VYPR
advisoryPublished Jul 10, 2026· 1 source

Financial Sector Lags in Phishing-Resistant MFA Adoption, Report Finds

A new report reveals that only 28% of financial sector employees use phishing-resistant multi-factor authentication, leaving the industry vulnerable to credential theft.

A significant gap in identity security persists within the financial sector, with a mere 28% of employees utilizing phishing-resistant multi-factor authentication (MFA), according to a recent report by Secret Double Octopus. The study highlights that many financial organizations still rely on passwords and less secure one-time password (OTP) methods, leaving them susceptible to credential theft and sophisticated phishing attacks.

The report, which surveyed workforce authentication trends, found that while MFA has become standard for workforce access, the type of MFA deployed varies widely. Password plus OTP remains more prevalent in smaller organizations (up to 500 employees) compared to larger enterprises. Conversely, single-factor passwords and magic links are rarely employed, indicating a general move towards stronger authentication, but not necessarily the most secure forms.

Financial institutions are prioritizing the modernization of workforce MFA primarily to combat phishing and credential-based attacks. Other key drivers include standardizing authentication processes across diverse systems and environments, enhancing overall security posture, addressing MFA coverage gaps in legacy and on-premises infrastructure, and meeting increasingly stringent regulatory compliance requirements.

"Strong-sounding MFA is not the same as phishing-resistant MFA, and partial coverage leaves the most sensitive systems exposed," stated Raz Rafaeli, CEO of Secret Double Octopus. "The encouraging part is that these gaps are solvable today, including on legacy and on-prem systems, without rearchitecting or replacing the infrastructure organizations already rely on."

The adoption of MFA is notably uneven across different application types. While approximately 74% of Software-as-a-Service (SaaS) applications are protected by MFA, this figure drops to around 50% for legacy systems. This disparity is significant given that over half of the surveyed organizations reported that their infrastructure comprises more than 50% legacy systems, a common challenge for those driven by regulatory compliance.

Phishing-resistant MFA methods, which typically employ cryptographic authentication or eliminate credentials entirely, are only used by 28% of the financial workforce. Passwordless authentication, a subset of these advanced methods, accounts for only 15% of current authentication flows. The primary obstacles to wider adoption include technical complexity, budget constraints, the persistence of legacy infrastructure, and fragmented identity management environments.

Concerns about supporting legacy applications and infrastructure appear to be more pronounced among team leads and managers than among directors and executive leaders, suggesting a potential disconnect in understanding the full scope of the challenge or the available solutions. The report underscores the urgent need for financial organizations to bridge this MFA coverage gap to effectively defend against evolving cyber threats.

Synthesized by Vypr AI