Transitioning to a Passwordless Future

Written By Franklin Donahoe

This article outlines the necessity for financial institutions to move away from traditional password-based authentication due to rising cybersecurity threats and the demand for enhanced user experiences. It discusses the growth of the passwordless authentication market, explores various technologies like FIDO2, biometrics, and passkeys, and addresses the challenges and strategic framework for implementing these solutions in a global financial context.

A Strategic Imperative for Global Financial Services

1. Executive Summary

The global financial services industry stands at a critical juncture where the traditional reliance on passwords for authentication is no longer tenable. Escalating cybersecurity threats, particularly those targeting user credentials, coupled with the increasing demand for seamless and secure user experiences, necessitate a fundamental shift towards passwordless authentication. This transition represents more than a mere technological upgrade; it is a strategic imperative that will redefine security postures, enhance operational efficiency, and unlock new avenues for digital innovation. The move is driven by the stark reality that a vast majority of security incidents, reportedly as high as 81%, stem from compromised credentials, making passwords the weakest link in the security chain.1 The global passwordless authentication market is experiencing robust growth, with projections indicating a substantial increase in market size from approximately $19.14 billion in 2024 to over $82.50 billion by 2034, reflecting a compound annual growth rate (CAGR) of around 15.73%.2 Other estimates suggest the market could reach nearly $9 trillion by 2033 with an even higher CAGR of 28.7%.3 This underscores a widespread industry movement towards adopting these more resilient authentication mechanisms.

This report provides a comprehensive analysis of current innovations in passwordless authentication, including FIDO2/WebAuthn standards, advanced biometrics, and the burgeoning role of passkeys. It delves into the significant implementation challenges confronting global financial institutions, such as the integration with entrenched legacy systems, the complexities of a fragmented and evolving regulatory landscape, and the critical need to ensure user adoption across diverse customer and workforce demographics. Finally, it proposes a strategic framework designed to guide the institution through this transformative journey.

Key findings indicate that FIDO2 and passkeys are rapidly emerging as the cornerstone of phishing-resistant authentication, offering substantial security and usability benefits. Advanced biometric technologies, particularly when enhanced by Artificial Intelligence (AI) and Machine Learning (ML), are enabling more sophisticated and continuous authentication methods. However, the path to a passwordless environment is not without obstacles. Integrating modern solutions with legacy core banking platforms requires careful planning and often a hybrid approach. Navigating disparate international regulations concerning data privacy, Strong Customer Authentication (SCA), and biometric data handling demands a proactive and adaptable compliance strategy. Furthermore, ensuring that all users, regardless of their digital literacy or access to specific devices, can seamlessly and securely transition to new authentication methods is paramount.

The strategic recommendations emphasize a phased, persona-based rollout that prioritizes high-risk areas and user segments. Strong executive sponsorship is identified as a critical success factor, alongside robust change management programs focusing on clear communication and comprehensive user education. Proactive engagement with regulatory bodies and a commitment to continuous monitoring and adaptation are also highlighted as essential components of a successful transition. The move to passwordless authentication should be viewed not merely as a security enhancement but as a strategic enabler that can differentiate the institution in a competitive market by fostering greater customer trust and operational agility. The convergence of mature FIDO2 standards, the ubiquity of smartphones equipped with biometric capabilities, and heightened user awareness of password vulnerabilities creates an opportune moment for financial institutions to successfully embrace this passwordless future.3

2. The Evolving Authentication Landscape in Financial Services

The authentication landscape within the financial services sector is undergoing a profound transformation, driven by the inadequacies of traditional password-based systems and the escalating sophistication of cyber threats. This evolution is not merely a technological shift but a strategic response to protect sensitive financial data, comply with stringent regulations, and meet the growing expectations of customers for secure and frictionless digital interactions.

2.1 The Case for Moving Beyond Passwords: Current Threat Landscape and Inherent Risks

Traditional password-based authentication, once the bedrock of digital security, has become a significant liability for financial institutions. Passwords suffer from a multitude of inherent vulnerabilities that are relentlessly exploited by malicious actors. Users frequently resort to weak, easily guessable passwords, reuse credentials across multiple platforms, or store them insecurely, creating a vast attack surface.5 These practices expose institutions to a range of cyber threats, including:

  • Phishing and Spear Phishing: Attacks designed to trick users into revealing their login credentials remain a leading cause of data breaches.6

  • Credential Stuffing: Automated attacks that use stolen usernames and passwords from one breach to attempt unauthorized access to other accounts.6

  • Brute-Force Attacks: Attempts to guess passwords through systematic trial and error.6

  • Malware and Keyloggers: Malicious software designed to capture keystrokes, including passwords, from infected devices.

The impact of credential theft is severe. Industry reports consistently indicate that compromised credentials are the primary vector in a significant majority of data breaches, often cited as being involved in over 80% of such incidents.1 The financial ramifications are substantial, with the average cost of a data breach reaching millions of dollars, encompassing direct costs like forensic investigations and regulatory fines, as well as indirect costs such as reputational damage and loss of customer trust.2 For instance, the average cost of a data breach hit a record high in 2024, reaching $4.88 million.2

Compounding these traditional threats is the emergence of new attack vectors powered by Generative AI (GenAI) and deepfake technologies. These sophisticated tools enable attackers to create highly convincing phishing lures, impersonate individuals with alarming accuracy, and automate the creation of synthetic identities, further undermining the security of password-dependent systems.12 The increasing "industrialization" of cyberattacks, including Malware-as-a-Service (MaaS) which has seen a 4,000% surge, means that financial institutions face a persistent and evolving barrage of attacks.13 This escalating threat landscape underscores the urgent need for a proactive shift towards more robust identity assurance mechanisms, with passwordless authentication at the forefront. Reactive security measures are no longer sufficient; a fundamental change in how identities are verified and protected is essential for resilience.

2.2 Market Trends and Growth Projections for Passwordless Authentication

The global market for passwordless authentication is experiencing substantial growth, reflecting a clear industry-wide shift away from traditional password-based security. Market size estimates vary, but all point towards a rapidly expanding market. One projection indicates the market accounted for $19.14 billion in 2024 and is estimated to surpass $82.50 billion by 2034, growing at a CAGR of 15.73%.2 Another report suggests the market was valued at $923.3 million in 2024 and is projected to reach $8.944.3 million by 2033, with a CAGR of 28.7%.3 This significant growth is propelled by several key drivers:

  • Increased Adoption of FIDO2 Protocols: The FIDO2 standards, including WebAuthn, are gaining traction across digital banking solutions, offering a standardized and interoperable framework for strong, phishing-resistant authentication.3

  • Rising Demand from Retail and E-commerce: These sectors are increasingly integrating biometric-based identity verification systems to enhance security and streamline customer experiences.3

  • Enhanced User Readiness: The ubiquity of smartphones equipped with biometric sensors (fingerprint, facial recognition) has fueled user familiarity and acceptance of passwordless authentication methods for secure transactions.3

  • Growing Awareness of Password Vulnerabilities: Both organizations and consumers are increasingly aware of the inherent weaknesses of passwords and the risks associated with them.5

The financial services sector is a prominent leader in the adoption of passwordless authentication.1 This is driven by the critical need to protect sensitive financial data, comply with stringent regulatory mandates, and meet customer expectations for secure and convenient digital banking experiences. The strong market growth is not solely a reaction to security imperatives; it is also fueled by the significant operational cost savings and improvements in user productivity and satisfaction that passwordless solutions offer. For instance, password-related issues account for 20-50% of IT help desk calls, with each reset costing an average of $70.18 Microsoft reported an 87% reduction in authentication costs after moving to passwordless methods.1 This compelling business case, combining risk mitigation with tangible ROI, makes the transition to passwordless authentication a strategic priority for financial institutions.

2.3 The Role of Passwordless Authentication in a Zero Trust Architecture

Passwordless authentication is a foundational component of a modern Zero Trust security architecture, a paradigm that is increasingly critical for financial institutions. Zero Trust operates on the principle of "never trust, always verify," meaning that no user or device is implicitly trusted, regardless of whether it is inside or outside the traditional network perimeter.20 Access decisions are made dynamically based on the verified identity of the user, the security posture of the device, the application being accessed, and the sensitivity of the data involved, adhering to the principle of least privilege.23

Passwordless authentication strengthens a Zero Trust framework in several key ways:

  • Enhanced Identity Verification: By replacing passwords with stronger authentication factors such as biometrics, hardware security keys, or device-bound passkeys, passwordless methods provide a higher assurance of user identity at every access attempt.24 This aligns directly with the "always verify" tenet of Zero Trust.

