By NHI Mgmt Group Editorial Team
Published 2025-08-28
Domain: Governance & Risk
Source: HYPR

TL;DR: The CBUAE will end SMS and OTP for UAE financial institutions by March 2026, pushing banks toward phishing-resistant passkeys that reduce fraud, user friction, and operational cost, according to HYPR. The real issue is not the authentication factor itself but the governance shift from legacy, interceptable credentials to device-bound assurance that changes how IAM, CIAM, and step-up controls are designed.


At a glance

What this is: HYPR's take on the CBUAE SMS and OTP ban, arguing that passkeys should replace legacy factors as the default for financial authentication.

Why it matters: Financial IAM teams now have a regulatory catalyst to rework customer authentication, transaction assurance, and helpdesk burden around phishing-resistant methods.

By the numbers:

  • By March 2026, the era of the SMS and One-Time Passwords will be over for the nation's financial institutions.

👉 Read HYPR's analysis of the CBUAE SMS and OTP ban


Context

The core issue is customer authentication assurance, not just convenience. When SMS and OTP are still used as primary or step-up factors, banks inherit familiar failure modes such as phishing, SIM swapping, and social engineering, which weakens the identity layer supporting digital banking.

For IAM and CIAM teams, the CBUAE mandate turns passwordless authentication from a roadmap item into a governance decision. The question is now how to move from interceptable factors to phishing-resistant assurance without breaking onboarding, transaction security, or operational resilience.

That starting point, with legacy OTP still in primary or step-up roles, is typical across financial services, where teams keep it even when they know it is fragile.


Key questions

Q: How should security teams replace SMS OTP in banking authentication?

A: Start by moving the highest-risk customer journeys to phishing-resistant passkeys, then redesign recovery, device binding, and step-up for sensitive actions. Do not swap factors in isolation. The strongest programmes treat login, account recovery, and transaction approval as one governance problem, with assurance levels rising as the business impact rises.

Q: Why do SMS and OTP fail for high-risk financial access?

A: They fail because the code is only as trustworthy as the delivery channel. Phishing, SIM swapping, and social engineering can intercept or redirect the factor, which means the bank is no longer verifying the intended customer. In high-risk banking workflows, that makes SMS and OTP a weak basis for account takeover prevention.

Q: What do teams get wrong about passwordless customer authentication?

A: They often focus on login convenience and ignore recovery, fallback, and transaction step-up. If those paths still allow weaker proof, attackers will target them instead. Passwordless works only when the organisation governs the full customer lifecycle, including registration, device loss, and high-value transaction approval.

Q: Who is accountable when a weak authentication factor enables fraud?

A: Accountability sits with the organisation that chose the assurance model, not the attacker and not the customer. In regulated banking, IAM, fraud, risk, and digital product leaders all share responsibility for proving that authentication controls match the threat level and the transaction value.


Technical breakdown

Why SMS and OTP fail as identity assurance

SMS and OTP are possession factors, but possession is only as strong as the channel carrying the code. If an attacker can phish the code, divert the SIM, or socially engineer a reset path, the factor no longer proves the authentic user. In practice, the authentication signal is detached from the protected application and depends on a third-party delivery path that IAM teams do not control. That makes the control fragile in high-risk financial workflows where fraud attempts are targeted and adaptive.

Practical implication: stop treating SMS and OTP as durable assurance for customer access or high-value actions.

How passkeys change customer identity security

Passkeys use public key cryptography and are bound to the legitimate website or app, which prevents replay on lookalike phishing sites. The private key stays on the user's device, often protected by biometrics or device unlock, while the service stores only the public key. That changes the trust model from shared secrets and code delivery to origin-bound cryptographic proof. For CIAM, this also reduces password reset demand and allows stronger step-up flows for sensitive transactions without reintroducing the weaknesses of OTP.

Practical implication: design passkey rollout around registration, recovery, and step-up paths, not only login replacement.

Why transaction step-up matters more than login alone

Many organisations focus on the sign-in event and miss the transaction layer, where fraud impact concentrates. Risk-based authentication should not end at the first successful login. For banking, the real control question is whether a high-risk payment, account change, or beneficiary update can trigger stronger proof without forcing a poor customer experience. Passkeys make that possible because they can support seamless, device-bound step-up events that are harder to phish than codes sent over SMS.

Practical implication: map passkey assurance to transaction risk and reserve stronger checks for high-impact actions.


Threat narrative

Attacker objective: The attacker aims to impersonate the customer and authorise fraudulent activity that appears legitimate to the bank's identity controls.

