Listed MFA pricing and plans vary based on several factors, which increases the costs:
- Number of users: The size of the user base.
- Single sign-on (SSO): The size of users who can log in with an SSO ID to several systems.
- Number of additional services: Threat detection, granular admin controls, and end-to-end encryption.
- Adaptive MFA capabilities: Dynamic authentication based on contextual factors like device type, IP address, and user behavior.
| Vendor | Price (user/month) | Free basic plan | Free trial |
|---|---|---|---|
| ManageEngine ADSelfService Plus | $245 – $5,920 (100 users) | ✅ (50 users) | ✅ – 30 days |
| Okta Workforce Identity Cloud* | Custom pricing: | ✅ (With Microsoft cloud subscriptions) | ✅ – 30 days |
| LastPass | €2.90 – €6.50 (billed annually) | ✅ | ✅ – 30 days |
| 1Password | $3.99 – $19.95 | ❌ | ✅ – 14 days |
| Cisco Duo | $3 – $9 (10+ users) | ✅ (1-10 users) | ✅ – 30 days |
| Microsoft Entra ID | $6 – $12 | ❌ | ✅ |
*$1,500 annual contract minimum.
How to select the right MFA plan?
An MFA solution that is sufficient for individual usage may not be suitable for a large enterprise with several customers, partners, and business consumers. It is critical to address how the solution fits your organization’s structure and specific use cases. For example:
- Simple use case: If you are an individual user or a small company looking for a lightweight solution that asks you to enter a code sent to your email, you can choose an MFA tool with a free basic plan such as LastPass or Cisco Duo.
- Complex use case: If your organization needs to tackle more complex multi-factor authentication (MFA) challenges, you should look into solutions like Okta Workforce Identity Cloud, which includes enterprise-level capabilities such as:
- Lifecycle management — automates user provisioning and de-provisioning processes.
- Privileged access management (PAM) — provides elevated access for critical systems and manages permissions for sensitive resources.
For more see our data-driven research about MFA:
ManageEngine ADSelfService Plus
ManageEngine ADSelfService Plus is available in free (for 50 users), standard, and professional plans. For the standard and professional plans the minimum number of domain users should be 100. These models are based on annual subscriptions (or custom quotes).
The total annual cost for:
- Standard plan (100 users) ranges between $245 – $5,920.
- Professional plan (100 users) ranges between $345 – $6,120.
Here’s a comparison of the standard and professional editions of ADSelfService Plus:
| Feature | Standard | Professional |
|---|---|---|
| Self-service password reset | ✅ | ✅ |
| Password and expiration notifier | ✅ | ✅ |
| Password synchronizer | ✅ | ✅ |
| Directory update | ✅ | ✅ |
| Password reset using iOS and Android app as well as mobile browser | ❌ | ✅ |
| Password reset from Windows/macOS/Linux login screens | ❌ | ✅ |
| Conditional access | ❌ | ✅ |
| Number of authenticators | 8 | 20 |
| Failover and secure gateway | Add-on ($395) | Add-on ($395) |
| SMS | Add-on ($595) | Add-on ($595) |
You can also purchase MFA support for $195 per endpoint (applicable for standard and professional plans). Supported environments:
- Windows, macOS (including offline MFA), and Linux
- VPN and other network endpoints using RADIUS
- OWA and other IIS web applications
Okta Workforce Identity Cloud
Okta requires a baseline annual contract of $1,500, volume discounts are available for enterprises managing over 5,000 users. Okta Workforce Identity Cloud has a pay-per-user model pricing for different service tiers:
- Core services include single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and API access management, each priced separately.
- Enterprise-grade services include core services and additional capabilities such as identity governance and identity threat protection.
In addition to core and enterprise-grade services users can purchase workflow access to all starting at $4 per user per month up to 50 flows. Accessing workflows will enable you to:
- Automate complex processes: Build no-code workflows for identity management tasks.
- Implement automated actions like provisioning, de-provisioning, and access revocation to reduce human error.