  • Improved Device Trust: Many passwordless solutions inherently link authentication to a specific, trusted device. This allows for the incorporation of device security posture checks into access decisions, ensuring that only healthy and compliant devices can access sensitive financial systems and data.22

  • Support for Continuous Authentication: While not all passwordless methods are inherently continuous, they provide a stronger foundation for implementing continuous authentication strategies. Behavioral biometrics, for example, can continuously monitor user activity post-login to detect anomalies that might indicate a compromised session.20

  • Reduced Reliance on Network Perimeters: Zero Trust shifts the focus from network-based defenses to protecting individual resources. Passwordless authentication supports this by ensuring that access to applications and data is granted based on strong identity verification, irrespective of network location.

  • Evolution of Multi-Factor Authentication (MFA): Passwordless authentication is often described as an evolution of MFA within a Zero Trust context.24 Instead of relying on a password as one of the factors, "passwordless MFA" combines inherently strong, phishing-resistant factors – typically something the user has (e.g., a device with a private key) and something the user is (e.g., a biometric) or knows (e.g., a device PIN) – to provide robust security without the password vulnerability.17

For financial institutions, integrating passwordless authentication into a Zero Trust architecture is crucial for defending against sophisticated attacks, protecting sensitive data, and meeting regulatory expectations for strong access controls. It enables a more granular, adaptive, and resilient security posture fit for the modern digital landscape.

3. Innovations in Passwordless Authentication Technologies

The journey towards a passwordless future is paved with a diverse and rapidly evolving array of authentication technologies. For a global financial institution, understanding these innovations is key to selecting the most appropriate solutions that balance security, user experience, and operational feasibility. Key technologies at the forefront include FIDO2/WebAuthn, various forms of biometric authentication (including behavioral biometrics), passkeys, and other emerging methods like mobile push authentication.

3.1 FIDO2 and WebAuthn

The FIDO (Fast Identity Online) Alliance, through its FIDO2 project, has established a set of open and interoperable standards designed to provide strong, phishing-resistant authentication. FIDO2 comprises two main components: the Web Authentication (WebAuthn) API, a World Wide Web Consortium (W3C) standard, and the Client to Authenticator Protocol (CTAP).4

  • Technical Architecture: FIDO2 leverages public key cryptography. During registration with a relying party (RP), such as a bank's website or application, the user's authenticator (e.g., a smartphone, hardware security key) generates a unique cryptographic key pair: a private key stored securely on the authenticator and a public key sent to the RP and associated with the user's account.4 For authentication, the RP sends a challenge to the authenticator, which uses the private key to sign the challenge. The RP then verifies this signature using the stored public key.4 CTAP enables communication between the client device (e.g., a computer or smartphone) and an external authenticator (like a USB security key).9

  • Security Benefits: The primary security advantage of FIDO2 is its inherent resistance to phishing, man-in-the-middle (MitM) attacks, and replay attacks.4 Because the private key never leaves the user's device and credentials are bound to specific origins (websites/apps), stolen credentials from one service cannot be used to access another. This significantly mitigates the risks associated with password reuse and credential theft. FIDO2 standards are endorsed by NIST as providing high-assurance, phishing-resistant MFA.4

  • User Experience (UX) Benefits: FIDO2 aims to simplify the login experience by reducing or eliminating the reliance on passwords. Users can authenticate using familiar device-based mechanisms like biometrics (fingerprint, face scan) or a PIN to unlock their FIDO authenticator.4 This offers a more seamless and convenient login process compared to manually typing complex passwords.

  • Financial Sector Applications: FIDO2 is gaining significant traction in the financial services industry. Examples include PayPal and Dropbox, which have implemented FIDO2 for enhanced security.4 Many digital banking platforms are adopting FIDO2-compliant solutions to offer frictionless and secure logins.3 A notable case study is ABANCA, a Spanish bank that successfully rolled out FIDO-based passkeys (ABANCA Key) to over 42% of its mobile banking users, protecting over 11 million high-risk transactions and achieving a high Customer Effort Score (CES) of 4.7, indicating excellent user experience.34

3.2 Biometric Authentication

Biometric authentication verifies a user's identity based on unique physiological or behavioral characteristics. It is a cornerstone of many passwordless solutions, often used in conjunction with FIDO2 standards.

  • Types of Biometrics:

  • Physiological Biometrics: These include fingerprint scanning, facial recognition, iris scanning, and palm vein recognition. Fingerprint and facial recognition are the most widely adopted due to their integration into smartphones and laptops.1

  • Behavioral Biometrics: This emerging field analyzes patterns in user actions, such as keystroke dynamics (typing rhythm), mouse movements, swipe patterns, device handling, transaction patterns, and even cognitive behavioral analysis.7 These systems create continuous authentication profiles that can verify identity throughout a session, not just at login.26

  • Trends in Biometric Authentication:

  • Contactless Biometrics: Gaining traction, especially post-pandemic, with methods like palm vein and advanced facial recognition (even with masks) seeing increased adoption. Market adoption is projected to grow significantly (e.g., by 154% by 2025 for some contactless methods).35

  • Multi-Modal Biometrics: Combining multiple biometric modalities (e.g., face and voice) to enhance security and reliability, addressing different use cases and improving accuracy.35 Financial institutions are expected to increasingly implement systems with at least three biometric markers.37

  • AI/ML Integration: AI and machine learning are revolutionizing biometrics by continuously analyzing data patterns to detect anomalies, identify fraud in real-time, improve accuracy, and adapt to subtle changes in biometric markers. For example, AI-enhanced facial recognition systems have demonstrated reduced false acceptance and rejection rates.37

  • Advanced Presentation Attack Detection (PAD): Sophisticated AI algorithms analyze subtle cues like micro-expressions to distinguish between live subjects and spoof attempts (e.g., photos, videos, masks), ensuring the integrity of the biometric authentication process.35

  • Edge Processing: Processing biometric data directly on user devices (edge computing) reduces latency, enhances privacy by minimizing data transmission, and allows for more efficient real-time authentication.35

  • Benefits in Financial Services: The adoption of biometric authentication in banking has shown compelling results:

  • Fraud Reduction: Financial institutions implementing comprehensive biometric systems report significant reductions in account takeover incidents (average 66%), payment fraud, and identity theft.35 Some report fraud reduction rates of 80%+ with multi-modal approaches.35

  • Improved User Experience and Trust: A high percentage of customers report feeling more secure (91%) and prefer biometric authentication over passwords (78%).35 This translates to higher mobile banking engagement rates and increased digital transaction volumes.35

  • Operational Efficiency: Reduction in customer support calls related to authentication issues (e.g., password resets) by up to 85% at early-adopting banks.37

The rapid innovation in AI-driven behavioral biometrics points towards a future where authentication becomes a continuous and largely invisible process. Instead of distinct login events, systems will constantly verify user legitimacy based on a multitude of subtle interactions. For a CISO, this shift offers the potential for less intrusive yet more robust security, capable of detecting sophisticated threats like mid-session hijacks. However, this continuous monitoring also brings to the forefront critical considerations around data privacy, the transparency of AI decision-making, and the complexity of managing these advanced systems.

3.3 Passkeys

Passkeys represent a significant evolution in user authentication, building upon FIDO standards to offer a more secure and user-friendly alternative to passwords. They are essentially digital credentials, typically device-bound cryptographic key pairs, that allow users to sign in to websites and applications using the same simple actions they use to unlock their devices (e.g., fingerprint, facial scan, PIN, or pattern).

  • Functionality:

  • Device-Bound Passkeys: The private key is stored securely on a single physical device (e.g., a specific smartphone or a hardware security key like a YubiKey). Authentication requires that specific device.33 This offers the highest level of security as the key cannot be easily copied or moved.

  • Synced Passkeys: To improve user convenience and cross-device usability, passkeys can be synchronized across a user's devices via cloud services provided by major platform vendors like Apple (iCloud Keychain), Google (Google Password Manager), and Microsoft. This allows users to access their passkeys on any of their trusted devices without needing to re-register each one.

