TL;DR: Passkey adoption in banking combines higher sign-in completion, faster authentication, and resistance to credential stuffing, phishing, and adversary-in-the-middle attacks, according to OneSpan’s RSAC 2026 discussion with The Defenders Initiative. The practical shift is not passkeys alone, but staged rollout, recovery design, and coexistence planning that make consumer behaviour change achievable.
NHIMG editorial — based on content published by OneSpan: Passkeys for banking, a conversation with CyberRisk TV Compliance
By the numbers:
- The passkey completion rate is 93%.
- The average time it takes an end-user to complete an MFA challenge is about 31.2 seconds.
Questions worth separating out
Q: How should banks roll out passkeys without disrupting customer access?
A: Banks should phase passkey rollout by platform, region, or customer segment and keep existing methods available during transition.
Q: Why do passkeys matter more in banking than in many other apps?
A: Banking combines high-value accounts, repeated login events, and strong attacker incentive, so password replay, phishing, and adversary-in-the-middle attacks are especially costly.
Q: What breaks when passkey recovery is not governed properly?
A: The programme falls back to the weakest legacy recovery path, which attackers often target first.
Practitioner guidance
- Design the full passkey journey: map onboarding, sign-in, and account recovery as one control chain.
- Phase adoption by channel and region: start with one platform or one geography and use the results to validate completion rate, latency, and help-desk impact before broadening scope.
- Keep a governed fallback strategy: allow coexistence with passwords, MFA, or other methods while passkey adoption matures, but set explicit conditions for when each alternative is used and when it is retired.
What's in the full article
OneSpan's full blog covers the operational detail this post intentionally leaves for the source:
- A practical breakdown of how banks can stage passkey adoption across web and mobile without forcing day-one migration.
- The specific metrics discussed for sign-in completion, MFA completion time, and passkey login time, useful for implementation baselines.
- The rollout advice on account recovery, opt-in design, and coexistence with existing authentication methods.
- The implementation context from a live RSAC 2026 conversation, including how a banking deployment should be sequenced in practice.
👉 Read OneSpan's discussion of passkeys for banking and phased adoption →
Passkeys in banking: what changes for IAM and fraud teams?
Explore further
Passkeys solve a human authentication problem, not an identity governance problem. They reduce phishing, stuffing, and adversary-in-the-middle exposure, but they do not remove the need to govern enrollment, recovery, fallback, and channel coexistence. In banking, the security gain is real only when the operating model treats passkeys as part of the access lifecycle rather than a simple credential swap. The practitioner conclusion is that authentication modernization must be governed end to end, not deployed as a point control.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: What is the difference between passkeys and traditional MFA in practice?
A: Passkeys remove shared secrets and bind authentication to the device, while traditional MFA often adds a second factor on top of a password. In practice, that means passkeys can reduce phishing and replay risk, but only if banks also manage recovery and coexistence carefully.
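The mechanism the answer above describes, worked through as an added example that is not OneSpan's or NHIMG's code: a simulated platform authenticator and a bank relying party in Go, with the rpID bank.example, the origin https://bank.example, the lookalike origin https://bank-login.example, and the registration step (the public key the bank already stores) all assumed. It shows why there is no shared secret to replay, and why an assertion produced while the browser sits on a phishing origin, or an assertion submitted a second time, is rejected by the server-side checks.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Hypothetical relying-party identifiers, constructed for this example.
const rpID, rpOrigin = "bank.example", "https://bank.example"

// clientData: the WebAuthn CollectedClientData fields the server checks. The
// browser, not the web page, fills in Origin; that is what defeats phishing.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, as browsers encode it
	Origin    string `json:"origin"`
}

// assertion is what the client returns for one sign-in attempt.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// authenticator simulates a platform passkey: the private key never leaves it,
// so there is no shared secret for a phishing page or a relay to capture.
type authenticator struct{ key *ecdsa.PrivateKey; signCount uint32 }

// sign builds authenticatorData (rpIdHash || flags || signCount) and signs
// SHA-256(authData || SHA-256(clientDataJSON)), the layout WebAuthn specifies.
func (a *authenticator) sign(challenge []byte, origin string) (assertion, error) {
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 0) // 0x01 = UP flag
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Origin: origin, // cannot fail
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, msg[:])
	return assertion{authData, cd, sig}, err
}

// relyingParty is the bank's server once registration has stored the public key;
// pending holds issued one-time challenges that have not yet been consumed.
type relyingParty struct{ pubKey *ecdsa.PublicKey; signCount uint32; pending map[string]bool }

// newChallenge issues a fresh random challenge that may be consumed exactly once.
func (rp *relyingParty) newChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand: fails only if the OS RNG is unavailable
	rp.pending[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}

// verify runs the server-side checks behind passkeys' phishing and replay resistance:
// type, origin binding, one-time challenge, rpIdHash, UP flag, counter, signature.
func (rp *relyingParty) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != rpOrigin {
		return fmt.Errorf("rejected type %q / origin %q", cd.Type, cd.Origin)
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("unknown or already-used challenge")
	}
	delete(rp.pending, cd.Challenge) // consume it: a replayed assertion fails here
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("authenticatorData rejected: length, rpIdHash or UP flag")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count != 0 && count <= rp.signCount {
		return fmt.Errorf("signature counter did not increase (possible cloned credential)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pubKey, msg[:], as.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	rp.signCount = count
	return nil
}

// demo runs three sign-ins against one registered passkey and returns each outcome:
// genuine; produced on a lookalike origin behind a relay that forwarded the bank's
// real challenge (adversary-in-the-middle); and a replay of the genuine assertion.
func demo() (genuine, phished, replayed error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration stored key.PublicKey
	auth := &authenticator{key: key}
	rp := &relyingParty{pubKey: &key.PublicKey, pending: map[string]bool{}}
	ok, _ := auth.sign(rp.newChallenge(), rpOrigin)
	genuine = rp.verify(ok)
	// A real browser would not even offer a bank.example passkey on this origin; the
	// server-side origin check is the backstop for a misbehaving or modified client.
	relayed, _ := auth.sign(rp.newChallenge(), "https://bank-login.example")
	phished = rp.verify(relayed)
	replayed = rp.verify(ok) // same assertion again: its challenge is already consumed
	return genuine, phished, replayed
}
```

Calling demo() returns nil for the genuine sign-in and a non-nil error for the other two attempts. The point for an IAM team is that every one of those rejections happens on the bank's side from data the browser and authenticator produce, with no password involved; the controls the editorial says still need governing (enrollment, recovery, fallback) sit outside this verification step and are exactly where a weak legacy path would bypass it.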
👉 Read our full editorial: Passkeys for banking reduce friction without weakening auth