AI & TechBusinessCybersecurityFintechNewswire

Financial Workforce: Only 28% Use Phishing-Resistant MFA

Originally published on: July 11, 2026
▼ Summary

– Financial organizations still rely on passwords and vulnerable authentication methods, making phishing and credential theft major security risks.
– Password-plus-OTP is more common in smaller organizations (up to 500 employees), while MFA has become the standard for workforce access overall.
– The primary driver for modernizing workforce MFA is reducing phishing and credential-based attacks, along with standardizing authentication and meeting regulatory requirements.
– MFA adoption is higher for SaaS applications (74%) than for legacy systems (50%), and more than half of organizations have legacy systems comprising 50-74% of their infrastructure.
– Only 28% of workforce MFA is phishing-resistant, and passwordless authentication accounts for just 15% of flows, with barriers including technical complexity, budget, and legacy infrastructure.

The financial sector is still grappling with a fundamental identity security problem: passwords. According to new research from Secret Double Octopus, a significant portion of workforce authentication flows in banks and financial organizations still rely on passwords, leaving them dangerously exposed to phishing and credential theft.

Workforce Authentication Trends

Financial firms employ a patchwork of authentication methods, blending phishing-resistant technologies with older, vulnerable approaches. Notably, the combination of a password and a one-time passcode (OTP) is more common in organizations with fewer than 500 employees than in larger enterprises. While single-factor passwords and magic links are seldom used, indicating that multi-factor authentication (MFA) is now the baseline for workforce access, the quality of that MFA varies widely.

The primary driver for modernizing workforce MFA is reducing phishing and credential-based attacks. Other key priorities include standardizing authentication across different systems and environments, boosting overall security, closing MFA coverage gaps in legacy and on-premises systems, and meeting strict regulatory requirements.

“Strong-sounding MFA is not the same as phishing-resistant MFA, and partial coverage leaves the most sensitive systems exposed,” said Raz Rafaeli, CEO of Secret Double Octopus. “The encouraging part is that these gaps are solvable today, including on legacy and on-prem systems, without rearchitecting or replacing the infrastructure organizations already rely on.”

Uneven MFA Coverage

Adoption of MFA is not uniform across an organization’s technology stack. On average, 74% of SaaS applications are protected by MFA, compared to only 50% of legacy applications. This disparity creates a significant security gap. More than half of surveyed organizations reported that between 50% and 74% of their applications and infrastructure are legacy systems. Organizations driven by regulatory compliance tend to have even larger legacy environments, making the challenge more acute.

Perhaps the most striking finding is that only 28% of workforce MFA is phishing-resistant. These methods rely on cryptographic authentication or completely eliminate the credentials that phishing attacks are designed to steal. Passwordless authentication accounts for just 15% of workforce authentication flows. The main barriers to wider adoption, according to respondents, are technical complexity, budget constraints, legacy infrastructure, and fragmented identity environments. Interestingly, support for legacy applications is a more pressing concern for team leads and managers than for directors and executive leaders, suggesting a disconnect between operational challenges and strategic priorities.

(Source: Help Net Security)

Topics

phishing risks 95% mfa adoption 93% phishing-resistant mfa 91% Legacy Systems 89% credential theft 87% passwordless authentication 85% Regulatory Compliance 83% mfa coverage gaps 81% authentication standardization 79% technical complexity 77%