- Integrate Okta Workforce Identity Cloud with third-party applications and services, including ticketing platforms, and IT management tools.
Core services
| Service | Price (user/month) | Details |
|---|---|---|
| Single sign-on (SSO) | $2 | Unified login across multiple systems. |
| Multi-factor authentication (MFA) | $3 | Basic MFA for added security. |
| Adaptive MFA | $6 | Context-based authentication (location, device). |
| Universal directory | $2 | Centralized user directory. |
| Lifecycle management | $4 | Automates user provisioning and deprovisioning. |
| API access management | $2 | Secures API integrations with customizable authorization servers. |
| Device access | $4 | Enforces secure device usage for Windows and MacOS. |
Enterprise-grade services
Identity governance: Pricing ranges from $9–$11/user/month. This service ensures compliance and governance with customizable limits. Key features include:
- Access certifications to create audit campaigns to review your users’ access to resources periodically.
- Lifecycle management with System for Cross-domain Identity Management (SCIM), an open standard that simplifies cloud identity management and allows user provisioning to be automated across multiple domains.
Identity threat protection: Starts at $4/user/month. This service detects and prevents identity-based threats. Key features include:
- AWS, Azure, GCP, on-premise server access, threat sharing across extended detection and response, and cloud Access Security Brokers (CASBs).
- Security risk dashboards that provide insights into potential risks with visualized data.
- Session risk detection (ML models for session hijacking).
- Context-aware device and IP protection by analyzing device and IP context.
LastPass
LastPass uses a tiered pricing model to address the varying needs of its users, from individuals to enterprises. In addition to its paid plans, LastPass offers a free version, designed for basic users who need essential password management features.
Free plan
Free version users gain access to:
- Device-specific access: Users can choose one device type (either desktop PC/Mac or mobile) for managing passwords.
- One-to-one password sharing: Enables secure sharing of individual passwords with another trusted person.
- Encrypted vault: A secure repository to store and manage site passwords and secure notes.
- Password generator: Creates unique passwords.
- Multifactor authentication (MFA): Adds an extra layer of security, including the use of the LastPass Authenticator for account access.
Paid plans
Comparison for price (billed annually), number of users, add-ons, and MFA bundle:
| Plan | Price (user/month) | # of users | Add-ons | MFA bundle |
|---|---|---|---|---|
| Free | Free | 1 | ❌ | ❌ |
| Premium | €2.90 | 1 | ❌ | ❌ |
| Families | €3.90 | 6 | ❌ | ❌ |
| Teams | €3.90 | 50 | ❌ | ❌ |
| Business | €6.50 | No limit | SSO (€2.00/user/month) | Enhanced MFA (€3.00/user/month)* |
*Enhanced MFA includes:
- Adaptive MFA allows trusted devices to log in with minimal friction by stepping up (increasing) or stepping down (decreasing) the authentication process based on the user’s context while adding extra layers of security for unusual or suspicious activity.
- Passwordless login (use of face/fingerprint for authentication).
- Contextual policies (including geofencing, recovery, and authentication policies).
Comparison of multifactor authentication (MFA) capabilities:
| Plan | Hardware MFA | Authentication for SSO and cloud apps | Contextual authentication policies | Universal proxy |
|---|---|---|---|---|
| Free | ❌ | ❌ | ❌ | ❌ |
| Premium | ✅ | ❌ | ❌ | ❌ |
| Families | ✅ | ❌ | ❌ | ❌ |
| Teams | ✅ | ❌ | ❌ | ❌ |
| Business | ✅ | ✅ | With enhanced MFA | With enhanced MFA |
All plans, including Free, Premium, Families, Teams, and Business, allow users to use the mobile app, leverage 2FA, and provide MFA for the password Vault.
