
Why Anaplan is requiring multi-factor authentication

Identity attacks are the number one entry point for enterprise breaches.


Passwords have protected enterprise systems for decades. They were the logical choice in a world built around fixed office networks, on-premises infrastructure, and a relatively contained set of users accessing systems from known locations. That world no longer exists.

Today, enterprise workforces are distributed, cloud platforms have replaced traditional data centers, and the attack surface has expanded dramatically. In this environment, the password, when used as a sole line of defense, is no longer sufficient. The data is unequivocal: compromised credentials remain one of the leading causes of enterprise security incidents year after year. The question is no longer whether identity-based attacks pose a serious threat, but how organizations respond to that reality.

For enterprise SaaS platforms, the answer is increasingly clear: multi-factor authentication is not a premium security feature but a baseline requirement. Accordingly, multi-factor authentication will now be required for all Anaplan users who rely on basic authentication.

Identity is the new security perimeter

For years, enterprise security strategy was organized around the network perimeter. The logic was straightforward: build a strong enough wall around your infrastructure, and you control what gets in and what gets out. Firewalls, VPNs, and perimeter-based defenses were the primary tools of the trade.

That model has been fundamentally disrupted. As organizations moved to cloud-first architectures, expanded remote and hybrid workforces, and built ecosystems of API integrations between platforms, the network boundary effectively dissolved. There is no longer a single, defensible perimeter to protect. Data moves. Users move. Access happens everywhere.

What has not moved is identity. In a distributed enterprise environment, identity has become the primary control point for security. Access to enterprise systems, data, and workflows is now determined not by where a user is sitting, but by who they can prove they are.

This shift is further accelerated by the emergence of AI agents as a new class of identity. Autonomous agents increasingly act on behalf of users, executing workflows, accessing data, and making decisions across systems. Each agent represents a new identity that must be authenticated, governed, and controlled.

AI is not only changing how enterprises operate; it is changing how they are attacked. For years, the window between a vulnerability being disclosed and it being weaponized at scale was measured in weeks. AI has compressed that window to hours. More recently, developments like Anthropic's Claude Mythos (a model which Anthropic has provided only through a restricted-access program because of concerns about its advanced cyber capabilities) signal that we are entering a new era of AI-driven threats. Evaluated by the UK's AI Safety Institute, Mythos demonstrated the ability to complete expert-level cybersecurity attack tasks with a success rate that no previous model had achieved. The implications for enterprise defenders are significant: the tools available to threat actors are advancing faster than most security programs are built to absorb. Foundational controls like MFA are not just good hygiene in this environment; they are a critical line of defense against attacks that are becoming increasingly automated, adaptive, and difficult to detect.

The data makes this unmistakably clear. According to the Verizon 2025 Data Breach Investigations Report, credential compromise remains the number one initial access vector for breaches, with 88% of attacks against web applications involving stolen credentials. The Identity Defined Security Alliance (IDSA) found that 90% of organizations experienced at least one identity-related incident in the past year, with stolen credentials identified as a leading cause. These are not edge cases. They are the dominant pattern of enterprise attack in 2025.

Zero trust — the principle of "never trust, always verify" — is the security framework built for this reality. And MFA is one of its most foundational mechanisms.

MFA is becoming the enterprise standard

The security industry has been signaling this shift for years, and the signal is now impossible to ignore.

Regulators and government agencies, including the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), as well as data protection authorities across Europe and Asia-Pacific, have consistently identified multi-factor authentication as a core control for protecting user access. Major enterprise security frameworks and compliance standards now either strongly recommend or explicitly require it. Across the SaaS industry, leading platforms have moved from offering MFA as an optional feature to making it a condition of doing business at the enterprise level.

This is not a coincidence. It reflects a shared recognition across the security community that password-only authentication represents an unacceptable level of risk in modern enterprise environments. Identity attacks — credential stuffing, phishing, and account takeovers — have become sophisticated, scalable, and alarmingly effective. MFA directly disrupts these attack patterns by ensuring that a stolen or guessed password alone is not enough to gain access.

The major security frameworks have made this expectation explicit. NIST 800-53 identifies MFA as a baseline control for information systems handling sensitive data. ISO 27001 requires organizations to manage access through verified identity controls as part of a certified information security management system. SOC 2 — the benchmark audit standard that enterprise procurement teams rely on when evaluating SaaS vendors — treats MFA as a core component of the access control criteria auditors assess. These frameworks do not treat MFA as aspirational; they treat it as expected.

The consequences of inaction are no longer theoretical. In 2024, multiple high-profile breaches affecting major SaaS platforms were traced to accounts protected only by usernames and passwords, without enforced multi-factor authentication. In these cases, attackers did not need to defeat complex technical defenses. They authenticated successfully using compromised credentials; they simply walked through an unlocked door.

Anaplan's commitment to strong security

Anaplan has long invested in a security architecture built for the demands of enterprise customers. Our approach to identity and access management has always been grounded in the same principles that govern our broader platform: zero trust, least-privilege access, and rigorous auditability of every interaction.

That commitment extends well beyond policy. Our security team operates around the clock, monitoring our platform continuously, drawing on active threat intelligence to stay ahead of emerging attack patterns, and conducting regular testing to validate that our defenses hold under real-world conditions. We engage expert third parties to challenge our assumptions, probe our architecture, and independently verify our controls. And as the threat landscape evolves, so does our approach. We are deliberate about adopting proven innovation early, not waiting for the industry to force our hand. This is not a reactive security posture. It is an operational discipline built over years.

Requiring MFA for all Anaplan users is the next step in that commitment.

Over the coming months, we will be making MFA available across all customer accounts, with a mandatory requirement that will be phased in. If you currently access Anaplan using basic authentication (a username and password without a second factor), this change applies to you, and we encourage you to begin transitioning now. If your organization already authenticates through single sign-on (SSO), your existing setup is not affected by this requirement.

