Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Phishing-resistant MFA in finance: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: A 2026 survey of 200 IAM leaders at US and Canadian financial organisations found 82% believe current controls can stop account takeover, even as 94% report more phishing, only 28% of workforce MFA is phishing-resistant, and just 15% of authentication flows are passwordless, according to Secret Double Octopus. Confidence is now the blind spot, because legacy coverage and phishable methods leave the sector exposed.

NHIMG editorial — based on content published by Secret Double Octopus: 82% of Financial Firms Feel Protected From Account Takeover. A New 2026 Survey Says Otherwise

By the numbers:

Questions worth separating out

Q: What breaks when financial firms rely on MFA that is not phishing-resistant?

A: The control fails at the point attackers target most often, because phishable MFA can still be relayed, approved under pressure, or bypassed through social engineering.

Q: Why do legacy applications create outsized identity risk in financial services?

A: Legacy applications often cannot enforce modern authentication cleanly, which leaves gaps that attackers can target through weaker factors or exceptions.

Q: How can security teams tell whether passwordless is real or just branded MFA?

A: True passwordless removes the password from the authentication flow entirely.

Practitioner guidance

  • Map authentication by method, not just by coverage Separate phishing-resistant MFA from phishable factors in every workforce and administrative flow, then report the results by application family and user population.
  • Prioritise legacy applications as the highest-risk exception set Create a distinct remediation track for legacy apps that cannot support modern authentication, and track compensating controls until full replacement or upgrade is feasible.
  • Validate passwordless claims against actual secret removal Confirm whether the password has been eliminated from the authentication flow or only hidden behind another factor.

What's in the full report

Secret Double Octopus's full report covers the operational detail this post intentionally leaves for the source:

  • Breakdowns of authentication methods by organisation size, which help teams benchmark where phishable factors remain concentrated.
  • Detailed legacy application findings that show how MFA coverage changes under real architectural constraints.
  • Adoption obstacles by job seniority, useful when planning remediation ownership across IAM, architecture, and operations.
  • The report's full confidence-gap analysis, which is the most useful material for board reporting and programme prioritisation.

👉 Read Secret Double Octopus's 2026 survey on identity security in financial organisations →

Phishing-resistant MFA in finance: are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Confidence in account takeover protection is the control problem, not the metric. Financial firms may have MFA, monitoring, and policy language in place, but the survey shows that control presence is being mistaken for control effectiveness. When 82% feel protected while only 28% of MFA is phishing-resistant, the governance failure is epistemic: teams are measuring deployment, not resistance. The practitioner conclusion is that authentication assurance must be evaluated by method quality and coverage gaps, not by checkbox adoption.

A few things that frame the scale:

  • 94% of financial firms report more phishing, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when phishing-resistant MFA remains only partial across a financial estate?

A: Accountability sits with the identity and application owners who approved exceptions, tolerated phishable factors, or allowed legacy coverage gaps to persist. In regulated financial environments, that also creates governance exposure because a control that is incomplete in critical workflows is not operationally sufficient.

👉 Read our full editorial: Financial identity security confidence is outrunning real protection



   
ReplyQuote
Share: