TL;DR: Phone-centric identity uses mobile, telecom, and bank signals to support digital identity verification, reduce reliance on OTPs, and meet PSD2/SCA requirements with less friction, according to Prove Identity. The governance issue is not whether mobile signals can improve assurance, but how banks and fintechs avoid turning device possession into a proxy that outlives its real trust boundary.
NHIMG editorial — based on content published by Prove Identity: Why Top Banks and FinTechs Are Adopting Phone-Centric Identity for Frictionless PSD2 SCA
By the numbers:
- Top banks and FinTechs reported a 25% increase in day-one digital registrations.
- Prove states its platform serves over 1,000 enterprises across 195 countries.
- Prove says 9 of the top 10 US financial institutions use its platform.
Questions worth separating out
Q: How should banks use phone-centric identity without overtrusting device possession?
A: Banks should treat device possession as one authentication signal, not as proof of full identity legitimacy.
Q: When does phone-centric authentication create more risk than it reduces?
A: It creates more risk when teams let a phone-linked signal become a standing trust anchor after onboarding.
Q: What do security teams get wrong about replacing OTPs with mobile intelligence?
A: They often assume the problem is solved once OTPs disappear.
Practitioner guidance
- Define where possession checks are authoritative Map which authentication journeys can rely on a phone possession check and which must always require additional step-up, especially for payment changes, recovery, and high-risk transactions.
- Rebuild recovery flows around device change Require explicit re-verification when a user changes phone number, replaces a device, or triggers account recovery, because those are the points where phone-linked identity weakens.
- Audit fallback paths for OTP dependence Find every recovery, exception, or call-centre path that still depends on OTPs or shared secrets, then remove the social engineering exposure they create.
What's in the full article
Prove Identity's full article covers the operational detail this post intentionally leaves for the source:
- Real-world examples of how phone-centric identity is applied in banking and fintech onboarding flows.
- The specific ways Prove describes possession-based checks as a binary yes or no outcome.
- Use cases for reducing OTP reliance while preserving PSD2 SCA compliance.
- The vendor's explanation of how phone-number-based identity tokens persist across the customer journey.
👉 Read Prove Identity's article on phone-centric identity for PSD2 SCA →
Phone-centric identity for PSD2 SCA: what changes for IAM teams?
Explore further
Phone possession is not the same as identity assurance: The article correctly treats the mobile device as a possession signal, but that signal is only one control layer in a broader identity decision. A trusted handset can support authentication, yet it does not by itself prove account legitimacy, user intent, or transaction integrity. Practitioners should therefore separate possession evidence from policy decisions that govern step-up, recovery, and transactional risk.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should own phone-based identity policy in a financial institution?
A: Ownership should sit jointly with IAM, fraud, and compliance, but one team needs final authority over authentication thresholds and exception handling. Without that governance, the same phone signal can be accepted in one workflow and rejected in another.
👉 Read our full editorial: Phone-centric identity reframes PSD2 SCA for banking and fintech