TL;DR: Passwords remain one of the top two initial access vectors, while banks face account takeover fraud, credential stuffing, and relay attacks that bypass SMS and push-based MFA, according to RSA Security and the 2026 Verizon DBIR. FIDO2 passkeys and post-quantum planning shift the control point from shared secrets to cryptographic assurance and regulatory readiness.
NHIMG editorial — based on content published by RSA Security: Passwordless Banking in 2026: FIDO2, PSD3 Compliance, and Post-Quantum Security
By the numbers:
- PSD3 and PSR1 reached political agreement in 2025 and are in active implementation, with transition timelines extending into 2027 and 2028.
Questions worth separating out
Q: How should banks implement phishing-resistant authentication without breaking recovery flows?
A: Banks should remove passwords from the primary path and then harden enrollment, reset, and recovery with the same assurance level.
Q: Why do passwords and SMS-based MFA remain high-risk in banking?
A: Passwords and SMS are high-risk because they depend on shared secrets or interceptable delivery channels.
Q: When should banking teams prioritise device-bound passkeys over synced passkeys?
A: Banking teams should prioritise device-bound passkeys for privileged users, high-value transactions, and any flow where stronger assurance matters more than convenience.
Practitioner guidance
- Map every password dependency in authentication flows: inventory enrollment, recovery, reset, and help desk paths, not just the primary login journey.
- Validate phishing-resistant SCA end to end: test whether your implementation supports possession plus inherence or knowledge, then confirm that transaction signing is bound to the payment amount and beneficiary where required.
- Design a multi-authenticator fallback policy: support different authenticator types for retail users, corporate users, branch staff, and privileged administrators so that compliance, usability, and recovery are governed together.
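The dynamic-linking check in the second point above is where implementations most often go wrong: the bank has to verify the passkey assertion against the payment it is about to execute, not against the details the client echoes back. The Go program below is an added example written for this summary, not code from RSA Security or NHIMG. It assumes a relying party ID of bank.example, derives the WebAuthn challenge from the amount, currency, beneficiary and a server nonce (one common way to satisfy dynamic linking; other designs carry the payment inside a signed extension instead), and simulates the passkey with an in-process ECDSA P-256 key so it runs offline. The IBANs are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const rpID, origin = "bank.example", "https://bank.example" // assumed relying party for this example

type Transaction struct { // payment details the user is shown and approves
	Amount      string `json:"amount"`
	Currency    string `json:"currency"`
	Beneficiary string `json:"beneficiary"`
	Nonce       string `json:"nonce"` // server-issued per request, so an identical payment cannot be replayed
}

type Assertion struct { // what navigator.credentials.get() returns to the bank
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4, big-endian)
	Signature      []byte // DER ECDSA over AuthData || SHA-256(ClientDataJSON)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// TransactionChallenge derives the WebAuthn challenge from the payment itself (dynamic linking):
// any change to amount, currency or beneficiary changes the challenge, so one signature covers one payment.
func TransactionChallenge(tx Transaction) string {
	enc, _ := json.Marshal(tx) // fixed struct field order gives a canonical encoding
	h := sha256.Sum256(append([]byte(rpID+"|"), enc...))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// VerifyTransactionAssertion checks the assertion against the transaction the bank is about to execute,
// never against details echoed back by the client, and returns the authenticator's new signature counter.
func VerifyTransactionAssertion(pub *ecdsa.PublicKey, tx Transaction, a Assertion, lastCount uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return 0, errors.New("client data type or origin mismatch")
	}
	if cd.Challenge != TransactionChallenge(tx) {
		return 0, errors.New("challenge is not bound to this transaction")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return 0, errors.New("authenticator data malformed or rpIdHash mismatch")
	}
	if a.AuthData[32]&0x05 != 0x05 { // UP (bit 0) and UV (bit 2) must both be set
		return 0, errors.New("user presence and user verification are both required")
	}
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count <= lastCount {
		return 0, errors.New("signature counter did not increase: possible cloned credential")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON) // a FIDO2 authenticator signs authData || SHA-256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return 0, errors.New("signature invalid")
	}
	return count, nil
}

func SimulateAuthenticator(priv *ecdsa.PrivateKey, challenge string, count uint32) Assertion { // stands in for the passkey
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = 0x05 // UP | UV
	binary.BigEndian.PutUint32(authData[33:], count)
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return Assertion{ClientDataJSON: cdJSON, AuthData: authData, Signature: sig}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	approved := Transaction{Amount: "1250.00", Currency: "EUR", Beneficiary: "DE89370400440532013000", Nonce: "n-0001"} // constructed sample
	a := SimulateAuthenticator(priv, TransactionChallenge(approved), 1)
	_, err := VerifyTransactionAssertion(&priv.PublicKey, approved, a, 0)
	fmt.Println("approved payment:", err) // <nil>
	tampered := approved
	tampered.Beneficiary = "GB29NWBK60161331926819" // payee swapped after the user approved
	_, err = VerifyTransactionAssertion(&priv.PublicKey, tampered, a, 0)
	fmt.Println("tampered payment:", err) // challenge is not bound to this transaction
}
```

The verifier recomputes the challenge from the payment the core system is about to book, so a payee or amount altered after approval fails on the challenge check before the signature is even examined. The origin check defeats a proxied lookalike site, the UV flag enforces the second SCA factor on the authenticator, and the counter check is the standard FIDO2 signal for a cloned credential; all three belong in the same verification path as the dynamic-linking check.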
What's in the full article
RSA Security's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how FIDO2 passkeys work in browser and banking flows.
- Implementation guidance for PSD3 and PSR1 strong customer authentication, including dynamic linking.
- Practical comparison of synced passkeys, device-bound passkeys, and hardware security keys.
- Post-quantum roadmap considerations for authentication teams planning cryptographic migration.
👉 Read RSA Security’s analysis of passwordless banking, PSD3, and post-quantum security →
Phishing-resistant banking authentication: what IAM teams need to know
Explore further
Phishing-resistant banking is now an identity governance problem, not just an authentication problem. The article correctly shows that passwords, SMS OTPs, push approvals, recovery paths, and third-party contracts all sit inside the same control plane. Once regulators expect phishing resistance, the boundary shifts from login design to programme governance across the full identity lifecycle. The implication is that banking IAM teams must own recovery, auditability, and authenticator policy as one architecture.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when phishing-resistant authentication is available but not deployed?
A: Accountability sits with the identity, risk, and security owners who set authentication policy and justify exceptions. If regulators expect phishing resistance and the institution keeps weaker methods in place, the burden shifts to the programme owner to explain the residual fraud exposure and the business decision behind it.
👉 Read our full editorial: Passwordless banking now depends on phishing-resistant identity