Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Phishing-resistant MFA for credit unions: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Small banks and credit unions remain exposed because passwords, legacy systems, and incomplete MFA coverage still create account takeover paths, while regulators are tightening expectations for stronger authentication across financial services, according to Secret Double Octopus. The real problem is not MFA adoption alone but whether workforce access can be made phishing-resistant across VPN, desktops, and legacy applications.

NHIMG editorial — based on content published by Secret Double Octopus: Credit unions and small banks deserve phishing-resistant MFA too

By the numbers:

Questions worth separating out

Q: How should financial institutions roll out phishing-resistant MFA without breaking legacy systems?

A: Start by segmenting access paths instead of treating the workforce as one login population.

Q: Why do weak passwords still matter when MFA is already deployed?

A: MFA reduces risk only when the second factor is genuinely resistant to phishing and replay.

Q: What breaks when MFA covers cloud apps but not VPN and legacy desktops?

A: The control breaks at the weakest path because attackers do not need to defeat every login route.

Practitioner guidance

  • Map every workforce access path Catalogue desktops, VPN, cloud apps, and legacy banking systems separately, then record which ones still allow password-led authentication or fallback flows.
  • Prioritise phishing-resistant MFA for high-risk entry points Move first on VPN, remote admin, and finance-user access where credential theft produces the fastest path to sensitive systems and regulated data.
  • Remove stale credentials on a lifecycle clock Tie offboarding, contractor exit, and role changes to immediate revocation checks so old credentials cannot remain valid after the business relationship changes.

What's in the full article

Secret Double Octopus' full post covers the operational detail this post intentionally leaves for the source:

  • How the vendor positions phishing-resistant MFA across applications, desktops, and VPN for financial services environments.
  • Why older Fiserv and Jack Henry deployments create implementation constraints for passwordless authentication.
  • How the vendor frames audit and regulatory expectations for NYDFS, FFIEC, and GLBA-aligned identity controls.
  • The user-experience and help desk implications of removing password-related authentication steps.

👉 Read Secret Double Octopus' analysis of phishing-resistant MFA for credit unions and small banks →

Phishing-resistant MFA for credit unions: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Phishing-resistant MFA is now a baseline control problem, not a premium capability. Passwords continue to act as the hinge point for account takeover because they are easily reused, phished, and replayed. In financial services, that weakness matters more because regulated access paths, customer data, and third-party connectivity converge on the same identity controls. The practitioner conclusion is straightforward: if authentication still depends on password recoverability, the environment remains vulnerable.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when old credentials remain active after offboarding?

A: The accountable teams are IAM, application owners, and identity governance functions together, because offboarding is a lifecycle control, not a one-time IT task. If former employee access remains valid, the organisation has failed to couple joiner-mover-leaver processes with revocation and verification of downstream access.

👉 Read our full editorial: Phishing-resistant MFA gaps keep small banks exposed to takeover risk



   
ReplyQuote
Share: