TL;DR: Regulators in the EU, UAE, and Philippines are tightening strong-authentication requirements for digital banking and workforce access, with PSR, UAE banking rules, and ENISA guidance all pushing away from weak methods like SMS OTP and toward phishing-resistant MFA and device-aware controls, according to OneSpan. The shift makes authentication governance a cross-domain IAM issue, not just a banking security concern.
At a glance
What this is: This is an analysis of new strong-authentication regulatory moves across banking and workforce access, showing a clear shift away from weak OTP-based methods toward phishing-resistant MFA and device-aware controls.
Why it matters: It matters because IAM, NHI, and workforce teams must align authentication policy, device trust, and fraud controls across regulated and non-regulated environments instead of treating them as separate programmes.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
👉 Read OneSpan's analysis of strong authentication regulations for banking and workforce access
Context
Strong authentication is no longer a narrow banking implementation detail. The article shows regulators converging on the same governance problem: weak factors such as SMS OTP and email OTP create avoidable exposure when they are treated as sufficient protection for high-risk access and transaction flows.
For IAM teams, the real issue is control consistency across human users, workforce access, and digitally mediated banking journeys. That includes phishing-resistant MFA, device confidence, fraud detection, and policy exceptions for accessibility or smart-device-only models, all of which need to be governed as part of one authentication strategy.
Key questions
Q: How should organisations replace SMS OTP without creating user friction?
A: Move high-risk access to phishing-resistant MFA, then keep one accessible alternative that does not depend on an interceptable delivery channel. Use FIDO-based methods for primary journeys, add device trust where context matters, and reserve weaker factors only for tightly controlled fallback paths. The goal is not more prompts. It is less exploitable authentication.
Q: When does OTP become too weak for regulated access?
A: OTP becomes too weak when the channel can be intercepted, replayed, or socially engineered, especially for remote access, privileged accounts, and transaction approval. Regulators are increasingly treating SMS and email OTP as last-resort options rather than default strong authentication. If the factor can be harvested outside the session, it is not strong enough for high-risk use.
Q: How do device checks improve authentication governance?
A: Device checks add context that a password or token cannot provide on its own. Root and jailbreak detection, app shielding, and device fingerprinting help determine whether the access attempt comes from an expected endpoint and channel. That reduces the chance that valid credentials are accepted from an untrusted environment.
Q: Who is accountable when weak authentication remains in use?
A: Accountability sits with the organisation that owns the access policy, the regulated business process, and the exceptions. Boards, security leaders, and identity teams need to treat weak authentication as a governance decision, not just a technical choice. Where regulation defines minimum controls, the programme must prove that exceptions are limited, documented, and risk accepted.
Technical breakdown
Why weak OTP remains a governance problem
One-time passwords are not equal to strong authentication when the delivery channel is interceptable or the factor can be replayed. SMS and email OTP still rely on shared telecom and mailbox trust, which creates exposure to phishing, SIM swap, mailbox compromise, and session hijack. Regulators are increasingly separating factor presence from factor resistance, because a code that can be intercepted does not meaningfully reduce account takeover risk. The PSR, UAE notice, and ENISA guidance all point in the same direction: authentication must resist real-world attack paths, not just satisfy a checkbox definition.
Practical implication: replace OTP-only flows for sensitive access with phishing-resistant MFA and document where OTP remains a limited fallback.
Device trust and channel binding in digital banking
The article highlights a shift from factor-centric thinking to device-aware authentication. Device fingerprinting, app shielding, secure-channel confirmation, and restrictions on rooted or jailbroken devices all try to answer the same question: is this session originating from a trusted device and an expected channel? That matters because strong authentication is weakened when the endpoint itself is not trusted. For banking and enterprise access alike, the control objective is not just proving a user knows something or has something. It is proving that the interaction context is sufficiently trustworthy for the transaction being approved.
Practical implication: tie high-risk approvals to trusted-device signals and require a separate secure channel for confirmation where the channel itself matters.
Phishing-resistant MFA as a baseline for workforce and privileged access
ENISA’s guidance under NIS2 reflects a broader trend in identity governance. For remote access, privileged account use, and workstation logon, the control question is no longer whether MFA exists. It is whether the method is resistant to phishing and adversary-in-the-middle attacks. FIDO-based authenticators materially change that equation because they bind authentication to origin and device rather than exposing reusable secrets. The practical effect is that workforce IAM and privileged access controls are increasingly converging on the same standard: low-friction does not matter if the factor can be harvested.
Practical implication: prioritise phishing-resistant MFA for privileged and remote access first, then standardise the same method across broader workforce journeys.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Strong authentication is becoming a governance baseline, not a banking feature. The article shows regulators treating weak OTP methods as insufficient for high-risk access and transaction flows. That matters because the control problem is now shared across consumer banking, workforce access, and privileged use cases. IAM teams should read this as a policy convergence signal, not a sector-specific exception.
