An FCA-regulated wealth manager in the City rolled out Microsoft Authenticator to 400 staff last quarter, ticked the MFA box on their internal risk register, and reported "phishing risk mitigated" to the board. Six weeks later, a finance team member approved an MFA prompt during a vendor impersonation call. The attacker drained a client settlement account before lunch.

This is the gap our consultants find every week: MFA is deployed, but it is the wrong type, configured weakly, or routed around through legacy authentication paths nobody audited. The Financial Conduct Authority's expectations under PS21/3 Operational Resilience and Consumer Duty obligations now extend to authentication controls protecting client money. SMS codes and push-to-approve prompts no longer meet that bar.

Below are the seven configuration mistakes the Pyralink team encounters most often when auditing UK financial services environments — and the fixes that actually hold up against modern adversary-in-the-middle (AiTM) tooling.

Why MFA Alone Is No Longer the Win It Was in 2021

The threat landscape has shifted. Evilginx, Tycoon 2FA, and similar phishing kits proxy the entire authentication flow in real time: the user enters a code or taps "Approve" on a genuine prompt, and the kit captures the session cookie issued afterwards. The MFA step is completed, it is just not the user who keeps the session. The NCSC updated its multi-factor authentication guidance for online services in 2024 to explicitly recommend phishing-resistant methods, FIDO2 security keys and platform passkeys, for high-value accounts.

For UK financial services firms, "high-value" now includes anyone with access to client data, payment systems, or privileged cloud consoles. That is most of your workforce.

The Seven Configuration Mistakes

1. Treating SMS and Voice OTP as Acceptable Second Factors

SIM-swap attacks against UK mobile numbers are routine, and voice OTP shares the same weakness. Remove SMS and voice as options for any account touching production systems, finance workflows, or admin consoles, and do it in the tenant-wide Authentication methods policy in Entra ID rather than relying on user choice. Check the registration report first: a user whose only registered method is a phone number is locked out the moment the method is disabled, so the Authenticator or FIDO2 registration campaign has to run ahead of the switch-off.
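The switch-off described above, as an added example written for this page rather than code from the article or from Pyralink. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, the signed-in account holds the Authentication Policy Administrator role, and the tenant has Entra ID P1 for the registration report. The phone-method names used for the pre-check are the values the registration report emits for phone-based methods; treat them as an assumption and compare against your own report output.

```powershell
# Added example (not the article's own code): switch SMS and voice OTP off in the
# tenant-wide Authentication methods policy with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed, the signed-in account holds the Authentication
# Policy Administrator role, and Entra ID P1 is present for the registration report.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "AuditLog.Read.All" -NoWelcome

# 1. The Authentication methods policy only governs MFA once the tenant has migrated
#    off the legacy per-user MFA and SSPR policies. Anything other than
#    migrationComplete means the change below is not the whole story.
$migration = (Get-MgPolicyAuthenticationMethodPolicy).PolicyMigrationState
Write-Host "Policy migration state: $migration"

# 2. Who would be left with nothing but a phone number? Disabling SMS/voice locks these
#    users out, so they need Authenticator or a FIDO2 key registered first.
#    Assumption: these are the report's names for phone-based methods.
$phoneMethods = @("mobilePhone", "alternateMobilePhone", "officePhone")
$phoneOnly = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods })
}
Write-Host ("{0} user(s) rely on phone-based MFA only" -f @($phoneOnly).Count)
$phoneOnly | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize
if (@($phoneOnly).Count -gt 0) {
    throw "Run the registration campaign before disabling SMS/voice; aborting."
}

# 3. Disable both methods. The weak state is 'enabled'; the corrected state is 'disabled'.
#    The @odata.type value tells Graph which configuration subtype is being updated.
$weakMethods = @{
    "Sms"   = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    "Voice" = "#microsoft.graph.voiceAuthenticationMethodConfiguration"
}
foreach ($id in $weakMethods.Keys) {
    $before = (Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $id).State
    if ($before -ne "disabled") {
        Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId $id `
            -BodyParameter @{ "@odata.type" = $weakMethods[$id]; state = "disabled" }
    }
    $after = (Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $id).State
    Write-Host ("{0,-6} {1} -> {2}" -f $id, $before, $after)
}
```

The script refuses to proceed while anyone is phone-only, which is the order of operations that matters: the tenant-level switch is a one-line change, the registration campaign is the work.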

2. Allowing Push Notification Approval Without Number Matching

Plain "Approve / Deny" push prompts are defeated by MFA fatigue attacks: the attacker replays the stolen password until the victim taps Approve to make the prompts stop. Microsoft enforced number matching in Authenticator for all tenants from May 2023, so the control itself is rarely the problem; the problem is who it never reaches. Pyralink consultants still find Conditional Access MFA policies that exclude service accounts, contractors, or "VIP users" outright, so those accounts are never prompted at all. Audit the exclusion lists of every policy that grants access on MFA this week.
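An audit script for those exclusion lists, added here as an example and not code from the article or from Pyralink. It assumes the Microsoft.Graph module and an account with Policy.Read.All and Directory.Read.All; it walks every Conditional Access policy whose grant control is MFA or an authentication strength and resolves the excluded users, groups and roles to names, flagging any object ID that no longer resolves.

```powershell
# Added example (not the article's own code): list who is excluded from every
# Conditional Access policy that requires MFA or an authentication strength.
# Assumes the Microsoft.Graph module and Policy.Read.All / Directory.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

function Resolve-Principal {
    # Turn an object ID from an exclusion list into something a reviewer can read.
    # A lookup failure usually means a deleted object is still pinned in the policy.
    param([string]$Kind, [string]$Id)
    try {
        switch ($Kind) {
            "User" {
                $u = Get-MgUser -UserId $Id -Property DisplayName, UserPrincipalName, AccountEnabled
                "{0} ({1}, enabled={2})" -f $u.DisplayName, $u.UserPrincipalName, $u.AccountEnabled
            }
            "Group" {
                $g = Get-MgGroup -GroupId $Id
                $n = @(Get-MgGroupMember -GroupId $Id -All).Count
                "{0} ({1} members)" -f $g.DisplayName, $n
            }
            "Role" {
                (Get-MgDirectoryRoleTemplate -DirectoryRoleTemplateId $Id).DisplayName
            }
        }
    } catch {
        "UNRESOLVED $Kind $Id (deleted object?)"
    }
}

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $grant = $p.GrantControls
    $requiresMfa = ($grant.BuiltInControls -contains "mfa") -or
                   (-not [string]::IsNullOrEmpty($grant.AuthenticationStrength.Id))
    if (-not $requiresMfa) { continue }

    $users = $p.Conditions.Users
    $excluded = @(
        $users.ExcludeUsers  | ForEach-Object { Resolve-Principal -Kind "User"  -Id $_ }
        $users.ExcludeGroups | ForEach-Object { Resolve-Principal -Kind "Group" -Id $_ }
        $users.ExcludeRoles  | ForEach-Object { Resolve-Principal -Kind "Role"  -Id $_ }
    )
    [pscustomobject]@{
        Policy     = $p.DisplayName
        State      = $p.State   # anything other than 'enabled' is report-only or off
        Control    = if ($grant.AuthenticationStrength.Id) { "strength: " + $grant.AuthenticationStrength.DisplayName }
                     else { "mfa (any registered method)" }
        Exclusions = $excluded -join "; "
    }
}

$findings | Sort-Object State, Policy | Format-Table -Wrap -AutoSize
```

Two things to read off the output: a policy whose Control column says "mfa (any registered method)" is satisfied by whatever the weakest enabled method is, and an excluded group with a large member count is usually where the "temporary" contractor exemption from three years ago now lives.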

3. Legacy Authentication Left Open

Basic Authentication on POP, IMAP, SMTP AUTH, and Exchange Web Services sends a username and password and has no way to prompt for a second factor, so an MFA Conditional Access policy scoped to browser and modern clients never sees the sign-in. Microsoft finished disabling Basic Authentication for Exchange Online in early 2023, but SMTP AUTH was carved out and stays enabled in many tenants, and on-premises connectors, hybrid configurations, and SMTP submission for printers and line-of-business apps frequently keep a back door open. In the Entra ID sign-in logs, filter the Client app column to everything other than "Browser" and "Mobile Apps and Desktop clients" (the legacy protocols appear as IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, and the catch-all "Other clients"). Anything appearing there is your unprotected attack surface, and every line needs an owner before a block policy moves from report-only to enforced.
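The query and the block policy as one procedure, added here as an example and not code from the article or from Pyralink. It assumes the Microsoft.Graph module, AuditLog.Read.All and Directory.Read.All for the sign-in logs, Policy.ReadWrite.ConditionalAccess for the policy, and a 30-day sign-in log retention; the break-glass object ID is a placeholder.

```powershell
# Added example (not the article's own code): find the legacy-protocol sign-ins in the
# last 30 days, then stage a block policy in report-only mode. Assumes Microsoft.Graph,
# AuditLog.Read.All for the logs and Policy.ReadWrite.ConditionalAccess for the policy.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Everything that is not one of the two modern client types is a legacy client app:
# IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", and so on.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modernClients) }

# One row per user / protocol / application with a success count, because a failed
# IMAP password spray and a working printer SMTP relay need different owners.
$report = $legacy | Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        User      = $first.UserPrincipalName
        ClientApp = $first.ClientAppUsed
        App       = $first.AppDisplayName
        Attempts  = $_.Count
        Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        SourceIPs = ($_.Group.IpAddress | Sort-Object -Unique) -join ","
    }
}
$report | Sort-Object Succeeded -Descending | Format-Table -AutoSize
# Run a second pass with " and signInEventTypes/any(t: t eq 'nonInteractiveUser')"
# appended to the filter so the non-interactive log is covered too.

# Block policy, staged in report-only so the sign-in log shows what it would have
# stopped before anyone's mail stops flowing. Assumption: replace the placeholder
# with the object IDs of your emergency access accounts.
$breakGlassIds = @("<break-glass-account-object-id>")
$blockLegacy = @{
    displayName   = "Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
Write-Host ("Created '{0}' in state {1}" -f $created.DisplayName, $created.State)
```

The Succeeded column is the one to act on: a successful Authenticated SMTP sign-in from a line-of-business server is a migration ticket, a successful IMAP4 sign-in by a finance user from an unfamiliar IP is an incident.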

4. Conditional Access Without Risk-Based Triggers

Static "require MFA from outside the office" policies miss the modern attacker, who signs in from a residential UK IP through a compromised endpoint and never trips a location rule. Use Entra ID Protection sign-in risk and user risk signals to trigger step-up authentication or a block: sign-in risk is scored per session and is the right trigger for step-up, while user risk accumulates evidence that the account itself is compromised and is the right trigger for a block. Risk-based Conditional Access requires Entra ID P2, so confirm the licence before building the policies. Combine with named locations for sensitive applications, not as the only control.
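The two risk-based policies just described, added here as an example and not code from the article or from Pyralink. It assumes the Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess, Entra ID P2, and a placeholder break-glass object ID.

```powershell
# Added example (not the article's own code): two risk-based Conditional Access policies,
# both staged in report-only. Assumes Microsoft.Graph, Policy.ReadWrite.ConditionalAccess
# and Entra ID P2 (risk-based Conditional Access is a P2 feature).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Assumption: object IDs of the emergency access accounts, which stay excluded.
$breakGlassIds = @("<break-glass-account-object-id>")
$scope = @{
    users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
    applications = @{ includeApplications = @("All") }
}

# Sign-in risk is per session (unfamiliar residential IP, anonymous network, token
# anomaly). Step up rather than block so a genuine user self-remediates.
$stepUp = @{
    displayName   = "Step-up MFA on medium or high sign-in risk (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    # For admins and finance approvers, replace builtInControls with
    #   authenticationStrength = @{ id = "<phishing-resistant strength id>" }
    # so a phished push cannot satisfy the step-up.
}

# User risk is cumulative evidence of compromise (leaked credentials, confirmed
# attacker activity). For accounts that can move client money, block and investigate.
$block = @{
    displayName   = "Block high user risk (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ userRiskLevels = @("high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($body in @($stepUp, $block)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host ("Created '{0}' [{1}] id={2}" -f $created.DisplayName, $created.State, $created.Id)
}

# Read back what Entra stored: the risk conditions should echo on both policies.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.SignInRiskLevels -or $_.Conditions.UserRiskLevels } |
    Select-Object DisplayName, State,
        @{ n = "SignInRisk"; e = { $_.Conditions.SignInRiskLevels -join "," } },
        @{ n = "UserRisk";   e = { $_.Conditions.UserRiskLevels -join "," } } |
    Format-Table -AutoSize
```

Both policies start in report-only; a week of "would have been blocked" entries in the sign-in log tells you whether the risk thresholds match your user base before anyone is locked out.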

5. No MFA on Break-Glass and Service Accounts

Emergency access accounts are usually excluded from Conditional Access, and they have to be, but that makes them the one place the MFA policy does not apply. Protect them with FIDO2 keys stored in a tamper-evident safe and alert on every sign-in from those accounts: genuine use is rare enough that each one deserves a human to look at it. Workload identities need the same scrutiny. Service principals should authenticate with certificate credentials, or better still be replaced by managed identities or workload identity federation, which carry no secret to leak at all, rather than client secrets sitting in a key vault that half the engineering team can read.

6. MFA Enrolment Without Identity Verification

An attacker who phishes a password and reaches an unprotected enrolment page registers their own device as the second factor, and from then on every MFA prompt goes to them. Put a Conditional Access policy on the "Register security information" user action so registration is only possible from a compliant device or a trusted location, and onboard new joiners with a Temporary Access Pass issued by IT after identity verification. This is the single most overlooked control in our audits.
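The registration policy and the Temporary Access Pass issuance as one runnable procedure, added here as an example and not code from the article or from Pyralink. It assumes the Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess and UserAuthenticationMethod.ReadWrite.All, Temporary Access Pass enabled in the Authentication methods policy, an issuer holding the Authentication Administrator role (Privileged Authentication Administrator if the joiner is an admin), and placeholder values for the break-glass object ID and the joiner's UPN.

```powershell
# Added example (not the article's own code): lock down the "Register security information"
# user action, then issue a Temporary Access Pass for a verified new joiner. Assumes
# Microsoft.Graph, Policy.ReadWrite.ConditionalAccess, UserAuthenticationMethod.ReadWrite.All,
# TAP enabled in the Authentication methods policy, and an Authentication Administrator issuer.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

$breakGlassIds = @("<break-glass-account-object-id>")   # assumption: your emergency access accounts

# Registration is allowed from a trusted named location, or from anywhere on a compliant
# (Intune-managed) device. A phished password used from an attacker's laptop satisfies neither.
# Change builtInControls to @("block") if registration should only ever happen on site.
$registrationPolicy = @{
    displayName   = "Security info registration: trusted location or compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $registrationPolicy
Write-Host ("Created '{0}' in state {1}" -f $created.DisplayName, $created.State)

function New-OnboardingPass {
    # Issue a single-use TAP that expires in an hour. The identity check (HR record,
    # video call, in-person ID) happens before this function is called, not inside it.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$LifetimeMinutes = 60
    )
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter @{
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce      = $true
    }
    [pscustomobject]@{
        User      = $UserPrincipalName
        Pass      = $tap.TemporaryAccessPass   # read it to the joiner out of band, never by email
        ExpiresAt = (Get-Date).AddMinutes($LifetimeMinutes)
    }
}

# Assumption: the UPN below is a placeholder for the verified new joiner.
New-OnboardingPass -UserPrincipalName "new.joiner@example.com"
```

A single-use, one-hour pass leaves nothing reusable if the onboarding call is overheard or the ticket is forwarded; the joiner uses it once to register a passkey or key and the pass is gone.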

7. No Coverage of Third-Party SaaS Outside SSO

Finance teams sign up for Stripe, DocuSign, payroll portals, and trading platforms directly. If those accounts use only password plus SMS, your Entra ID rollout protects nothing. Inventory every SaaS app handling client data and enforce SSO with phishing-resistant MFA — or block direct sign-up at the network egress.

What Phishing-Resistant Actually Means

The methods that qualify under current NCSC and CISA guidance share one property: the credential is cryptographically bound to the origin the user is actually talking to. In practice that means FIDO2/WebAuthn security keys (YubiKey, Token2, Feitian), platform passkeys synced through Apple, Google, or Microsoft ecosystems (check which passkey types your tenant accepts before planning around them), and PKI-based methods such as certificate-based authentication with a smart card. Because the browser signs the challenge with the real origin, a proxy sitting on a look-alike domain never receives a valid assertion, so AiTM kits have nothing to replay. The caveat: phishing resistance is a property of the weakest method still allowed on the account. A user with a security key who can still fall back to SMS is still phishable, because the attacker simply triggers the fallback. Remove the weaker methods or gate the account behind an authentication strength policy; adding the strong method on its own changes little.

A pragmatic passwordless strategy for a UK financial services firm looks like this: hardware keys for privileged administrators and finance approvers, platform passkeys for general staff on managed devices, Windows Hello for Business on corporate laptops, and Temporary Access Pass for onboarding and recovery. Passwords stay only as a fallback recovery path, gated behind verified identity proofing.
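The authentication strength gate that the previous two paragraphs describe, applied to the privileged administrators and finance approvers in the strategy above, as an added example and not code from the article or from Pyralink. It assumes the Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess and Directory.Read.All, the built-in "Phishing-resistant MFA" strength that every tenant carries under a fixed ID, and placeholder object IDs for the finance approvers group and the break-glass accounts.

```powershell
# Added example (not the article's own code): require the built-in "Phishing-resistant MFA"
# authentication strength for privileged directory roles and a finance approvers group.
# Assumes Microsoft.Graph, Policy.ReadWrite.ConditionalAccess and Directory.Read.All;
# the group and break-glass object IDs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All" -NoWelcome

# The built-in phishing-resistant strength has a fixed ID in every tenant. Read it back so
# the allowed combinations (fido2, windowsHelloForBusiness, x509CertificateMultiFactor,
# plus whatever passkey combinations Microsoft has added since) are on the change record.
$phishingResistantId = "00000000-0000-0000-0000-000000000004"
$strength = Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $phishingResistantId
Write-Host ("{0}: {1}" -f $strength.DisplayName, ($strength.AllowedCombinations -join ", "))

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$roleNames = @(
    "Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Conditional Access Administrator",
    "Exchange Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    ForEach-Object { $_.Id }

$financeApproversGroupId = "<object-id-of-finance-approvers-group>"   # assumption
$breakGlassIds           = @("<break-glass-account-object-id>")       # assumption

$policy = @{
    displayName   = "Phishing-resistant MFA: privileged roles and finance approvers"
    state         = "enabledForReportingButNotEnforced"   # flip to 'enabled' once every target holds a key
    conditions    = @{
        users = @{
            includeRoles  = @($roleIds)
            includeGroups = @($financeApproversGroupId)
            excludeUsers  = $breakGlassIds
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantId }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host ("Created '{0}' ({1}) covering {2} roles and 1 group" -f $created.DisplayName, $created.State, @($roleIds).Count)
```

Scoping by directory role rather than by a hand-maintained admin group means a newly assigned Global Administrator is covered the moment the role is activated. Before moving the policy to enabled, check the registration report for every targeted user: a member without a FIDO2 key, Windows Hello for Business, or a certificate does not get a weaker prompt, they get locked out, which is the correct failure mode only if the keys have actually been handed out.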

MFA Implementation Best Practice: The 30-Day Move

If your firm is still running push-based MFA across the board, here is what we recommend doing in the next month:

  1. Pull Entra ID sign-in logs and identify every authentication using SMS, voice, or "Other clients." Build a remediation list.
  2. Roll out FIDO2 keys to the top 20 privileged accounts — Global Admins, finance approvers, M&A team, board members.
  3. Remove the exclusions from your MFA Conditional Access policies (number matching is already enforced by Authenticator), and enable application name and location context in the Authenticator settings.
  4. Restrict MFA registration to compliant devices or trusted IPs.
  5. Inventory third-party SaaS and migrate critical apps to SSO with phishing-resistant authentication.

How Pyralink Helps

Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our consultants have rolled out FIDO2 and passwordless authentication across FCA-regulated firms, fintechs, and professional services practices — including the messy hybrid Active Directory and Entra ID estates most playbooks ignore.

Through our CloudAuditX platform,


Related Reading