A Passwordless Future for Financial Services

By Ben LeClaire, Plante Moran

Major technology providers, including Microsoft, Google and Apple, are shepherding a new standard of user authentication: passwordless authentication, a method for validating a user's identity without a password. The term covers several methods, including biometrics, passkeys, security keys and out-of-band authentication (such as codes sent by SMS or email). Not all of them are equally strong: passkeys and security keys bind each login cryptographically to the legitimate website and so resist phishing, while a code sent by SMS or email can still be relayed by an attacker who tricks the user into typing it on a lookalike site. Taken together, these methods offer a more secure, efficient approach than conventional authentication.

As cyberthreats grow more sophisticated, conventional methods such as passwords, and even multifactor authentication (MFA), once a best-practice improvement on passwords alone, have become targets for attackers, exposing credential-based systems to undue risk. Passwordless authentication removes the reusable secret that credential-based attacks steal, guess or phish, improving security, usability and compliance.

Financial institutions are exploring this strategy in an evolving compliance landscape, as Big Tech pushes for industry standards to reinforce passwordless solutions. Regulatory bodies have also begun updating their guidance to encourage phishing-resistant authentication as a stronger standard, reflecting a broader industry shift beyond traditional MFA. As the industry moves into a new era of security standards, institutions should anticipate and prepare for policies that impose stricter authentication requirements. Early adopters will be better positioned to meet future compliance expectations while improving security and efficiency for their users.

The Benefits of Going Passwordless

Passwordless authentication can help protect your financial institution from security breaches, streamline operations and minimize noncompliance risk as regulatory frameworks evolve to reflect modern authentication methods.
Top benefits of this new approach include:

• Enhanced Cybersecurity: Passwords are often the weakest link in an institution's security chain, exposing data and systems to phishing, account takeover and other credential-based attacks. Phishing-resistant methods such as passkeys and security keys, typically unlocked on the device with a biometric or PIN, reinforce your security and guard against unauthorized users and cyberattacks.

• Streamlined User Experience and Operations: Passwordless authentication removes password resets, the support tickets they generate and the security incidents that follow compromised passwords. It simplifies login for employees and customers by eliminating password fatigue, and it reduces the drain on IT support and budgets caused by password-related requests.

• Strengthened Compliance Posture: Passwordless methods can help future-proof your authentication system as regulatory bodies and compliance rules evolve to reflect industry best practices for authentication.

A Security Pivot Isn't Without Challenges

Strategic adoption is critical to minimize the operational challenges and new risks that come with passwordless technology. Your implementation strategy should consider the following:

• Outdated Compliance Standards: Many financial regulations still refer to password-based controls, making it unclear how institutions should satisfy requirements such as FDICIA, ICFR and FFIEC guidance. As authentication methods evolve, so will regulatory guidance; institutions need to review their authentication methods against the latest requirements and be prepared to adapt their systems and policies to remain compliant.

• User Adoption: Employees and customers may resist, or struggle with, new authentication methods. Comprehensive training and user education help achieve buy-in across your institution and minimize disruption.
• Security Gaps: Implemented poorly, passwordless solutions can introduce new vulnerabilities. A login is only as strong as its weakest recovery path: fallback mechanisms (password resets, security questions or 2FA) that are poorly implemented can be bypassed by attackers, and because they sit behind the passkey they need the same scrutiny as the primary method.

• Legacy Systems: As passwordless becomes the prevailing approach, most systems will support it. However, some institutions still have legacy systems in place that

Colorado Banker 10
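The "Enhanced Cybersecurity" and "Security Gaps" points above both turn on one mechanism: a passkey assertion carries the origin the browser was actually on, and the relying party refuses anything signed for another origin, whereas a one-time code carries nothing an attacker cannot forward. The following Python is an added illustration, not code from the article or from Plante Moran. The domains bank.example and bank-login.example are hypothetical, and the authenticator's public-key signature is stood in for by an HMAC so the example runs with the standard library alone; the origin, RP ID, challenge and user-presence checks are the WebAuthn rules a real relying party enforces.

```python
# Added example (not from the article): why a passkey assertion relayed from a
# phishing page fails at the relying party while a relayed SMS/email code passes.
# Hypothetical names: bank.example (legitimate RP) and bank-login.example (lookalike).
# HMAC stands in for the authenticator's asymmetric signature (e.g. ES256).
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"              # hypothetical relying party ID
RP_ORIGIN = "https://bank.example"  # the only origin this RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get() on a page at page_origin.

    The browser, not the page script, writes the origin into clientDataJSON and
    only permits an RP ID that is the page's own registrable domain, so a page
    at bank-login.example cannot request a bank.example credential.
    """
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData = rpIdHash (32) || flags (1, user-present bit) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ES256
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks in the order WebAuthn prescribes: ceremony type,
    challenge, origin, rpIdHash, user presence, then the signature over
    authenticatorData || SHA-256(clientDataJSON). Returns (ok, reason)."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (KeyError, ValueError):
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    auth = assertion["authenticatorData"]
    if len(auth) < 37 or auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def verify_otp(expected: str, submitted: str) -> bool:
    """An SMS/email code names no origin: whatever reaches the server verbatim passes."""
    return hmac.compare_digest(expected, submitted)


def phishing_relay_demo(cred_key: bytes = None) -> dict:
    """Three logins against the same server challenge: the legitimate passkey,
    a passkey assertion relayed through the lookalike page, and a one-time code
    relayed the same way."""
    cred_key = cred_key or secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    legit = browser_get_assertion(cred_key, RP_ORIGIN, challenge)
    # Attacker proxies the RP's real challenge to a victim on the lookalike page
    # and forwards whatever the victim's browser produces.
    relayed = browser_get_assertion(cred_key, "https://bank-login.example", challenge)
    # Same relay against a six-digit code the victim types on the lookalike page.
    otp = "%06d" % secrets.randbelow(10**6)
    return {
        "legit": rp_verify_assertion(cred_key, legit, challenge),
        "relayed_passkey": rp_verify_assertion(cred_key, relayed, challenge),
        "relayed_otp_accepted": verify_otp(otp, otp),
    }


if __name__ == "__main__":
    for name, result in phishing_relay_demo().items():
        print(name, result)
```

The relayed passkey fails at the origin check before the signature is even examined; in a real browser it would fail earlier still, because the lookalike page cannot name bank.example as its RP ID and no matching credential would be offered. The relayed code passes because there is nothing in it to check against the site the user was on, which is why the article's fallback paths (SMS or email codes behind a passkey) deserve the same scrutiny as the passkey itself.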