TL;DR: Financial institutions now need phishing-resistant authentication that works across web, mobile, contact centres, branches, wire approvals, and payment rails, because passwordless web login alone leaves the highest-loss channels exposed, according to Scramble ID. The real control gap is not authentication at the login page but cryptographic identity binding across every customer and employee touchpoint.
NHIMG editorial — based on content published by Scramble ID: Authentication for Financial Services
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should financial institutions implement phishing-resistant authentication across channels?
A: They should use one cryptographic identity pattern across web, mobile, contact centres, branches, and high-risk transactions, then reserve weaker methods only for low-risk fallback paths.
Q: Why do contact centre authentication flows fail so often in banking?
A: They fail because knowledge-based questions are easy to assemble from breached or publicly available data, especially when fraudsters are already impersonating the bank.
Q: When should banks require step-up authentication instead of relying on session login?
A: Banks should require step-up authentication whenever the action can create direct financial loss or irreversible account change, such as wires, new payees, branch withdrawals, or production access.
Practitioner guidance
- Map every authentication channel to one assurance standard: inventory web, mobile, contact centre, branch, wire, workforce, and machine-to-machine paths, then record which ones still rely on SMS, push OTP, or KBA.
- Remove KBA from high-risk caller verification: use cryptographic caller verification in IVR and agent workflows so the agent sees a verified caller identity before any sensitive action.
- Separate login from transaction authorisation: require fresh step-up authentication for wires, payee changes, branch cash movements, and production changes.
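The three guidance points above, together with the step-up question earlier on the page, describe one policy: rank every authentication method on a single assurance scale regardless of channel, and let a high-risk action through only on fresh phishing-resistant evidence, never on a session login or a KBA/OTP result. The following Python is an added illustration of that policy, not code from Scramble ID or NHIMG. The method labels, assurance ranking, action list, freshness windows and the dual-control threshold are all constructed assumptions for the example.

```python
"""Step-up authorisation policy for high-risk banking actions (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Assurance(IntEnum):
    """Constructed ranking: higher is harder to phish or socially engineer."""
    KBA = 1                  # knowledge-based questions
    SMS_OTP = 2              # one-time code over SMS
    PUSH_OTP = 3             # push approval / app-generated OTP
    PHISHING_RESISTANT = 4   # device-bound, origin-bound credential (e.g. passkey)


# Constructed mapping from a method label to its assurance level. The channel a
# method is used on never raises or lowers its level: one standard everywhere.
METHOD_ASSURANCE = {
    "kba": Assurance.KBA,
    "sms_otp": Assurance.SMS_OTP,
    "push_otp": Assurance.PUSH_OTP,
    "passkey": Assurance.PHISHING_RESISTANT,
    "cryptographic_caller_verification": Assurance.PHISHING_RESISTANT,
}

# Actions that can cause direct loss or irreversible change.
HIGH_RISK_ACTIONS = {"wire", "new_payee", "branch_cash_withdrawal", "production_change"}

STEP_UP_FRESHNESS = timedelta(minutes=5)    # constructed window for step-up proof
SESSION_FRESHNESS = timedelta(minutes=30)   # constructed window for a plain session
DUAL_CONTROL_THRESHOLD = 100_000.0          # constructed: wires above this need two approvers


@dataclass(frozen=True)
class AuthEvent:
    actor: str       # customer or employee identifier
    method: str      # key of METHOD_ASSURANCE
    channel: str     # web, mobile, contact_centre, branch, workforce
    at: datetime


@dataclass(frozen=True)
class ActionRequest:
    actor: str
    action: str
    channel: str
    amount: float = 0.0
    approvers: tuple = ()    # additional actors offered for dual control


@dataclass(frozen=True)
class Decision:
    outcome: str    # "allow", "step_up" or "deny"
    reason: str


def assurance_of(event: AuthEvent) -> Assurance:
    """Unknown methods are treated as the weakest level, never as stronger."""
    return METHOD_ASSURANCE.get(event.method, Assurance.KBA)


def has_fresh_auth(actor, events, now, minimum, window) -> bool:
    """True if `actor` holds an auth event at or above `minimum` inside `window`."""
    return any(
        e.actor == actor and assurance_of(e) >= minimum and now - e.at <= window
        for e in events
    )


def authorise(req: ActionRequest, events, now: datetime) -> Decision:
    """Decide whether an action may proceed on the evidence collected so far."""
    if req.action in HIGH_RISK_ACTIONS:
        # Login is not authorisation: a fresh phishing-resistant proof is required,
        # and KBA or OTP never satisfy it on any channel.
        if not has_fresh_auth(req.actor, events, now, Assurance.PHISHING_RESISTANT, STEP_UP_FRESHNESS):
            return Decision("step_up", f"{req.action} requires fresh phishing-resistant step-up")
        if req.action == "wire" and req.amount > DUAL_CONTROL_THRESHOLD:
            # Dual control: a second, distinct actor must also hold fresh proof.
            others = [a for a in req.approvers if a != req.actor]
            if not any(has_fresh_auth(a, events, now, Assurance.PHISHING_RESISTANT, STEP_UP_FRESHNESS)
                       for a in others):
                return Decision("deny", "wire above dual-control threshold needs a second verified approver")
        return Decision("allow", "fresh phishing-resistant proof present")
    # Low-risk actions: a session login inside the window is enough. This is the
    # only place weaker fallback methods such as KBA are tolerated.
    if has_fresh_auth(req.actor, events, now, Assurance.KBA, SESSION_FRESHNESS):
        return Decision("allow", "session login sufficient for low-risk action")
    return Decision("step_up", "no valid session login")


# Constructed sample evidence: a stale passkey login, a recent SMS OTP from the
# contact centre, a KBA-only caller, and an employee verified cryptographically.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    AuthEvent("cust-1", "passkey", "web", NOW - timedelta(minutes=25)),
    AuthEvent("cust-1", "sms_otp", "contact_centre", NOW - timedelta(minutes=1)),
    AuthEvent("cust-3", "kba", "contact_centre", NOW),
    AuthEvent("emp-7", "cryptographic_caller_verification", "workforce", NOW - timedelta(minutes=2)),
]

if __name__ == "__main__":
    for req in (ActionRequest("cust-1", "balance_view", "web"),
                ActionRequest("cust-1", "wire", "web", amount=5000.0),
                ActionRequest("cust-3", "new_payee", "contact_centre")):
        print(req.actor, req.action, authorise(req, SAMPLE_EVENTS, NOW))
```

Note that the 25-minute-old passkey login still serves a balance view but not a wire, and the one-minute-old SMS OTP is irrelevant to the wire no matter how fresh it is; that separation of session from transaction evidence is the control the guidance asks for.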
What's in the full article
Scramble ID's full article covers the operational detail this post intentionally leaves for the source:
- Channel-by-channel authentication patterns for online banking, mobile apps, contact centres, branches, and payment rails
- Worked compliance mapping across FFIEC, NYDFS Part 500, PCI DSS v4.0.1, PSD2 SCA, and related controls
- Detailed transaction-step-up patterns for wires, named payees, and dual-control approval
- Implementation examples for cryptographic caller verification and device-bound credentials
👉 Read Scramble ID's analysis of phishing-resistant authentication for financial services →
Authentication across banking channels: are your controls keeping up?
Explore further
Phishing-resistant authentication is now an omnichannel governance problem, not a web security feature. The article's core message is that financial institutions can no longer treat banking login, contact-centre authentication, branch identity checks, and wire approval as separate design problems. Once fraud shifts into the channel with the weakest trust proof, the control framework has to cover every identity event, not just web access. Practitioner conclusion: IAM teams should govern one assurance model across all customer and employee touchpoints.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: What frameworks require stronger authentication for financial services?
A: FFIEC guidance, NYDFS Part 500, PCI DSS v4.0.1, and PSD2 SCA all push institutions toward layered, phishing-resistant authentication with stronger evidence for higher-risk actions. The practical test is whether the control can survive a phishing proxy, fraud call, or verifier impersonation.
👉 Read our full editorial: Phishing-resistant authentication is now a financial services baseline