  • Security Advantages: Passkeys are inherently phishing-resistant because the underlying FIDO protocols ensure that the cryptographic exchange only occurs with the legitimate website or application for which the passkey was created.5 This prevents attackers from tricking users into authenticating on fake sites. They are generally considered more secure than traditional passwords, even when combined with One-Time Passwords (OTPs), as there is no shared secret transmitted that can be intercepted.17

  • Ecosystem Support: Major technology players including Apple, Google, and Microsoft have embraced passkeys and integrated support into their operating systems and browsers, significantly driving adoption and ensuring broad compatibility. This widespread support is a key factor in their growing popularity. Over 7 billion online accounts were reported to use FIDO passkeys in 2023.1

While passkeys offer a compelling combination of security and usability, their reliance on device ecosystems for synchronization introduces a new form of dependency. Financial institutions must strategize for users who may operate outside these dominant ecosystems (Apple, Google, Microsoft) or harbor concerns about the centralized management of their credentials by these large technology providers. This necessitates offering a diversified portfolio of passwordless authentication options, including non-synced hardware security keys or other FIDO-compliant authenticators, to ensure inclusivity, user choice, and resilience against platform-specific issues.

The concept of "Passwordless MFA" is crucial here.17 True security in a passwordless paradigm stems from the inherent combination of multiple strong, phishing-resistant factors. The passkey itself (something the user has – the private key on the device) is unlocked by something the user is (biometric) or knows (device PIN).28 This built-in multi-factor nature is a significant departure from older MFA models that might have included a vulnerable password as one of the factors. For the CISO, this means that a well-implemented passkey solution can satisfy MFA requirements, such as those under PSD2 SCA, without adding extra steps or friction for the user.

3.4 Other Emerging Technologies

Beyond FIDO2/WebAuthn, biometrics, and passkeys, other technologies are contributing to the passwordless ecosystem, often serving as supplementary or transitional methods:

  • Mobile Push Authentication with Transaction Signing: This method involves sending a real-time alert (push notification) to a user's registered mobile device when a sensitive action, like a financial transaction, is initiated.48 The notification contains transaction details (amount, payee, etc.), and the user can approve or deny it with a simple tap or swipe. This is often secured with asymmetric cryptography for transaction signing, ensuring the integrity and non-repudiation of the approval. It is considered more secure than SMS-based OTPs, which are vulnerable to SIM swapping and interception.49 For enhanced security, the push notification and user response can be sent via independently secured encrypted channels.50

  • Magic Links and One-Time Passwords (OTPs):

  • Magic Links: These provide passwordless login by sending a unique, time-sensitive URL to the user's verified email address or phone number. Clicking the link authenticates the user for a single session.7

  • OTPs: These are temporary codes delivered via SMS, email, or authenticator apps (like Google Authenticator or Microsoft Authenticator).

  • Security Considerations: While convenient, the security of magic links and OTPs (especially SMS OTPs) is dependent on the security of the underlying communication channel (email or phone account). SMS OTPs are particularly vulnerable to SIM swapping and interception, leading regulatory bodies like FINRA to phase out their acceptance. Many organizations view these as transitional methods or as part of a multi-layered approach rather than standalone primary authenticators for high-security contexts.

The following table provides a comparative analysis of these key passwordless authentication technologies, offering a structured overview for strategic decision-making.

FIDO2/WebAuthn Based

  • FIDO2/WebAuthn Passkeys (Device-Bound):

    • Security Level: Very High (Excellent Phishing Resistance)

    • User Experience: High (Seamless with device unlock)

    • Implementation Complexity: Medium to High

    • Typical Cost: Medium

    • Regulatory Compliance Fit: Strong fit, especially for high assurance

    • Key Financial Services Use Cases: Secure login (employee/customer), High-value transaction authorization

  • FIDO2/WebAuthn Passkeys (Synced):

    • Security Level: High (Good Phishing Resistance)

    • User Experience: Very High (Seamless across ecosystem devices)

    • Implementation Complexity: Medium

    • Typical Cost: Medium

    • Regulatory Compliance Fit: Good fit, some ambiguity for SCA

    • Key Financial Services Use Cases: General login (employee/customer), Account recovery

  • Hardware Security Keys (Standalone FIDO2):

    • Security Level: Very High (Excellent Phishing Resistance)

    • User Experience: Medium (Requires physical key)

    • Implementation Complexity: Medium

    • Typical Cost: Medium

    • Regulatory Compliance Fit: Strong fit, especially for high assurance

    • Key Financial Services Use Cases: Privileged access, High-security accounts, Offline access

Biometrics

  • Fingerprint Authentication:

    • Security Level: Medium to High (Spoofing risk varies by sensor)

    • User Experience: High (Fast, convenient on enabled devices)

    • Implementation Complexity: Low to Medium

    • Typical Cost: Low to Medium

    • Regulatory Compliance Fit: Good, often part of FIDO flow

    • Key Financial Services Use Cases: Mobile banking login, ATM access, In-person payments (biometric cards)

  • Facial Recognition:

    • Security Level: Medium to High (Spoofing/bias risk varies by tech)

    • User Experience: High (Contactless, convenient)

    • Implementation Complexity: Medium

    • Typical Cost: Medium

    • Regulatory Compliance Fit: Good, often part of FIDO flow

    • Key Financial Services Use Cases: Mobile banking login, Remote onboarding (KYC), Self-service kiosks

  • Voice Recognition:

    • Security Level: Medium (Accuracy/background noise can be issues)

    • User Experience: Medium to High (Hands-free)

    • Implementation Complexity: Medium to High

    • Typical Cost: Medium

    • Regulatory Compliance Fit: Conditional fit

    • Key Financial Services Use Cases: Call center authentication, Voice banking

  • Behavioral Biometrics:

    • Security Level: Medium to High (Continuous, AI-dependent)

    • User Experience: Very High (Invisible to user)

    • Implementation Complexity: High

    • Typical Cost: High

    • Regulatory Compliance Fit: Emerging, complements other methods

    • Key Financial Services Use Cases: Continuous fraud detection, Risk-based authentication, Insider threat detection

Other Methods

  • Mobile Push Authentication (with Tx Signing):

    • Security Level: High (More secure than SMS OTP)

    • User Experience: High (Simple approve/deny)

    • Implementation Complexity: Medium

    • Typical Cost: Low to Medium

    • Regulatory Compliance Fit: Good fit for SCA transaction linking

    • Key Financial Services Use Cases: Transaction authorization, Step-up authentication

  • Magic Links:

    • Security Level: Low to Medium (Depends on email security)

    • User Experience: High (Convenient, no code entry)

    • Implementation Complexity: Low

    • Typical Cost: Low

    • Regulatory Compliance Fit: Limited, may not meet SCA alone

    • Key Financial Services Use Cases: Low-risk login, Password reset

  • SMS/Email OTPs:

    • Security Level: Low (Vulnerable to phishing, SIM swap, interception)

    • User Experience: Medium (Requires code entry)

    • Implementation Complexity: Low

    • Typical Cost: Low to Medium

    • Regulatory Compliance Fit: Increasingly not SCA compliant alone

    • Key Financial Services Use Cases: Legacy MFA, Fallback (being phased out by regulators like FINRA for primary use)

This items above outline an overview of available passwordless technologies. It allows for a quick assessment of the trade-offs between security, user experience, cost, and complexity, directly informing strategic decisions on which methods to prioritize for different user segments and use cases within the financial institution. It synthesizes a vast amount of disparate information into a digestible and actionable format. For a CISO, making informed choices is paramount. The research presents numerous options, each with distinct advantages and disadvantages concerning security (e.g., phishing resistance of FIDO2 4 versus vulnerabilities of SMS OTP 8), user experience (e.g., seamlessness of biometrics 35 versus potential friction of hardware tokens), cost and complexity of implementation 2, and suitability for regulatory compliance (e.g., PSD2 SCA 46). A systematic comparison against consistent criteria—security, UX, cost, complexity, compliance, and use cases—transforms this complex information into a powerful decision-making tool. It enables the CISO to discern, for example, that while passkeys offer high phishing resistance, their integration might be more involved than a push notification system, which in turn is less secure than FIDO2. This facilitates a risk-based approach to technology selection tailored to diverse scenarios, such as high-value transaction authorization versus general employee login access.

4. Implementation Challenges for a Global Financial Institution

Transitioning a global financial institution to a passwordless authentication environment is a significant undertaking, fraught with multifaceted challenges that span technology, regulation, user behavior, and cost. Successfully navigating these hurdles requires a deep understanding of the existing landscape and a carefully crafted strategy.

4.1 Integrating with Legacy Systems and Core Banking Platforms

One of the most formidable challenges is the integration of modern passwordless solutions with existing legacy systems and core banking platforms. Many financial institutions operate on aging infrastructure that was not designed to support contemporary authentication standards like WebAuthn or FIDO2.6

  • Technical Hurdles: Older banking platforms may lack the native APIs or architectural flexibility required for seamless integration. Upgrading these core systems can be prohibitively expensive, time-consuming, and risky, potentially disrupting critical banking operations.6 Ensuring interoperability between new passwordless front-ends and legacy back-ends often requires significant custom development or middleware solutions.

