The Evolution of Digital Banking Authentication – Part 2 – The Digital Banking Revolution

Last updated: 10 November 2022

2007 was the year that changed banking forever. It was the year we saw Apple launch the iPhone and in no time, feature phones were a thing of the past. Smartphones were everywhere, bringing with them mobile apps which went on to pave the way for the digital banking revolution that we know and use today.

In my last blog we delved into the evolution of remote financial services, exploring the steps that led us up to this point. But even since then, in just 15 years, the digital banking landscape has evolved even further, and continues to do so. So how did the smartphone era impact digital banking?

The rise of soft-tokens

The first use case from the banking industry, among others, of mobile apps brought us “soft-tokens”. Soft-tokens were the software version of a hardware OTP token turned into a mobile app. The user would still access the banking server through a PC or laptop presenting password as a first authentication factor. But now they would open a dedicated “authenticator” app, issued by the bank (or a bank´s trusted 3rd party) to get an OTP on their smartphone. Switching from a tamperproof offline device to a software token generator running on a multipurpose, and very much online device was, again, a major concession of security in the name of better UX whilst lowering costs. The innovation was received reluctantly… yet quickly embraced by more and more banks. The phone, whether through apps or through SMS OTP, became mainstream as a possession authenticator during the 2010’s.

But smartphones had an even bigger impact than that. They became not just an authenticator, but a channel. Banks started to replicate their digital web services in the form of mobile apps. Mobile banking (m-banking) was born as an alternative to internet banking (e-banking) and users were fast to embrace both the UX offered through apps and above all the “anytime, anywhere” access to digital banking services.

Integration of Software Development Kits

Mobile in-band strong customer authentication

Mobile banking apps also needed to be protected with SCA, and so they started to incorporate OTP generation capabilities, often by integrating Software Development Kits (SDKs) from security specialists like, Thales. These SDKs evolved to implement many software security features to protect the sensible OTP generation process, and even add over

all protection to the m-banking app – so, overtime, security of the apps improved.

But the improvement on UX was even higher. The mobile app could now generate an OTP and send it silently to the authentication backend to validate the possession factor, in real time and transparently to the end user.

Biometrics become mainstream

Mobile in-band strong customer authentication with biometrics

In 2013 Apple launched Touch ID on the iPhone 5S, and in 2017, Face ID on the iPhone X. The smartphone industry quickly followed suit, and along the second half of the 2010’s, biometrics became mainstream on mobile devices. For mobile banking, biometrics quickly came to replace knowledge as the “first” authentication factor of choice for end users – a solution fully compliant with the most demanding banking regulations, such as PSD2 in Europe.

Out of band

Out of band strong customer authentication

The security, and especially the UX, offered by mobile banking apps got so good, that banks wanted to leverage them to offer better access experience through all other channels available to their users. Mainly, of course, e-banking via PC/laptop, but also other channels such as voice calls or even ATM. For example, to start e-banking on a PC/laptop, where biometric support adoption was not as fast as on mobile, in 2020 a user is still asked to enter username and password. But thanks to out of band, there is no need to type an OTP anymore. Instead, when the user clicks enter, the banking server will trigger a push notification to wake up the bank’s mobile app on the user´s smartphone. The user will open the app and the app will silently generate an OTP and will send it to the backend as proof of possession. “Out of Band” (OOB) refers to the fact that the authenticator is a different device than the one used to access the service. This on itself brings in enhanced security. As for the UX, the OOB implies more friction than what we achieve for m-banking, but it is significantly better than having to type in an OTP.

Banking today

In band out of band SCA comparison

This long journey has brought us to where we stand today. We have started the 2020’s with all the different legacy authentication methods mentioned above still in use by banks all over the world. But the state of the art SCA in banking at the start of the 2020s can be summarised as:

  • Biometrics + in band mobile app OTP for m-banking
  • Password + OOB mobile app OTP for e-banking and any other channel

Technology advances have allowed us to greatly improve both UX and security over time. Not always in a straight line. For over a decade we faced a compromise between security and UX, and FIs had to accept degrading one in order to improve the other. But with the arrival of smartphones we have been able to leverage the connectivity and power of these devices to improve both UX and security to where we stand today.

The future of banking

While FIs were implementing all these changes on their banking services, and users were being exposed to them, something else has been going on behind the scenes over the last 8 years. Something that was revealed to the grand public in the summer of 2022, but that will change the way we access digital services over the next decade.

We are indeed on the brink of a major paradigm shift for authentication to digital services.

The arrival of FIDO Passkeys

Evolution of strong customer authentication

Experience from the past tells us that the arrival of FIDO Passkeys is likely to drive financial institutions to address end user demand for an even better UX, as well as associated legitimate security and service continuity concerns.

This October (18th), I will speak at the FIDO authenticate conference in Seattle about the evolution of security and UX in financial services – along with the technology solutions that have helped this to grow.

Stay tuned for my next blog post where we will look at what FIDO, WebAuthn and Passkeys are, and what impact they will have on digital banking services in the coming years.

For further reading, visit:

Leave a Reply

Your email address will not be published. Required fields are marked *