By NHI Mgmt Group Editorial TeamPublished 2026-06-29Domain: Governance & RiskSource: Secret Double Octopus

TL;DR: A 2026 survey of 200 IAM leaders at US and Canadian financial organisations found 82% believe current controls can stop account takeover, even as 94% report more phishing, only 28% of workforce MFA is phishing-resistant, and just 15% of authentication flows are passwordless, according to Secret Double Octopus. Confidence is now the blind spot, because legacy coverage and phishable methods leave the sector exposed.


At a glance

What this is: A 2026 survey shows financial firms feel protected against account takeover even as phishing rises, phishing-resistant MFA remains limited, and passwordless adoption stays low.

Why it matters: IAM teams in finance need to treat authentication confidence as a control gap, because partial MFA coverage and phishable methods leave both human and administrative access paths exposed.

By the numbers:

👉 Read Secret Double Octopus's 2026 survey on identity security in financial organisations


Context

Financial identity security is often measured by the controls organisations say they have, not by the attack paths those controls still leave open. In this survey, the gap is between confidence in account takeover protection and the reality of phishable authentication, partial MFA coverage, and legacy systems that remain harder to modernise.

For IAM teams, the issue is not whether MFA exists, but whether it meaningfully resists phishing across the full application estate. The survey points to a sector where control presence is being mistaken for control effectiveness, especially where legacy applications and mixed authentication methods still shape the user experience.


Key questions

Q: What breaks when financial firms rely on MFA that is not phishing-resistant?

A: The control fails at the point attackers target most often, because phishable MFA can still be relayed, approved under pressure, or bypassed through social engineering. In finance, that means account takeover remains viable even when MFA is technically deployed, so coverage metrics can look healthy while real resistance stays weak.

Q: Why do legacy applications create outsized identity risk in financial services?

A: Legacy applications often cannot enforce modern authentication cleanly, which leaves gaps that attackers can target through weaker factors or exceptions. When legacy systems make up a large share of the environment, the gap is structural, not incidental, and it often becomes the easiest route to account compromise.

Q: How can security teams tell whether passwordless is real or just branded MFA?

A: True passwordless removes the password from the authentication flow entirely. If a password still exists behind the scenes, can be recovered, or is used as a fallback, the organisation still carries credential theft risk and should not count that flow as passwordless.

Q: Who is accountable when phishing-resistant MFA remains only partial across a financial estate?

A: Accountability sits with the identity and application owners who approved exceptions, tolerated phishable factors, or allowed legacy coverage gaps to persist. In regulated financial environments, that also creates governance exposure because a control that is incomplete in critical workflows is not operationally sufficient.


Technical breakdown

Phishing-resistant MFA versus phishable MFA

Phishing-resistant MFA uses authenticators that bind the login to the legitimate site or device, such as FIDO2 and other methods that do not expose reusable secrets to an attacker. Phishable MFA, including SMS OTP and push approval, can still be relayed, tricked, or fatigued into approval. The survey’s core message is that many firms count MFA coverage without separating resistant from non-resistant methods, which creates false assurance. In practice, the control name is less important than whether the method can survive modern phishing workflows.

Practical implication: inventory MFA by method, not just by deployment, and retire phishable factors from high-risk finance workflows.

Legacy applications and uneven authentication coverage

Legacy applications are a recurring identity problem because they often lack native support for modern authentication patterns. When legacy systems represent more than half of the environment, a 50% MFA coverage rate in that segment becomes a structural gap, not an edge case. Organisations often end up with layered exceptions, compensating controls, and inconsistent user journeys that attackers can target. This is where authentication architecture and application modernisation collide, and where finance often discovers that policy intent has outpaced technical reality.

Practical implication: map legacy app exceptions separately and prioritise compensating controls where modern MFA cannot yet be enforced.

Passwordless adoption and hidden password dependence

Passwordless means the password is removed from the authentication flow, not merely hidden behind another login step. Many deployments marketed as passwordless still preserve the underlying password, which can remain phishable or recoverable. That matters because the sector’s low passwordless rate means the password remains the anchor for many workforce logins. The practical issue is not user convenience, but whether the authenticating secret can still be stolen and replayed in a phishing campaign.

Practical implication: distinguish true passwordless from password-wrapper approaches when assessing whether credential theft risk has actually been reduced.


Threat narrative

Attacker objective: The attacker’s objective is to take over trusted user accounts and use legitimate access to reach financial systems, data, or transactions.

  1. Entry begins with phishing campaigns that target users through phishable authentication methods such as SMS OTP, push notifications, or password-based login flows.
  2. Escalation occurs when attackers reuse stolen credentials or tricked approvals to authenticate into SaaS or legacy applications where MFA coverage is incomplete or weak.
  3. Impact follows when account takeover succeeds inside financial workflows, enabling fraudulent access, data exposure, or further internal movement under a legitimate identity.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Confidence in account takeover protection is the control problem, not the metric. Financial firms may have MFA, monitoring, and policy language in place, but the survey shows that control presence is being mistaken for control effectiveness. When 82% feel protected while only 28% of MFA is phishing-resistant, the governance failure is epistemic: teams are measuring deployment, not resistance. The practitioner conclusion is that authentication assurance must be evaluated by method quality and coverage gaps, not by checkbox adoption.