  • Modernization Strategies:

  • APIs and Middleware: A common approach involves utilizing Application Programming Interfaces (APIs) and middleware layers to act as a bridge between new authentication services and legacy systems.48 API gateways can manage authentication requests, routing them to appropriate new passwordless services or translating them for legacy backends.43 Open Banking APIs, built on standards like FAPI, OAuth 2.0, and OpenID Connect (OIDC), can further facilitate secure data access and integrate with passwordless authentication flows, enabling secure interactions even with older systems.56

  • Hybrid Models: During the transition, a hybrid model where password-based and passwordless authentication methods coexist is often necessary.6 This allows for a gradual rollout and accommodates systems or user groups that cannot immediately transition.

  • Passkey Layer Vendors: Specialized "Passkey Layer" vendors offer solutions that can overlay passkey functionality onto existing Identity Provider (IdP) or Identity and Access Management (IAM) systems without requiring a full data migration or overhaul of the core identity infrastructure.46 This can significantly reduce integration complexity and accelerate adoption.

  • Core Banking Platform Modernization: Some core banking platform providers, such as Temenos, are actively integrating passwordless authentication options into their offerings.60 Partners like HID Global are working with these platform providers to deliver integrated security solutions.62

  • Case Studies/Examples: RSA's ID Plus platform has assisted a large global bank in its transition from on-premises authentication to a cloud-based, FIDO2-supporting passwordless environment, illustrating a successful large-scale migration strategy.42 Finabank's selection of Temenos for its core banking modernization also points to the trend of adopting platforms with built-in modern authentication capabilities.61

The integration with legacy systems is often considered the Achilles' heel of passwordless projects in established financial institutions. A modular, API-first architectural approach, prioritizing interoperability and phased modernization, is crucial. This allows the institution to incrementally introduce passwordless capabilities without a disruptive "big bang" overhaul, leveraging middleware and specialized vendors where necessary to bridge the gap between old and new technologies.

4.2 Adapting IAM and PAM Systems for Passwordless Authentication

The shift to passwordless authentication necessitates a corresponding evolution in Identity and Access Management (IAM) and Privileged Access Management (PAM) systems. These systems must be adapted to manage new types of authenticators, enforce policies in a password-free context, and integrate seamlessly with a Zero Trust security model.

  • IAM Architecture for Passwordless: A modern IAM architecture must be capable of supporting a diverse range of passwordless authenticators (FIDO2 keys, biometrics, passkeys, mobile authenticators) and managing digital identities that are no longer solely reliant on usernames and passwords.20 Centralized IAM platforms that offer a unified view of identities and access policies are essential for consistency and manageability.63 The architecture should be designed for integration with Zero Trust principles, enabling continuous verification and adaptive access controls.

  • Technical Hurdles: Integrating FIDO2/WebAuthn standards and passkeys into existing IAM frameworks (e.g., solutions from Okta, Ping Identity, Microsoft Entra ID) can present technical challenges.63 This includes ensuring that the IAM system can correctly handle the registration, verification, and lifecycle management of these new credential types. Maintaining consistent policy enforcement across a hybrid environment of password-based and passwordless systems during the transition period is also a complex task.

  • PAM in a Passwordless Context: Privileged Access Management is critical for securing administrative accounts. In a passwordless environment, PAM solutions must adapt to secure privileged access without relying on traditional shared admin passwords. This can involve:

  • Just-in-Time (JIT) Access: Granting privileged access only when needed and for a limited duration, often provisioned using passwordless methods.66

  • FIDO2 for Admin Accounts: Utilizing strong FIDO2 authenticators (like hardware security keys) for administrators to access critical systems.

  • Credential Vaulting and Rotation (for residual passwords): For systems that cannot yet go fully passwordless, PAM solutions like CyberArk continue to play a role in vaulting and rotating these remaining privileged passwords, while access to the PAM system itself can be secured with passwordless MFA.66

  • Best Practices: Key best practices for adapting IAM/PAM systems include strictly enforcing the Principle of Least Privilege, implementing continuous monitoring of authentication events and user behavior (often integrated with SIEM and EDR tools), and ensuring robust auditing capabilities.

4.3 Navigating the Complex Regulatory and Compliance Landscape

Global financial institutions operate under a multifaceted and stringent regulatory environment. Transitioning to passwordless authentication requires careful navigation of these complex requirements, which vary across jurisdictions and are continually evolving.

  • Global and Regional Requirements:

  • PSD2/SCA (Europe): The Payment Services Directive 2 (PSD2) mandates Strong Customer Authentication (SCA) for many online payment transactions and account access operations. SCA typically requires two out of three factors: knowledge (something only the user knows), possession (something only the user possesses), and inherence (something the user is). While device-bound passkeys and FIDO2 authenticators generally align well with SCA by combining possession (the device/key) and inherence/knowledge (biometric/PIN to unlock), there has been some regulatory ambiguity regarding cloud-synced passkeys.7 The European Banking Authority (EBA) is expected to release updated guidelines under PSD3 by late 2024, which may provide further clarity.34 The FIDO Alliance has launched a Payments Working Group (PWG) to define FIDO solutions for payment use cases, including guidelines for integration with EMV 3-D Secure and addressing regulatory requirements.11

  • GDPR (Europe): The General Data Protection Regulation governs the processing of personal data. Biometric data is classified as "special category data," requiring explicit consent for processing and enhanced security measures.18 Institutions must ensure transparency in how biometric data is collected, used, stored, and protected.

  • CCPA/CPRA (California): The California Consumer Privacy Act and California Privacy Rights Act grant consumers rights over their personal information, including biometric data, and impose disclosure and security requirements on businesses.18

  • DORA (Europe): The Digital Operational Resilience Act imposes requirements on financial entities regarding ICT risk management, cybersecurity, and operational resilience, including strong authentication practices.14

  • FFIEC (US): The Federal Financial Institutions Examination Council provides guidance on authentication and access to financial institution services and systems. The latest guidance (2021) emphasizes risk assessment and the use of multi-factor authentication (MFA) or controls of equivalent strength where single-factor authentication is deemed inadequate.79

  • NIST (US): The National Institute of Standards and Technology Special Publication 800-63 Digital Identity Guidelines (currently SP 800-63B, with SP 800-63-4 in draft) strongly encourages phishing-resistant MFA and passwordless methods like passkeys and FIDO2 security keys. The draft SP 800-63-4 integrates guidance on syncable authenticators (passkeys) into normative text and expands fraud management requirements.73 The comment period for the second public draft of SP 800-63-4 ended October 7, 2024.81

  • AML/KYC: Anti-Money Laundering and Know Your Customer regulations demand rigorous identity verification and continuous monitoring, which passwordless solutions can support through strong initial proofing and ongoing authentication.

  • FINRA (US): The Financial Industry Regulatory Authority is retiring SMS OTPs, phone calls, and certain device-based biometrics (Windows Hello/Touch ID used as standalone) as acceptable MFA options by July 25, 2025. FINRA-compliant options include Duo Verified Push, Duo Mobile Passcode, and Security Keys (WebAuthn/FIDO2).

  • MAS (Singapore): The Monetary Authority of Singapore has been proactive in strengthening cybersecurity requirements and may accelerate guidance on passwordless authentication. Major Singaporean banks have already implemented various forms of biometric authentication, and the national digital identity, SingPass, provides a foundation.36 While no specific MAS guidance on passkeys was found for 2024-2025, they have issued consultation papers on AML/CFT notice amendments.82

  • OCC (US): The Office of the Comptroller of the Currency emphasizes cybersecurity risk management for banks. While no specific bulletin on passwordless authentication for 2024-2025 was found, their general guidance aligns with the need for strong authentication measures.13

  • Data Privacy for Biometrics: This is a critical concern. Institutions must ensure:

  • Secure Storage: Biometric templates must be encrypted and stored securely, ideally using tokenization or on-device storage to prevent reconstruction of original biometric data.8

  • Explicit Consent and Transparency: Clear disclosures about how biometric data is collected, used, stored, and protected, along with robust, granular consent mechanisms (e.g., Revolut's "Privacy Dashboard" allowing toggling permissions 76), are essential.35 Avoiding "dark patterns" or coercive opt-ins is crucial, as demonstrated by FTC actions.76

  • Bias Mitigation: Algorithmic bias in biometric systems (e.g., higher error rates for certain demographics 40) must be actively addressed through diverse training data and ongoing audits, as potentially required by emerging certifications like the EU's Ethical AI Certification.40

  • Data Minimization: Collect only necessary biometric information.37

  • Cross-Jurisdictional Data Flows and Localization: For a global institution, managing biometric and other authentication data across different legal jurisdictions, each with its own data sovereignty and privacy laws (e.g., GDPR in EU, CCPA in California, various Asian regulations), presents significant operational and compliance challenges.87 Strategies for data localization, secure cross-border transfer mechanisms (where permissible), and consistent application of high privacy standards are necessary.

