Survey of 200 IAM Leaders Reveals a Dangerous Confidence Gap: 82% Trust Their Authentication Controls Even as Phishing Surges and Just 28% of MFA Is Phishing-Resistant


MENLO PARK, Calif.--(BUSINESS WIRE)--Secret Double Octopus (SDO), the leader in enterprise-grade passwordless authentication, today announced the release of its 2026 State of Identity Security in Financial Organizations report. The study, based on a survey of 200 IAM leaders and stakeholders at financial services firms across the US and Canada, exposes a sharp disconnect between how protected these organizations believe they are and what their own responses reveal about the maturity of their identity security controls.
The headline finding is a confidence gap that should concern every security leader in the sector. While 94% of respondents reported that phishing attacks increased over the past year and only 28% of the MFA they use for workforce authentication is phishing-resistant, a striking 82% said they are confident their current controls can mitigate account takeover risk. As phishing-resistant and passwordless authentication become the regulatory baseline for strong authentication, that confidence looks increasingly difficult to justify.
Coverage Is Partial, and the Gaps Are Hiding in Plain Sight
The study finds that MFA coverage across financial organizations is fragmented. SaaS applications are protected at a relatively high rate of 74%, but legacy systems lag far behind at just 50%. This matters because legacy still dominates the environment: 54% of organizations report that at least half their applications and infrastructure are legacy, rising to 79% among those who cite regulatory compliance as a top driver to modernize. Many organizations also run strong and weak authentication methods side by side, which masks gaps and creates a false sense of security.
Passwordless Adoption Remains Stalled
Only 15% of workforce authentication flows in financial services are passwordless. Many methods marketed as passwordless still keep the password behind the scenes, where users are sometimes still required to type it in or periodically change it, leaving it exposed to theft, phishing, or compromise. A true passwordless approach removes the password from the flow entirely rather than merely hiding it. The most-cited obstacles to universal phishing-resistant MFA are technical or architectural complexity (79%), cost and budget constraints (53%), and the inability to support legacy apps and infrastructure (51%).
"The most alarming finding in this report is not the size of the gaps but how confident financial organizations feel despite them," said Raz Rafaeli, CEO and Co-Founder of Secret Double Octopus. "Strong-sounding MFA is not the same as phishing-resistant MFA, and partial coverage leaves the most sensitive systems exposed. The encouraging part is that these gaps are solvable today, including on legacy and on-prem systems, without rearchitecting or replacing the infrastructure organizations already rely on."
About the Survey
The 2026 State of Identity Security in Financial Organizations report was administered online by Global Surveyz Research, an independent global research firm. Responses were collected during April 2026 from 200 IT, cybersecurity, and identity security decision-makers at banks, credit unions, investment firms, and loan providers across the US (80%) and Canada (20%), split evenly across four company-size bands.
The full report is now available at https://hubs.ly/Q04nJLTB0.
About Secret Double Octopus
Secret Double Octopus is a pioneer in enterprise-grade passwordless authentication. Its patented ZeroPassword™ technology eliminates all user-managed passwords and delivers phishing-resistant MFA for every login, even across legacy and on-prem systems. By removing passwords, SDO minimizes the attack surface and identity-related costs while improving user experience and operational efficiency. The company's solution is deployed by Fortune 500 companies and leading service providers across heavily regulated industries including finance, defense, and critical infrastructure.
Contacts
Media Contact: Fiorella Zeoli, Secret Double Octopus Fiorella.Zeoli@doubleoctopus.com