SMS OTP is being pushed into legacy status because the delivery channel, not just the factor, is the weakness. The UAE and the Philippines both point away from SMS and email OTP, while ENISA places them at the bottom of its risk-ranked guidance. The practical conclusion is that factor inventory alone is no longer a defensible assurance model.
Device trust is now part of authentication governance, not an adjacent mobile security concern. The article’s focus on rooted devices, app shielding, and secure-channel confirmation shows that the authentication boundary extends into endpoint integrity and channel assurance. Organisations that separate IAM from device trust will keep finding gaps at the point of access.
Accessibility and usability requirements are shaping authentication architecture as much as threat models are. The Council’s requirement to provide at least one suitable authentication mechanism free of charge, including for people with disabilities, shows that secure authentication must also be inclusive. Practitioners need policies that satisfy both assurance and accessibility without defaulting to the weakest common denominator.
Phishing-resistant MFA is increasingly the common denominator across regulated environments. The same control pattern appears across banking, workforce access, and critical-sector regulation. That creates a useful standardisation opportunity for IAM programmes, but only if they stop treating user population, device posture, and transaction risk as separate design problems.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- For the lifecycle side of this problem, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for how governance, rotation, and offboarding change once access is treated as a managed lifecycle.
What this signals
Strong authentication policy is converging with broader identity governance. As regulators narrow the acceptable set of factors, IAM teams will need to standardise assurance levels across banking, workforce, and privileged workflows. The programme risk is no longer whether MFA exists, but whether the chosen method actually resists modern interception and phishing paths.
Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security, which is a warning sign for adjacent authentication programmes too. If organisations struggle to govern machine identities, they are likely to overestimate the maturity of their human authentication controls as well. The same governance gap shows up when teams confuse factor presence with factor assurance.
Authentication and endpoint trust are moving closer together. Programmes that keep device posture outside IAM will miss the growing overlap between mobile security, fraud detection, and access governance. For teams aligning to NIST Cybersecurity Framework 2.0, the next step is to treat trusted-device assurance as part of identity protection rather than a separate mobile concern.
For practitioners
- Retire OTP-only authentication for high-risk access: Remove SMS OTP and email OTP as sole authenticators for login, transaction approval, and privileged operations. Keep a narrow fallback only where regulators explicitly allow it and where compensating controls are documented.
- Standardise phishing-resistant MFA for workforce and privileged access: Adopt FIDO-based methods for remote access, workstation logon, and privileged sessions. Prioritise roles with administrative rights, external connectivity, or high transaction authority.
- Add device integrity checks to authentication policy: Block rooted, jailbroken, emulated, or otherwise insecure devices from sensitive mobile access paths. Combine device fingerprinting with app shielding and secure-channel confirmation for higher-risk actions.
- Separate accessibility coverage from weak-factor dependence: Provide at least one suitable authentication mechanism that is usable by the full customer base, including people with disabilities, without forcing the organisation back to SMS OTP as the default safe option.
Key takeaways
- Regulators are narrowing the acceptable definition of strong authentication by pushing OTP-only methods toward the edge of high-risk access.
- The evidence points to a broader governance shift, where device integrity, channel assurance, and phishing resistance now sit inside IAM design decisions.
- Practitioners should standardise stronger methods for privileged and remote access first, then build accessible fallback paths that do not depend on interceptable factors.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | This article centres on identity assurance and authentication strength. |
| NIST Zero Trust (SP 800-207) | IA-2 | Zero trust depends on stronger authentication for remote and privileged sessions. |
| NIST SP 800-63 | | The article addresses digital identity assurance and authenticators. |
Select authenticators by assurance level and avoid factors that can be intercepted or replayed.
Key terms
- Phishing-resistant MFA: Multi-factor authentication that cannot be easily replayed or intercepted by common phishing and man-in-the-middle techniques. In practice, this usually means origin-bound authenticators such as FIDO-based methods, where the credential is tied to the legitimate site and device rather than sent as a reusable code.
- Device fingerprinting: A technique that uses a combination of device signals to recognise whether an access attempt comes from a known or trusted endpoint. It helps security teams detect anomalous devices, but it should be treated as one signal among several, not as proof of identity by itself.
- Secure channel confirmation: A control that requires a sensitive action to be confirmed through a separate trusted channel rather than the same path used to initiate the request. It reduces the chance that a compromised browser, session, or message channel can approve its own transaction.
- Strong customer authentication: An authentication approach that uses more than one category of factor and is designed to raise assurance for sensitive consumer actions. In regulated banking contexts, it is increasingly interpreted through the lens of phishing resistance, channel integrity, and transaction context, not just factor count.
Deepen your knowledge
Strong authentication, phishing-resistant MFA, and device trust are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is being pulled in the same direction by banking, workforce, or critical-sector requirements, it is worth exploring.
This post draws on content published by OneSpan: Regulatory updates on strong authentication for digital banking and the enterprise workforce. Read the original.
Published by the NHIMG editorial team on 2025-07-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org