Only 28% of financial workforce MFA is phishing-resistant

Passwords remain part of many workforce authentication flows in financial organizations, making phishing and credential theft major identity security risks, according to a new Secret Double Octopus report.

financial identity security trends

Key challenges preventing universal implementation of phishing-resistant MFA (Source: Secret Double Octopus)

Workforce authentication trends

Banks and financial organizations use a mix of authentication methods, combining phishing-resistant technologies with methods that remain vulnerable to phishing attacks.

Password plus OTP remains more common among organizations with up to 500 employees than among larger enterprises. Single-factor passwords and magic links are rarely used, indicating that MFA has become the standard for workforce access.

Reducing phishing and credential-based attacks is the primary reason organizations are modernizing workforce MFA. Other priorities include standardizing authentication across systems and environments, improving security, closing MFA coverage gaps in legacy and on-premises environments, and meeting regulatory requirements.

“Strong-sounding MFA is not the same as phishing-resistant MFA, and partial coverage leaves the most sensitive systems exposed. The encouraging part is that these gaps are solvable today, including on legacy and on-prem systems, without rearchitecting or replacing the infrastructure organizations already rely on,” said Raz Rafaeli, CEO of Secret Double Octopus.

Uneven MFA coverage

MFA adoption is higher for SaaS applications than for legacy systems. On average, 74% of SaaS applications are protected by MFA, compared with 50% of legacy applications.

More than half of surveyed organizations said that between 50% and 74% of their applications and infrastructure consist of legacy systems. Organizations that cite regulatory compliance as a key driver for MFA modernization tend to have larger legacy environments.

Only 28% of workforce MFA is phishing-resistant. These methods rely on cryptographic authentication or eliminate credentials that phishing attacks can steal.

Passwordless authentication accounts for 15% of workforce authentication flows. Respondents identified technical complexity, budget constraints, legacy infrastructure, and fragmented identity environments as the main barriers to broader adoption.

Support for legacy applications and infrastructure is a more common concern among team leads and managers than among directors and executive leaders.

Don't miss