Summary: Banks lead all sectors in consumer digital trust — but that lead is fragile. Authentication is the moment where trust is won or lost, and legacy methods are failing on both counts: they expose customers to phishing and account takeover while creating the friction that drives abandonment. This article examines how FIDO-based passkeys resolve the UX-security tension for banking customers, which passkey model fits which use case, and what two real-world deployments reveal about getting it right at scale.
Authentication Is Now a Revenue Problem
Banking leads all sectors in consumer digital trust, with 57% of consumers most comfortable sharing personal information with financial institutions, according to the 2026 Thales Digital Trust Index. But that lead is not structural — it is earned at every login, every onboarding flow, every step-up prompt. The same research finds that 68% of consumers have abandoned or switched providers due to poor digital experiences, with authentication friction among the most commonly cited causes. A further 33% will not complete the sign-up process because they perceive it as too complex, and 36% will defer or switch to a different method entirely.
For banks rolling out FIDO authentication to their customers, the implication is direct: authentication design is no longer a security decision with UX consequences. It is a revenue decision with security requirements.
The UX vs. Security Trade-Off Is a Legacy Problem
The assumption that stronger security means more friction persists in banking. But it is an artefact of legacy authentication, not an inherent property of strong authentication.
Passwords require creation, storage, and periodic reset. OTPs introduce delay and interception risk. Both methods fail on both dimensions simultaneously: they are vulnerable to phishing, adversary-in-the-middle attacks, and credential stuffing, while also being slower and more effortful than customers expect from a modern digital service.
FIDO-based authentication breaks that trade-off structurally. It replaces shared secrets with a per-site key pair whose private key never leaves the authenticator. What crosses the wire is a signature over a fresh server challenge and the origin the browser actually observed, so a response collected at a look-alike domain is rejected by the real bank, a captured response cannot be replayed against a new challenge, and there is no reusable secret to stuff. That resistance depends on the browser or platform enforcing the relying-party ID binding and on the server actually checking origin and challenge; a deployment that skips those checks loses the property. At the same time, the authentication gesture itself, a biometric or device unlock, is faster and more intuitive than any password or OTP flow.
Security and usability improve together, not at each other’s expense.
The Thales report reinforces this: consumers reward security that is visible and understandable. Passkeys, once experienced, are recognised as more secure than OTP codes and password prompts. That recognition translates directly into trust.
Choosing the Right Passkey for the Right Context
Not all passkeys offer the same assurance level, and banking deployments need to deliberately match the credential type to the use case. The two primary models:
| | Device-bound passkey | Synced (multi-device) passkey |
| --- | --- | --- |
| How it works | Private key stored on a single device or hardware token; cannot be exported or synced | Private key synced across the user's devices through the platform vendor's cloud account |
| Assurance level | High: the credential cannot leave the enrolled device | Moderate: depends on the security and recovery flow of the user's cloud account |
| Best for | Transaction authorisation, strong customer authentication (SCA), and high-value account access | Lower-risk consumer access, multi-device convenience, and onboarding |
| Banking use case | Corporate customers, high-value retail segments, and regulated SCA requirements | Retail banking login, broad consumer-base deployment |
For most retail banking customers, synced passkeys offer a meaningful security improvement over passwords while dramatically reducing friction, particularly for users who authenticate across multiple devices.
For corporate customers, high-value account holders, and any scenario requiring regulatory-grade strong customer authentication, device-bound passkeys, whether hardware FIDO security keys or mobile authenticator apps that keep the key on the handset, provide the assurance level and control that those contexts demand.
The strategic opportunity is in orchestrating both: a risk-based authentication layer that applies the appropriate passkey type based on the user segment, transaction value, and contextual signals, rather than enforcing a single method across the entire customer base.
Why FIDO Adoption Improves Conversion and Trust
The commercial case for passwordless banking login is increasingly well evidenced. Beyond the abandonment figures, FIDO-based authentication addresses three distinct drivers of banking revenue and cost:
Eliminating password friction at sign-up and login directly reduces abandonment at the points where it is most commercially damaging: account opening, onboarding, and first transaction. Fewer drop-offs mean more completed journeys without changing marketing or acquisition spend.
Passkeys are also trust-visible in a way that backend security controls are not. Consumers who use mobile authentication or a hardware key intuitively understand that the bank has invested in their protection. That perception sustains the trust premium that banking currently holds, and which competitors in adjacent financial services are actively working to erode.
Finally, phishing-resistant authentication directly reduces account takeover fraud. Fewer successful attacks mean lower investigation costs, fewer fraud write-offs, and reduced operational load on fraud and customer service teams. These are benefits that compound as deployment scales.
FIDO in Practice: Two Bank Deployments
Reducing account takeover for digital banking customers
A large European bank faced a sustained increase in phishing attacks targeting its retail customer base. Incumbent authentication (passwords and OTP card readers) was proving inadequate against adversary-in-the-middle (AitM) proxies that intercepted one-time codes in real time. Account takeover fraud was rising, and customer confidence was under pressure.
The bank deployed FIDO hardware security keys delivered directly to digital banking customers on demand, supported by a FIDO server securing access to its online banking platform. Because the hardware key’s cryptographic response is bound to the legitimate domain, phishing proxies cannot intercept usable credentials. Account takeover rates fell, and the bank was able to offer a personalized, high-assurance delivery model that became a visible signal of customer protection rather than a hidden backend control.
Modernizing retail and corporate access across a mixed customer base
A digital bank in America needed to retire an end-of-life on-premises authentication platform that served both retail and corporate customers with different legacy methods: a mobile OTP app for retail and hardware OTP tokens for corporate. The replacement had to improve security, reduce operational cost, and accommodate the different risk profiles of its two customer populations.
The bank deployed a cloud-based identity platform with mobile device-bound passkeys for retail customers and hardware FIDO tokens for corporate customers. Retail customers gained a familiar, frictionless biometric login that eliminated OTP delays; corporate customers retained hardware-grade assurance with a more manageable credential lifecycle than legacy tokens. The cloud migration reduced infrastructure costs, and the risk-based model ensured authentication strength matched the sensitivity of the customer segment and the transaction, rather than being applied uniformly across a diverse base.
Authentication at the Heart of the Customer Relationship
For banks deploying FIDO to their customers, the authentication moment is no longer a backstage infrastructure concern. It is the opening interaction of every digital banking session, and the point at which trust is most directly tested. Banks that treat it as such, deploying passkeys that match credential type to customer segment and transaction risk, simplifying enrollment, and making security visible rather than invisible, will find that phishing resistance and customer satisfaction move in the same direction.
In a sector where the trust lead is real but not guaranteed, passwordless banking login is not a security upgrade. It is a customer experience decision with security built in.
Author bio:
Sarah is a true team player who works in product marketing for enterprise authentication and access management solutions. Her passions lie in discovering how companies can secure access to their data and protect themselves from cyber-attacks. When not solving problems for big business, she likes distracting her 14-year-old son from his Nintendo Switch, singing and playing guitar with friends.
Sarah leads technology alliances within Thales’s IAM product marketing team. For the past several years, she has been fully involved in the Go to Market activities of Thales Passwordless FIDO Authentication solutions for Enterprises, contributing to several roundtables, presentations and demos around passwordless authentication in major events like RSA, FIC and Gartner.
Sarah contributes to the FIDO Alliance Marketing Committee. Before joining Thales IAM and focusing on cybersecurity, Sarah led Telecom & IOT marketing initiatives in Gemalto.