1Password
1Password includes personal plans and business plans. See the pricing comparison for all plans:
| Plan | Monthly payments (user/month) | Support | Best for |
|---|---|---|---|
| Individual | $3.99 | Email support | Individual users |
| Families | $6.95 | Email support | Families up to 5 users |
| Teams Starter Pack | $19.95 | Email support | Small teams up to 10 users |
| Business | $9.99 | Phone support (9–5 PM EST) | Growing organizations |
| Enterprise | Custom pricing | Customer success team | Large-scale enterprises with 75+ users |
Personal plans
Individual plan is $3.99 per user per month (monthly payment). It includes:
- Password generator
- Login autofill and sharing
- Use on all of your devices
- Watchtower security breach checker
Families plan is $6.95 per user per month (monthly payment). It includes all the features of the Individual plan but supports up to 5 users.
Business plans
Teams Starter Pack is ideal for small teams of up to 10 members, this plan is priced at $19.95 per month for up to 10 users. It provides essential features like:
- Password sharing
- Security alerts
- Access to 1Password Developer tools.
The Teams Starter Pack includes self-service onboarding resources and is suitable for smaller organizations.
Business plan is priced at $9.99 per user per month. It is ideal for small to mid-size organizations. The business plan includes all the features of the Teams Starter Pack, along with:
integrations with identity providers like Okta, Entra ID, OneLogin, and Duo
- Customized reporting
- Granular admin controls
- End-to-end encryption
Enterprise plan is designed for large-scale organizations and provides more adaptive and customized MFA security features. Its pricing is custom and volume-based. This plan includes everything from the business plan, along with:
- Account manager
- Onboarding and customer success support for accounts with 75+ users
- Employee training, and extended trial periods for large implementations
Cisco Duo
Cisco Duo offers a tiered pricing. Each plan builds on the last, offering progressively more features, see the comparison for all Cisco Duo plans:
| Feature & price | Free | Essentials | Advantage | Premier |
|---|---|---|---|---|
| Price (user/month) | Free (1-10 users) | $3 | $6 | $9 |
| MFA | ✅ | ✅ | ✅ | ✅ |
| Single Sign-On (SSO) | ❌ | ✅ | ✅ | ✅ |
| Passwordless access | ❌ | ✅ | ✅ | ✅ |
| Device health | ❌ | ❌ | ✅ | ✅ |
| Risk-based authentication | ❌ | ❌ | ✅ | ✅ |
| Threat detection | ❌ | ❌ | ✅ | ✅ |
VPN | ❌ | ❌ | ❌ | ✅ |
Free plan
Organizations looking to implement basic multi-factor authentication (MFA), which requires users to enter a code, answer a secret question, or scan a fingerprint, to protect against credential theft and account takeovers can start with the Free plan, which supports up to 10 users.
Essentials plan
Small to medium-sized businesses can choose the Essentials plan ($3/user/month), which delivers additional features such as:
- Protection against phishing attacks: Block attackers from bypassing MFA using phishing-resistant FIDO2 authenticators.
- Passwordless login capabilities: Log in without a password using Duo Mobile or FIDO2 authenticators.
- Single sign-on (SSO): Log in only once to access multiple applications.
Advantage plan
The Advantage plan ($6/user/month) is tailored for companies needing risk-based security, including features such as:
- Device health monitoring: Check the device’s security posture before granting access. Provide visibility into the security status of devices attempting to gain access.
- Risk-based authentication: Dynamically adjusts authentication requirements in real-time in response to risk signals.
Premier plan
The Premier plan ($9/user/month) is ideal for enterprises seeking high-security measures, it includes all previous features along with:
- Threat detection and machine learning-based monitoring: Detect potential ongoing attack attempts using machine learning-based monitoring.
- Secure remote access without a VPN: Access private resources without a VPN using Duo Network Gateway.
