TL;DR: Small banks and credit unions remain exposed because passwords, legacy systems, and incomplete MFA coverage still create account takeover paths, while regulators are tightening expectations for stronger authentication across financial services, according to Secret Double Octopus. The real problem is not MFA adoption alone but whether workforce access can be made phishing-resistant across VPN, desktops, and legacy applications.
At a glance
What this is: This is an analysis of why small financial institutions remain vulnerable to credential-driven compromise even when MFA is in place, with phishing-resistant authentication and legacy application coverage identified as the key gap.
Why it matters: It matters because IAM, PAM, and identity governance teams must close gaps across human access, VPNs, and legacy apps before attackers turn weak authentication into regulatory and operational exposure.
By the numbers:
- 80% of its confirmed data breaches are linked to weak or stolen passwords.
- Starting November 1st 2025, all covered entities are required to use MFA for any individual accessing any of its information systems.
👉 Read Secret Double Octopus' analysis of phishing-resistant MFA for credit unions and small banks
Context
Passwords remain a weak point in workforce identity because once a credential is stolen, the attacker inherits the same access path a legitimate user would use. In financial services, that risk is amplified by legacy banking platforms, VPN access, and partial MFA rollouts that protect some channels but not all of them.
The primary identity problem here is not authentication in isolation. It is whether an organisation can enforce phishing-resistant verification across every access path, including desktops, remote access, and older applications that were never designed for modern identity controls.
Key questions
Q: How should financial institutions roll out phishing-resistant MFA without breaking legacy systems?
A: Start by segmenting access paths instead of treating the workforce as one login population. Protect VPN, admin, and high-risk financial workflows first, then add brokered or adapter-based controls for legacy applications that cannot natively support passwordless sign-in. The goal is consistent assurance across every path, not a uniform UI.
Q: Why do weak passwords still matter when MFA is already deployed?
A: MFA reduces risk only when the second factor is genuinely resistant to phishing and replay. If passwords remain the first step, attackers can still harvest credentials, steal sessions, or exploit recovery flows. In practice, incomplete coverage and weak fallback paths let one compromised password become a working entry point.
Q: What breaks when MFA covers cloud apps but not VPN and legacy desktops?
A: The control breaks at the weakest path because attackers do not need to defeat every login route. If one environment still allows password-based entry or weaker fallback authentication, that path becomes the preferred intrusion point. Partial MFA creates an inconsistent trust boundary that is easy to exploit.
Q: Who is accountable when old credentials remain active after offboarding?
A: The accountable teams are IAM, application owners, and identity governance functions together, because offboarding is a lifecycle control, not a one-time IT task. If former employee access remains valid, the organisation has failed to couple joiner-mover-leaver processes with revocation and verification of downstream access.
Technical breakdown
Why passwords still create account takeover risk
Passwords remain effective for attackers because they are reusable, phishable, and often shared across access paths that were never designed for strong identity proofing. When a system accepts a password as the first factor, the attacker only needs one successful harvest or reuse event to move into the environment. In small financial institutions, that risk is compounded by outsourced services, remote access tools, and legacy applications that preserve old login patterns long after the organisation has modernised elsewhere.
Practical implication: inventory every access path that still accepts password-based entry and treat it as an account takeover exposure, not just an authentication inconvenience.
Phishing-resistant MFA and NIST AAL3 expectations
Phishing-resistant MFA changes the assurance model by making the authenticator itself resistant to interception, replay, and proxy attacks. NIST AAL3 is the relevant benchmark when organisations want stronger proof that the person or subject at the point of login is the intended user. The practical issue for financial institutions is not whether MFA exists, but whether the deployed method can survive modern phishing kits, session hijacking, and credential replay across VPN and desktop entry points.
Practical implication: measure authentication strength by phishing resistance and assurance level, not by MFA presence alone.
Legacy applications and incomplete MFA coverage
Legacy banking applications often predate SSO and passwordless design, which means they force organisations into partial controls. Teams may secure cloud apps while leaving desktops, VPN, or older line-of-business systems on weaker flows, creating a fragmented identity perimeter. That fragmentation is where attackers look for the weakest path, especially when an external dependency, such as a third-party firewall or old platform integration, exposes residual credentials that remain valid after patching or offboarding.
Practical implication: map which systems still depend on legacy authentication flows and prioritise them for adapter-based or brokered phishing-resistant access.
Threat narrative
Attacker objective: The attacker wants durable access to financial institution systems and customer data by turning weak or stale authentication into legitimate-looking entry.
- Entry begins when attackers obtain valid credentials or authentication material through password theft, exposed VPN access, or residual login secrets that remain usable after a vulnerability is patched.
- Escalation follows when those credentials let the attacker enter internal systems, maintain access after slow credential resets, or continue using accounts after employment has ended.
- Impact occurs when legitimate-looking access is used to reach customer records, personal data, and other regulated information at scale.
Breaches seen in the wild
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
- CI/CD pipeline exploitation case study — full server takeover via exposed .git directory and mismanaged CI/CD pipeline secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishing-resistant MFA is now a baseline control problem, not a premium capability. Passwords continue to act as the hinge point for account takeover because they are easily reused, phished, and replayed. In financial services, that weakness matters more because regulated access paths, customer data, and third-party connectivity converge on the same identity controls. The practitioner conclusion is straightforward: if authentication still depends on password recoverability, the environment remains vulnerable.
