IT Brief UK - Technology news for CIOs & IT decision-makers

Yubico urges EU financial firms to ditch legacy MFA

Mon, 19th Jan 2026

Yubico has urged financial organisations and their technology suppliers to tighten authentication practices under the European Union's Digital Operational Resilience Act, warning that continued reliance on passwords and legacy multi-factor methods leaves gaps in digital identity security.

The Digital Operational Resilience Act, known as DORA, sets requirements for operational resilience across financial services in the European Economic Area and for firms that provide services to EU-based customers. The rules cover areas such as ICT risk management, incident reporting, resilience testing and oversight of third-party technology suppliers.

Yubico said organisations have made progress during the first year in which the regulation has applied (DORA has applied since 17 January 2025). The company also said many firms still lean on weaker authentication approaches, even as phishing and impersonation attacks gain pace.

Data from Yubico's Global State of Authentication Report found that 62 percent of organisations still primarily rely on username and password credentials. The company framed that figure as evidence of persistent dependence on approaches that attackers can compromise through credential theft, guessing, reuse and phishing.

Identity risk

Yubico linked the issue to the broader shift towards widespread use of digital identities across workforces, customers and supply chains. It said that identity-based attacks now sit at the centre of operational resilience for regulated firms and for technology providers that connect into financial systems.

Nic Sarginson, Principal Product Manager, Yubico, pointed to external research on the threat landscape and argued that identity-related fraud has risen in priority for business leaders.

"As the use of digital identities becomes more commonplace, so too does the threat they face. According to the World Economic Forum's (WEF) Global Cybersecurity Outlook for 2026, phishing attacks and cyber fraud - in which threat actors impersonate trusted entities to steal credentials and individuals' personal data - have overtaken ransomware as the top cybersecurity concern amongst CEOs," said Sarginson.

He said many organisations still accept passwords and older one-time password methods for account access, which he described as vulnerable to interception or social engineering. He also drew a distinction between detection and prevention in security controls.

"Despite this, many organisations continue to rely on passwords and legacy authentication methods like SMS-based one-time passwords (OTPs). These are inherently insecure and outdated types of authentication that cyber criminals can easily steal or guess. No level of monitoring or incident response can fully compensate for such weak access controls. Recognising this, DORA appropriately emphasises prevention as much as crisis management - and effective prevention starts with strong identity security," said Sarginson.

DORA focus

DORA does not prescribe specific products. It sets expectations for controls and governance. Firms must document and manage ICT risks and demonstrate that they can withstand and recover from disruptions. Regulators also expect financial entities to manage risks introduced by suppliers that provide ICT services.

Yubico argued that authentication decisions sit within that broader risk management approach, because unauthorised access can lead to incidents that trigger reporting obligations and wider operational disruption.

"While DORA doesn't explicitly mandate the use of MFA, it requires the implementation of strong authentication policies and protocols. After all, its overarching goal is to limit the risk of unauthorised access and bolster cybersecurity across the financial sector. Modern, phishing-resistant MFA tools, such as hardware passkeys like physical security keys, play a pivotal role in digital operational resilience by significantly reducing the risk of cyber incidents and attacks," said Sarginson.

The company's comments come as financial services firms continue to evaluate what "strong authentication" means in practice across employee access, privileged accounts and customer-facing systems. Banks and insurers also need to align their authentication choices with their third-party supplier arrangements, particularly where access to internal tools, cloud platforms and administrative interfaces can act as a route into sensitive environments.

Passkey push

Yubico has promoted phishing-resistant authentication methods, namely device-bound passkeys and physical security keys. Both are FIDO2/WebAuthn credentials: the private key never leaves the authenticator, and each assertion is bound to the origin the browser actually presents, so a credential registered for a bank's domain cannot be used to sign in from a lookalike domain. The company said firms should move away from legacy MFA approaches in which the second factor can be intercepted, redirected or socially engineered, such as SMS or app-generated one-time codes that an adversary-in-the-middle phishing proxy can relay to the real site within the code's validity window.
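The following is an added illustration, not code from Yubico or from the article, of why the distinction above matters at the protocol level. It models a relaying (adversary-in-the-middle) phishing site against two relying-party checks: an RFC 6238 TOTP verifier, which has no way to know where the code was typed, and the origin, challenge and RP ID checks a WebAuthn relying party performs on a passkey assertion. The RP ID `bank.example`, the allowed origin, the phishing domain `bank-login.example`, the TOTP seed and the challenge bytes are all constructed for the example; the signature check over `authenticatorData || SHA-256(clientDataJSON)` is deliberately left out because it needs an ECDSA/Ed25519 library, and a real relying party must perform it (it is what stops the attacker from rewriting the origin field).

```python
import base64
import hashlib
import hmac
import json
import struct

# Relying-party configuration. These names are assumptions for the example.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# --- Legacy MFA: TOTP (RFC 6238). The server only checks "is this the code for
# this secret in this time window"; it cannot tell where the user typed it.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Current window only; real deployments usually also accept +/-1 step.
    return hmac.compare_digest(totp(secret, unix_time), code)


def legacy_phish_scenario() -> bool:
    """Victim types the OTP into a lookalike site; the attacker relays it to the
    real bank a few seconds later. Returns True if the relayed code is accepted."""
    secret = b"constructed-totp-seed-for-demo"  # constructed sample secret
    now = 1_768_800_000                          # constructed fixed timestamp
    code_typed_into_phishing_site = totp(secret, now)
    return verify_totp(secret, code_typed_into_phishing_site, now + 5)


# --- Phishing-resistant MFA: WebAuthn assertion. The browser writes the real
# page origin into clientDataJSON and derives the RP ID from the page's domain.
def simulate_browser_assertion(page_origin: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Model of what browser + authenticator return from navigator.credentials.get()
    on page_origin. A page on another domain cannot request RP ID 'bank.example'."""
    rp_id_used = page_origin.removeprefix("https://")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id_used.encode()).digest()
    flags = bytes([0x01])            # UP (user present) bit set
    sign_count = struct.pack(">I", 1)
    return client_data, rp_id_hash + flags + sign_count


def verify_assertion(client_data: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """RP-side WebAuthn assertion checks. Signature verification against the
    stored credential public key is omitted (needs an ECDSA/Ed25519 library)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(expected_challenge)):
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed (phishing site)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def passkey_legit_scenario() -> tuple[bool, str]:
    challenge = b"constructed-32-byte-challenge-01"  # constructed; use os.urandom(32)
    cd, ad = simulate_browser_assertion("https://bank.example", challenge)
    return verify_assertion(cd, ad, challenge)


def passkey_phish_scenario() -> tuple[bool, str]:
    """Same relay attack: the proxy at bank-login.example forwards the real RP's
    challenge, but the browser stamps the proxy's origin into clientDataJSON."""
    challenge = b"constructed-32-byte-challenge-02"
    cd, ad = simulate_browser_assertion("https://bank-login.example", challenge)
    return verify_assertion(cd, ad, challenge)


if __name__ == "__main__":
    print("TOTP relayed via phishing site accepted:", legacy_phish_scenario())
    print("Passkey, genuine origin:", passkey_legit_scenario())
    print("Passkey, phishing origin:", passkey_phish_scenario())
```

The relayed TOTP is accepted because nothing in the code ties it to the site it was entered on; the relayed passkey assertion is rejected at the origin check before any key material is consulted. Note that the origin and rpIdHash checks only carry weight because the authenticator's signature covers the hash of clientDataJSON, which is why the omitted signature verification is mandatory in a real relying party.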

It also framed changes in authentication as a way for financial firms to reduce the likelihood of cyber incidents that affect customer data and critical systems. Such incidents can cascade through payment operations, trading systems and customer service channels.

"For financial organisations, adopting phishing-resistant MFA aligns perfectly with DORA's objectives, enhancing both customer protection and the security of critical financial infrastructure. One year on from the directive's implementation, the message is clear: operational resilience starts with identity. Legacy MFA is no longer sufficient, and for financial institutions and their technology partners, phishing-resistant device-bound passkeys offer a practical way to pair regulatory compliance with meaningful risk reduction, delivering on DORA's promise," said Sarginson.

Yubico said financial entities and their technology partners will face continued scrutiny on authentication controls as operational resilience expectations mature across the EU regulatory perimeter.