror Teams and Viva Engage
- 26% used Box, when they could have easily used OneDrive
In fact, 48% of Microsoft 365 clients — and 46% of those in the Fortune 500 — also use Google Workspace, which duplicates the most commonly used Office applications but permits easy collaboration.
Microsoft's customer-relationship-management suite, Dynamics 365, doesn't come standard with Microsoft 365, but licensees of the latter can often get a discount on the former. Nonetheless, 48% of Okta clients who have Microsoft 365 use Salesforce instead, a rate that rises to 73% among Fortune 500 companies — 68% of whom also use AWS.
"Among Okta customers deploying Microsoft 365," the report notes, "39% now deploy four or more of our eight featured best-of-breed apps — a number that's consistently grown each year."
Credit: Okta
