TL;DR: Financial-services identity security is being reshaped by MFA compliance pressure, phishing-resistant authentication, and passwordless adoption, with the source report surfacing where current controls still fall short across regulated environments. The practical issue is not whether MFA exists, but whether it meaningfully resists phishing and scales across real workforce and contractor workflows.
NHIMG editorial — based on content published by Secret Double Octopus: New Report on 2026 state of identity security in finance
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should financial services teams implement phishing-resistant MFA at scale?
A: Start by replacing weak second factors with methods that resist phishing and replay, then remove fallback paths that undermine them.
Q: Why do organisations still fail MFA compliance even when MFA is deployed?
A: Because deployed MFA can still rely on weak authentication methods, inconsistent enrollment, or insecure recovery.
Q: What do security teams get wrong about passwordless authentication?
A: They often treat passwordless as a sign-in upgrade instead of a governance change.
Practitioner guidance
- Map authentication to attack resistance Review whether your current MFA methods resist phishing, replay, and session theft under realistic attack conditions, not just audit criteria.
- Inventory recovery and exception paths Document every password reset, device recovery, and alternate login path, then score each one for identity assurance loss.
- Tie passwordless rollout to lifecycle controls Do not evaluate passwordless in isolation.
What's in the full report
Secret Double Octopus's full report covers the operational detail this post intentionally leaves for the source:
- Sector-specific findings on MFA compliance pressure across financial-services environments.
- Practical discussion of passwordless and phishing-resistant authentication in regulated identity programmes.
- The report's own framing of standards, regulations, and authentication expectations for finance teams.
- Additional source context on authentication, access management, and the finance identity stack.
👉 Read Secret Double Octopus's report on identity security gaps in finance →
Finance MFA compliance gaps: what identity teams need to fix?
Explore further
Phishing-resistant authentication is the real control boundary, not MFA adoption itself: In regulated finance, the difference between a checked box and a resilient identity programme is whether the authentication method can survive phishing, replay, and token theft. MFA that still allows weak fallback flows leaves the organisation exposed to the same account takeover paths it claims to control. Practitioners should treat assurance level, not MFA presence, as the governing standard.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, a reminder that identity trust failures turn into measurable loss quickly.
A question worth separating out:
Q: Who is accountable when finance authentication controls fail?
A: Accountability sits with the identity, security, and risk owners who approve the authentication design, recovery model, and exception handling. Regulators care less about brand names than whether the control prevented unauthorized access and whether the organisation can prove governance across the lifecycle.
👉 Read our full editorial: Identity security in finance is colliding with MFA compliance gaps