News & Views


Yubico reflects on DORA progress

The Digital Operational Resilience Act (DORA) may be a year old, but research shows that, in the battle to build cyber resilience, many in the financial services sector remain slow to react to new and emerging risks arising from AI.

According to Yubico’s recent Global State of Authentication Report, 62% of organizations are still primarily relying on username and password credentials, demonstrating the widespread use of weak authentication methods, despite their known insecurity compared to much stronger forms of multi-factor authentication (MFA).

“DORA is more than a compliance tick box; it’s an important framework for building cyber resilience,” says Nic Sarginson, Principal Product Manager, Yubico. “As the use of digital identities becomes more commonplace, so too does the threat they face. According to the World Economic Forum’s (WEF) Global Cybersecurity Outlook for 2026, phishing attacks and cyber fraud – in which threat actors impersonate trusted entities to steal credentials and individuals’ personal data – have overtaken ransomware as the top cybersecurity concern amongst CEOs.”

“Despite this, many organizations continue to rely on passwords and legacy authentication methods like SMS-based one-time passwords (OTPs). These are inherently insecure and outdated types of authentication that cyber criminals can easily steal or guess. No level of monitoring or incident response can fully compensate for such weak access controls. Recognizing this, DORA appropriately emphasises prevention as much as crisis management – and effective prevention starts with strong identity security.”

“While DORA doesn’t explicitly mandate the use of MFA, it requires the implementation of strong authentication policies and protocols. After all, its overarching goal is to limit the risk of unauthorized access and bolster cybersecurity across the financial sector. Modern, phishing-resistant MFA tools, such as hardware passkeys like physical security keys, play a pivotal role in digital operational resilience by significantly reducing the risk of cyber incidents and attacks,” continues Sarginson.

“For financial organizations, adopting phishing-resistant MFA aligns perfectly with DORA’s objectives, enhancing both customer protection and the security of critical financial infrastructure. One year on from the directive’s implementation, the message is clear: operational resilience starts with identity. Legacy MFA is no longer sufficient, and for financial institutions and their technology partners, phishing-resistant device-bound passkeys offer a practical way to pair regulatory compliance with meaningful risk reduction, delivering on DORA’s promise.”