Phishing-resistant MFA is becoming the new regulatory baseline


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Financial regulators in the EU, UAE, and Philippines are tightening strong authentication requirements by limiting SMS OTPs, expanding phishing-resistant MFA guidance, and pushing more resilient customer and workforce controls, according to OneSpan. The direction is clear: identity programmes that still rely on weak second factors will struggle to meet emerging compliance and fraud expectations.

NHIMG editorial — based on content published by OneSpan: Regulatory updates on strong authentication for customers and staff

Questions worth separating out

Q: How should security teams phase out SMS OTP in regulated environments?

A: Start by identifying every business flow where SMS OTP is used for login, transaction approval, or recovery.

Q: Why does phishing-resistant MFA matter more than adding more factors?

A: Adding another factor does not help if both factors can be intercepted, replayed, or relayed in a phishing attack.

Q: How do you know if your authentication model is actually strong enough?

A: A strong model should withstand interception, replay, and remote phishing without depending on user judgement at every step.

Practitioner guidance

  • Inventory every SMS OTP dependency. Map customer, workforce, and privileged flows that still rely on SMS or email OTP as a primary or fallback factor.
  • Set a phishing-resistant MFA baseline for sensitive access. Define which access paths require FIDO-based or otherwise origin-bound authentication, especially for remote access, privileged accounts, and high-value customer actions.
  • Align fraud detection with identity events. Feed authentication telemetry, device signals, and transaction context into fraud controls so suspicious access can be challenged or blocked in real time.

What's in the full article

OneSpan's full article covers the regulatory detail this post intentionally leaves for the source:

  • The exact article-by-article PSR changes under discussion in the European trilogue process
  • The full wording of the UAE central bank notice and its implementation deadlines
  • The Philippines circular requirements for mobile banking device hardening and authentication methods
  • ENISA's factor-strength categories and the technical rationale behind phishing-resistant MFA

👉 Read OneSpan's analysis of stronger authentication rules across the EU, UAE, and Philippines →

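The post above says that a second factor only helps if it cannot be intercepted, replayed, or relayed, and points to FIDO-based or otherwise origin-bound authentication as the baseline. The toy model below, added here as an illustration and not code from OneSpan or NHIMG, shows the mechanical difference: an OTP is a bearer value that verifies wherever the user typed it, while an origin-bound assertion signs the challenge together with the origin the browser is actually on, so a challenge relayed through a look-alike site produces a signature the real relying party rejects, and a captured assertion cannot be replayed because each challenge is single-use. The origins, the HMAC stand-in for the authenticator's signature (real FIDO uses asymmetric keys), and the `RelyingParty` class are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the toy model; the second is a look-alike domain.
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.test"


def authenticator_sign(key, challenge, browser_origin):
    """The authenticator signs the challenge together with the origin the
    browser reports, so the result is only valid for that origin.
    (HMAC stands in for the asymmetric signature a FIDO authenticator makes.)"""
    message = browser_origin.encode() + b"|" + challenge
    return hmac.new(key, message, hashlib.sha256).digest()


class RelyingParty:
    """Toy relying party: issues single-use challenges and accepts only
    assertions bound to its own origin (stand-in for the WebAuthn checks)."""

    def __init__(self, origin, credential_key):
        self.origin = origin
        self.credential_key = credential_key   # stands in for the registered public key
        self.outstanding = set()               # challenges issued but not yet consumed

    def issue_challenge(self):
        challenge = secrets.token_bytes(32)
        self.outstanding.add(challenge)
        return challenge

    def verify_assertion(self, challenge, signature):
        # Replay defence: a challenge may be consumed exactly once.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        # Origin binding: recompute over OUR origin, not whatever the client claims.
        expected = authenticator_sign(self.credential_key, challenge, self.origin)
        return hmac.compare_digest(expected, signature)


def otp_verify(issued_code, submitted_code):
    """An OTP is a bearer value: it is accepted wherever it was typed,
    so a phishing page that forwards it in real time succeeds."""
    return hmac.compare_digest(issued_code, submitted_code)


def simulate_login(relayed):
    """Run one login with each factor. If `relayed` is True the user is on a
    phishing page that forwards challenge and response to the real RP live."""
    key = secrets.token_bytes(32)
    rp = RelyingParty(RP_ORIGIN, key)
    browser_origin = PHISH_ORIGIN if relayed else RP_ORIGIN

    # SMS/e-mail OTP: the attacker simply forwards what the victim typed.
    issued = f"{secrets.randbelow(10**6):06d}"
    otp_ok = otp_verify(issued, issued)

    # Origin-bound assertion: the challenge reaches the authenticator unchanged,
    # but the signature is bound to the origin the browser is actually on.
    challenge = rp.issue_challenge()
    signature = authenticator_sign(key, challenge, browser_origin)
    assertion_ok = rp.verify_assertion(challenge, signature)

    # Replaying the captured assertion fails even when it was legitimate.
    replay_ok = rp.verify_assertion(challenge, signature)

    return {
        "otp_accepted": otp_ok,
        "assertion_accepted": assertion_ok,
        "replay_accepted": replay_ok,
    }


if __name__ == "__main__":
    for relayed in (False, True):
        print("relayed through phishing page" if relayed else "direct login",
              simulate_login(relayed))
```

Running it shows the direct login accepted by both factors, the relayed login accepted by the OTP check but refused by the origin-bound check, and the replay refused in both runs. That is the property the post calls "not depending on user judgement at every step": the user can be fooled about which site they are on, and the protocol still fails closed.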
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Weak second factors are becoming a governance liability, not just a technical weakness. The article shows regulators moving in the same direction across retail banking and critical sectors: reduce SMS OTP dependence, prefer phishing-resistant MFA, and require stronger transaction assurance. That means the old assumption that any second factor is “good enough” no longer holds under scrutiny. The practitioner conclusion is that authentication assurance now has to be defensible as a policy choice, not just a feature choice.

A few things that frame the scale:

  • Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%, according to The State of Secrets in AppSec.
  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.

A question worth separating out:

Q: Who is accountable when weak authentication remains in place after a regulatory update?

A: Accountability sits with the control owners who approve the authentication standard, the IAM team that implements it, and the business owners who accept residual risk. In regulated environments, that means keeping a clear policy record for exceptions, fallback methods, and migration timelines so the organisation can defend its decisions during audit or incident review.

👉 Read our full editorial: Strong customer authentication rules are tightening across regions