  1. Entry begins when attackers use phishing, SIM swapping, or social engineering to intercept SMS or OTP-based authentication.
  2. Escalation occurs when the stolen code lets the attacker complete account takeover or bypass a transaction step-up challenge.
  3. Impact follows through fraudulent transfers, unauthorised account changes, and the resulting trust and reputational damage to the bank.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SMS OTP bans are not just channel changes; they are assurance-model corrections. The CBUAE mandate recognises that interceptable codes are too weak for modern financial risk. The deeper point is that customer identity programmes cannot keep treating delivery convenience as proof of identity. Practitioners should read the policy as a forced reassessment of what counts as acceptable authentication.

Passkeys expose the hidden cost of legacy identity recovery. OTP systems often look cheap until fraud, helpdesk resets, and delayed recovery are counted together. That is why device-bound authentication matters: it shifts security work away from code delivery and toward cryptographic proof, which is more consistent with zero-trust thinking. The practitioner conclusion is that recovery and registration now deserve the same governance attention as login.

Phishing-resistant authentication is now a financial control, not a user-experience feature. Once fraud attempts are targeting the identity layer itself, MFA design becomes a business-risk decision. The organisations that still frame passwordless as optional innovation will struggle to justify continued reliance on weaker factors. Practitioners should treat authentication assurance as a board-visible control surface.

Passkey adoption changes CIAM from authentication management to lifecycle orchestration. The challenge is no longer whether a user can sign in, but how the organisation governs device binding, recovery, step-up, and fallback paths across the customer journey. That is where IAM, CIAM, and fraud prevention converge. Practitioners should design the operating model before scaling the factor.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a broader view of lifecycle risk, 52 NHI Breaches Analysis shows how weak identity governance turns into incident patterns.

What this signals

Banks that treat passkey adoption as a front-end authentication project will miss the governance work hiding behind recovery, fallback, and transaction authorisation. The operating model has to shift from code delivery to assurance orchestration across customer identity, fraud controls, and helpdesk workflows.

Recovery-path debt: the weakest part of passwordless programmes is often the path back into the account, not the first sign-in. That is where organisations need to focus if they want the security and customer-experience gains to hold under attack.

As passwordless becomes a regulated expectation in financial services, IAM leaders should expect stronger scrutiny of step-up policy, device binding, and fallback design. Teams that can evidence those controls will be better positioned to scale beyond pilot deployments without recreating OTP-era risk.


For practitioners

  • Retire SMS and OTP from high-risk flows: Remove SMS and OTP from customer journeys where account takeover or transaction fraud would create material loss, and keep only narrowly justified exceptions with documented risk acceptance.
  • Redesign recovery before rollout: Map how customers will recover access when they lose a device, fail biometric validation, or cannot complete registration, because recovery paths are where weak factors tend to re-enter the stack.
  • Bind step-up controls to transaction risk: Use passkeys for sign-in and for high-value actions such as beneficiary changes, payment approval, or profile edits, so assurance rises when business impact rises.
  • Measure helpdesk and fraud impact together: Track OTP delivery failures, reset volume, account takeover attempts, and fraud losses in one view so the business case reflects security and operational cost, not just authentication conversion.

Key takeaways

  • The CBUAE mandate turns SMS OTP from a convenience pattern into a governance liability for financial institutions.
  • Passkeys improve phishing resistance, but the real control question is whether recovery and transaction-step-up paths are governed with the same discipline as login.
  • IAM teams should treat passwordless rollout as an assurance redesign across CIAM, fraud prevention, and customer lifecycle controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST SP 800-63                |                     | Passkeys map to phishing-resistant authentication guidance for customer identity.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Zero trust requires stronger identity assurance than SMS OTP can reliably provide.
NIST CSF 2.0                  | PR.AA-01            | Identity proofing and authenticators are central to strong access assurance.

Use phishing-resistant authenticators for higher-risk banking journeys and reserve weaker factors for low-risk fallback only.


Key terms

  • Passkey: A passkey is a phishing-resistant authenticator based on public key cryptography. The private key stays on the user’s device and the service verifies a signed challenge tied to the legitimate website or app, which makes replay and lookalike-site phishing materially harder.
  • Customer Identity and Access Management: Customer Identity and Access Management is the governance layer for how external users register, authenticate, recover access, and complete sensitive actions. In practice, it must connect login assurance with onboarding, step-up, and recovery so the identity model holds across the full customer journey.
  • Phishing-resistant authentication: Phishing-resistant authentication uses cryptographic proof that cannot be reused on a fake site or easily intercepted in transit. For financial services, it is the difference between a factor that can be copied and one that is bound to the real relying party and the user’s device.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.

This post draws on content published by HYPR: The CBUAE's SMS and OTP Ban is a Golden Opportunity. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org