Cookie Consent by Free Privacy Policy Generator

UK banks leave accounts vulnerable by making MFA optional

UK financial institutions are putting customers at risk by continuing to make multi-factor authentication optional rather than mandatory, according to analysis published by The Register. The report highlights that many banks allow customers to access online banking using only a password, despite widespread recognition that single-factor authentication is insufficient to protect against credential theft, phishing and account takeover attacks. The decision to keep MFA optional is often justified on the grounds of customer convenience and reducing friction during login, but it leaves accounts exposed to straightforward attacks that MFA would prevent. The Register notes that while some banks have introduced MFA for certain high-risk actions, such as setting up new payees, many still do not enforce it for routine account access, creating an inconsistent and inadequate security posture across the sector.

Why this matters for UK organisations

This reflects a broader tension between security, usability and customer experience that many UK organisations face. The banking sector's reluctance to mandate MFA demonstrates how convenience can be prioritised over security even in high-risk environments where financial fraud is a daily reality. For UK businesses, this is a reminder that optional security controls are often not used, and that relying on users to make the right security decision is not a reliable defence. Organisations should review whether MFA is enforced across all access points to critical systems, whether legacy authentication methods are still in use, and whether customer-facing services are protected by controls that reflect the actual threat environment rather than historical assumptions about user behaviour. The operational challenge is balancing security with usability, but the evidence from the banking sector suggests that leaving security controls optional is not an acceptable compromise when the risks are well understood and the mitigations are readily available.

What to review

Organisations should review whether multi-factor authentication is enforced rather than optional across all systems that handle sensitive data or financial transactions. This includes checking whether legacy single-factor authentication methods remain in use, whether customer-facing services are protected by MFA, and whether there are clear policies on when and how MFA should be applied. It is worth considering whether MFA is enforced for all users, including privileged accounts, and whether there are exceptions or workarounds that undermine the control. For organisations that have made MFA optional, this is a prompt to review whether that decision reflects current threat levels and whether the convenience argument is still valid given the frequency and impact of credential-based attacks.

Source: The Register

News and blog posts
The National Crime Agency has issued a public warning urging parents not to...
The NHS in England is introducing AI-powered triage functionality within the...
UK financial institutions are putting customers at risk by continuing to make...
The ransomware landscape is consolidating around a smaller number of major...