Microsoft Entra ID
Microsoft Entra ID offers 3 paid pricing plans and a free plan for organizations with Microsoft cloud subscriptions such as Microsoft Azure and Microsoft 365. See the comparison of all Microsoft Entra ID plans:
| Plan | Price (user/month) | Features |
|---|---|---|
| Microsoft Entra ID P1 | $6 | Conditional access, hybrid identity support, basic MFA |
| Microsoft Entra ID P2 | $9 | P1 features + identity governance |
| Microsoft Entra Suite | $12 | P1 + P2 features + enhanced identity governance + internet access + zero trust |
Microsoft Entra ID P1
Microsoft Entra ID P1 (formerly Azure Active Directory P1) costs $6.00 per user/month. It is available as a standalone solution or as part of Microsoft 365 E3 for enterprise customers and Microsoft 365 Business Premium for small and medium businesses. Key features include:
Group management:
- Dynamic groups: Automatically assign users to groups based on attributes (e.g., department, role).
- Group expiration: Automatically delete unused groups after a set period.
- Group classification: To enforce compliance and governance, label groups with classifications like “Confidential,” “Internal,” or “Public.”
Cross-tenant user synchronization and multitenant organizations:
- Cross-tenant user sync: Sync user identities between separate tenants for seamless collaboration.
- Multitenant organizations: Allow organizations with multiple tenants to centralize access management.
Session lifetime management:
- Define how long user sessions remain active before reauthentication is required.
- Includes configurations for:
- Session timeout settings.
- Conditional policies (e.g., shorter sessions for sensitive applications).
Global password protection and management:
- Custom banned passwords: Prevent users from setting too common or easily guessable passwords.
- Users synced from on-premises Active Directory: Synchronize on-prem AD password policies with cloud directories to maintain consistency.
Self-service features:
- Password change, and reset: Enable users to reset passwords, or change credentials without IT intervention.
- Sign-in activity search and reporting: Give users visibility into their recent login activity (e.g., location, time).
Security and usage reports:
- Generate reports on:
- Suspicious login attempts
- MFA usage
- Group memberships
- App usage pattern
Microsoft Entra ID P2
Microsoft Entra ID P2 (formerly Azure Active Directory P2) costs $9.00 per user/month and includes all the Microsoft Entra ID P1 features (listed above). Additional features of Microsoft Entra ID P2 include:
- Identity governance
- Access certifications and reviews: Identify and review user access rights.
- Entitlement management: Administers access to user privileges
- Privileged identity management: Control and monitor the activity of privileged users.
Microsoft Entra Suite
Microsoft Entra Suite ($12/user/month) combines network access, identity protection, governance, and verification solutions. It includes all features of P1 / P2 and additional features:
- Enhanced identity governance:
- Machine learning-assisted access certifications and reviews
- Face Check, facial matching verification
- Internet access:
- Traffic logging and policy monitoring
- Web category filtering
- Domain name filtering
- Zero Trust network access solutions:
- Identity-centric Zero Trust network access (ZTNA)
- Adaptive multifactor authentication
- Single sign-on (SSO) access
Microsoft Entra ID Free
Additionally, Microsoft offers a free plan, Microsoft Entra ID Free, which is included with Microsoft cloud subscriptions such as Microsoft Azure and Microsoft 365. Key features include:
- Support multifactor authentication, SSO across all SaaS apps, basic reports, and self-service password changes for cloud users.
- Manage users and groups in the cloud.
- Sync your on-premises directory with the Microsoft Entra ID.
What is adaptive MFA?
Adaptive MFA adjusts authentication requirements based on contextual parameters such as device type, IP address, and user behavior. This enables organizations to adjust authentication procedures to any device that seeks to connect to their apps, maintaining strong security while improving user experience.
Here is an example of user actions that may be evaluated as a trusted user vs. a suspicious user by adaptive MFA:
- Trusted user: A user logs in from their home device during normal business hours. The system recognizes the device and location as matching their previous login patterns. Because the risk is low, adaptive MFA enables the user to access the app using only their password, streamlining the login process and removing unnecessary friction. The user has a smooth and efficient experience, with quick access to the application that does not require any additional authentication steps.
- Suspicious user: A login attempt is made using the correct username and password but on an unfamiliar device running a different operating system than the user’s usual one. The adaptive MFA system recognizes that the login attempt is from a new device and that the browser’s or device’s characteristics do not match the user’s usual profile.
Comments
Your email address will not be published. All fields are required.