TL;DR: Regulators in the EU, UAE, and Philippines are tightening strong-authentication requirements for digital banking and workforce access, with PSR, UAE banking rules, and ENISA guidance all pushing away from weak methods like SMS OTP and toward phishing-resistant MFA and device-aware controls, according to OneSpan. The shift makes authentication governance a cross-domain IAM issue, not just a banking security concern.
NHIMG editorial — based on content published by OneSpan: Regulatory updates on strong authentication for digital banking and the enterprise workforce
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities: 46% confirmed and 26% suspected.
Questions worth separating out
Q: How should organisations replace SMS OTP without creating user friction?
A: Move high-risk access to phishing-resistant MFA, then keep one accessible alternative that does not depend on an interceptable delivery channel.
Q: When does OTP become too weak for regulated access?
A: OTP becomes too weak when the channel can be intercepted, replayed, or socially engineered, especially for remote access, privileged accounts, and transaction approval.
Q: How do device checks improve authentication governance?
A: Device checks add context that a password or token cannot provide on its own.
Practitioner guidance
- Retire OTP-only authentication for high-risk access: remove SMS OTP and email OTP as sole authenticators for login, transaction approval, and privileged operations.
- Standardise phishing-resistant MFA for workforce and privileged access: adopt FIDO-based methods for remote access, workstation logon, and privileged sessions.
- Add device integrity checks to authentication policy: block rooted, jailbroken, emulated, or otherwise insecure devices from sensitive mobile access paths.
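The three guidance points above are a policy, and a policy is easiest to review when it is written down as an evaluator that can be run against concrete access requests. The following is an added example, not code from OneSpan or NHIMG and not an implementation of any regulator's text: a small access-policy evaluator in which channel-delivered OTP (SMS, email) never counts toward the MFA requirement for high-risk actions, workforce and privileged actions require a phishing-resistant authenticator, and rooted or emulated devices are refused on sensitive mobile paths. The authenticator class names, action names, and risk tiers are assumptions chosen for illustration; the sample requests at the bottom are constructed.

```python
"""Toy strong-authentication policy evaluator (added example, assumptions throughout)."""
from dataclasses import dataclass, field

# Authenticator classes (assumed names). Only the first two classes are accepted as
# a second factor for high-risk access; channel OTP is treated as interceptable.
PHISHING_RESISTANT = frozenset({"fido2", "passkey", "smartcard"})
DEVICE_BOUND_OTP = frozenset({"totp_app", "hardware_otp"})   # accessible fallback
CHANNEL_OTP = frozenset({"sms_otp", "email_otp"})            # delivered over a channel
KNOWLEDGE = frozenset({"password", "pin"})

# Risk tiers (assumed). Workforce and privileged paths need phishing-resistant MFA;
# login and transaction approval need MFA that does not rely on channel OTP.
PHISHING_RESISTANT_REQUIRED = frozenset(
    {"remote_access", "workstation_logon", "privileged_operation"}
)
MFA_REQUIRED = PHISHING_RESISTANT_REQUIRED | {"login", "transaction_approval"}


@dataclass(frozen=True)
class AccessRequest:
    action: str
    authenticators: frozenset          # authenticator classes presented this session
    channel: str = "web"               # "web" or "mobile_app"
    device_rooted: bool = False        # from the mobile app's integrity check
    device_emulated: bool = False


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def evaluate(req: AccessRequest) -> Decision:
    """Return a Decision; every deny reason is a stable label suitable for audit logs."""
    reasons = []
    auths = req.authenticators
    has_pr = bool(auths & PHISHING_RESISTANT)
    has_bound_otp = bool(auths & DEVICE_BOUND_OTP)
    has_knowledge = bool(auths & KNOWLEDGE)
    # True when the only second-factor-like authenticator is SMS/email OTP.
    only_channel_otp = not has_pr and not has_bound_otp and bool(auths & CHANNEL_OTP)

    # Device integrity: insecure devices are blocked from sensitive mobile paths.
    if (req.channel == "mobile_app" and req.action in MFA_REQUIRED
            and (req.device_rooted or req.device_emulated)):
        reasons.append("device_integrity")

    if req.action in PHISHING_RESISTANT_REQUIRED and not has_pr:
        reasons.append("phishing_resistant_required")
    elif req.action in MFA_REQUIRED:
        if only_channel_otp:
            reasons.append("otp_only_high_risk")
        elif not (has_pr or (has_knowledge and has_bound_otp)):
            reasons.append("mfa_required")
    elif not auths:
        reasons.append("no_authenticator")

    return Decision(allow=not reasons, reasons=reasons)


def accessible_fallback(req: AccessRequest) -> str:
    """Name the alternative to offer when a request fails on authenticator strength.

    Keeps one option that is not an interceptable channel (assumed policy choice).
    """
    if req.action in PHISHING_RESISTANT_REQUIRED:
        return "fido2"          # no weaker fallback for privileged/workforce paths
    return "totp_app"           # device-bound OTP for login and transaction approval


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        AccessRequest("transaction_approval", frozenset({"password", "sms_otp"})),
        AccessRequest("transaction_approval", frozenset({"password", "totp_app"})),
        AccessRequest("privileged_operation", frozenset({"password", "totp_app"})),
        AccessRequest("privileged_operation", frozenset({"fido2"})),
        AccessRequest("transaction_approval", frozenset({"fido2"}),
                      channel="mobile_app", device_rooted=True),
    ]
    for s in samples:
        d = evaluate(s)
        print(s.action, sorted(s.authenticators), "->",
              "allow" if d.allow else f"deny {d.reasons} (offer {accessible_fallback(s)})")
```

The deny reasons are deliberately coarse labels rather than free text so that exceptions can be counted per reason in reporting, which is the evidence a governance review asks for when checking that OTP-only access is actually being retired rather than silently tolerated.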
What's in the full article
OneSpan's full article covers the regulatory detail this post intentionally leaves for the source:
- The exact wording of PSR Article 85(10), 88(1), and 88(2) and how each clause affects authentication design.
- The UAE notice requirements for web banking confirmation through a separate secure channel and real-time fraud detection.
- The Philippines circular guidance on rooted devices, app shielding, and FIDO-based passwordless authentication.
- ENISA's risk-ranked MFA categories and how they map to NIS2 compliance decisions.
Read OneSpan's analysis of strong authentication regulations for banking and workforce access.
Explore further
Strong authentication is becoming a governance baseline, not a banking feature. The article shows regulators treating weak OTP methods as insufficient for high-risk access and transaction flows. That matters because the control problem is now shared across consumer banking, workforce access, and privileged use cases. IAM teams should read this as a policy convergence signal, not a sector-specific exception.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when weak authentication remains in use?
A: Accountability sits with the organisation that owns the access policy, the regulated business process, and the exceptions. Boards, security leaders, and identity teams need to treat weak authentication as a governance decision, not just a technical choice. Where regulation defines minimum controls, the programme must prove that exceptions are limited, documented, and risk accepted.
Read our full editorial: Strong authentication regulations are shifting digital banking and workforce IAM.