A study by HYPR found that most financial institutions did not update their authentication methods even after suffering data breaches.
According to The State of Authentication in the Finance Industry report, 80% of financial institutions suffered at least one data breach in the last 12 months.
Additionally, 72% experienced multiple breaches, with each institution recording an average of 3.4 intrusions, costing up to $2.19 million, excluding intangible and hidden costs.
However, nearly two-thirds (63%) did not upgrade their authentication systems after the breach. Additionally, an overwhelming majority (92%) of the institutions felt that their authentication methods were satisfactory.
The researchers posited that the false perception of security was responsible for the high number of data breaches on financial institutions.
The study interviewed 500 data management and IT security professionals across finance-related industries such as banking, investment, FinTech, insurance, and wealth management.
Financial institutions are frequently targeted and breached
The report found that financial institutions increasingly faced evolving threats, with 94% experiencing some type of attack in the last 12 months. Phishing remained the most prevalent threat, accounting for 36% of all the attacks.
Malware and credential stuffing (31% each), push notification attacks (29%), and man-in-the-middle (MitM) attacks (27%) rounded out the top five threats the financial institutions faced.
However, the evolution of financial institutions’ authentication methods did not keep up with the evolving threats.
“While improvements in perimeter, network, and behavioral analytics have advanced, authentication security has not moved at the same pace,” David Reilly, a security and financial services advisor and former CIO and CTO at Bank of America, said.
Reilly nonetheless credits financial institutions with a strong record of adopting new cybersecurity products, and suggests they could do the same with passwordless MFA.
“As one of the most targeted sectors for attack, financial services companies have an impressive track record of adopting new, innovative defense technologies.”
Legacy authentication methods are rampant in financial institutions
The report found that most financial employees still depended on legacy and insufficient authentication methods.
According to the study, 32% of the employees still use traditional MFA methods such as SMS and OTPs, 43% depend on password managers, while 22% rely on usernames and passwords only.
“A few years ago, multi-factor authentication (MFA) would have been the de-facto cybersecurity recommendation for businesses. But while traditional MFA methods were once considered best practice, increasingly sophisticated attackers have worked to circumvent it, making it much less effective as a defense measure.”
The report also found security professionals did not “practice what they preach.” While 90% believed desktop-level authentication was the preferred authentication method, most financial institutions relied on application-level authentication.
While 99% of the respondents agreed that their organizations’ authentication methods needed an upgrade, they faced various obstacles that prevented this reality.
Three-quarters (75%) of the respondents cited IT-related obstacles such as management complexity (33%) and integration issues (27%). Another 62% cited user experience issues, including methods that are hard to use and meet resistance from employees (29%), and 57% cited security issues, such as difficulty authenticating remote employees seamlessly (25%).
Organizations are satisfied with insufficient authentication methods
There was a disconnect between actual and perceived security, perhaps explaining the high number of breaches.
Nine of ten data and security professionals believed their organizations’ authentication methods were “mostly or completely” secure.
“The disconnect between perceived and actual levels of authentication security makes more sense when we see respondents’ attitudes toward traditional MFA,” the researchers wrote. “The vast majority (84%) feel that traditional MFA provides complete security.”
The researchers stated that attackers had developed automated tools and potent social engineering tactics to bypass traditional MFA methods used by financial institutions.
They noted that 92% of security professionals believed financial institutions should use phishing-resistant multi-factor authentication, a view that sits uneasily with the 84% who consider traditional, phishable MFA to be completely secure.
According to the study, 47% of financial institutions believe phishing-resistant MFA methods are a crucial authentication strategy, while 51% believe it plays a role.
“There is obvious confusion here, highlighting a need for better education and training around which authentication methods are and aren’t phishable. It also further suggests that organizations are not as secure as they think that they are and that their current authentication methods need attention.”
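To make the "phishable versus phishing-resistant" distinction concrete, the following is an added example (not from the HYPR report or any vendor code). It simulates an adversary-in-the-middle phishing proxy against two factors: a TOTP code, which the victim types into the look-alike site and the proxy simply forwards, and a WebAuthn-style assertion, where the browser writes the origin it actually sees into the signed client data, so the bank rejects anything produced on the wrong origin. The origins, the relying party ID and the device key are assumptions, and an HMAC stands in for the authenticator's asymmetric signature; the origin-binding logic is what matters.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# Assumed names for the demo (not from the report).
RP_ID = "bank.example"                     # relying party ID the credential was registered for
RP_ORIGIN = "https://bank.example"         # legitimate login origin
PHISH_ORIGIN = "https://bank-example.com"  # attacker's look-alike site fronting the proxy


# ---------- Traditional MFA: TOTP (RFC 6238 over HOTP/RFC 4226, SHA-1, 30 s step) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def bank_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def aitm_relay_totp(user_secret: bytes, unix_time: int) -> bool:
    """Victim reads the code from their app and types it into the phishing page;
    the proxy forwards it unchanged to the real bank. Nothing in the code says
    where it was typed, so the bank accepts it."""
    code_typed_on_phish = totp(user_secret, unix_time)
    return bank_verify_totp(user_secret, code_typed_on_phish, unix_time)


# ---------- Phishing-resistant MFA: origin-bound assertion (WebAuthn-style) ----------
def _rp_id_hash() -> bytes:
    return hashlib.sha256(RP_ID.encode()).digest()


def authenticator_sign(device_key: bytes, rp_id_hash: bytes, client_data: bytes) -> bytes:
    # Real authenticators sign authenticatorData || SHA-256(clientDataJSON) with a
    # private key; HMAC with a shared device key is a stand-in for that signature.
    return hmac.new(device_key, rp_id_hash + hashlib.sha256(client_data).digest(),
                    hashlib.sha256).digest()


def browser_assert(device_key: bytes, challenge: str, origin_seen_by_browser: str):
    """The browser, not the user, fills in the origin it is actually on.
    (A real browser would also refuse outright because RP_ID is not a registrable
    suffix of the phishing host; the server-side origin check is the backstop.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        separators=(",", ":")).encode()
    return client_data, authenticator_sign(device_key, _rp_id_hash(), client_data)


def bank_verify_assertion(device_key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(data.get("challenge", ""), challenge):
        return False
    if data.get("origin") != RP_ORIGIN:   # the check that defeats the relay
        return False
    expected = authenticator_sign(device_key, _rp_id_hash(), client_data)
    return hmac.compare_digest(expected, sig)


def new_challenge() -> str:
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def legitimate_assertion(device_key: bytes) -> bool:
    challenge = new_challenge()
    client_data, sig = browser_assert(device_key, challenge, RP_ORIGIN)
    return bank_verify_assertion(device_key, challenge, client_data, sig)


def aitm_relay_assertion(device_key: bytes) -> bool:
    """The proxy fetches a genuine challenge from the bank and hands it to the victim,
    but the victim's browser signs it with the phishing origin, so the bank rejects it."""
    challenge = new_challenge()
    client_data, sig = browser_assert(device_key, challenge, PHISH_ORIGIN)
    return bank_verify_assertion(device_key, challenge, client_data, sig)


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test secret (constructed demo input)
    print("TOTP relayed through phishing proxy accepted:", aitm_relay_totp(seed, 59))
    print("Origin-bound assertion from real site accepted:", legitimate_assertion(b"device-key"))
    print("Origin-bound assertion relayed through proxy accepted:", aitm_relay_assertion(b"device-key"))
```

The TOTP path uses the RFC 6238 test secret so the code value can be checked against the published vectors; the relay succeeds because a one-time code carries no information about where it was entered. The assertion path fails at the `origin` comparison before the signature is even checked, which is the property that makes FIDO-style MFA phishing-resistant: the secret never leaves the device, and what it signs is bound to the site the browser is actually talking to.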
The future is passwordless MFA
Although misconceptions about passwordless authentication persist, the researchers designated it the “gold standard for authentication.”
In addition to its security benefits, passwordless MFA improves the user experience. Accordingly, a third (34%) of the respondents plan to eliminate passwords to make authentication more user-friendly.
The researchers listed various problems associated with password authentication. These include challenges in remembering because of complexity (37%), frequent resetting (36%), and the number of passwords required to perform a job (35%). Furthermore, passwords carry a financial cost, with 15% of the annual helpdesk budget spent on password reset.
“The problem is the passwords themselves. We need to remove passwords altogether. They’re costly to maintain, a gaping security issue, and prevent legitimate users from gaining access to what they need.” – Jim Taylor, Chief Product Officer at RSA.
Taylor recommended FIDO, biometrics, and “contextual or risk-based authentication,” which assess other signals such as the device’s identity, time, location, and IP addresses.
“Taking these steps advances security, creates a more pleasant and productive user experience and moves organizations closer to zero trust.”
According to the respondents, other benefits of passwordless authentication include increased cybersecurity (33%), compliance with cyber insurance requirements (31%), and securing the supply chain (31%).
However, despite these advantages, adoption of passwordless authentication was still limited. Only about a third of financial institutions used it all the time for their employees (32%) and customers (36%).
Fortunately, most respondents believed that passwordless authentication was the way forward, with 90% citing cost benefits, 89% improved security, and 89% user satisfaction.
“Financial services organizations need to take up their mantle as security innovators and fully embrace phishing-resistant passwordless authentication technology,” the researchers concluded.