TL;DR: Financial regulators in the EU, UAE, and Philippines are tightening strong authentication requirements by limiting SMS OTPs, expanding phishing-resistant MFA guidance, and pushing more resilient customer and workforce controls, according to OneSpan. The direction is clear: identity programmes that still rely on weak second factors will struggle to meet emerging compliance and fraud expectations.
At a glance
What this is: An analysis of how new banking and critical-sector authentication rules are reshaping strong MFA expectations for customers and staff.
Why it matters: IAM teams must align human authentication, privileged access, and policy enforcement with regional rules that are moving away from weak one-time passwords.
👉 Read OneSpan's analysis of stronger authentication rules across the EU, UAE, and Philippines
Context
Strong customer authentication is no longer a narrow banking control. Regulators are increasingly treating the choice of factor, device, and fraud-detection layer as part of the security baseline for digital access, especially where account takeover and transaction fraud are the main concerns.
For IAM teams, this changes the design problem across human identity, privileged access, and adjacent non-human workflows that support banking operations. The practical question is not whether MFA exists, but whether it is phishing resistant, channel-aware, and defensible under local regulation.
Key questions
Q: How should security teams phase out SMS OTP in regulated environments?
A: Start by identifying every business flow where SMS OTP is used for login, transaction approval, or recovery. Replace those paths first with phishing-resistant MFA for the highest-risk users and actions, then keep SMS only as a constrained fallback where regulation still permits it. The goal is to reduce interception exposure without breaking user access.
Q: Why does phishing-resistant MFA matter more than adding more factors?
A: Adding another factor does not help if both factors can be intercepted, replayed, or relayed in a phishing attack. Phishing-resistant MFA matters because it binds the authentication event to the correct device and origin, which makes credential capture far less useful to an attacker. That is why regulators are increasingly favouring it for sensitive access.
Q: How do you know if your authentication model is actually strong enough?
A: A strong model should withstand interception, replay, and remote phishing without depending on user judgement at every step. If the control still works only when users notice a suspicious message or reject an OTP prompt, it is not strong enough for high-risk access. Measure this by testing whether the factor survives real adversary-in-the-middle conditions.
Q: Who is accountable when weak authentication remains in place after a regulatory update?
A: Accountability sits with the control owners who approve the authentication standard, the IAM team that implements it, and the business owners who accept residual risk. In regulated environments, that means keeping a clear policy record for exceptions, fallback methods, and migration timelines so the organisation can defend its decisions during audit or incident review.
Technical breakdown
Why SMS OTP is being pushed out of the strong authentication baseline
SMS OTP remains attractive because it is familiar, but it is weak against interception, SIM swapping, and real-time phishing: the code carries no information about where it was typed, so a proxy page can simply forward it to the real site. Regulators are drawing a sharper line between merely having a second factor and authentication that can resist an attacker actively relaying the exchange. In the EU discussion, the key issue is whether the authentication factors belong to genuinely different categories rather than being two variants of the same weak class. In the UAE and Philippines, the guidance goes further by restricting OTP-by-SMS and OTP-by-email for sensitive actions.
Practical implication: demote SMS OTP to fallback status and map every sensitive flow to a stronger, phishing-resistant option.
Phishing-resistant MFA and FIDO-based authentication
Phishing-resistant MFA changes the threat model because the credential cannot be replayed the way a password or OTP can. FIDO-based methods bind each assertion to a specific device key and relying party: the signed response includes the origin the browser actually connected to and a hash of the relying-party identifier, so an assertion produced on a look-alike site does not verify at the real one, and a fresh server challenge prevents a captured assertion from being submitted twice. That is why technical guidance from European authorities classifies FIDO-style authentication as the strongest category, with push OTP and hardware tokens below it and SMS or email OTP at the bottom. The regulatory signal is not about user convenience but about whether the factor survives modern adversary-in-the-middle attacks.
Practical implication: prefer origin-bound, replay-resistant factors for remote login, privileged access, and transaction approval.
Fraud detection is becoming part of the authentication control plane
Several of the updated rules do not stop at factor choice. The UAE guidance explicitly requires real-time fraud detection, and encourages behavioural analytics and biometric signals for suspicious activity. That matters because authentication alone cannot absorb every risk when device trust, user behaviour, and transaction context all matter. In practice, the control plane is shifting from a single login event to a chained set of checks across device, user, and transaction: the factor used, the device's trust state, behavioural anomalies, and the value of the action are evaluated together, and the outcome may be allow, step-up, or block rather than a binary pass. For IAM architects, this blurs the old divide between identity verification and fraud monitoring.
Practical implication: connect authentication events to fraud analytics so policy can react to device, behaviour, and transaction context.
Breaches seen in the wild
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Weak second factors are becoming a governance liability, not just a technical weakness. The article shows regulators moving in the same direction across retail banking and critical sectors: reduce SMS OTP dependence, prefer phishing-resistant MFA, and require stronger transaction assurance. That means the old assumption that any second factor is “good enough” no longer holds under scrutiny. The practitioner conclusion is that authentication assurance now has to be defensible as a policy choice, not just a feature choice.
