Passwords – authentication's weakest link
Passwords and login credentials have long been a leading cause of data breaches. Industry research consistently shows this trend – for example, Mastercard has reported that 80% of its confirmed data breaches are linked to weak or stolen passwords. And breaches aren't limited to large banks or global institutions. Small local banks and credit unions are increasingly targeted, because attackers can exploit credential and password weaknesses to access internal systems and sensitive customer data.
Recent examples
In a recent breach involving a fintech company that serves over 700 small financial institutions, attackers stole personal data, including names, dates of birth, card numbers, and Social Security numbers, affecting over 780,000 people. By exploiting a vulnerability in a third-party firewall, the attackers obtained VPN usernames, passwords, and the seeds used to generate one-time passcodes. Even after the vulnerability was patched, the attackers were still able to access systems because many organizations were slow to reset their VPN credentials.
Another recent breach impacted 689,000 individuals, and it didn’t require sophisticated hacking. A former employee used their existing credentials to access customer personal data after their employment ended.
These examples show how “good old” workforce passwords often become the weakest link, an easy entry point for attackers.
Multi-Factor Authentication (MFA) and passwordless authentication
Implementing MFA is an important step toward reducing the risk of relying on passwords as a single authentication factor. Regulators are also raising expectations and increasingly requiring MFA for financial institutions. For example, the New York State Department of Financial Services (NYDFS) amended its landmark cybersecurity regulation 23 NYCRR Part 500 to strengthen MFA requirements. Starting November 1, 2025, all covered entities are required to use MFA for any individual accessing any of their information systems.
Other regulators and frameworks also emphasize MFA, including FFIEC guidance and requirements under the Gramm-Leach-Bliley Act (GLBA) safeguards. And while regulations like Sarbanes-Oxley (SOX) may not explicitly mandate MFA, it is increasingly difficult to pass audits without strong access controls. The National Credit Union Administration (NCUA), as a member agency of the FFIEC, aligns with these expectations.
However, MFA implementations that still rely on a password as the first authentication factor can remain vulnerable to phishing and account takeover: a typed password and one-time code can be captured and replayed by any page that asks for them. Gartner, a leading global technology research and advisory firm, recommends that IAM leaders migrate to passwordless authentication methods wherever possible.
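The difference between a typed second factor and a phishing-resistant one comes down to what the verifier can check. The following Python model is an added illustration, not code from Octopus or from any FIDO2 library: it pairs a standard RFC 6238 time-based OTP check with a simplified origin-bound assertion in which an HMAC stands in for the authenticator's signature. The origins, seeds and keys are constructed sample values, and the origin binding mirrors what NIST SP 800-63B calls verifier name binding.

```python
"""Why a code the user types is not phishing-resistant, while an assertion bound to
the site origin is. Added educational model; HMAC replaces the real authenticator
signature and all keys/origins are constructed."""
import hashlib
import hmac
import secrets
import struct

RP_ORIGIN = "https://login.example.test"  # the institution's real login origin (constructed)


# --- Password-first MFA: the second factor is six digits the user types somewhere ---
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP per RFC 6238: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(seed: bytes, submitted_code: str, unix_time: int) -> bool:
    # The verifier sees only the digits. It cannot tell which page collected them,
    # so a code entered on a lookalike site validates exactly like one entered on the real site.
    return hmac.compare_digest(totp(seed, unix_time), submitted_code)


# --- Passwordless, origin-bound assertion ---
def sign_assertion(auth_key: bytes, challenge: bytes, origin_seen_by_client: str) -> dict:
    """The authenticator signs the server challenge together with the origin the browser reports."""
    msg = origin_seen_by_client.encode() + b"\x00" + challenge
    return {
        "origin": origin_seen_by_client,
        "challenge": challenge,
        "sig": hmac.new(auth_key, msg, hashlib.sha256).digest(),
    }


def verify_assertion(auth_key: bytes, assertion: dict, expected_challenge: bytes,
                     rp_origin: str = RP_ORIGIN) -> bool:
    # Verifier name binding: the origin inside the signed message must be ours.
    if assertion["origin"] != rp_origin:
        return False
    if not hmac.compare_digest(assertion["challenge"], expected_challenge):
        return False
    msg = assertion["origin"].encode() + b"\x00" + assertion["challenge"]
    expected_sig = hmac.new(auth_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected_sig)


def demo() -> tuple:
    """Returns ((otp on real site, otp relayed), (assertion on real site, assertion relayed))."""
    seed = b"constructed-otp-seed"
    now = 1_700_000_000
    code = totp(seed, now)
    # The same six digits, whichever page the user typed them on: both validate.
    otp_results = (verify_totp(seed, code, now), verify_totp(seed, code, now))

    auth_key = b"constructed-authenticator-key"
    challenge = secrets.token_bytes(32)
    genuine = sign_assertion(auth_key, challenge, RP_ORIGIN)
    # Same challenge, but the browser was on a lookalike origin, so the signed origin differs.
    relayed = sign_assertion(auth_key, challenge, "https://login-example.test")
    assertion_results = (verify_assertion(auth_key, genuine, challenge),
                         verify_assertion(auth_key, relayed, challenge))
    return otp_results, assertion_results


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The OTP verifier accepts the code in both cases because nothing in six digits records where they were entered; the assertion verifier rejects the second case because the origin is part of what was signed, so a response produced on any other site cannot satisfy the check. That origin check, not the presence of a second factor, is what makes an authentication method phishing-resistant.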
Challenges small financial organizations face
For many small financial organizations, implementing phishing-resistant MFA across the entire workforce isn't simple, especially when legacy systems are involved. Many institutions still rely on on-premises banking applications, including older platforms from providers such as Fiserv or Jack Henry. These systems were not always designed for passwordless authentication and may not support enterprise single sign-on (SSO).
As a result, organizations may roll out MFA for cloud apps and digital services, but still fall short of universal coverage across desktops, VPN, and legacy applications. That leaves gaps that attackers can exploit, and can also create compliance risk.
Non-compliance can lead to consequences beyond remediation costs. For example, enforcement actions have included multi-million-dollar penalties (e.g., cases involving PayPal, Healthplex, and National Security Corporation). These penalties come on top of breach response costs, customer notification, legal exposure, and reputational impact.
Universal phishing-resistant MFA to the rescue
Octopus Passwordless MFA for financial services helps banks and credit unions deploy universal phishing-resistant MFA across applications, desktops and VPNs, including legacy applications such as older Fiserv or Jack Henry deployments. By eliminating passwords for workforce authentication, it reduces account takeover risk and helps support regulatory and audit requirements, without requiring organizations to redesign or replace existing applications.
It also supports zero-trust identity verification aligned with NIST AAL3 requirements. Additional benefits include a smoother user experience and reduced help desk costs through the elimination of password-related tickets.
Read our new guide: 5 reasons financial organizations are modernizing MFA — and learn why phishing-resistant MFA is becoming the new standard.