
Identity-based attacks account for 80% of reported breaches—even though most organizations use MFA. That gap leaves financial institutions vulnerable to attacks, compliance failures, and financial loss—especially as the updated NYDFS mandate takes effect in 2025.
In a recent webinar, veteran CISO Selim Aissi and Secret Double Octopus identity strategist Don Shin explored why traditional MFA is falling short—and how modern phishing-resistant solutions can help close the gap.
“What We’re Doing Isn’t Working”
The Problem: Phishing Has Outpaced Traditional MFA
Identity is the top target in cyberattacks—and phishing remains the primary weapon. So why hasn’t MFA stopped it? Aissi points to rapid innovation on the attacker side.
“I’ve seen my share of phishing attacks and observed lots of attacks on MFA and the authentication flow using different social engineering techniques,” he said. “Not only phishing via email but also vishing, using SMS and other social engineering techniques like calling the support team and asking to have phone numbers changed.”
Despite increased training and awareness efforts, results have plateaued.
“A lot of my colleagues in the CISO community are looking at reasons why things aren’t getting better,” Aissi added.
“One reason may be that the training isn’t as effective as we expect it to be, or maybe the frequency of phishing simulations isn’t enough. So instead of seeing the click rate come down to 1–2%, we’re still seeing rates of 5–10%.”
And now, the threat is evolving. “AI is being leveraged quite well by adversaries as we speak,” he warned, citing tools like Deepfake AI, Fraud GPT, Worm GPT, and Phishing Frenzy that have accelerated attack sophistication in the past 12–18 months.
NYDFS Raises the Bar
The amended NYDFS Section 500.12 now mandates: “Multi-factor authentication shall be utilized for any individual accessing any information systems of a covered entity.”
This simple change has broad implications: no more exceptions. Every user, access point, and location must now be protected—including third-party access and privileged service accounts.
The problem? Not all MFA is created equal. Most MFA solutions fall short in three key ways:
- User friction: Managing multiple passwords, authenticators, and access flows
- Partial coverage: Inability to secure systems like VPN, RDP, or legacy apps
- Integration cost: Rolling out MFA across the enterprise often requires heavy custom development and resources
“FIDO2 keys only work out of the box with online or browser-based applications,” Shin noted. “Extending them beyond that takes significant time and investment.”
Aissi agreed:
“The biggest challenge we’ve seen when deploying MFA is supporting cross-platform requirements. Finding the right MFA solution that works everywhere, with the same experience across Mac OS, Windows, Linux, VPN, RDP, has often been a challenge for my team and me.”
Without a unified solution, organizations fall back on a fragmented approach—strong MFA where it’s easy, passwords everywhere else.
Why Traditional MFA Fails
The core issue is simple: most MFA still depends on passwords. Passwords are forgotten, reused, phished, and increasingly sold on the dark web. Even layered defenses struggle as phishing becomes more advanced—especially with AI in the mix.
“Many companies governed by NYDFS are also subject to Federal Financial Institutions Examination Council (FFIEC) requirements,” Aissi noted, which recommend phishing-resistant MFA alongside a layered, risk-based approach.
As more regulators and cyber insurers align on phishing resistance as the standard, the pressure to modernize grows.
What Does Phishing-Resistant MFA Actually Mean?
The cybersecurity community agrees that modern MFA should be phishing resistant, but definitions vary.
According to CISA, phishing-resistant MFA must defend against impersonation, MITM attacks, and social engineering. That requires eliminating passwords and replacing them with factors like cryptographic credentials, biometrics, and proximity verification.
“To achieve phishing-resistant MFA, we need to start thinking differently”
“We must use stronger techniques than just passwords and password salutations that obviously can be bypassed,” Aissi explained. “The best way to protect authentication is to leverage cryptographic techniques, but even though public key cryptography has been around since the early ‘70s, it hasn’t been used that much in authentication flows.”
Modern authentication approaches can bridge the gaps traditional MFA leaves behind.
Shin shared three real-world use cases where the Octopus authentication solution helped financial institutions modernize authentication, meet NYDFS requirements, and roll out phishing-resistant MFA across their environments:
1. Remote Admin Access
A global insurance provider needed to secure remote server access—without relying on physical FIDO key presence at the remote server. Using Octopus’ proprietary technology, a lightweight agent enabled RDP authentication, using FIDO keys at the local admin’s desktop and cryptographic verification at the remote server, meeting both security and usability needs.
2. Remote Workforce Using VDI
A mortgage lender used Octopus to extend phishing-resistant MFA to remote employees using virtual desktop infrastructure (VDI), combining FIDO credentials with secure push notifications—without retraining or VDI golden VM repackaging.
3. Universal desktop login
A global bank with 80,000+ employees leveraged Octopus to roll out a desktop-based, passwordless login that allowed access to all enterprise apps with a user, computer, and authenticator proximity-verified session—delivering both user convenience and NIST AAL3-level assurance.
Practical Path to Compliance—Without the Tradeoffs
By working with existing identity directories and password-based apps, modern MFA solutions like those from Secret Double Octopus allow organizations to meet NYDFS requirements quickly and efficiently.
Secret Double Octopus allows organizations to avoid ripping and replacing legacy systems or investing in costly new hardware. Instead, it integrates into existing infrastructure to extend phishing-resistant authentication to systems typically beyond the reach of traditional MFA, such as RDP, VPN, VDI, and legacy business applications.
This approach helps organizations accelerate time-to-compliance, eliminate password-related vulnerabilities, improve user experience, and reduce helpdesk burden.
“If you are using weak authentication, all the cybersecurity tools in the world will not help you.” (Global Cyber Alliance)
3 Key Takeaways
- Phishing-resistant MFA is the new standard. NYDFS and other mandates are driving this shift—and organizations must catch up.
- Password-based MFA is no longer enough. AI-enhanced phishing and fragmented coverage put security and compliance at risk.
- Effective solutions must:
  - Cover every user, system, and use case
  - Eliminate passwords entirely
  - Integrate with existing infrastructure
Want to see how other financial firms are closing the MFA gap?
Download the ebook: “Five Ways Financial Services IT Leaders Use MFA to End the Identity Crisis.”
Learn how Secret Double Octopus helps financial institutions meet compliance goals with phishing-resistant MFA across legacy, cloud, and hybrid environments.