From Ideem — device-bound passkeys and A2A payment authentication for banks, fintechs, and payment platforms.

Regulatory News
8 min read

25+ Regulators Can't Be Wrong: The Global Shift to Phishing-Resistant Auth

More than 25 regulators worldwide have moved toward phishing-resistant authentication mandates. This isn't a trend — it's a wave. Here's what's driving the global convergence, which frameworks matter most, and what it means for financial institutions building authentication strategy today.
Written by Toby Rush. Published on February 10, 2026.

TL;DR

Regulators across more than two dozen jurisdictions globally have moved toward phishing-resistant authentication requirements - spanning the US, EU, Middle East, South Asia, Southeast Asia, and beyond. The mandates differ in language and enforcement mechanism, but they converge on the same technical destination: authentication that cannot be stolen, replayed, or socially engineered. NIST, UAE Central Bank, RBI, SAMA, BSP, SBV, ENISA, and NYDFS represent different regulatory traditions arriving at the same conclusion. For financial institutions, the question is no longer whether to adopt phishing-resistant authentication - it's how to build it once and satisfy the entire global mandate landscape.

There's a particular kind of clarity that comes when independent actors - operating under different legal traditions, in different markets, with different political pressures - arrive at the same conclusion. It's the kind of clarity that should end internal debates.

Regulators worldwide have now moved toward phishing-resistant authentication requirements. They used different language to get there. They're enforcing it on different timelines. But they're pointing at the same thing: authentication methods that cannot be compromised through phishing, SIM swap, credential theft, or social engineering. The global financial services sector is being asked, from every direction, to leave passwords and SMS OTP behind.

This post maps that regulatory landscape - where the mandates are, what they require, and what it means for institutions building authentication infrastructure that has to work everywhere.

How We Got Here

The regulatory convergence on phishing-resistant authentication didn't happen suddenly. It's the product of a decade of mounting fraud losses, increasingly sophisticated attack tooling, and the growing realization that credential-based authentication - passwords, OTPs, knowledge-based answers - shares a fundamental structural weakness: the credential can be stolen.

That weakness became undeniable as mobile banking scaled. The attack surface grew with the user base. SIM swap fraud, phishing kits that defeat OTP in real time, and AI-assisted social engineering have made the economics of credential theft increasingly favorable for attackers. Regulators watching fraud incident reports accumulate drew the obvious conclusion: allowing banks to rely on authentication credentials that can be stolen is no longer a defensible baseline.

Phishing-resistant authentication - specifically, FIDO2/WebAuthn-based passkeys and hardware security keys - solves the structural problem. The private key never leaves the device, the credential is bound to the specific relying party, and each signature covers a fresh server-issued challenge, so it cannot be replayed. You cannot phish something that was never transmitted.

Regulators figured this out. What's remarkable is how many of them figured it out at roughly the same time.

The United States: NIST and NYDFS Set the Technical Standard

In the US, the National Institute of Standards and Technology's SP 800-63-4 - finalized in 2024 - made the definitive technical statement: synced passkeys meet Authenticator Assurance Level 2 (AAL2). This classification matters because AAL2 is the benchmark that federal agencies and regulated industries reference when specifying authentication requirements. NIST's endorsement of synced passkeys as AAL2-compliant closed a debate that had slowed enterprise adoption and gave compliance teams the cover they needed to move forward.

The New York Department of Financial Services, through its Part 500 cybersecurity regulation, has driven parallel progress in the financial sector specifically. NYDFS Part 500 requires covered entities to implement multi-factor authentication for critical systems and has been progressively updated to reflect the evolving threat landscape. For the financial institutions operating under NYDFS jurisdiction - which includes many of the largest banks, insurers, and money transmitters in the country - phishing-resistant MFA isn't a future aspiration; it's a current compliance expectation.

Europe: PSD2, PSD3, and ENISA's Position

The European regulatory picture is shaped primarily by the Payment Services Directive framework. PSD2's Strong Customer Authentication requirements established binding technical standards for payment authentication across the EU, mandating multi-factor authentication for electronic payments, including specific conditions on the independence of the authentication factors. The framework effectively outlawed the weakest forms of authentication for payment transactions across the European banking sector.

PSD3, the revision currently working through the European legislative process, is expected to strengthen those requirements further, with passkey-based authentication well positioned to satisfy the enhanced standards. ENISA - the EU Agency for Cybersecurity - has highlighted passkeys as a strong authentication approach in its cybersecurity guidance, adding institutional weight to the technical case.

The European trajectory is clear: the SCA framework that PSD2 established is not the ceiling. PSD3 will raise it.

The Middle East: UAE Central Bank Mandates OTP Phase-Out

The UAE Central Bank's mandate to phase out OTP-based authentication for digital banking represents one of the most direct regulatory statements in the global landscape. Rather than specifying authentication standards through a technical framework, the UAECB identified the problem directly - OTP is the vulnerability - and required financial institutions to move away from it.

