MFA-Optional Banks Are Handing Thieves the Keys
Many banks still make MFA optional for customers, and that gap is costing account holders. Here's what IAM practitioners can take from it.
A report from The Register is calling out financial institutions for leaving MFA as an opt-in feature rather than a requirement. The result is predictable: customers who never enable it get their accounts drained. The institutions absorb the fraud costs and the reputational hit, and the cycle repeats.
This is a CIAM problem, not a technology problem. The capability exists. Every major banking platform supports TOTP, push notifications, or passkeys. The decision to keep MFA optional is a product decision — someone weighed friction against risk and chose friction reduction. That's a reasonable thing to optimize for, until it isn't. What I've seen repeatedly is that "optional" in a consumer context means the vast majority of users never turn it on. Optional MFA is effectively no MFA for most of your population.
For those of us running identity at scale, the lesson here cuts both ways. If you're managing a consumer-facing platform — even one that isn't a bank — you need to ask honestly whether your MFA enrollment rate is high enough to matter. Fifty percent enrollment sounds decent until you realize half your users are one credential-stuffing campaign away from account takeover. Adaptive controls help, but they're not a substitute for enrollment. Risk-based step-up auth only fires when your signals are good. Credential stuffing at scale can look surprisingly clean if the attacker is patient and rotating IPs.
The harder question is about mandate versus nudge. Banks have regulatory pressure that most other sectors don't, and they're still choosing convenience. If you're in a less regulated space, your default posture is probably softer. What's your enrollment rate for high-value accounts specifically? Do you have a policy that requires MFA for accounts above a transaction threshold, or for accounts with access to sensitive data? If you're not sure, that's your Monday morning audit.
Here's what to do: pull your MFA enrollment numbers segmented by account type and risk tier, not just as a flat percentage. If high-privilege or high-value accounts have gaps, close them with enforcement, not nudges. Set a deadline. If your platform allows MFA to be disabled post-enrollment, review whether that off-ramp is still justified.
Be the first to comment
Members only — sign up if you have something worth saying.
Want to weigh in? Sign in or create a free account.
No comments yet.