TL;DR: The European Accessibility Act now extends into consumer banking authentication, so login and transaction security controls must also be usable by elderly users and people with disabilities, according to OneSpan. For IAM teams, accessibility is no longer separate from authentication design, which changes how banks evaluate devices, interfaces, and back-end compatibility.
At a glance
What this is: This is an analysis of how the European Accessibility Act pushes accessibility requirements into banking authentication and digital identity workflows.
Why it matters: It matters because IAM, NHI, and customer identity teams now have to treat accessible authentication as a governance requirement, not just a UX enhancement.
👉 Read OneSpan's article on EAA-compliant banking authentication and Digipass
Context
The European Accessibility Act changes the baseline for consumer banking identity controls because authentication must now be usable by people with a wide range of abilities. In practical terms, that means login and transaction security can no longer be designed only around cryptographic strength or fraud resistance.
For identity teams, the issue is not just interface polish. Banking authentication sits at the intersection of customer identity, regulatory compliance, and secure transaction approval, so accessibility failures can become compliance failures as well as adoption failures.
OneSpan frames this through its Digipass accessibility example, but the underlying governance question is broader: can your authentication stack satisfy regulatory accessibility obligations without weakening assurance or excluding users?
Key questions
Q: How should banks make authentication accessible without weakening security?
A: Banks should treat accessibility as a design constraint inside the authentication control, not as an add-on after launch. That means testing real login and transaction flows for perceivability, operability, understandability, and robustness, while preserving assurance, fraud resistance, and auditability. The goal is a control that more customers can complete independently without reducing security standards.
Q: Why does accessibility matter in consumer identity and access management?
A: Accessibility matters because consumer IAM controls only work if customers can actually use them. In banking, inaccessible authentication creates compliance exposure, higher support demand, and weaker adoption of secure channels. A control that excludes users with disabilities is not just poor UX. It is a governance problem because the identity journey is no longer usable by all intended users.
Q: What do security teams get wrong about accessible authentication?
A: Teams often assume that accessibility is mainly a front-end or design-team issue. In practice, authentication accessibility depends on device behaviour, backend compatibility, error handling, language support, and transaction confirmation paths. If any of those layers break, the control can still fail even when the primary interface appears compliant.
Q: Who is accountable when banking authentication fails accessibility tests?
A: Accountability usually sits across IAM, security architecture, compliance, and customer experience teams, because the failure spans control design and regulated service delivery. The key question is whether the organisation can demonstrate that the authentication path was tested, approved, and maintained against accessibility obligations throughout its lifecycle.
Technical breakdown
How the European Accessibility Act reaches authentication flows
The European Accessibility Act is not limited to public websites or help pages. In consumer banking, it reaches the identity and security methods used for access and transaction approval, which means authentication itself must be perceivable, operable, understandable, and robust. Those are the four WCAG POUR principles. The practical shift is that security controls now need to work across assistive technologies, different input methods, and diverse user abilities without creating dead ends in the authentication journey.
Practical implication: review authentication and step-up flows against WCAG POUR, not only against fraud and assurance requirements.
Accessible authentication design in hardware tokens and back ends
Accessible authentication is not only about the front-end screen. Device design, voice support, display readability, button layout, and back-end compatibility all shape whether a user can complete a secure transaction independently. A hardware authenticator can be technically strong and still fail if the user cannot perceive instructions, interact with challenge prompts, or confirm a transaction in a usable way. Accessibility therefore becomes an end-to-end property of the authentication stack, not a single product feature.
Practical implication: validate the full authentication path, including device, application, and backend interactions, before treating a control as accessible.
Authentication assurance and inclusive banking journeys
The core architectural tension is between strong authentication and inclusive access. Banks still need resistance to fraud and account takeover, but they also need controls that remain understandable and operable for older users and people with disabilities. That means inclusive design choices such as adjustable audio, large displays, clear prompts, and alternative input paths are not cosmetic additions. They are part of how the identity control remains usable without degrading its security purpose.
Practical implication: treat accessibility testing as part of authentication assurance testing, not as a separate UX review.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Accessibility has become a control requirement inside consumer identity, not an external UX concern. The European Accessibility Act pushes identity teams to treat login and transaction approval as regulated user journeys. That changes the boundary of IAM governance because the control now has to be both secure and accessible to remain valid. Banks that still separate compliance, customer identity, and accessibility ownership will keep creating gaps that surface at the point of authentication.