Legacy application coverage is where MFA programmes usually fail operationally. Cloud apps are often the first to receive stronger controls, but desktops, VPN, and older banking systems are where real residual exposure persists. That creates a policy illusion: the organisation can say MFA exists while the attacker still has a working path through the least modern system. The practitioner conclusion is to evaluate control coverage by access path, not by product rollout.
Credential persistence after patching or offboarding is a lifecycle failure, not just an incident detail. When VPN secrets, user accounts, or former employee credentials remain usable, the issue is lifecycle governance, not only authentication design. The governance gap is that access outlives the reason it was granted. The practitioner conclusion is to tie authentication hardening to joiner-mover-leaver enforcement and revocation discipline.
Universal access assurance is the named concept this article exposes. Organisations can no longer treat MFA as secure if some channels are strong and others are still password-mediated. Assurance collapses whenever one pathway can bypass the intended standard, because attackers only need the weakest authenticated route. The practitioner conclusion is to govern assurance at the system-of-access level, not at the application-by-application marketing level.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a deeper look at attack patterns and control failure, review the 52 NHI breaches Report alongside this authentication risk analysis.
What this signals
Phishing-resistant access will keep expanding from high-risk users into whole-workforce policy. Financial institutions are being pushed to prove that authentication is resilient across every access path, not just the ones easiest to modernise. For teams still carrying legacy applications, the programme signal is clear: treat authentication coverage as a control map, not a product deployment.
Credential lifecycle failures and human login weaknesses are converging into the same governance problem. When former employee accounts, stale VPN secrets, or password fallback routes remain active, the organisation is depending on exceptions that attackers can operationalise. Identity teams should expect audits to focus more heavily on revocation evidence, assurance consistency, and access-path completeness.
Universal access assurance becomes the practical benchmark for mature IAM programmes. If one channel can still accept weaker authentication, the enterprise trust model is only as strong as that exception. Teams that use a control baseline tied to phishing resistance, legacy coverage, and revocation discipline will have a defensible story for both security and compliance.
For practitioners
- Map every workforce access path Catalogue desktops, VPN, cloud apps, and legacy banking systems separately, then record which ones still allow password-led authentication or fallback flows.
- Prioritise phishing-resistant MFA for high-risk entry points Move first on VPN, remote admin, and finance-user access where credential theft produces the fastest path to sensitive systems and regulated data.
- Remove stale credentials on a lifecycle clock Tie offboarding, contractor exit, and role changes to immediate revocation checks so old credentials cannot remain valid after the business relationship changes.
- Use AAL3 as the assurance target Benchmark authentication methods against phishing resistance and assurance strength, then document where current flows fall short of NIST AAL3 expectations.
Key takeaways
- Passwords remain a persistent attack surface because they can still be harvested, reused, or left active after business changes.
- The evidence points to partial control coverage as the real problem, especially where legacy systems and VPN access create weaker authentication paths.
- Financial institutions should treat phishing-resistant MFA, lifecycle revocation, and legacy coverage as one governance issue, not separate projects.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | The article centers on stronger authenticator requirements and phishing resistance. |
| NIST CSF 2.0 | PR.AC-1 | Access control and identity proofing are the core governance issues in this article. |
| NIST SP 800-53 Rev 5 | IA-2 | Identification and authentication requirements directly relate to the MFA rollout problem. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is relevant where MFA coverage is incomplete across systems. |
| GDPR | Art.32 | The post discusses access to personal data held by financial institutions. |
Treat strong authentication as part of personal data security under Art.32 when sensitive records are accessible.
Key terms
- Phishing-resistant MFA: Phishing-resistant MFA is multi-factor authentication designed to prevent credential interception, replay, and proxy attacks. In practice, it relies on authenticators that bind the login to the intended session or device, reducing the chance that stolen passwords can be converted into usable access.
- Legacy authentication flow: A legacy authentication flow is a login path built for older applications or infrastructure that cannot natively support modern identity controls. These flows often preserve passwords, fallback prompts, or partial MFA, which creates weaker assurance and more exposure than the rest of the environment.
- Assurance level: An assurance level is the confidence an organisation can place in an authentication event. For identity teams, the question is not simply whether a user logged in, but how strongly the system verified that the authenticating party was the intended subject and not an attacker.
- Lifecycle revocation: Lifecycle revocation is the process of removing access when a user, contractor, or role no longer justifies it. It is a governance control, not a single technical action, and it depends on joiner-mover-leaver discipline, downstream system updates, and verification that old credentials cannot still authenticate.
What's in the full article
Secret Double Octopus' full post covers the operational detail this post intentionally leaves for the source:
- How the vendor positions phishing-resistant MFA across applications, desktops, and VPN for financial services environments.
- Why older Fiserv and Jack Henry deployments create implementation constraints for passwordless authentication.
- How the vendor frames audit and regulatory expectations for NYDFS, FFIEC, and GLBA-aligned identity controls.
- The user-experience and help desk implications of removing password-related authentication steps.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.
Published by the NHIMG editorial team on 2026-01-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org