TL;DR: Japan’s securities industry is moving to require phishing-resistant authentication after unauthorised trading driven by intermediary attacks and stolen credentials reached about 676.8 billion yen across 2025 to August, according to Cybertrust Japan. Password-based multi-factor alone is no longer a sufficient control boundary for high-risk financial accounts.
NHIMG editorial — based on content published by Cybertrust Japan: Multi-factor password use prohibited? Financial services guidance revised after securities account takeover attacks
By the numbers:
- The monthly number of unauthorised securities transactions peaked at 5,424 in April 2025.
Questions worth separating out
Q: What breaks when securities firms rely on phishable MFA for high-risk accounts?
A: Phishable MFA still allows an attacker to intercept the login ceremony, steal session material, and reuse it immediately.
A: Financial accounts have immediate monetary consequence, so a successful login can create loss before the user or provider can react.
Q: What do security teams get wrong about multi-factor authentication in browser-based login flows?
A: They often assume MFA stops account takeover by itself.
Practitioner guidance
- Prioritise phishing-resistant authentication for securities access Move high-risk customer journeys to FIDO2 or certificate-based authentication where the service can verify the proof is bound to the intended relying party.
- Remove weak fallback routes from critical customer journeys Review recovery flows, device replacement, and helpdesk resets so they do not silently downgrade the assurance level.
- Align fraud containment with IAM policy Connect authentication events to session revocation, transaction holds, and anomaly response so suspicious logins do not remain active long enough to be monetised.
What's in the full article
Cybertrust Japan's full article covers the operational detail this post intentionally leaves for the source:
- The exact wording of the Japanese Financial Services Agency update and the related industry guidance.
- The full breakdown of how intermediaries and phishing can defeat ordinary multi-factor login flows.
- The securities-specific examples of where phishing-resistant authentication is expected to apply first.
- The supporting links to related security guidance and the article's original regulatory context.
👉 Read Cybertrust Japan’s analysis of phishing-resistant login requirements for securities accounts →
Multi-factor login rules for securities accounts: what changes now?
Explore further
Phishable MFA is no longer an adequate assurance model for high-value consumer IAM. The problem is not authentication presence but authentication resistance. When an intermediary can steal the login flow, the control that looked strong on paper still leaves the account open to real-time abuse, especially where access can trigger immediate financial actions. Practitioners should treat phishing resistance as the real policy boundary, not MFA adoption alone.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when account takeover fraud causes downstream losses?
A: Accountability sits with the teams that own authentication, session management, fraud detection, and incident response together. If an organisation treats account takeover as only a user problem or only a security problem, it will miss the handoff points where abuse becomes loss. Frameworks such as NIST CSF 2.0 and Zero Trust help define shared responsibility.
👉 Read our full editorial: Multi-factor use is being banned for securities logins in Japan