Authentication insights from the team building Passkeys+ and Bridging. No buzzwords, no vendor fluff — just clear thinking on passkeys, fraud, and the future of financial authentication.
Vietnam and the Philippines have moved decisively on authentication reform. Thailand, Malaysia, and Singapore are close behind. Southeast Asia is quietly becoming one of the most active regulatory environments for authentication in the world — and financial institutions need to be paying attention.
AI agents are beginning to act on behalf of users inside banking applications - initiating transfers, checking balances, filing disputes. But the authentication infrastructure those agents rely on was designed for humans, not autonomous software. That gap is the next major security problem in financial services authentication.
Secure Payment Confirmation, expanding Visa and Mastercard passkey programs, and FIDO2's growing role in 3DS flows are converging toward a single credential layer at checkout. For financial institutions, understanding how these pieces fit together is no longer optional - it is a core architectural question.
The FIDO Alliance's 2025 consumer survey found that 69% of consumers have enabled passkeys on at least one account. That single data point changes the entire internal business case for passwordless authentication — shifting the CFO conversation from 'will users adopt?' to 'why haven't we deployed yet?'
The UAE mandated it. Regulators globally are signaling it. Telcos are moving away from it voluntarily. SMS OTP has become the weakest link in financial authentication — and the industry's pivot away from it is happening faster than most anticipated.
More than 25 regulators worldwide have moved toward phishing-resistant authentication mandates. This isn't a trend — it's a wave. Here's what's driving the global convergence, which frameworks matter most, and what it means for financial institutions building authentication strategy today.
BSP Circular 1213 raised the authentication bar for Philippine financial institutions. More than two years on, compliance across the sector is uneven. Here's an honest assessment of the gaps, what full compliance actually looks like, and why the BSP's direction of travel won't reverse.
India's UPI processes billions of transactions monthly across vastly different devices, literacy levels, and connectivity conditions. Explore how RBI and Indian financial institutions are pioneering authentication approaches that serve both security and inclusion.
The five practices that separate high-adoption passkey deployments from stalled ones. A practitioner's playbook grounded in FIDO Alliance guidance and real implementation patterns.
AI has supercharged fraud. Voice cloning, deepfake KYC bypass, and LLM-crafted phishing all exploit one weakness: authentication built on shared secrets. Here's why cryptographic methods are the only ones AI can't beat.
The FIDO Alliance reports over 15 billion accounts can now use passkeys. That number changes the calculus for every bank still debating whether to deploy.
Saudi Arabia's central bank built one of the most actionable authentication regulatory frameworks in global financial services. Explore what SAMA got right — specificity, collaboration, and measurable outcomes — and why regulators worldwide are now studying its approach.
This is the fourth blog in a five-part series that explores the current state of passkeys and why enhanced implementations, what we call Passkeys+, are essential for meeting the security and compliance demands of
For decades, passwords were the default key to the digital world. Easy to implement and familiar to users, they offered convenience, but at a steep cost. As our digital footprints grew, passwords became both a security liability and a user burden. Complex requirements, frequent resets, and rampant reuse opened the floodgates to breaches, phishing attacks, and endless frustration.
In this episode of Smart Friends, Toby Rush shares the rollercoaster journey behind four startups and a nine-figure exit. From childhood influences to strategic sabbaticals, the conversation dives deep into the motivations behind serial entrepreneurship. Toby also unpacks the thinking behind his newest venture, Ideem, and how it’s aiming to make 2FA obsolete by bringing passkey-level security to payments and identity verification—without friction.
Let’s be honest, most two-factor authentication (2FA) methods are kind of a pain. Whether it’s scrambling to find your phone, entering a one-time code, or figuring out how to register a passkey, the process usually asks something of you. That’s fine for tech-savvy users. But what about everyone else?
Europe’s digital payments landscape is evolving—again. With the introduction of PSD3 and its companion regulation (PSR), the European Union is not only responding to rising fraud but also setting the stage for a more secure and inclusive financial future. At the heart of this shift lies a reimagining of Strong Customer Authentication (SCA) and the role that modern, passwordless solutions like passkeys might play in it.
When the internet exploded into a marketplace, battlefield, and everything in between, one of the biggest challenges became identity. How do you tell the difference between a legitimate user and a fraudster, especially when both show up from the same IP range, use the same browser, or even share similar behavior patterns?
For businesses operating online, getting a customer to the checkout page is hard enough. But getting them past it? That’s where payment acceptance becomes make-or-break.
In the ongoing battle against fraud and digital identity theft, Strong Customer Authentication (SCA) has emerged as a critical safeguard. Mandated in regions like the EU under the PSD2 directive and gaining traction globally, SCA aims to ensure that users are who they say they are before transactions are approved or sensitive information is accessed.
The future of checkout is fast, secure, and invisible. Passkeys are changing the way we log in, replacing clunky passwords with cryptographic credentials that are easier for users and harder for attackers to exploit. But when it comes to one-click checkout, relying on a single factor—even a passkey—isn’t always enough to ensure the transaction is legitimate. That’s where Ideem comes in.
One-click checkout should feel fast, effortless, and secure. Many platforms try to deliver this by leaning on device fingerprinting to recognize returning users. On paper, it seems efficient. But in practice, it introduces risk, friction, and a fragile trust model that simply cannot scale.