The mandate reflects the UAE's position as a financial hub acutely aware of the fraud patterns targeting its market. SIM swap fraud, in particular, has been a significant driver of account takeover losses across Gulf financial markets. The regulator's response was characteristically direct: if OTP is the attack surface, eliminate OTP.

Saudi Arabia's SAMA has taken a similar direction through its cybersecurity frameworks, building authentication requirements into the broader technology risk standards that Saudi financial institutions must satisfy. SAMA has been one of the more engaged regulators in the FIDO Alliance ecosystem, and its frameworks reflect a genuine understanding of the authentication technology landscape.

South Asia: RBI's 2FA Mandate and India's Scale

The Reserve Bank of India's two-factor authentication requirements for digital financial services represent one of the most consequential regulatory mandates in the world simply by virtue of the market size they cover. India's digital payments infrastructure - built on UPI, which processes billions of transactions monthly - operates at a scale that makes authentication architecture a systemic concern, not just an institutional one.

RBI's requirements have evolved as the threat landscape has evolved, with progressively stronger expectations for transaction authentication as mobile banking has grown. The direction is consistent with the global trend: toward device-bound, biometric authentication that eliminates the credential-theft attack vector that OTP-based systems leave open.

Southeast Asia: BSP, SBV, and the ASEAN Wave

The Philippines' BSP Circular 1213 and Vietnam's SBV Decision 2345 represent the leading edge of an ASEAN regulatory wave that is moving the region's fast-growing digital banking markets toward stronger authentication standards. Both regulators have moved toward biometric, device-bound authentication requirements - and both are operating in markets where digital banking adoption is accelerating faster than the legacy authentication infrastructure was designed to handle.

Thailand's Bank of Thailand and Malaysia's Bank Negara Malaysia have been developing parallel frameworks. Singapore's MAS has long maintained strong technology risk guidelines that push financial institutions toward robust authentication practices. The ASEAN picture is a region in active authentication transition, with regulators competing, in the best sense, to set standards that protect their growing digital financial markets.

Canada and Australia: OSFI and the Essential Eight

Canada's Office of the Superintendent of Financial Institutions has addressed authentication through its B-13 Technology and Cyber Risk Management guideline, which sets expectations for federally regulated financial institutions on authentication controls as part of broader cyber risk management. OSFI B-13 reflects the Canadian regulator's approach: principle-based requirements that push institutions toward stronger authentication without mandating specific technical implementations.

Australia's approach combines sector-specific guidance from APRA and ASIC with the government's broader Essential Eight cybersecurity framework, which includes phishing-resistant MFA in its maturity model. Australian financial institutions are operating under converging guidance from multiple directions - all pointing toward authentication that survives the modern threat landscape.

What the Convergence Means for Authentication Strategy

Regulators arriving at the same technical destination across so many jurisdictions creates a specific kind of strategic opportunity for financial institutions. The institutions that recognize the convergence for what it is - a global alignment on a single authentication architecture - can build once and satisfy the entire landscape. The institutions that continue treating each regulatory jurisdiction as a separate compliance project will build the same solution multiple times, at much greater cost, with much greater technical debt.

The architecture that satisfies NIST AAL2, PSD2 SCA, UAE Central Bank requirements, RBI mandates, BSP Circular 1213, and SBV Decision 2345 is the same architecture: FIDO2/WebAuthn-based passkeys, device-bound, with biometric verification and phishing-resistant credential design. That's not a coincidence. It's what happens when independent regulators all look at the same fraud data and draw the same conclusion.

The compliance complexity is real - different timelines, different enforcement mechanisms, different documentation requirements. But the underlying technical requirement has converged. For financial institutions building or rebuilding authentication infrastructure, that convergence is the most important fact in the landscape.

The Remaining Question

For some institutions, the internal debate about phishing-resistant authentication is still nominally open. The questions tend to cluster around user experience, implementation complexity, and the cost of moving off legacy systems. Those are real considerations. They're also the same considerations that were raised about every major authentication transition in history - and they've never, ultimately, stopped the transition.

When regulators across six continents have moved in the same direction, the question of whether to adopt phishing-resistant authentication has already been answered. The only question left is how to implement it well - at scale, across markets, in a way that serves customers and satisfies regulators simultaneously.

That's a harder question. But it's a much better one to be working on.

Sources

NIST SP 800-63-4 - Digital Identity Guidelines

NYDFS Part 500 Cybersecurity Regulation

EBA - PSD2 Strong Customer Authentication RTS

ENISA - NIS2 Directive

UAE Central Bank - centralbank.ae

Saudi Arabian Monetary Authority - sama.gov.sa

Reserve Bank of India - rbi.org.in

Bangko Sentral ng Pilipinas - bsp.gov.ph

State Bank of Vietnam - sbv.gov.vn

OSFI B-13 - Technology and Cyber Risk Management

FIDO Alliance - Passkeys
