
Continuous authentication for sessions and transactions: what teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Authentication now has to extend beyond login to the session and transaction layer, using passkeys, FIDO2, device and behavioural signals, and transaction signing to protect high-risk actions, according to OneSpan. For IAM teams, the shift matters because static authentication alone no longer matches how attacks target users, sessions, and transactions.

NHIMG editorial — based on content published by OneSpan: authentication and security across access, sessions, and transactions

By the numbers:

  • More than 500 million users are protected through OneSpan's authentication offerings.

Questions worth separating out

Q: How should security teams handle authentication after login in high-risk workflows?

A: They should treat authentication as a session and transaction control, not only an access check.

Q: When do passkeys and FIDO2 reduce risk most effectively?

A: They matter most where phishing, credential replay, and password reuse are realistic threats, especially for employees or customers who approve sensitive actions.

Q: What breaks when organisations rely on MFA alone for digital interactions?

A: MFA can confirm the user once, but it does not automatically protect the active session or the transaction being approved later.

Practitioner guidance

  • Shift high-risk populations to phishing-resistant authentication: Prioritise passkeys and FIDO2 for employees and customers who approve sensitive actions, especially where password reuse and phishing exposure remain high.
  • Add session-level assurance signals: Collect device, behavioural, and contextual signals during active sessions so abnormal patterns can trigger adaptive authentication before a sensitive action completes.
  • Bind approval to the transaction itself: Require transaction signing or dynamic linking for high-value transfers, administrative actions, and other critical workflow steps.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

  • How the passkey, FIDO2, and authenticator options fit into specific deployment environments
  • The app shielding and mobile protection capabilities used to extend security into active sessions
  • How transaction signing and dynamic linking are applied to high-value workflows
  • Customer examples that show where the authentication model is being used in practice

👉 Read OneSpan's analysis of continuous authentication for sessions and transactions →

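Added example for the "session-level assurance signals" guidance in the post above. This is editor-written illustration code, not OneSpan's or NHIMG's, and the signal set, thresholds and decisions (the 10-minute step-up window, the velocity limit, which actions count as sensitive) are assumptions chosen for the demonstration rather than anything the source specifies. It shows the distinction the guidance implies: a session cookie arriving from a different device ends the session, while softer anomalies on a sensitive action trigger step-up before the action completes.

```python
"""Session-level adaptive authentication policy (added example, see lead-in)."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed set of actions that must be re-authorised against the live session context.
SENSITIVE_ACTIONS = {"transfer", "change_payee", "grant_role", "export_data"}
STEP_UP_MAX_AGE = 10 * 60      # seconds since last strong auth; assumed value
VELOCITY_LIMIT = 5             # sensitive requests per minute; assumed value


@dataclass(frozen=True)
class SessionContext:
    """Signals captured at login and bound to the session."""
    session_id: str
    device_id: str      # attested app instance or cookie-bound device id
    ip_country: str
    user_agent: str
    mfa_at: float       # unix time of the last strong authentication


@dataclass(frozen=True)
class Request:
    """Signals observed on a later request within the same session."""
    session_id: str
    at: float
    action: str
    device_id: str
    ip_country: str
    user_agent: str
    sensitive_last_minute: int   # behavioural signal: recent sensitive calls


def decide(ctx: SessionContext, req: Request) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons) for one request.

    A device mismatch ends the session outright: a valid cookie presented
    from a different device is the session-hijack pattern, and stepping up
    would only ask the attacker to complete MFA. Softer anomalies on a
    sensitive action trigger step-up before the action completes; non-
    sensitive actions are allowed once the hard checks pass.
    """
    if req.session_id != ctx.session_id:
        return "deny", ["unknown session"]
    if req.device_id != ctx.device_id:
        return "deny", ["session presented from a different device"]
    if req.action not in SENSITIVE_ACTIONS:
        return "allow", []

    reasons = []
    if req.ip_country != ctx.ip_country:
        reasons.append("network location changed mid-session")
    if req.user_agent != ctx.user_agent:
        reasons.append("user agent changed mid-session")
    if req.at - ctx.mfa_at > STEP_UP_MAX_AGE:
        reasons.append("strong authentication is stale")
    if req.sensitive_last_minute > VELOCITY_LIMIT:
        reasons.append("sensitive-action velocity above baseline")
    return ("step_up" if reasons else "allow"), reasons


# Constructed sample session and requests (not real telemetry).
LOGIN = SessionContext("s-42", "dev-A", "GB", "App/5.1 iOS", mfa_at=1_700_000_000.0)

SAMPLE_REQUESTS = [
    Request("s-42", 1_700_000_030.0, "view_balance", "dev-A", "GB", "App/5.1 iOS", 0),
    Request("s-42", 1_700_000_060.0, "transfer", "dev-A", "GB", "App/5.1 iOS", 1),
    Request("s-42", 1_700_000_900.0, "transfer", "dev-A", "GB", "App/5.1 iOS", 1),
    Request("s-42", 1_700_000_120.0, "transfer", "dev-A", "NL", "App/5.1 iOS", 1),
    Request("s-42", 1_700_000_150.0, "transfer", "dev-B", "GB", "App/5.1 iOS", 1),
    Request("s-42", 1_700_000_180.0, "change_payee", "dev-A", "GB", "App/5.1 iOS", 9),
]


def run_demo() -> List[str]:
    """Decision for each sample request, in order."""
    return [decide(LOGIN, r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r, d in zip(SAMPLE_REQUESTS, run_demo()):
        print(f"{r.action:<13} {d}")
```

The point of the policy shape is that `decide` runs on every request in the session, not once at login, and that the decision is made before the sensitive action executes. Replace the constructed signals with whatever your session store and device binding actually provide; the structure (hard checks that end the session, soft checks that step up) carries over.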

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Authentication has become a runtime control, not a one-time event. The article reflects a broader shift in identity security: login is no longer the end of assurance, because attackers increasingly operate inside valid sessions. That changes the governance model for human IAM and connected application flows alike. Practitioners should treat authentication as an ongoing trust decision across the full interaction path, not as a single gate at the front door.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • A separate finding from the same research shows that 71% of NHIs are not rotated within recommended time frames, which keeps exposure windows open longer than most teams expect.

A question worth separating out:

Q: How can teams prove that their transaction approval controls are working?

A: Look for evidence that approvals are bound to the exact transaction context, not just the user session. In practice, that means testing whether changing the amount, destination, or action invalidates the approval path. If the approval still succeeds after the action changes, the control is too loose.

👉 Read our full editorial: Continuous authentication for sessions and transactions in modern IAM

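Added example serving both the "bind approval to the transaction itself" guidance in the editorial and the tamper test described in the reply above. This is editor-written illustration code, not OneSpan's, NHIMG's or any vendor's implementation. It assumes an HMAC-SHA256 over a canonical encoding of the transaction fields as the approval, keyed with a per-device secret; real transaction signing uses an asymmetric signature from a FIDO2, passkey or hardware authenticator, and HMAC stands in here only so the example runs with the standard library. The field names, the `tamper_check` and `replay_check` helpers, and the sample transactions are constructed for the demonstration.

```python
"""Transaction signing / dynamic linking check (added example, see lead-in)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    session_id: str
    action: str        # "transfer", "add_admin", ...
    amount: int        # minor currency units; 0 for non-monetary actions
    destination: str   # account, role or resource the action targets
    nonce: str         # fresh per approval request; defeats replay


def canonical(tx: Transaction) -> bytes:
    """Deterministic encoding of exactly the fields the user is shown.
    Anything not covered here can be changed after approval without detection."""
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


# --- Loose control: approval proves a session, not a transaction -------------
def session_only_approval(device_key: bytes, tx: Transaction) -> str:
    """Covers only the session id; amount and destination are not signed."""
    return hmac.new(device_key, tx.session_id.encode(), hashlib.sha256).hexdigest()


def verify_session_only(device_key: bytes, tx: Transaction, approval: str,
                        seen_nonces: Optional[Set[str]] = None) -> bool:
    return hmac.compare_digest(session_only_approval(device_key, tx), approval)


# --- Dynamic linking: approval is a signature over the transaction itself ---
def sign_transaction(device_key: bytes, tx: Transaction) -> str:
    """What the authenticator returns after the user confirms the displayed
    amount, destination and action (what you see is what you sign)."""
    return hmac.new(device_key, canonical(tx), hashlib.sha256).hexdigest()


def verify_transaction(device_key: bytes, tx: Transaction, approval: str,
                       seen_nonces: Optional[Set[str]] = None) -> bool:
    """Server-side check against the transaction the server is about to
    execute, not against whatever the client claims was approved."""
    if seen_nonces is not None and tx.nonce in seen_nonces:
        return False                                   # replayed approval
    if not hmac.compare_digest(sign_transaction(device_key, tx), approval):
        return False
    if seen_nonces is not None:
        seen_nonces.add(tx.nonce)
    return True


Signer = Callable[[bytes, Transaction], str]
Verifier = Callable[[bytes, Transaction, str], bool]


def tamper_check(device_key: bytes, sign: Signer, verify: Verifier) -> Dict[str, bool]:
    """The test from the thread: approve one transaction, change one field,
    then resubmit the original approval. True means the approval still
    passes, i.e. the control is too loose."""
    original = Transaction("sess-1", "transfer", 10_000, "acct-legit", secrets.token_hex(8))
    approval = sign(device_key, original)
    results = {}
    for field, value in (("amount", 9_000_000),
                         ("destination", "acct-attacker"),
                         ("action", "add_admin")):
        tampered = Transaction(**{**asdict(original), field: value})
        results[field] = verify(device_key, tampered, approval)
    return results


def replay_check(device_key: bytes) -> Tuple[bool, bool]:
    """Same approval submitted twice against the dynamic-linking verifier:
    the first succeeds, the second is rejected because the nonce was consumed."""
    tx = Transaction("sess-1", "transfer", 10_000, "acct-legit", secrets.token_hex(8))
    approval = sign_transaction(device_key, tx)
    seen: Set[str] = set()
    return (verify_transaction(device_key, tx, approval, seen),
            verify_transaction(device_key, tx, approval, seen))


if __name__ == "__main__":
    key = secrets.token_bytes(32)    # stand-in for a per-device authenticator key
    print("session-only:", tamper_check(key, session_only_approval, verify_session_only))
    print("dynamic link:", tamper_check(key, sign_transaction, verify_transaction))
    print("replay:", replay_check(key))
```

Against the session-only scheme every tampered field still verifies, because nothing about the transaction was signed; against the dynamic-linking scheme every change is rejected, and resubmitting the same approval fails once its nonce has been consumed. The same tamper-and-resubmit procedure works as a black-box check against a production approval endpoint: capture one legitimate approval, alter the amount or destination in the execute request, and confirm the server refuses it.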