Phishing-resistant MFA is now the clearest shared language between compliance, fraud, and access governance. The EU, UAE, and Philippines are converging on the same practical answer from different angles, even if their legal texts differ. That convergence matters because IAM teams often treat customer authentication, workforce MFA, and privileged access as separate design tracks. The signal here is that those tracks are being pulled toward the same control standard: replay resistance and origin binding.
Factor diversity alone is not enough if both factors are still easy to intercept. The Council’s push to keep authentication elements in different categories highlights a common governance error, which is confusing variety with assurance. Two weak factors do not become strong MFA just because they look different on paper. Practitioners should treat factor composition as a risk decision, not a compliance checkbox.
Fraud analytics is becoming an identity dependency, not an optional add-on. The UAE requirement for continuous fraud detection shows that authentication policies are now expected to work in concert with behavioural and transaction monitoring. That changes identity programme design because security teams can no longer isolate login assurance from downstream risk scoring. The practitioner conclusion is that identity governance must include fraud telemetry in its control model.
Authentication policy is now a regional design problem with enterprise-wide consequences. The article makes clear that compliance timelines, device rules, and factor restrictions differ by jurisdiction, but the architectural impact lands in one IAM stack. Multi-country organisations need a consistent baseline that can vary by policy without fragmenting the user experience. The practitioner conclusion is to standardise on the strongest common denominator and add policy exceptions only where regulation permits.
From our research:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
- For a broader identity baseline, see the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for how lifecycle controls reduce standing exposure.
What this signals
Phishing-resistant authentication is moving from niche hardening to baseline identity architecture. For organisations operating across banking, payments, and critical infrastructure, the real shift is that policy can no longer treat SMS OTP as a default second factor. The control model needs to assume jurisdiction-specific factor restrictions, device trust checks, and stronger recovery paths, especially where privileged access is involved.
The practical signal for IAM leaders is that workforce MFA, customer authentication, and step-up approval are converging on the same assurance question: can the factor resist interception and relay? That makes authentication design inseparable from device posture, fraud telemetry, and exception governance. Teams that separate those disciplines will create policy drift even if each team believes it is compliant.
For practitioners
- Inventory every SMS OTP dependency: Map customer, workforce, and privileged flows that still rely on SMS or email OTP as a primary or fallback factor. Prioritise login, transaction approval, account recovery, and privileged elevation paths where interception risk is highest.
- Set a phishing-resistant MFA baseline for sensitive access: Define which access paths require FIDO-based or otherwise origin-bound authentication, especially for remote access, privileged accounts, and high-value customer actions. Treat push OTP as intermediate, not as the end state for critical use cases.
- Align fraud detection with identity events: Feed authentication telemetry, device signals, and transaction context into fraud controls so suspicious access can be challenged or blocked in real time. This is especially important where regulators expect continuous detection rather than point-in-time login checks.
- Build jurisdiction-aware authentication policy: Maintain a control matrix that maps each region's requirements to approved factors, fallback options, and account types. Use that matrix to avoid one-size-fits-all rollout decisions that create compliance gaps in cross-border banking operations.
Key takeaways
- The article shows regulators converging on one conclusion: weak OTP-based authentication is no longer a durable baseline for sensitive access.
- The operational shift is not just factor choice, but the integration of phishing-resistant MFA, device trust, and fraud detection into one control model.
- IAM teams should treat regional authentication rules as design constraints now, not as future compliance work.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63B | Authenticator Assurance Levels (AAL2/AAL3); verifier impersonation (phishing) resistance; out-of-band SMS/PSTN authenticators marked as restricted | Defines which authenticator types count as phishing resistant and why SMS OTP is treated as a restricted, lower-assurance method. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1): all resource authentication and authorisation are dynamic and strictly enforced before access is allowed | Supports continuous verification and step-up decisions driven by device, behavioural, and transaction context. |
| NIST CSF 2.0 | PR.AA (Identity Management, Authentication, and Access Control), e.g. PR.AA-01 and PR.AA-03 | Governs credential management, authentication policy, exceptions, and regulated authentication standards. |
Use identity assurance and authenticator guidance to replace weak OTP flows with stronger approved methods.
Key terms
- Phishing-resistant MFA: Authentication that is designed to resist credential capture, replay, and adversary-in-the-middle attacks. It typically binds the factor to a specific origin or device, which makes stolen tokens far less useful than passwords or SMS one-time codes.
- Strong customer authentication: A higher-assurance authentication model used for sensitive consumer access and payment actions. It usually requires multiple independent elements and stronger protections against interception, fraud, and session relay than basic login security.
- Origin-bound authentication: An authentication method that only works for the intended website, application, or relying party. This reduces the value of phishing pages and proxy attacks because the factor cannot be easily replayed against a different destination.
Deepen your knowledge
Strong customer authentication and phishing-resistant MFA are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising identity controls for regulated access, it is worth exploring.
This post draws on content published by OneSpan: Mises à jour réglementaires sur l'authentification forte pour clients et personnel (Regulatory updates on strong authentication for customers and staff). Read the original.
Published by the NHIMG editorial team on 2025-07-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org