Authentication insights from the team building Passkeys+ and Bridging. No buzzwords, no vendor fluff — just clear thinking on passkeys, fraud, and the future of financial authentication.
Mula-X is rolling out Ideem's Passkeys+ across its Thailand digital wallet platform, replacing SMS-based OTPs with biometric, device-bound authentication built on the FIDO standard.
Ideem has partnered with Unifonic, the region's leading AI-native customer engagement platform, to bring passwordless, phishing-resistant authentication to enterprises across the GCC. The partnership pairs Unifonic's reach with Ideem's MPC-based device binding to move the region's banks and brands beyond the password and SMS OTP burden.
FBI 2024 data shows 982 SIM-swap complaints and $26M U.S. losses. The UK reported a 1,055% surge. A $33M arbitration against T-Mobile in March 2025 has priced the legal exposure. The 2026 economics of SMS OTP bypass attacks and what it will take to retire SMS from financial services authentication.
The FIDO Metadata Service lets a bank identify, from the AAGUID carried in the attestation, which authenticator model created a passkey presented during onboarding. How banks turn MDS metadata into risk-tiered onboarding decisions, build a filtered BLOB, and capture the audit evidence regulators are starting to expect.
QCB announced its Data Handling and Protection Regulation in February 2025, joining a cybersecurity framework that mirrors the trajectory SAMA and UAE Central Bank are already on. What Qatari banks should be doing now to prepare for the inevitable authentication-specific directives.
Most passkey programs are launched on a security argument and extended on a CFO argument. The four cost categories that move when passkeys arrive, grounded in published 2025-2026 industry data, and the payback math that makes the spend defensible.
Conditional UI is the WebAuthn feature that turns passkeys into autofill suggestions and the single biggest lever for bank passkey adoption. An honest engineer's tour of where it works, where it breaks, and how to ship it cleanly.
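As an added example of the points that post makes (this is not Ideem's code), here is the client-side wiring for conditional UI: feature detection, a conditional `navigator.credentials.get()` with an empty `allowCredentials` list, and the AbortController handling that has to happen before a button-driven modal request can start. The rpId, the server helpers `fetchOptions`/`submitAssertion` and the endpoint paths mentioned in comments are assumptions; the credentials API is injectable so the same logic runs headless with a stub.

```javascript
// Added example (not Ideem's code): WebAuthn conditional UI (passkey autofill)
// on a login page, including the abort handling that trips most first deployments.
// rpId, endpoint names and the server helpers are assumptions. Browser code; the
// `credentialsApi` constructor argument is injectable so it also runs headless.

// base64url -> Uint8Array without Node's Buffer, so it works in browsers and Node.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}

// Options for a conditional get(). Two rules that bite in practice: allowCredentials
// must be empty (the browser enumerates discoverable credentials itself), and the
// request must carry an AbortSignal so it can be cancelled later.
function buildConditionalRequest({ challenge, rpId, signal }) {
  return {
    mediation: 'conditional',
    signal,
    publicKey: { challenge: b64urlToBytes(challenge), rpId, allowCredentials: [], userVerification: 'preferred' },
  };
}

// Feature detection: the method is missing on older browsers and resolves false where
// the platform has no autofill UI. Fall back to the button-driven modal flow in both cases.
async function conditionalUiAvailable(win = globalThis) {
  const PKC = win.PublicKeyCredential;
  if (!PKC || typeof PKC.isConditionalMediationAvailable !== 'function') return false;
  try { return await PKC.isConditionalMediationAvailable(); } catch { return false; }
}

class PasskeyAutofill {
  // fetchOptions(): GET a fresh challenge from the server (assumed /webauthn/options).
  // submitAssertion(cred): POST the assertion for verification (assumed /webauthn/verify).
  constructor({ rpId, fetchOptions, submitAssertion, credentialsApi = globalThis.navigator?.credentials }) {
    this.rpId = rpId;
    this.fetchOptions = fetchOptions;
    this.submitAssertion = submitAssertion;
    this.credentials = credentialsApi;
    this.controller = null;
  }

  // Call once on page load. The username <input> needs autocomplete="username webauthn";
  // the promise stays pending until the user picks a passkey from the autofill list.
  async start() {
    this.stop();
    this.controller = new AbortController();
    const { challenge } = await this.fetchOptions();
    try {
      const cred = await this.credentials.get(
        buildConditionalRequest({ challenge, rpId: this.rpId, signal: this.controller.signal }));
      return await this.submitAssertion(cred);
    } catch (e) {
      if (e && e.name === 'AbortError') return null; // cancelled by us, not a failure
      throw e;
    }
  }

  stop() { if (this.controller) { this.controller.abort(); this.controller = null; } }

  // "Sign in with a passkey" button. The pending conditional request must be aborted
  // first: browsers reject a second get() while one is still outstanding.
  async modalSignIn() {
    this.stop();
    const { challenge } = await this.fetchOptions();
    const cred = await this.credentials.get({
      publicKey: { challenge: b64urlToBytes(challenge), rpId: this.rpId, allowCredentials: [], userVerification: 'required' },
    });
    return this.submitAssertion(cred);
  }
}
```

In a page, `conditionalUiAvailable()` decides whether to call `start()` at load or show only the button; `modalSignIn()` is the button handler, and if it fails you can call `start()` again to re-arm autofill. Treat `AbortError` as routine: it fires every time you cancel, not only on errors.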
Adversary-in-the-Middle phishing kits are bypassing bank MFA in real time by relaying live traffic and stealing session cookies. What EvilProxy and Tycoon 2FA actually do, why traditional MFA falls down, and what stops them.
NIST SP 800-63-4 is the most significant update to U.S. digital identity guidelines in nearly a decade. A practical guide for U.S. banks on what changed, where passkeys fit at AAL2 and AAL3, and how to build a 2026-2027 alignment program.
Over two months we compared passkeys against every major banking authentication method — SMS OTP, TOTP, hardware keys, fingerprinting, magic links, and synced passkeys. Here is the full series, the cross-cutting takeaways, and where to start by role.
Banks deploying passkeys are facing a new governance challenge: not all passkeys carry the same weight. A framework for vetting passkey providers, mapping them to trust tiers, and enforcing policy at the authentication layer.
Magic links solved a real friction problem for consumer SaaS. They have not held up well for financial services. The security of the link is the security of the email account, the link itself is phishable, and the model has no device binding. Here is what comes next.
Synced passkeys solve a real usability problem and are a clear upgrade from OTP, TOTP, and push. But sync moves the security boundary of the credential to the user's cloud account. For financial services, that matters. Here is why device-bound passkeys close the gap.
Device fingerprinting is a useful fraud signal, not a possession factor for authentication. It is probabilistic, spoofable at scale, and excluded from the regulatory definition of strong authentication. Here is where it fits in a 2026 financial services architecture.
Real-time payment systems settle transactions in seconds, eliminating fraud detection windows banks traditionally relied on. Mature instant payment markets show fraud rates 2-3x higher than traditional rails when authentication doesn't match settlement velocity.
Hardware security keys introduce deployment, cost, and usability barriers impractical for consumer banking at scale. Software passkeys deliver equivalent cryptographic security through device secure enclaves while reducing support costs by 75%.
PSD3 builds on PSD2's authentication foundation with tighter fraud prevention standards, reduced exemption thresholds, and explicit guidance on phishing-resistant methods. EU financial institutions should prepare for implementation starting 2027-2028.
Account takeover in 2026 looks different from 2022. AiTM phishing kits sell as a service, deepfake voice clones bypass call-center verification, and OTP and lone biometrics no longer hold up. Here is what works in 2026 and what does not.
TOTP and authenticator apps were a meaningful upgrade from SMS OTP, but the underlying threat model has not changed. AiTM phishing defeats TOTP, the seed is exposed at enrollment, and cloud-synced apps create a single point of failure. Here is what comes next.
SAMA is advancing authentication requirements beyond traditional OTPs through the National Cybersecurity Authority's framework. Financial institutions should prepare for stricter standards prioritizing FIDO2 protocols and device-bound credentials.
NIST has classified SMS OTP as a restricted authenticator, adversary-in-the-middle phishing routinely defeats both SMS and email codes, and financial services authentication is moving to phishing-resistant, device-bound credentials. Here is a practical roadmap for the migration.
The BSP has confirmed the June 2026 Circular 1213 deadline stands. Philippine banks face a tight window to phase out SMS and email OTPs, deploy real-time fraud management systems, and earn AFASA liability protection. Here is the practical playbook.
AI agents are beginning to act on behalf of users inside banking applications - initiating transfers, checking balances, filing disputes. But the authentication infrastructure those agents rely on was designed for humans, not autonomous software. That gap is the next major security problem in financial services authentication.
Secure Payment Confirmation, expanding Visa and Mastercard passkey programs, and FIDO2's growing role in 3DS flows are converging toward a single credential layer at checkout. For financial institutions, understanding how these pieces fit together is no longer optional - it is a core architectural question.
The FIDO Alliance's 2025 consumer survey found that 69% of consumers have enabled passkeys on at least one account. That single data point changes the entire internal business case for passwordless authentication — shifting the CFO conversation from 'will users adopt?' to 'why haven't we deployed yet?'
Vietnam and the Philippines have moved decisively on authentication reform. Thailand, Malaysia, and Singapore are close behind. Southeast Asia is quietly becoming one of the most active regulatory environments for authentication in the world — and financial institutions need to be paying attention.
The UAE mandated it. Regulators globally are signaling it. Telcos are moving away from it voluntarily. SMS OTP has become the weakest link in financial authentication — and the industry's pivot away from it is happening faster than most anticipated.
More than 25 regulators worldwide have moved toward phishing-resistant authentication mandates. This isn't a trend — it's a wave. Here's what's driving the global convergence, which frameworks matter most, and what it means for financial institutions building authentication strategy today.
BSP Circular 1213 raised the authentication bar for Philippine financial institutions. More than two years on, compliance across the sector is uneven. Here's an honest assessment of the gaps, what full compliance actually looks like, and why the BSP's direction of travel won't reverse.
India's UPI processes billions of transactions monthly across vastly different devices, literacy levels, and connectivity conditions. Explore how RBI and Indian financial institutions are pioneering authentication approaches that serve both security and inclusion.
The five practices that separate high-adoption passkey deployments from stalled ones. A practitioner's playbook grounded in FIDO Alliance guidance and real implementation patterns.
AI has supercharged fraud. Voice cloning, deepfake KYC bypass, and LLM-crafted phishing all exploit one weakness: authentication built on shared secrets. Here's why cryptographic methods are the only ones AI can't beat.
The FIDO Alliance reports over 15 billion accounts can now use passkeys. That number changes the calculus for every bank still debating whether to deploy.
Saudi Arabia's central bank built one of the most actionable authentication regulatory frameworks in global financial services. Explore what SAMA got right — specificity, collaboration, and measurable outcomes — and why regulators worldwide are now studying its approach.
This is the fourth blog in a five-part series that explores the current state of passkeys and why enhanced implementations, what we call Passkeys+, are essential for meeting the security and compliance demands of
For decades, passwords were the default key to the digital world. Easy to implement and familiar to users, they offered convenience, but at a steep cost. As our digital footprints grew, passwords became both a security liability and a user burden. Complex requirements, frequent resets, and rampant reuse opened the floodgates to breaches, phishing attacks, and endless frustration.
In this episode of Smart Friends, Toby Rush shares the rollercoaster journey behind four startups and a nine-figure exit. From childhood influences to strategic sabbaticals, the conversation dives deep into the motivations behind serial entrepreneurship. Toby also unpacks the thinking behind his newest venture, Ideem, and how it’s aiming to make 2FA obsolete by bringing passkey-level security to payments and identity verification—without friction.
Let’s be honest, most two-factor authentication (2FA) methods are kind of a pain. Whether it’s scrambling to find your phone, entering a one-time code, or figuring out how to register a passkey, the process usually asks something of you. That’s fine for tech-savvy users. But what about everyone else?
Europe’s digital payments landscape is evolving—again. With the introduction of PSD3 and its companion regulation (PSR), the European Union is not only responding to rising fraud but also setting the stage for a more secure and inclusive financial future. At the heart of this shift lies a reimagining of Strong Customer Authentication (SCA) and the role that modern, passwordless solutions like passkeys might play in it.
When the internet exploded into a marketplace, battlefield, and everything in between, one of the biggest challenges became identity. How do you tell the difference between a legitimate user and a fraudster, especially when both show up from the same IP range, use the same browser, or even share similar behavior patterns?
For businesses operating online, getting a customer to the checkout page is hard enough. But getting them past it? That’s where payment acceptance becomes make-or-break.
In the ongoing battle against fraud and digital identity theft, Strong Customer Authentication (SCA) has emerged as a critical safeguard. Mandated in regions like the EU under the PSD2 directive and gaining traction globally, SCA aims to ensure that users are who they say they are before transactions are approved or sensitive information is accessed.
The future of checkout is fast, secure, and invisible. Passkeys are changing the way we log in, replacing clunky passwords with cryptographic credentials that are easier for users and harder for attackers to exploit. But when it comes to one-click checkout, relying on a single factor—even a passkey—isn’t always enough to ensure the transaction is legitimate. That’s where Ideem comes in.
One-click checkout should feel fast, effortless, and secure. Many platforms try to deliver this by leaning on device fingerprinting to recognize returning users. On paper, it seems efficient. But in practice, it introduces risk, friction, and a fragile trust model that simply cannot scale.