Phishing-resistant MFA is the relevant control class for finance, and phishable MFA is a residual risk source. The survey makes clear that SMS OTP and push approval remain common, even as phishing increases across the sector. That means the sector still treats user convenience as an acceptable trade-off in places where identity compromise carries direct financial impact. The practitioner conclusion is to align authenticator choice with attack likelihood, not with migration convenience.

Legacy application exceptions are where identity programmes quietly lose integrity. A 74% average MFA rate for SaaS can coexist with a 50% rate for legacy systems, and that asymmetry is enough to preserve a viable attack path. This is not a minor gap because more than half of the sector’s applications and infrastructure are legacy. The practitioner conclusion is that legacy exceptions must be governed as a risk class, not absorbed into aggregate identity reporting.

True passwordless adoption is still too limited to change the sector’s threat model. Only 15% of workforce authentication flows are passwordless, which means the password remains the dominant fallback secret in most environments. That leaves organisations exposed to phishing, credential replay, and recovery-path abuse even where MFA is present. The practitioner conclusion is that passwordless has to be defined precisely, or programme reporting will overstate actual reduction in credential risk.

From our research:

  • 94% of financial firms report more phishing, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • The same research shows 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is why identity confidence and identity visibility cannot be treated as separate problems.

What this signals

Financial services teams should expect account takeover defences to be judged less by policy adoption and more by method-level resistance, especially as phishing pressure continues to rise. The governance shift is toward proving that critical journeys use resistant authenticators, not just reporting that MFA exists.

Authentication assurance debt: this is the gap that appears when organisations count coverage while phishable methods remain in place. For finance, the practical response is to replace aggregate identity reporting with control evidence tied to specific applications, recovery paths, and legacy exceptions.


For practitioners

  • Map authentication by method, not just by coverage Separate phishing-resistant MFA from phishable factors in every workforce and administrative flow, then report the results by application family and user population. Use the inventory to expose where a control exists on paper but not in attack-resistant form.
  • Prioritise legacy applications as the highest-risk exception set Create a distinct remediation track for legacy apps that cannot support modern authentication, and track compensating controls until full replacement or upgrade is feasible. Do not average these systems into enterprise-wide MFA metrics.
  • Validate passwordless claims against actual secret removal Confirm whether the password has been eliminated from the authentication flow or only hidden behind another factor. If the secret still exists, treat the flow as password-dependent and therefore still phishable.
  • Rebuild account takeover reporting around attacker paths Measure how many identity journeys can still be reached through phishing, credential replay, or approval fatigue, then use that view to set remediation priorities for high-impact financial workflows.

Key takeaways

  • Financial firms are overestimating account takeover protection because control presence is being confused with control resistance.
  • The survey shows a sector where phishing is up, phishing-resistant MFA is limited, and passwordless adoption remains too low to change the attack model.
  • The fastest risk reduction comes from method-level inventory, legacy exception governance, and precise validation of true passwordless flows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BAuthentication assurance and phishing resistance are central to this survey.
NIST Zero Trust (SP 800-207)Zero Trust requires stronger identity verification than phishable factors provide.
NIST CSF 2.0PR.AC-7Identity assurance and authentication management are directly implicated by the survey.
NIST SP 800-53 Rev 5IA-2Identification and authentication controls govern the MFA and passwordless issues raised here.

Treat each authentication flow as a trust decision and remove weak methods from high-risk paths.


Key terms

  • Phishing-Resistant MFA: Multifactor authentication that cannot be easily relayed, tricked, or reused by an attacker using a fake login page or social engineering. In practice, this usually means the authenticator is bound to the legitimate domain or device, making account takeover much harder than with SMS or push-based methods.
  • Passwordless Authentication: An authentication flow that removes the password from the login process entirely instead of simply hiding it from the user. The practical security value depends on whether the underlying secret is truly eliminated, because a password that still exists can still be stolen, reset, or abused in phishing paths.
  • Legacy Application Exception: A deliberate allowance for an older application that cannot support modern identity controls without additional engineering or replacement work. These exceptions matter because they often become the places where MFA coverage weakens, control consistency breaks down, and attackers find the easiest route into the environment.
  • Account Takeover: A compromise where an attacker gains control of a legitimate user account and uses it as if they were the authorised user. In identity programmes, account takeover is especially dangerous because it blends into normal activity and can bypass controls that focus only on login success.

What's in the full report

Secret Double Octopus's full report covers the operational detail this post intentionally leaves for the source:

  • Breakdowns of authentication methods by organisation size, which help teams benchmark where phishable factors remain concentrated.
  • Detailed legacy application findings that show how MFA coverage changes under real architectural constraints.
  • Adoption obstacles by job seniority, useful when planning remediation ownership across IAM, architecture, and operations.
  • The report's full confidence-gap analysis, which is the most useful material for board reporting and programme prioritisation.

👉 The full Secret Double Octopus report breaks down MFA coverage, legacy exposure, and confidence-gap findings in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org