  • Proactive Engagement with Regulators: Given the evolving nature of both technology and regulation, proactive engagement with financial authorities and industry bodies (like the FIDO Alliance Payments Working Group or FS-ISAC) is advisable. This can help clarify ambiguities, advocate for sensible standards, and ensure the institution's strategy aligns with regulatory expectations. Some institutions are already part of pilot programs or collaborative efforts with regulators.34

The fragmented and dynamic nature of global regulations necessitates that financial institutions build an adaptable compliance framework. This framework should be capable of incorporating new rules and interpretations as they emerge, rather than treating compliance as a one-time project. Continuous monitoring of the regulatory landscape and a flexible technology architecture are key to sustained compliance.

4.4 Addressing User and Workforce Diversity

A successful transition to passwordless authentication hinges on its acceptance and usability by a diverse range of users, including customers and the internal workforce. This requires addressing variations in digital literacy, device availability, and cultural attitudes, particularly towards biometrics.

  • Digital Literacy and Accessibility: Not all users possess the same level of comfort or familiarity with new technologies.

  • Strategies: Implementations should prioritize intuitive user interfaces and provide clear, simple instructions and support materials in multiple languages and formats. Accessibility standards (e.g., WCAG) should be considered to ensure solutions are usable by individuals with disabilities. Digital financial literacy programs, especially in regions like the Global South, can play a role in preparing users for new digital banking interactions, including passwordless methods.89 These programs often focus on digital financial risk and control, basic and advanced digital financial knowledge, and digital financial attitudes and behaviors.89

  • Device Availability and Ownership: Access to specific devices (e.g., modern smartphones with biometric sensors, hardware security keys) can vary significantly.

  • Strategies: Offer a range of passwordless options to accommodate different device capabilities. For employees, if specific hardware (like security keys) is mandated, the institution may need to provide these or offer reimbursements, especially if personal devices are not permitted for work purposes.31 For customers, fallback options or alternative passwordless methods that work on less advanced devices might be necessary. Inclusive design principles should ensure that solutions do not inadvertently exclude segments of the user base.35

  • Cultural Considerations for Biometrics: The acceptance of biometric authentication can vary across cultures.

  • Privacy Perceptions: Some cultures may have heightened concerns about the collection and use of biometric data due to fears of surveillance or misuse.6 For example, while EU regulations like GDPR provide strong protections for biometric data 74, user perceptions still matter. Research indicates cultural values can influence technology acceptance, though direct moderation effects on mobile shopping continuance were not strongly supported in one US-China study, espoused cultural values did act as antecedents.93

  • Trust and Familiarity: In some regions, particularly in developing Asian economies, there might be lower initial trust in digital financial services, which could extend to new authentication methods.93 However, biometrics like fingerprints can also foster comfort for populations with low literacy levels.91

  • Strategies: Financial institutions must adopt transparent data handling practices, provide clear explanations of how biometric data is secured (e.g., on-device storage, encryption, tokenization 37), and offer alternative authentication methods where biometric adoption is low or problematic.35 Tailoring biometric systems to local contexts, such as including local dialects in voice recognition or ensuring facial recognition algorithms are trained on diverse datasets to minimize bias, is also crucial.40 Mastercard's "Biometric Choice" program, which educates users on data usage via in-app micro-learning, boosted opt-in rates by 33%, demonstrating the power of transparency and education.76

User adoption is not a passive outcome; it must be actively cultivated. This involves understanding the diverse needs and concerns of both customers and employees, designing inclusive solutions, and communicating transparently about the benefits and safeguards associated with new passwordless authentication methods. For biometrics, in particular, building trust through clear consent mechanisms, robust data protection, and demonstrable fairness is paramount to overcoming cultural or individual reluctance.

4.5 Managing Costs and Complexity

The transition to passwordless authentication, while offering long-term benefits, involves upfront investments and inherent complexities that must be carefully managed.

  • Total Cost of Ownership (TCO) Analysis: A comprehensive TCO analysis is essential to understand the full financial implications.

  • Initial Investment Costs: These include the procurement of new hardware (e.g., security keys, biometric scanners if not leveraging existing device capabilities), software licenses for authentication platforms or middleware, integration costs with existing systems (IAM, PAM, core banking), and initial user training and onboarding programs. High initial costs can be a particular restraint for SMEs, though less so for large financial institutions which are leading adoption.2

  • Ongoing Maintenance Costs: These include software subscription renewals, hardware replacement, system updates and patches, and continuous monitoring.94

  • Potential Cost Savings (to offset TCO): Significant savings can be realized through reduced IT helpdesk calls for password resets (Gartner estimates 20-50% of calls are password-related, costing $70 per reset 9), decreased fraud losses due to stronger authentication (average data breach cost $4.88 million in 2024 2), improved user productivity (faster logins 1), and potentially lower cyber insurance premiums. Some ROI calculators estimate substantial gains, with workforce productivity improvements being multiples of the investment and significant dividends from attack surface reduction.95 One case study from a top 5 US financial institution reported reducing help desk costs by an estimated $1 million with HYPR's passwordless MFA.99 OwnID clients saw a 50% reduction in account access-related support costs.100

  • Resource Allocation and Skill Gaps: Implementing and managing a passwordless ecosystem requires skilled IT and security personnel. Financial institutions may need to invest in training existing staff or recruiting new talent with expertise in modern authentication technologies, IAM, and cybersecurity.

  • Complexity of Managing Diverse Solutions: Offering multiple passwordless options to cater to diverse user needs and legacy systems can increase the complexity of the authentication infrastructure. Centralized management platforms and clear governance are crucial to avoid creating new silos.63

4.6 New Attack Vectors and Security Considerations

While passwordless authentication aims to eliminate many traditional attack vectors, it is not a panacea and introduces new security considerations and potential vulnerabilities that must be addressed.

  • Biometric Spoofing and Presentation Attacks: Advanced spoofing techniques can potentially replicate biometric identifiers like fingerprints or facial features using high-resolution images, 3D models, or other methods, thereby bypassing biometric authentication systems.6 The effectiveness of Presentation Attack Detection (PAD) mechanisms, often AI-driven, is crucial to mitigate this risk.35

  • Device Compromise and Token Theft: Since many passwordless methods tie authentication to a physical device (smartphone, hardware key), the security of that device becomes paramount. If a user's device is lost, stolen, or compromised by malware, an attacker could potentially gain unauthorized access. Strong device security measures (encryption, remote wipe capabilities, MDM policies) and robust processes for reporting and revoking lost/stolen authenticators are essential.

  • Account Recovery Challenges: A significant challenge with passkeys and other device-bound credentials is secure account recovery if a user loses all their registered devices or forgets their recovery mechanisms.7 Financial institutions need to implement secure and user-friendly recovery options that do not reintroduce password-like vulnerabilities. This might involve social recovery, pre-designated recovery codes, or in-person verification for high-assurance recovery. Microsoft's Temporary Access Pass (TAP) is one such mechanism for initial enrollment or recovery.45

  • Security of Synced Passkeys: While convenient, passkeys synced via cloud providers (Apple iCloud Keychain, Google Password Manager) raise concerns for some regulators and users about the security of these centralized stores.33 A compromise of the cloud provider's account could potentially expose a user's passkeys. Financial institutions may need to offer non-synced, device-bound hardware key options for users requiring higher assurance or who are wary of cloud synchronization.

  • Vulnerabilities in Less Secure Factors: If transitional methods like SMS OTPs or magic links are used, their inherent vulnerabilities (SIM swapping for SMS, email account compromise for magic links) remain a concern. These should be phased out or used only for low-risk scenarios with appropriate compensating controls.

A robust passwordless strategy must therefore incorporate a multi-layered defense, including strong endpoint security, continuous threat monitoring, user behavior analytics, and comprehensive incident response plans to address these new and evolving risks.6

5. Strategic Framework for Transitioning to Passwordless Authentication

Transitioning a global financial institution to passwordless authentication is a complex, multi-faceted endeavor that requires a well-defined strategic framework. This framework should encompass clear business objectives, a phased implementation approach, robust change management, and continuous governance.

