Skip to main content

The Identity at the Core

The Definitive Chronicle of Identity & Access Management

Breach: BREACH: Major healthcare provider confirms 2.3M patient records exposed via misconfigured SCIM endpointVulnerability: CVE-2026-31847: Critical RCE in FortiAuthenticator — CVSS 9.8 — Patch immediatelyBreach: BREACH: European fintech platform leaks OAuth tokens affecting 890K usersAdvisory: ADVISORY: CISA warns of active exploitation of SAML implementation flaws in enterprise SSO productsBreach: BREACH: Major healthcare provider confirms 2.3M patient records exposed via misconfigured SCIM endpointVulnerability: CVE-2026-31847: Critical RCE in FortiAuthenticator — CVSS 9.8 — Patch immediatelyBreach: BREACH: European fintech platform leaks OAuth tokens affecting 890K usersAdvisory: ADVISORY: CISA warns of active exploitation of SAML implementation flaws in enterprise SSO products

BREACH: Major healthcare provider confirms 2.3M patient records exposed via misconfigured SCIM endpoint

CVE-2026-31847: Critical RCE in FortiAuthenticator — CVSS 9.8 — Patch immediately

BREACH: European fintech platform leaks OAuth tokens affecting 890K users

MFA-Optional Banks Are Handing Thieves the Keys

Many banks still make MFA optional for customers, and that gap is costing account holders. Here's what IAM practitioners can take from it.

By nightzxfx
2 min read

A report from The Register is calling out financial institutions for leaving MFA as an opt-in feature rather than a requirement. The result is predictable: customers who never enable it get their accounts drained. The institutions absorb the fraud costs and the reputational hit, and the cycle repeats.

This is a CIAM problem, not a technology problem. The capability exists. Every major banking platform supports TOTP, push notifications, or passkeys. The decision to keep MFA optional is a product decision — someone weighed friction against risk and chose friction reduction. That's a reasonable thing to optimize for, until it isn't. What I've seen repeatedly is that "optional" in a consumer context means the vast majority of users never turn it on. Optional MFA is effectively no MFA for most of your population.

For those of us running identity at scale, the lesson here cuts both ways. If you're managing a consumer-facing platform — even one that isn't a bank — you need to ask honestly whether your MFA enrollment rate is high enough to matter. Fifty percent enrollment sounds decent until you realize half your users are one credential-stuffing campaign away from account takeover. Adaptive controls help, but they're not a substitute for enrollment. Risk-based step-up auth only fires when your signals are good. Credential stuffing at scale can look surprisingly clean if the attacker is patient and rotating IPs.

The harder question is about mandate versus nudge. Banks have regulatory pressure that most other sectors don't, and they're still choosing convenience. If you're in a less regulated space, your default posture is probably softer. What's your enrollment rate for high-value accounts specifically? Do you have a policy that requires MFA for accounts above a transaction threshold, or for accounts with access to sensitive data? If you're not sure, that's your Monday morning audit.

Here's what to do: pull your MFA enrollment numbers segmented by account type and risk tier, not just as a flat percentage. If high-privilege or high-value accounts have gaps, close them with enforcement, not nudges. Set a deadline. If your platform allows MFA to be disabled post-enrollment, review whether that off-ramp is still justified.

#mfa#ciam#breach#identity-governance#policy#zero-trust
Share:XLinkedInFacebook

Be the first to comment

Members only — sign up if you have something worth saying.

Want to weigh in? Sign in or create a free account.

No comments yet.