Use risk-based authentication so low-risk sessions stay friction-light while suspicious logins trigger stronger checks. Pair that with device reputation, behavioural signals, and safer recovery methods. The aim is not to block every customer path, but to reserve hard stops for the moments when identity risk rises sharply.
Why This Matters for Security Teams
Account takeover is rarely a single-control problem. Attackers increasingly combine stolen passwords, session theft, MFA fatigue, device spoofing, and social engineering against recovery workflows. For banks, the tension is clear: stronger friction can reduce fraud, but blanket step-up checks can damage conversion, frustrate customers, and push help desk demand into the wrong channels. Current guidance suggests treating login as a risk decision, not a binary gate.
That means banks need controls that adapt to session context, device history, behavioural anomalies, and transaction intent. NIST Cybersecurity Framework 2.0 is useful here because it frames identity assurance as part of continuous risk management rather than a one-time authentication event. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now reinforces the broader lesson that identity compromise is often operationally invisible until abuse is already underway.
In practice, many security teams encounter account takeover only after fraudulent transfers, account lockouts, or recovery abuse have already occurred, rather than through intentional detection design.
How It Works in Practice
The practical model is risk-based authentication, but it works best when the bank separates three decisions: initial login, step-up challenge, and post-login privilege or transaction approval. Low-risk sessions can stay friction-light with passwordless or remembered-device paths, while suspicious logins trigger stronger checks such as passkeys, device binding, or out-of-band verification. The key is to keep the strongest friction for the highest-risk moments, not for every customer every time.
Good implementations combine multiple signals rather than over-relying on one. These usually include device reputation, geovelocity, impossible-travel patterns, behavioural biometrics, IP reputation, session age, and whether the customer is attempting a risky action such as adding a payee or changing recovery details. The most effective programs also treat account recovery as part of the attack surface. Recovery flows often become the easiest route around MFA, so they need the same policy scrutiny as primary login.
For identity governance, NIST guidance supports continuous evaluation, while NHIMG’s Top 10 NHI Issues highlights a recurring operational pattern: credentials, tokens, and recovery paths fail when they are managed as static assets instead of time-bound trust decisions. That same lesson applies to customer identity controls in banking, where session assurance should degrade or strengthen in real time. In parallel, policy teams can align with NIST Cybersecurity Framework 2.0 by mapping authentication assurance, fraud response, and account recovery into a single control loop.
- Use low-friction login for low-risk sessions and reserve step-up for anomalies.
- Bind high-value actions to stronger assurance than initial sign-in.
- Harden recovery with the same scrutiny as authentication.
- Continuously tune thresholds using fraud outcomes and false-positive review.
These controls tend to break down when banks use static rules across all customer segments because fraud patterns, device diversity, and legitimate travel behaviour vary too widely.
Common Variations and Edge Cases
Tighter login controls often increase abandonment and support overhead, requiring banks to balance fraud reduction against customer experience and operational load. That tradeoff becomes sharper for mobile-first customers, business account users, and assisted channels where device consistency is weaker and recovery is more frequent. Best practice is evolving, and there is no universal standard for the exact risk score or challenge threshold that should trigger step-up.
One edge case is high-value but infrequent users, such as treasury staff or affluent customers who log in from multiple locations and devices. Another is trusted-device abuse, where attackers hijack long-lived cookies or session tokens and bypass the password step entirely. In those cases, continuous session monitoring and re-authentication on sensitive actions matter more than login prompts alone. Banks should also treat service teams, branch-assisted reset flows, and call-centre override procedures as part of the same control design.
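The following is an added illustration, not code from NHIMG or any bank's system, of the decision split described above: a login score built from several of the signals listed (device reputation, IP reputation, behavioural anomaly, impossible travel) feeding an allow / step-up / block tier, and a separate check that binds sensitive actions to fresh strong authentication so a hijacked long-lived session still hits re-authentication. The weights, thresholds, field names and 1000 km/h travel limit are assumptions chosen for the example.

```python
import math
from dataclasses import dataclass

@dataclass
class LoginContext:
    device_known: bool          # device reputation: seen and bound before
    ip_reputation: float        # 0.0 clean .. 1.0 known bad (assumed feed)
    behaviour_anomaly: float    # 0.0 .. 1.0 from a behavioural model (assumed)
    lat: float                  # current login geolocation
    lon: float
    prev_lat: float             # last successful login geolocation
    prev_lon: float
    hours_since_prev: float     # elapsed time since that login

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine), used for the impossible-travel check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def login_risk(ctx: LoginContext) -> float:
    """Combine signals into a 0..1 score; weights are illustrative assumptions."""
    score = 0.0
    if not ctx.device_known:
        score += 0.3
    score += 0.4 * ctx.ip_reputation
    score += 0.3 * ctx.behaviour_anomaly
    dist_km = km_between(ctx.prev_lat, ctx.prev_lon, ctx.lat, ctx.lon)
    speed_kmh = dist_km / max(ctx.hours_since_prev, 1e-6)
    if speed_kmh > 1000:        # faster than an airliner: impossible travel
        score += 0.5
    return min(score, 1.0)

def login_decision(score: float) -> str:
    """Initial sign-in tier: friction is reserved for the anomalous sessions."""
    if score >= 0.8:
        return "block"
    if score >= 0.4:
        return "step_up"        # passkey, device binding or out-of-band check
    return "allow"

SENSITIVE_ACTIONS = {"add_payee", "change_recovery", "high_value_transfer"}

def action_decision(action: str, minutes_since_strong_auth: float,
                    session_age_hours: float) -> str:
    """Post-login tier: sensitive actions need fresh strong auth regardless of
    how the login scored, so a stolen long-lived cookie alone is not enough."""
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    if session_age_hours > 24 or minutes_since_strong_auth > 10:
        return "reauthenticate"
    return "allow"
```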
For broader governance context, NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is a useful reminder that identity systems fail most often at the boundaries between policy, lifecycle, and exception handling. That same pattern applies here: the weakest point is often not the login screen, but the exception path that bypasses it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Risk-based authentication fits continuous access assurance and identity verification. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle discipline matters when recovery and session secrets are abused. |
| NIST AI RMF | Govern model-driven authentication decisions with monitoring, accountability, and human oversight. | The question involves adaptive, risk-aware decisioning under operational uncertainty. |
Related resources from NHI Mgmt Group
- How should retailers reduce login friction without increasing account takeover risk?
- How can teams reduce account takeover risk in apps outside SSO coverage?
- How can organisations reduce account takeover risk without hurting user experience?
- How should security teams reduce account recovery risk without making sign-in harder?
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org