🟠 High | Source: The Register — Security
A number of banks are offering multi-factor authentication (MFA) as an optional rather than mandatory control, leaving customer accounts vulnerable to credential-based attacks. This practice prioritises user convenience over security, creating an easily exploitable gap that threat actors can abuse through phishing, credential stuffing, or brute force. Given the sensitivity of financial data and the regulatory environment in the UK, this represents a significant risk to both consumers and institutions.
Security Architect’s Take: If your organisation provides or integrates with banking APIs or financial services, audit whether MFA enforcement is contractually and technically mandated at every authentication boundary — optional MFA is effectively no MFA from a threat modelling perspective. Push for step-up authentication controls and ensure any third-party financial integrations enforce MFA as a baseline, not a user preference.
Original advisory: MFA-optional banks leave safe doors (and accounts) wide open for thieves to pillage