A new 2026 survey of 200 IAM leaders at financial organizations across the US and Canada maps the real state of identity security in financial services: the trends, the challenges, and the gaps. The headline finding is a dangerous mismatch between how protected firms feel and how protected they actually are.
Most identity security leaders at banks, credit unions, investment firms, and loan providers believe their authentication controls can stop an account takeover. According to the 2026 State of Identity Security in Financial Organizations survey, 82% are confident their current controls can mitigate account takeover risk.
That confidence does not survive contact with the rest of the data.
Key findings from the 2026 survey
The survey of 200 IAM leaders and stakeholders across US (80%) and Canadian (20%) financial organizations surfaced four findings that define the sector’s identity security posture in 2026:
- 94% of financial firms report more phishing. Phishing attacks increased over the past 12 months, with 20% calling the increase significant.
- Only 28% of MFA is phishing-resistant. Most workforce MFA still relies on phishable methods like SMS one-time passwords and push notifications.
- Legacy apps are half-covered. SaaS applications average 74% MFA coverage, but legacy applications sit at just 50%, even though more than half of all apps and infrastructure in the sector are legacy.
- Only 15% of authentication flows are passwordless. The vast majority of workforce logins still depend on a password that can be stolen or phished.
Set those numbers against the 82% confidence figure and the problem is clear. Financial firms feel protected while the data shows their actual defenses against the rising threat are thin.
Why is the confidence misplaced?
Phishing is not slowing down. It is accelerating, and AI is part of the reason. Attackers no longer need specialized skills to run convincing campaigns at scale, which is why 94% of financial organizations reported more phishing over the past year.
The defense has not kept pace. Only 28% of the MFA deployed for workforce authentication is genuinely phishing-resistant. The rest leans on methods that modern phishing attacks are specifically built to defeat. So the threat is up across nearly every organization, real phishing resistance covers roughly a quarter of MFA, and four out of five firms still feel safe. That is not security. It is a blind spot.
Why isn’t MFA enough on its own?
Having MFA in place feels like the job is done. The survey shows it is not.
Coverage is partial and uneven. SaaS applications are protected at a 74% average, already lower than it should be given how easy SaaS MFA is to enable. Legacy applications are far worse, at only 50% protected on average. In an industry where more than half of all applications and infrastructure are legacy, that is not a rounding error. It is the front door.
Many organizations also run strong and weak authentication methods side by side. FIDO2 or biometrics deployed alongside SMS and OTP does not average out to decent security. The weak method is the one an attacker targets, and it drags down everything around it.
What is the biggest barrier to phishing-resistant MFA?
Legacy systems are where the risk concentrates and where the work is hardest. In the 2026 survey, the top reported obstacles to universal phishing-resistant MFA were technical and architectural complexity (79%), cost and budget constraints (53%), and the inability to support legacy apps and infrastructure (51%).
There is also a perception problem. Many stakeholders assume legacy authentication cannot be modernized without ripping out and replacing old systems. That assumption keeps organizations stuck, and it is not true.
How many financial firms have gone passwordless?
Almost none. Just 15% of workforce authentication flows in financial organizations are passwordless.
It is worth being precise about what that means. Many tools marketed as passwordless only hide the password from the user most of the time. The password still exists behind the scenes, the user still knows it, and it can still be phished. True passwordless removes the password from the authentication flow entirely. That is the difference between a smoother login and an actual defense.
What the 2026 data is really saying
The picture across the survey is consistent. Attacks are rising. Phishing-resistant coverage is thin. Legacy systems are largely exposed. Passwords are still everywhere. And most organizations feel fine about it.
The confidence is the risk. A team that believes it is protected does not prioritize closing the gaps that leave it exposed. The first step is not a new tool. It is an honest map: which applications have MFA, which are phishing-resistant, where passwords still live, and what a short- and long-term plan to close those gaps looks like.
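As an added example (not code from the survey or its publisher), the script below builds the honest map just described from an application inventory, and it applies the weakest-method rule from the section on mixed MFA: an app's posture is its weakest enabled login path. The method classification and the inventory are constructed assumptions.

```python
"""Honest-map builder: posture of each app is its WEAKEST enabled login path,
since that is the path a phishing lure steers the victim toward (the mixed
FIDO2-plus-SMS case above). Method classes and inventory are constructed."""
PHISHING_RESISTANT = {"fido2", "passkey", "platform_biometric"}  # origin-bound
PHISHABLE_MFA = {"sms_otp", "totp", "push"}  # relayable or prompt-bombable
LABELS = {1: "password_only", 2: "phishable_mfa", 3: "phishing_resistant"}

def option_strength(option):
    """Score one complete login path such as 'password+sms_otp' or 'fido2'."""
    factors = set(option.split("+"))
    if factors & PHISHING_RESISTANT:
        return 3  # an adversary-in-the-middle proxy cannot finish this path
    if factors & PHISHABLE_MFA:
        return 2  # a second factor exists but can be captured in real time
    if "password" in factors:
        return 1
    raise ValueError(f"unknown factors in {option!r}")

def app_posture(app):
    """Return (posture label, passwordless?) decided by the weakest path."""
    weakest = min(option_strength(o) for o in app["login_options"])
    passwordless = all("password" not in o.split("+") for o in app["login_options"])
    return LABELS[weakest], passwordless

def build_map(inventory):
    """One row per app: name, class, posture label, passwordless flag."""
    return [dict(zip(("app", "class", "posture", "passwordless"),
                     (a["name"], a["class"], *app_posture(a)))) for a in inventory]

def coverage(rows, app_class=None):
    """Percent of apps with any MFA, phishing-resistant MFA, and no password."""
    sel = [r for r in rows if app_class in (None, r["class"])]
    pct = lambda k: round(100 * k / len(sel)) if sel else 0
    return {"apps": len(sel),
            "mfa_pct": pct(sum(r["posture"] != "password_only" for r in sel)),
            "phishing_resistant_pct": pct(sum(r["posture"] == "phishing_resistant" for r in sel)),
            "passwordless_pct": pct(sum(r["passwordless"] for r in sel))}

INVENTORY = [  # constructed sample inventory, not survey data
    {"name": "hr-saas", "class": "saas", "login_options": ["password+fido2", "password+sms_otp"]},
    {"name": "crm-saas", "class": "saas", "login_options": ["passkey"]},
    {"name": "core-banking", "class": "legacy", "login_options": ["password"]},
    {"name": "mainframe-tn3270", "class": "legacy", "login_options": ["password+totp"]},
]

if __name__ == "__main__":
    rows = build_map(INVENTORY)
    for cls in (None, "saas", "legacy"):
        print(cls or "all", coverage(rows, cls))
```

Note that hr-saas has FIDO2 enabled yet lands in the phishable bucket, because the SMS path is still available to the user and therefore to a lure.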

Frequently asked questions
What is the 2026 State of Identity Security in Financial Organizations survey? It is a 2026 survey of 200 IAM leaders and stakeholders at financial organizations across the US and Canada, covering banks, credit unions, investment firms, and loan providers. It benchmarks the trends, challenges, and gaps in identity security across financial services.
How much did phishing increase against financial firms in 2026? 94% of surveyed financial organizations reported that phishing attacks increased over the past 12 months, and 20% described the increase as significant.
How much workforce MFA in financial services is phishing-resistant? On average, only 28% of the MFA used for workforce authentication in financial organizations is phishing-resistant. The rest relies on phishable methods such as SMS OTP and push notifications.
What share of financial services authentication is passwordless? On average, only 15% of workforce authentication flows in financial organizations are passwordless.
Why do legacy systems matter for identity security in finance? More than half of applications and infrastructure in the sector are legacy, yet only 50% of legacy apps are protected by MFA. The inability to support legacy apps is one of the top barriers to phishing-resistant MFA.
Get the full 2026 benchmark
The 2026 State of Identity Security in Financial Organizations report breaks all of this down in detail, including authentication methods by company size, the legacy footprint by compliance pressure, adoption challenges by job seniority, and the full confidence gap analysis. If you lead identity security at a financial organization, it is the benchmark for measuring where you stand against the rest of the industry.