New international cybersecurity advisory urges stronger MFA protections


A first-ever global call for stronger workforce authentication

For the first time, eleven of the world’s leading cybersecurity authorities, including agencies from the US, UK, Germany, Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France, and the Netherlands, issued a joint advisory in May 2025 urging immediate action to accelerate the adoption of phishing-resistant multi-factor authentication (MFA), particularly for administrators, IT personnel, remote and third-party access, and users with elevated privileges in critical sectors.

This unprecedented coordinated guidance targets urgent weaknesses in how organizations secure access to sensitive systems.

Why this advisory matters

  • Push-based MFA and OTPs are now considered high risk

    The advisory warns that traditional MFA methods like SMS codes, one-time passcode (OTP) apps, and push notifications are vulnerable to phishing, social engineering

  • Phishing-resistant MFA is now the baseline

    Security agencies explicitly recommend FIDO2-based MFA, including passkeys and hardware-backed authenticators, that confirm user identity through strong possession factors.

  • Enterprise IT and security teams must prioritize workforce authentication

    Strong authentication is no longer limited to consumer access. It must now protect internal systems, remote access, DevOps, and privileged users.

  • This is a global security shift

    It reflects the direction of major regulatory frameworks: NIS2, DORA, GLBA, SEC rules, and others, which all call for stronger, more modern authentication controls.

Why act now

Threat actors are increasingly targeting IT service providers, infrastructure operators, and organizations that support critical supply chains. Passwords and legacy MFA leave gaps that can be, and are being, exploited. If your admins, contractors, or privileged users rely on outdated authentication, you are in scope.

OneSpan: Your partner for passwordless, phishing-resistant MFA

OneSpan delivers the industry’s most compliance-aligned, flexible MFA portfolio, trusted by governments, banks, and organizations in critical sectors worldwide. This includes:

  • Phishing-resistant MFA using FIDO2 and Cronto
  • Passwordless access across your workforce applications
  • Hardware security keys and mobile authenticators for flexible deployment
  • Compliance-ready solutions aligned with NIS2, DORA, GLBA, MAS TRM, and more

Assess your MFA readiness today

  • Are you confident your current MFA setup meets this new bar?
  • Are your current controls truly phishing-resistant?
  • Are passkeys part of your workforce authentication plan?
  • Can you deploy stronger MFA without disrupting users?

We can help. Schedule your MFA gap assessment with our security team today and take the first step toward stronger, compliant authentication.