Accessible authentication is a lifecycle issue, not a one-time product choice. Device configuration, language support, voice guidance, and backend compatibility all need to survive procurement, rollout, support, and refresh cycles. A control that is accessible on paper but fails in one locale, one device state, or one browser combination is not governance complete. Practitioners should treat this as an operating model question, not a feature checklist.
Perceivable, operable, understandable, and robust are governance criteria as much as design criteria. WCAG POUR gives identity teams a clear way to test whether authentication can be used by the populations the law is meant to protect. That matters because authentication failures for disabled users are not edge cases in a regulated consumer banking programme. The programme has to prove that security does not depend on excluding part of the customer base.
Inclusive authentication expands the definition of risk acceptance for IAM teams. If a bank cannot explain how a customer with limited vision, hearing, or dexterity completes authentication independently, then the identity control is not fully fit for purpose. That makes accessibility a board-relevant control discussion, not a niche implementation issue. Practitioners need to fold accessibility evidence into authentication governance, exception handling, and audit readiness.
Digital banking accessibility and secure authentication now share the same failure domain. When the login or transaction path is inaccessible, customers are pushed into workarounds that can increase abandonment, support burden, or unsafe behaviour. The implication is that IAM teams, accessibility teams, and security architects have to manage one shared control surface rather than separate programme silos.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.
- For a broader control baseline, see the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for lifecycle, rotation, and offboarding alignment.
What this signals
Accessible authentication is quickly becoming part of the identity control plane for regulated consumer services. As customer journeys merge security and service delivery, the governance test is no longer whether a bank can authenticate users, but whether it can do so without excluding users who rely on assistive technologies. That shift will force IAM and compliance teams to collaborate earlier in design and evidence gathering.
Inclusive access and secure access now need the same assurance language. If an authentication method cannot be operated independently by the intended population, the control is incomplete even if it is cryptographically strong. Practitioners should expect more audit attention on documented testing, exception handling, and usability evidence across the identity journey.
For practitioners
- Map authentication journeys to accessibility obligations Inventory all consumer login, step-up, and transaction approval flows and map them to the relevant accessibility requirements. Include device prompts, error states, timeout handling, and language support so the review covers the full journey, not just the sign-in screen.
- Test authentication against WCAG POUR criteria Evaluate whether each authentication path is perceivable, operable, understandable, and robust for users relying on assistive technologies. Use real device configurations and browser combinations so the assessment reflects the environments customers actually use.
- Validate backend compatibility before rollout Check that accessible authentication devices or methods remain reliable across the bank's supported operating systems, browsers, and customer channels. Include support desk procedures, because inaccessible fallback handling can undo an otherwise compliant deployment.
- Build accessibility evidence into IAM governance Document how accessibility is tested, approved, and revalidated across the lifecycle of the authentication control. Keep this evidence alongside security assurance material so compliance, audit, and IAM teams are working from the same record.
Key takeaways
- The European Accessibility Act pushes accessibility into the authentication control itself, not just the surrounding user interface.
- For banking IAM teams, the practical risk is a control that is secure in theory but unusable for part of the customer base.
- Practitioners should test authentication against WCAG POUR, document lifecycle evidence, and align accessibility assurance with IAM governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Accessible authentication must still manage who can access what in consumer banking. |
| NIST SP 800-63 | Consumer authentication must remain usable and secure for different user populations. | |
| NIST Zero Trust (SP 800-207) | 3.1 | Zero Trust requires continuous, usable verification across access journeys. |
Align authentication design with continuous verification without excluding legitimate users.
Key terms
- Accessible Authentication: Authentication that users can complete independently regardless of sensory, cognitive, or physical limitations. In banking, it must preserve assurance while remaining perceivable, operable, understandable, and robust across devices, channels, and assistive technologies.
- WCAG POUR: The four accessibility principles used to judge whether digital content can be used by a broad range of people: perceivable, operable, understandable, and robust. For identity systems, the model helps teams test whether login and approval flows remain usable without weakening security controls.
- Consumer Identity Journey: The end-to-end path a customer follows to register, authenticate, approve actions, and recover access. For regulated services, this journey is part of the control environment, so failures in usability, accessibility, or fallback handling can become governance and compliance issues.
Deepen your knowledge
Authentication accessibility under the European Accessibility Act is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity controls for regulated consumer journeys, the course gives useful governance context.
This post draws on content published by OneSpan: Meeting the European Accessibility Act with Digipass Compliance. Read the original.
Published by the NHIMG editorial team on 2025-07-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
