
Beyond Passwords – Why Identity Must Evolve to Keep Up With the World
Another notable moment at the FTT Fintech Festival 2025 was a session examining what it truly takes to move beyond passwords. It was a lively, honest, and sometimes slightly alarming discussion about the future of authentication, identity signals, biometrics, and security in a world that is becoming more digital, more connected, and more vulnerable.
If chargebacks taught us how easily financial systems can be misused, this panel revealed how fragile our identity systems still are and how urgently they need to evolve. The old authentication methods, such as passwords, memorable words, and PINs, no longer match the reality we live in. Fraud has evolved. Customer expectations have shifted. Banks have mastered the onboarding process, but the challenge lies in everything that follows. Every login, transaction, device change, or attempt to reset an email address or transfer large sums of money introduces risk. Organisations increasingly depend on a blend of behavioural indicators, mobile network signals, device intelligence, and biometrics. Nearly every industry, from banking to telecoms to gaming, now faces the same question: How do you verify a person securely without compromising their experience?
The Rise of Mobile Identity Signals
One of the most interesting parts of the discussion was how the mobile industry is emerging as a trust anchor in its own right. Your phone number and SIM card have become a digital bridge between your offline and online identities. Mobile operators now provide real-time network signals that can help confirm whether a device is genuine, active, recently swapped, stolen or behaving unusually. These signals are incredibly powerful because they work quietly in the background with no friction, no selfies and no codes to type in. They simply improve confidence.
We’re already seeing a significant shift in adoption. More businesses now rely on telecom data to strengthen fraud prevention, reduce account takeover and add “invisible security” to digital journeys. Yet, as the panel highlighted, signals alone aren’t enough. They raise the floor, but they don’t secure the ceiling.
Biometrics, Deepfakes and the New Reality of Trust
Biometrics remain a sensitive topic, and rightly so. They’re powerful, but they come with enormous responsibility. If stolen, they cannot be replaced. Historically, most biometric systems required storing biometric templates on servers, which is a major risk and a potential honeypot for attackers. This is why banks continue to rely on call centres, SMS codes, and other outdated methods, even though they frustrate customers and cost organisations millions.
Emerging privacy-preserving biometric technologies are beginning to change this. Zero-knowledge proofs, multi-party computation and privacy-enhancing cryptography now allow biometric matching without ever storing the biometric itself. If deployed correctly, these technologies could be a game-changer. However, deepfakes are now part of the threat landscape. As one speaker put it, “The genie is out of the bottle. Authentication is digital now, so impersonation is digital too.” This makes biometrics necessary, but not sufficient. They must be layered with device verification, behavioural patterns and cryptographic trust.
The Right Amount of Friction — A Moving Target
A recurring theme was the idea of “the right friction”. We all want security, but we don’t want constant interruptions. And what counts as acceptable friction varies wildly:
- Someone transferring their life savings expects strong checks.
- Someone buying groceries online expects almost none.
- A wealthy client transferring £10,000 may find friction irritating; an average customer might find a lack of friction worrying.
Banks are realising that knowing each customer’s habits, risk profile, and expectations is more important than using one-size-fits-all rules. The future isn’t frictionless. The future is intelligent friction applied only when signals fall out of pattern.
The Phone Is Powerful, But Is It Enough?
One of the most thought-provoking questions came from the audience: have we pushed the smartphone too far?
We treat it as a wallet, identity provider, authentication device, payment tool, travel pass and life organiser, but it has limits. Batteries die. Devices get stolen. Children use them. Deepfakes exploit them. Device-native biometrics can be easily replaced by anyone who has temporary access to the phone.
Some countries, like Singapore, are already reverting to physical tokens for high-assurance authentication. This sparked a fascinating conversation about whether the industry eventually needs a dedicated digital identity device, separate from the consumer phone, especially if identity becomes critical infrastructure. It’s a big question and one the fintech world will need to grapple with.
Multiple Layers, Not One Silver Bullet
Despite the differences in industry, geography and regulation, the panellists agreed on one thing: there is no single solution to identity.
The future lies in layering:
- behavioural signals
- device cryptography
- mobile network intelligence
- secure biometrics
- dynamic risk-based decisioning
- continuous authentication
Not everything will be automated. Not everything should be automated. When something looks unusual, a human will still need to intervene. Identity verification is an active, ongoing relationship rather than just a doorway.
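The "intelligent friction" and layered, risk-based decisioning described above, as an added example that is not from the panel or any vendor: signals are scored against the customer's own baseline, and the score picks the friction level, including hand-off to a human. The field names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Signals:
    amount: float                          # transaction amount, GBP
    typical_amount: float                  # customer's usual transfer size (behavioural baseline)
    hours_since_sim_swap: Optional[float]  # operator signal; None = no recent swap reported
    known_device: bool                     # device previously bound to this account
    new_payee: bool

# Weights and thresholds are illustrative assumptions, not calibrated values.
SIM_SWAP_WINDOW_H = 72
STEP_UP_AT, REVIEW_AT = 30, 70

def risk_score(s: Signals) -> int:
    score = 0
    ratio = s.amount / max(s.typical_amount, 1.0)  # how far out of pattern for this customer
    if ratio > 10:
        score += 40
    elif ratio > 3:
        score += 20
    if s.hours_since_sim_swap is not None and s.hours_since_sim_swap < SIM_SWAP_WINDOW_H:
        score += 40
    if not s.known_device:
        score += 25
    if s.new_payee:
        score += 15
    return min(score, 100)

def friction(s: Signals) -> str:
    score = risk_score(s)
    if score >= REVIEW_AT:
        return "manual_review"  # a human intervenes
    if score >= STEP_UP_AT:
        return "step_up"        # ask for a stronger authentication check
    return "allow"              # no visible friction

# Constructed sample customers (not real data)
WEALTHY = Signals(10_000, 8_000, None, True, False)
AVERAGE = Signals(10_000, 300, None, True, False)
AVERAGE_AFTER_SWAP = Signals(10_000, 300, 5, True, False)
GROCERIES = Signals(45, 60, None, True, False)

if __name__ == "__main__":
    for name, s in [("wealthy", WEALTHY), ("average", AVERAGE),
                    ("average, SIM swapped 5h ago", AVERAGE_AFTER_SWAP),
                    ("groceries", GROCERIES)]:
        print(f"{name}: score={risk_score(s)} -> {friction(s)}")
```

The same £10,000 transfer passes silently for the customer whose baseline is £8,000, triggers a step-up for the customer whose baseline is £300, and goes to a human once a recent SIM swap is layered on top.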
Where Research Is Still Missing
The session raised several deep questions that the industry has yet to solve. These are powerful areas for academic research and exactly the “wicked problems” that networks like UKFin+ can help address:
1. How do we detect and defend against deepfake-powered identity attacks at scale? What behavioural, cryptographic or environmental signals can reliably distinguish real users from synthetic ones?
2. What does “continuous authentication” look like in a way that is ethical, private and transparent? How can we ensure customer safety without raising surveillance concerns?
3. How should identity systems treat teenagers, elderly people and other groups who cannot rely on phones as secure devices? What new device categories or trust models could support digital inclusion?
4. How can privacy-preserving biometrics be standardised and audited across industries? What governance is needed to ensure biometric systems remain safe even as cryptography evolves?
5. What is the optimal blend of friction and seamlessness for different risk levels, user profiles and transaction types? Can we quantify “the right friction” in a way that supports both security and customer experience?
These questions cut across technology, psychology, law, human behaviour and ethics — making them ideal for academic–industry collaboration.
Final Thoughts
This session captured a truth that cuts across every digital service we use: security used to be more about what you know, but now it’s more about who you are, how you behave, and the signals that surround you.
And because those signals are constantly changing, the systems that protect us must change just as quickly. We are moving towards a world where identity is dynamic, multi-layered and highly contextual. A world where mobile networks, biometrics, cryptography and behavioural intelligence work together. A world where passwords finally fade into the background, but only if we build identity systems that balance trust, privacy and usability for everyone.