5.1 Phase 1: Assessment and Strategy Definition

The foundational phase involves a thorough assessment of the current environment and the clear definition of the passwordless strategy's goals and success metrics.

  • Defining Business Outcomes and Success Metrics (KPIs): It is crucial to define what success looks like beyond just technical implementation. Key Performance Indicators (KPIs) should be established across several domains:

  • Security KPIs:

  • Reduction in credential theft incidents (target: significant decrease from baseline).

  • Decrease in successful phishing attacks against employees and customers (e.g., YubiKey customers saw near 100% drop 1).

  • Reduction in account takeover (ATO) incidents (e.g., financial institutions report average 66% reduction with biometrics 37).

  • Lower rates of unauthorized access attempts.111

  • User Experience (UX) KPIs:

  • Reduced average login times (e.g., FIDO-based mobile/fingerprint logins ~7 seconds vs. >10 seconds for passwords 1).

  • Increased task success rate for authentication.112

  • Higher user satisfaction scores (CSAT) and Net Promoter Scores (NPS) related to authentication.35

  • Increased adoption rates of new passwordless methods.

  • Operational/Cost KPIs:

  • Significant reduction in password reset helpdesk tickets (Gartner: 20-50% of calls are password-related, $70/reset; Microsoft: 87% auth cost reduction; Accenture: 60% drop in phishing).

  • Reduced Total Cost of Ownership (TCO) for authentication systems. This includes initial investment, ongoing maintenance, and potential savings from reduced fraud and increased efficiency.95

  • Improved operational efficiency through streamlined authentication processes.2

  • Risk Reduction Metrics: Quantifiable reduction in the likelihood and impact of credential-related breaches. This can be tied to avoided costs of data breaches (e.g., average $4.88 million per breach in 2024 2) and potentially reduced cyber insurance premiums.

  • Inventory of Applications, User Groups, and Current Authentication Methods: Conduct a thorough audit of all applications (internal, external, cloud, legacy), identify all user groups (employees by role/department, customers by segment, third-party vendors), and map their current authentication methods and access patterns. This is Thales' "User Ecosystem Mapping" 33 and Microsoft's persona development.114

  • Risk Assessment and Prioritization: Evaluate the risks associated with current authentication methods for each application and user group. Prioritize use cases for passwordless adoption based on risk level, business impact, user readiness, and technical feasibility. This aligns with Thales' "risk-based assurance levels".33

  • Developing a Comprehensive IAM Modernization Roadmap: The passwordless transition should be part of a broader IAM modernization strategy. This includes adapting existing IAM and PAM systems to support new authenticators, integrate with Zero Trust principles, and manage digital identities effectively.20

  • Gaining Executive Sponsorship and Cross-Functional Alignment: Secure strong commitment and sponsorship from executive leadership (CEO, Board). Passwordless authentication is a strategic initiative impacting the entire organization, requiring buy-in and collaboration from IT, security, business units, HR, legal, and compliance teams. A Center of Excellence (CoE) can drive adoption and maintain expertise.115

5.2 Phase 2: Pilot Programs and Solution Selection

This phase focuses on testing solutions in a controlled environment and selecting the right vendors and technologies.

  • Identifying Pilot Groups: Select representative user personas for pilot programs

Works cited

  1. Passwordless Authentication Adoption Trends in 2025 - JumpCloud, accessed May 13, 2025, https://jumpcloud.com/blog/passwordless-authentication-adoption-trends

  2. Passwordless Authentication Market Size to Hit USD 82.50 Bn by 2034, accessed May 13, 2025, https://www.precedenceresearch.com/passwordless-authentication-market

  3. Passwordless Authentication Market to Surpass Valuation of, accessed May 13, 2025, https://www.globenewswire.com/news-release/2025/01/13/3008810/0/en/Passwordless-Authentication-Market-to-Surpass-Valuation-of-US-8-944-3-Million-By-2033-Fingerprint-to-Remain-Top-Segment-with-Growing-Adoption-of-Smartphones-Says-Astute-Analytica.html

  4. In-Depth Analysis of FIDO2 and WebAuthn - webcomm blog - 偉康科技, accessed May 13, 2025, https://www.webcomm.com.tw/blog/en/fido2/

  5. Digital Identity and Financial Security: Are We Ready for a Password-Free Future?, accessed May 13, 2025, https://www.globalbankingandfinance.com/digital-identity-and-financial-security-are-we-ready-for-a-password-free-future-

  6. Passwordless Authentication & Cybersecurity Challenges - Payoda, accessed May 13, 2025, https://www.payoda.com/passwordless-authentication-cybersecurity-challenges/

  7. Beyond Passwords: Embracing Passwordless Authentication in ..., accessed May 13, 2025, https://wendego.com/beyond-passwords-embracing-passwordless-authentication-in-2025/

  8. How Passwordless Authentication Works: A Complete Guide - Keyless, accessed May 13, 2025, https://keyless.io/blog/post/passwordless-authentication-works-complete-guide

  9. Workforce Passwordless Authentication: Beyond the Hype and Here ..., accessed May 13, 2025, https://www.cyberark.com/resources/blog/workforce-passwordless-authentication-beyond-the-hype-and-here-to-stay

  10. Passwordless Security for Financial Industry & Critical Infrastructure | Hideez, accessed May 13, 2025, https://hideez.com/pages/finance

  11. Securing Digital Identities in Financial Services | Ping Identity, accessed May 13, 2025, https://www.pingidentity.com/en/resources/blog/post/securing-digital-identities-financial-services.html

  12. Historic Shift: Passkeys Set to Become Leading Authentication ..., accessed May 13, 2025, https://blog.hypr.com/press-releases/hypr-2025-state-of-passwordless-identity-assurance-report

  13. Why Organizations Need Modern Passwordless Authentication to Stop Data Breaches, accessed May 13, 2025, https://www.rsa.com/resources/blog/passwordless/why-organizations-need-modern-passwordless-authentication-to-stop-data-breaches/

  14. Top Passwordless Identity Assurance Trends for 2025 - HYPR Blog, accessed May 13, 2025, https://blog.hypr.com/2025-state-of-passwordless-identity-assurance-report-recap

  15. Passwordless Authentication Market Size, Share | Report [2032], accessed May 13, 2025, https://www.fortunebusinessinsights.com/passwordless-authentication-market-109838

  16. FIDO Alliance Champions Widespread Passkey Adoption and a Passwordless Future on World Passkey Day 2025, accessed May 13, 2025, https://fidoalliance.org/fido-alliance-champions-widespread-passkey-adoption-and-a-passwordless-future-on-world-passkey-day-2025/

  17. The Ascendancy of Passwordless Authentication in the Future of Identity Management, accessed May 13, 2025, https://securityboulevard.com/2025/04/the-ascendancy-of-passwordless-authentication-in-the-future-of-identity-management/

  18. Passwordless Authentication: Business Cost-Benefit Analysis - otpless, accessed May 13, 2025, https://blogs.otpless.com/the-economics-of-passwordless-cost-benefit-analysis-for-businesses/

  19. Why Password-less Authentication is the Future of Cybersecurity?, accessed May 13, 2025, https://www.ilink-digital.com/insights/blog/why-password-less-authentication-is-the-future-of-cybersecurity/

  20. 6 Identity and Access Management Trends for 2025 - Scalefusion Blog, accessed May 13, 2025, https://blog.scalefusion.com/iam-trends/

  21. The Evolution of Zero Trust in the Financial Sector:… | Synpulse, accessed May 13, 2025, https://www.synpulse.com/en/insights/the-evolution-of-zero-trust-in-the-financial-sector-strengthening-cybersecurity

  22. What is Zero Trust Security? - Oracle, accessed May 13, 2025, https://www.oracle.com/security/what-is-zero-trust/

  23. Cyber Fundamentals - Financial Services Information Sharing and Analysis Center, accessed May 13, 2025, https://www.fsisac.com/cyber-fundamentals

  24. How Passwordless Authentication Supports Zero Trust | StateTech ..., accessed May 13, 2025, https://statetechmagazine.com/article/2024/02/how-passwordless-authentication-supports-zero-trust-perfcon

  25. Zero Trust Authentication and Identity and Access Management, accessed May 13, 2025, https://www.beyondidentity.com/reports-guides/zero-trust-authentication-and-identity-and-access-management

  26. How AI Can Revamp Behavioral Biometrics Security, accessed May 13, 2025, https://www.bankinfosecurity.com/how-ai-revamp-behavioral-biometrics-security-a-28376

  27. Passwordless authentication: Where security meets productivity ..., accessed May 13, 2025, https://www.cybersecuritydive.com/spons/passwordless-authentication-where-security-meets-productivity/747656/

