TL;DR: Small banks and credit unions remain exposed because passwords, legacy systems, and incomplete MFA coverage still create account takeover paths, while regulators are tightening expectations for stronger authentication across financial services, according to Secret Double Octopus. The real problem is not MFA adoption alone but whether workforce access can be made phishing-resistant across VPN, desktops, and legacy applications.
NHIMG editorial — based on content published by Secret Double Octopus: Credit unions and small banks deserve phishing-resistant MFA too
By the numbers:
- 80% of its confirmed data breaches are linked to weak or stolen passwords.
- Starting November 1st 2025, all covered entities are required to use MFA for any individual accessing any of its information systems.
Questions worth separating out
Q: How should financial institutions roll out phishing-resistant MFA without breaking legacy systems?
A: Start by segmenting access paths instead of treating the workforce as one login population.
Q: Why do weak passwords still matter when MFA is already deployed?
A: MFA reduces risk only when the second factor is genuinely resistant to phishing and replay.
Q: What breaks when MFA covers cloud apps but not VPN and legacy desktops?
A: The control breaks at the weakest path because attackers do not need to defeat every login route.
Practitioner guidance
- Map every workforce access path Catalogue desktops, VPN, cloud apps, and legacy banking systems separately, then record which ones still allow password-led authentication or fallback flows.
- Prioritise phishing-resistant MFA for high-risk entry points Move first on VPN, remote admin, and finance-user access where credential theft produces the fastest path to sensitive systems and regulated data.
- Remove stale credentials on a lifecycle clock Tie offboarding, contractor exit, and role changes to immediate revocation checks so old credentials cannot remain valid after the business relationship changes.
What's in the full article
Secret Double Octopus' full post covers the operational detail this post intentionally leaves for the source:
- How the vendor positions phishing-resistant MFA across applications, desktops, and VPN for financial services environments.
- Why older Fiserv and Jack Henry deployments create implementation constraints for passwordless authentication.
- How the vendor frames audit and regulatory expectations for NYDFS, FFIEC, and GLBA-aligned identity controls.
- The user-experience and help desk implications of removing password-related authentication steps.
👉 Read Secret Double Octopus' analysis of phishing-resistant MFA for credit unions and small banks →
Phishing-resistant MFA for credit unions: are your controls keeping up?
Explore further
Phishing-resistant MFA is now a baseline control problem, not a premium capability. Passwords continue to act as the hinge point for account takeover because they are easily reused, phished, and replayed. In financial services, that weakness matters more because regulated access paths, customer data, and third-party connectivity converge on the same identity controls. The practitioner conclusion is straightforward: if authentication still depends on password recoverability, the environment remains vulnerable.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when old credentials remain active after offboarding?
A: The accountable teams are IAM, application owners, and identity governance functions together, because offboarding is a lifecycle control, not a one-time IT task. If former employee access remains valid, the organisation has failed to couple joiner-mover-leaver processes with revocation and verification of downstream access.
👉 Read our full editorial: Phishing-resistant MFA gaps keep small banks exposed to takeover risk