Jessica Entwistle
July 6 2026
UK financial institutions are putting customers at risk by continuing to make multi-factor authentication optional rather than mandatory, according to analysis published by The Register. The report highlights that many banks allow customers to access online banking using only a password, despite widespread recognition that single-factor authentication is insufficient to protect against credential theft, phishing and account takeover attacks. The decision to keep MFA optional is often justified on the grounds of customer convenience and reducing friction during login, but it leaves accounts exposed to straightforward attacks that MFA would prevent. The Register notes that while some banks have introduced MFA for certain high-risk actions, such as setting up new payees, many still do not enforce it for routine account access, creating an inconsistent and inadequate security posture across the sector.
This reflects a broader tension between security, usability and customer experience that many UK organisations face. The banking sector's reluctance to mandate MFA demonstrates how convenience can be prioritised over security even in high-risk environments where financial fraud is a daily reality. For UK businesses, this is a reminder that optional security controls are often not used, and that relying on users to make the right security decision is not a reliable defence. Organisations should review whether MFA is enforced across all access points to critical systems, whether legacy authentication methods are still in use, and whether customer-facing services are protected by controls that reflect the actual threat environment rather than historical assumptions about user behaviour. The operational challenge is balancing security with usability, but the evidence from the banking sector suggests that leaving security controls optional is not an acceptable compromise when the risks are well understood and the mitigations are readily available.
Organisations should review whether multi-factor authentication is enforced rather than optional across all systems that handle sensitive data or financial transactions. This includes checking whether legacy single-factor authentication methods remain in use, whether customer-facing services are protected by MFA, and whether there are clear policies on when and how MFA should be applied. It is worth considering whether MFA is enforced for all users, including privileged accounts, and whether there are exceptions or workarounds that undermine the control. For organisations that have made MFA optional, this is a prompt to review whether that decision reflects current threat levels and whether the convenience argument is still valid given the frequency and impact of credential-based attacks.
Source: The Register