  28. Passwordless authentication: your options explained - WorkOS, accessed May 13, 2025, https://workos.com/blog/passwordless-authentication

  29. Passwordless Authentication - What it Is and How it Works, accessed May 13, 2025, https://www.pingidentity.com/en/resources/identity-fundamentals/authentication/passwordless-authentication.html

  30. What Is FIDO2? | Microsoft Security, accessed May 13, 2025, https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2

  31. A Practical Approach To Passwordless | Identity Defined Security ..., accessed May 13, 2025, https://www.idsalliance.org/blog/a-practical-approach-to-passwordless/

  32. NIST Password Guidelines: 2025 Updates & Best Practices, accessed May 13, 2025, https://www.strongdm.com/blog/nist-password-guidelines

  33. The passwordless future of finance - Technology Record |..., accessed May 13, 2025, https://www.technologyrecord.com/article/the-passwordless-future-of-finance

  34. Case Study: ABANCA - FIDO Alliance, accessed May 13, 2025, https://fidoalliance.org/case-study-abanca/

  35. 3 Key Statistics: Banking Growth Driven by Biometric Authentication, accessed May 13, 2025, https://www.numberanalytics.com/blog/biometric-stats-banking-growth

  36. ANZ's Passwordless Security Initiative - Maxthon | Privacy Private Browser, accessed May 13, 2025, https://blog.maxthon.com/2025/04/30/anzs-passwordless-security-initiative/

  37. Next Five Years: Biometric Security Redefining Bank Finance - Number Analytics, accessed May 13, 2025, https://www.numberanalytics.com/blog/next-five-years-biometric-security-bank-finance

  38. Comprehensive Guide to Passwordless Authentication Solutions ..., accessed May 13, 2025, https://mojoauth.com/blog/comprehensive-guide-to-passwordless-authentication-solutions-2025/

  39. Top 10 SSO Solutions for 2025 - AuthX, accessed May 13, 2025, https://www.authx.com/blog/top-sso-solutions/

  40. What's on the Horizon: 10 Biometric Trends for 2025 - HID Global Blog, accessed May 13, 2025, https://blog.hidglobal.com/whats-horizon-10-biometric-trends-2025

  41. Biometric Banking Trends: Securing Finance Over Next 5 Years - Number Analytics, accessed May 13, 2025, https://www.numberanalytics.com/blog/biometric-banking-trends-future-finance

  42. Deploying Passwordless at One of the World's Largest Banks with ..., accessed May 13, 2025, https://www.rsa.com/resources/reports/deploying-passwordless-at-one-of-the-worlds-largest-banks-with-rsa-id-plus/

  43. Top 6 API Integration Advancements for Secure Banking Services - Number Analytics, accessed May 13, 2025, https://www.numberanalytics.com/blog/secure-api-advancements-banking-services

  44. Deploying Passwordless at One of the World's Largest Banks with RSA ID Plus, accessed May 13, 2025, https://www.rsa.com/wp-content/uploads/deploying-passwordless-at-one-of-the-worlds-largest-banks-with-rsa-id-plus-rsa-case-study.pdf

  45. Plan a phishing-resistant passwordless authentication deployment ..., accessed May 13, 2025, https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-deploy-phishing-resistant-passwordless-authentication

  46. What Challenges do Banks face when implementing Passkeys, accessed May 13, 2025, https://www.corbado.com/blog/psd2-passkeys/challenges-banks-passkeys

  47. Get started with a phishing-resistant passwordless authentication deployment in Microsoft Entra ID, accessed May 13, 2025, https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-plan-prerequisites-phishing-resistant-passwordless-authentication

  48. Passwordless authentication: How financial institutions can solve ..., accessed May 13, 2025, https://www.onespan.com/blog/passwordless-authentication-how-financial-institutions-can-solve-password-problem

  49. What is Push Notification Authentication and How It Works? - LoginRadius, accessed May 13, 2025, https://www.loginradius.com/blog/identity/push-notification-authentication

  50. Empowering experience - Temenos, accessed May 13, 2025, https://www.temenos.com/blog/empowering-experience-driven-digital-banking-with-push-notification-and-transaction-signing/

  51. The Future of Passwordless Authentication: Benefits and Implementation Strategies - Prove, accessed May 13, 2025, https://www.prove.com/blog/passwordless-authentication

  52. Customer Successes & Case Studies | Entersekt, accessed May 13, 2025, https://www.entersekt.com/resources/customer-success-stories

  53. Financial KPIs for Measuring Your Business Success - Preferred CFO, accessed May 13, 2025, https://preferredcfo.com/insights/key-performance-indicators

  54. Multi-Factor Authentication (MFA) | FINRA.org, accessed May 13, 2025, https://www.finra.org/filing-reporting/multi-factor-authentication

  55. SMS OTP Replacement in 2025: What Leading Companies Are Implementing - Authsignal, accessed May 13, 2025, https://www.authsignal.com/blog/articles/sms-otp-replacement-in-2025-what-leading-companies-are-implementing

  56. What is Open Banking? | Open Banking Explained | Ping Identity, accessed May 13, 2025, https://www.pingidentity.com/en/resources/blog/post/what-is-open-banking.html

  57. How Financial Institutions Can Modernize Core Banking Systems - Fiserv, accessed May 13, 2025, https://www.fiserv.com/en/insights/articles-and-blogs/core-banking-modernization-how-financial-institutions-can-get-the-most-out-of-tech-upgrades.html

  58. API Gateway Authentication: 5 Strategies & Real Life Examples - Solo.io, accessed May 13, 2025, https://www.solo.io/topics/api-gateway/api-gateway-authentication

  59. Guide to Open Banking Authentication: Why It Matters in 2025, accessed May 13, 2025, https://blog.finexer.com/open-banking-authentication-explained/

  60. Identity & Access Management Services | Engagement Banking Platform - Backbase, accessed May 13, 2025, https://www.backbase.com/platform/engagement-banking-platform/identity-entitlements-services

  61. Finabank Selects Temenos for End-To-End Technology, accessed May 13, 2025, https://www.temenos.com/press_release/finabank-selects-temenos-for-end-to-end-technology/

  62. HID and Temenos: Accelerate Digital Transformation With Two Decades of Authentication Innovation, accessed May 13, 2025, https://blog.hidglobal.com/hid-and-temenos-accelerate-digital-transformation-two-decades-authentication-innovation

  63. 10 Best Practices for Effective Identity and Access Management, accessed May 13, 2025, https://supertokens.com/blog/identity-and-access-management-best-practices

  64. (PDF) Next-Generation Identity Security in Healthcare: A Passkey-Based Approach, accessed May 13, 2025, https://www.researchgate.net/publication/391591235_Next-Generation_Identity_Security_in_Healthcare_A_Passkey-Based_Approach

  65. How to Build an IAM Architecture | Lumos, accessed May 13, 2025, https://www.lumos.com/topic/identity-access-management-iam-architecture

  66. 7 Key Factors to Consider When Choosing a Modern PAM Solution in 2025 - CyberArk, accessed May 13, 2025, https://www.cyberark.com/resources/blog/7-key-factors-to-consider-when-choosing-a-modern-pam-solution-in-2025

  67. Securing the Throne: Privileged Access Management (PAM) Best Practices Unveiled, accessed May 13, 2025, https://www.loginradius.com/blog/identity/pam-best-practices

  68. Privileged Access Management (PAM) - CyberArk, accessed May 13, 2025, https://www.cyberark.com/products/privileged-access-manager/

  69. FIDO Alliance Launches Payments Working Group (PWG) - Corbado, accessed May 13, 2025, https://www.corbado.com/blog/fido-passkeys-payments-working-group

  70. FIDO Alliance Launches Payments Working Group - FIDO Alliance, accessed May 13, 2025, https://fidoalliance.org/fido-alliance-launches-payments-working-group/

  71. Which banks offer passkeys? - Corbado, accessed May 13, 2025, https://www.corbado.com/faq/banking-passkeys

  72. Security Compliance | Meet Regulatory Compliance Standards, accessed May 13, 2025, https://www.trustbuilder.com/en/solutions/security-compliance/

  73. NIST Special Publication 800-63-4, accessed May 13, 2025, https://pages.nist.gov/800-63-4/sp800-63.html

  74. www.europarl.europa.eu, accessed May 13, 2025, https://www.europarl.europa.eu/RegData/etudes/STUD/2021/697191/EPRS_STU(2021)697191_EN.pdf

  75. 15 Cybersecurity Regulations for Financial Services in 2025 - StrongDM, accessed May 13, 2025, https://www.strongdm.com/blog/cybersecurity-regulations-financial-industry

