A customer gets a text message from their bank. It looks real. The branding is familiar.
They tap.
A moment later, a one-time passcode arrives.
Another message prompts them to enter it to “verify unusual activity.”
By the time the bank’s fraud system flags the behavior, the attacker has already drained the account. This isn’t a rare case. It’s today’s reality.
SMS-based identity and push notifications are no longer a shield; they’re an open door.
For years, SMS one-time passwords and push notifications were seen as the quick fix to password problems. They’re cost-effective, fast and easy to deploy at scale. But the numbers and the breaches tell a different story. Attackers have caught up, and what was once “good enough” for two-factor authentication is now a liability. From SIM swaps to push fatigue attacks, mobile identity signals built on phone numbers and notifications
Nowhere has the failure of mobile-based identity been felt more acutely than in financial services. Over the past year, banks and fintechs have seen
Banking regulators and security agencies are now mandating a shift away from SMS-based authentication, citing its vulnerability to interception, spoofing and social engineering. CISA (the U.S. Cybersecurity and Infrastructure Security Agency) has formally warned that SMS-based authentication is no longer secure and advocated for phishing‑resistant alternatives like passkeys. NIST’s guidelines deprecated SMS as an authentication method back in 2016, and even the U.S. Patent and Trademark Office phased out SMS and voice‑based multifactor authentication, or MFA, earlier this year.
Push-based MFA was meant to be an upgrade. Instead, it shifted the vulnerability from software to human behavior. Hackers no longer need to break into systems; they just exhaust people. A flood of approval requests, now known as MFA fatigue, has become one of the most successful social engineering tactics in use today. All it takes is one accidental tap on “approve,” and the attacker is in.
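The request flood described above leaves a recognizable trace in authentication logs: many denied or ignored prompts for one user in a short span, sometimes ending in an approval. The following is an added example, not from the original article, that flags this pattern in a constructed push-MFA log; the log format, outcome names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log: (ISO timestamp, user, outcome).
SAMPLE_LOG = [
    ("2024-05-01T02:10:00", "alice", "denied"),
    ("2024-05-01T02:10:40", "alice", "timeout"),
    ("2024-05-01T02:11:15", "alice", "denied"),
    ("2024-05-01T02:12:05", "alice", "timeout"),
    ("2024-05-01T02:12:50", "alice", "denied"),
    ("2024-05-01T02:13:30", "alice", "approved"),   # approval right after a burst
    ("2024-05-01T09:00:00", "bob", "approved"),     # ordinary login
    ("2024-05-01T09:30:00", "carol", "denied"),
    ("2024-05-01T13:00:00", "carol", "denied"),     # two denials hours apart
    ("2024-05-01T13:00:30", "carol", "approved"),
]

def detect_push_fatigue(log, window=timedelta(minutes=10), threshold=4):
    """Return alerts for bursts of unanswered/denied prompts per user.

    An alert is raised once `threshold` non-approved prompts fall inside
    `window`; it is upgraded to 'approved_after_burst' if an approval
    arrives while the burst is still inside the window.
    """
    recent = defaultdict(deque)   # user -> timestamps of non-approved prompts
    alerts = {}                   # user -> alert dict (one per user, worst case kept)
    for ts_raw, user, outcome in sorted(log):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()           # drop prompts that aged out of the window
        if outcome == "approved":
            if len(q) >= threshold:
                alerts[user] = {"user": user, "severity": "approved_after_burst",
                                "prompts": len(q), "at": ts_raw}
            q.clear()
        else:
            q.append(ts)
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "severity": "burst",
                                "prompts": len(q), "at": ts_raw}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An `approved_after_burst` alert is the case worth acting on first, for example by revoking the resulting session and requiring re-enrollment with a phishing-resistant factor.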
Meanwhile, cybercriminals are getting more organized. From phishing kits that intercept one-time passwords in real time to telecom network breaches that expose SMS traffic, the assumption that these mobile channels are secure has been shattered.
Is it time for a fundamental shift? What if the most secure identity signal isn’t something your customer remembers or approves, but something already embedded in their device?
While SIM cards have historically been exploited through SIM-swapping, their hardware foundation, particularly in eSIMs, can serve as a secure and tamper-resistant anchor for identity. When paired with telecom network signals, they enable cryptographic proof of device control and user presence, turning what was once a vulnerability into a trusted layer of authentication.
In many ways, that shift is already happening.
Today’s smartphones include secure hardware: SIMs, eSIMs, secure enclaves, and cryptographic chips that can anchor identity in ways that are tamper-resistant, invisible to malware, and immune to phishing. Instead of relying on what people know or do, the next generation of authentication is built on what they have.
Technologies like eSIM-based identity attestation,
So, what’s unique about these new technologies? They work outside the app layer, making them invisible to malware. They can’t be phished, since there’s nothing for the user to enter or approve. They provide cryptographic proof that the person still controls the device. And they fit seamlessly into onboarding, payments and day-to-day authentication.
For financial institutions, this isn’t just a security upgrade. It’s a competitive edge. When fraud prevention becomes seamless and invisible, the customer experience improves alongside risk posture. Trust becomes a product feature, not just a back-end control.
Early adopters are already phasing out SMS-delivered one-time passwords, retiring push-only MFA and tapping into telecom-level signals to power smarter fraud controls. The next wave of innovation won’t come from better passwords or smarter alerts. It will come from cryptographic trust that starts at the chip.
In a world where trust is currency, securing identity at the hardware level may be the only way to stay ahead.
Financial services leaders now face a choice: Continue patching a broken model or shift to a hardware-rooted foundation for identity, one that eliminates spoofable signals, shrinks fraud losses and rebuilds trust at the point of interaction.
This isn’t just a security imperative; it’s a strategic one. In a world where trust is currency, financial institutions that have identity experience will own the customer.
Trust can’t be bolted on anymore. It must be built in, starting at the chip.