  76. Financial Data Consent Trends: Biometric Data and Dynamic Permissions in 2025, accessed May 13, 2025, https://secureprivacy.ai/blog/financial-data-consent-trends-biometric-data-dynamic-permisions-2025

  77. GDPR and CCPA Compliance: Key Differences and Requirements - LeapXpert, accessed May 13, 2025, https://www.leapxpert.com/gdpr-and-ccpa-compliance/

  78. Biometrics in the EU: Navigating the GDPR, AI Act | IAPP, accessed May 13, 2025, https://iapp.org/news/a/biometrics-in-the-eu-navigating-the-gdpr-ai-act

  79. Authentication and Access to Financial Institution Services and Systems - FFIEC, accessed May 13, 2025, https://www.ffiec.gov/sites/default/files/media/press-releases/2021/authentication-and-access-to-financial-institution-services-and-systems.pdf

  80. NIST Special Publication 800-63B, accessed May 13, 2025, https://pages.nist.gov/800-63-4/sp800-63b.html

  81. NIST SP 800-63 Digital Identity Standard: Updates & What It Means for Passkeys, accessed May 13, 2025, https://fidoalliance.org/event/nist-sp-800-63-digital-identity-standard-updates-what-it-means-for-passkeys/

  82. Consultation Paper on the Proposed Amendments to Anti-Money Laundering and Countering the Financing of Terrorism Notices for Financial Institutions and Variable Capital Companies - Monetary Authority of Singapore, accessed May 13, 2025, https://www.mas.gov.sg/publications/consultations/2025/consult-paper-on-aml-notice-and-guideline-amendments

  83. Monetary Authority of Singapore Outlines Enforcement Priorities for 2025–26 | Insights, accessed May 13, 2025, https://www.sidley.com/en/insights/newsupdates/2025/04/monetary-authority-of-singapore-outlines-enforcement-priorities-for-202526

  84. Consumer Password and Passkey Trends: World Passkey Day 2025 - FIDO Alliance, accessed May 13, 2025, https://fidoalliance.org/wpd-report-2025-consumer-password-passkey-trends/

  85. January 14, 2025 Via electronic mail California Privacy Protection Agency Attn: Legal Division – Regulations Public Comment 21 - Bank Policy Institute, accessed May 13, 2025, https://bpi.com/wp-content/uploads/2025/01/BPI-CPPA-cyber-privacy-and-AI-rulemaking-comment-2025.pdf

  86. Everything You Need to Know About Biometric Authentication – Hitachi, accessed May 13, 2025, https://www.securebrain.co.jp/eng/blog/biometric-authentication/

  87. Cybersecurity in 2025: What Financial Institutions Need to Know - Bank of Botetourt, accessed May 13, 2025, https://bankofbotetourt.com/wp-content/uploads/2025/03/Bank-of-Botetourt-January-2025-Newsletter.pdf

  88. Passwordless Authentication Market Growing at a CAGR of 18.85% During The Forecast Period 2025–2033 | Taiwan News, accessed May 13, 2025, https://www.taiwannews.com.tw/news/6063088

  89. Digital financial literacy and financial inclusion in the global south for a sustainable future: A scoping review - ResearchGate, accessed May 13, 2025, https://www.researchgate.net/publication/389526988_Digital_financial_literacy_and_financial_inclusion_in_the_global_south_for_a_sustainable_future_A_scoping_review

  90. Revolutionary Trends in Mobile Banking Technology and the Influence of Digital Financial Literacy on Consumer Adoption in the Un - AWS, accessed May 13, 2025, https://terra-docs.s3.us-east-2.amazonaws.com/IJHSR/Articles/volume7-issue2/IJHSR_2025_72_56.pdf

  91. Assessing the Role of Biometrics in Financial Inclusion Visa 2019 (1), accessed May 13, 2025, https://usa.visa.com/content/dam/VCOM/regional/na/us/about-visa/documents/assessing-the-role-of-biometrics-in-financial-inclusion-visa.pdf

  92. Passwordless Enterprise Technology | Case Study | Accenture, accessed May 13, 2025, https://www.accenture.com/us-en/case-studies/about/passwordless-journey

  93. Espoused Cultural Values and Acceptance of Biometrics-Based Identity Authentication Systems: A Mixed Methods Study - ResearchGate, accessed May 13, 2025, https://www.researchgate.net/publication/390289567_Espoused_Cultural_Values_and_Acceptance_of_Biometrics-Based_Identity_Authentication_Systems_A_Mixed_Methods_Study

  94. Comparing the Total Cost of Ownership of Two-Factor ... - Duo Security, accessed May 13, 2025, https://duo.com/blog/comparing-the-total-cost-of-ownership-of-two-factor-authentication-solutions

  95. Passwordless MFA ROI Calculator - Secret Double Octopus, accessed May 13, 2025, https://doubleoctopus.com/roi-calculator/

  96. Passwordless Authentication: The Ultimate How-to Guide, accessed May 13, 2025, https://faisalyahya.com/access-control/passwordless-authentication-the-ultimate-how-to-guide/

  97. Overcoming Resistance to Change on the Journey to Passwordless MFA - 1Kosmos, accessed May 13, 2025, https://www.1kosmos.com/insight/whitepaper/change-management.pdf

  98. What is Passwordless Authentication? - RSA Security, accessed May 13, 2025, https://www.rsa.com/fr/resources/blog/passwordless/what-is-passwordless-authentication/

  99. Top Five U.S. Financial Institution Case Study - HYPR, accessed May 13, 2025, https://get.hypr.com/top-five-us-financial-institution-case-study

  100. The ROI of Passkeys and Passwordless Authentication Technology - OwnID, accessed May 13, 2025, https://www.ownid.com/blog/the-roi-of-passkeys-and-passwordless-authentication-technology

  101. Multifactor Authentication Software - OpenText, accessed May 13, 2025, https://www.opentext.com/products/advanced-authentication

  102. OTP Alternatives: A 2025 Authentication Security Guide - ID Dataweb, accessed May 13, 2025, https://www.iddataweb.com/one-time-password-alternatives/

  103. Passkey Strategy: Why Your Passkey Implementation Will Fail - Corbado, accessed May 13, 2025, https://www.corbado.com/blog/why-passkey-implementations-fail

  104. Top 5 Open Source Identity and Access Management (IAM ..., accessed May 13, 2025, https://blog.logto.io/top-oss-iam-providers-2025

  105. Microsoft Named 2024 Leader in Access Management by Gartner, accessed May 13, 2025, https://www.threatscape.com/cyber-security-blog/microsoft-named-2024-leader-in-access-management-by-gartner/

  106. Passkeys - FIDO Alliance, accessed May 13, 2025, https://fidoalliance.org/passkeys/

  107. Challenges and Potential Improvements for Passkey Adoption—A Literature Review with a User-Centric Perspective - MDPI, accessed May 13, 2025, https://www.mdpi.com/2076-3417/15/8/4414

  108. Passkeys Buy vs. Build Guide - Corbado, accessed May 13, 2025, https://www.corbado.com/blog/passkeys-buy-vs-build-guide

  109. Charting an Enterprise Passwordless Authentication Strategy with Entra ID - 1Kosmos, accessed May 13, 2025, https://www.1kosmos.com/insights/whitepapers/charting-an-enterprise-passwordless-authentication-strategy-with-entra-id/

  110. 8 Passwordless Login Security Mistakes and How to Avoid Them - InfoSec Insights - Sectigo, accessed May 13, 2025, https://sectigostore.com/blog/passwordless-login-security-mistakes-and-how-to-avoid-them/

  111. Key Performance Indicators for Successful Privileged Access ..., accessed May 13, 2025, https://www.ssh.com/academy/pam/key-performance-indicators-for-privileged-access-management

  112. 7 UX KPIs You Should be Tracking (& How to Measure Them) | Maze, accessed May 13, 2025, https://maze.co/collections/ux-management/kpis/

  113. IAM Academy: Guide to Passwordless Authentication - Thales CPL, accessed May 13, 2025, https://cpl.thalesgroup.com/resources/access-management/iam-academy-passwordless-authentication-guide

  114. Passwordless strategy overview | Microsoft Learn, accessed May 13, 2025, https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-strategy/

  115. Center of Excellence (Why Create One?) - OneSpan, accessed May 13, 2025, https://www.onespan.com/blog/center-excellence-what-it-and-why-create-one

Franklin Donahoe
Previous

CDAO's Blueprint for Strategic CISO Partnership
Next

The Emergence of User Adaptive Risk Management