Mitigating human risk (and frustration) in banking and enterprise transactions

Sarah Van De Vyver,

Flexibility is built into OneSpan’s innovative new DIGIPASS CX authenticators 

A recent Verizon report indicates that up to 82% of data breaches involved human elements such as social engineering or human error, in the 12-month period ending November 2021. The financial sector was particularly hard hit, by almost a quarter of all attacks. Couple that with over a million social engineering attacks in the first quarter of 2022 alone, and you get the impression of an industry under siege.  

The fact is, identity theft, credential theft, and social engineering fraud continue to rise, and customers are the number one target, particularly as the value of remote agreements continues to increase.  

These attacks can cause reputational damage, customer churn, and billions in lost revenue, to say nothing of the impact on operational costs and brand reputation. This is borne out by the stats: up to 67% of consumers who suffer fraud will switch their bank or credit union as a result

To make matters worse, fraud is not the only business risk. For banks and other financial institutions (FIs), being perceived as obsolete may result in even greater customer churn than fraud—up to 81% of adults say the quality of their online experience determines who they bank with.  

This is why security tends to be on one end of a dangerous game of see-saw, with ease of use at the opposite end.  

Putting the onus on the client doesn’t work 

Too often, the see-saw lands with a clunk.  

That’s because most traditional authentication approaches rely on the consumer to do the right thing, and result in customer frustration during login and when conducting day-to-day transactions. They’re also insufficient. 

Static passwords, knowledge-based authentication (KBA), email verification, SMS and voice/ call back authentication cause high friction. They can be prone to social engineering fraud such as adversary-in-the-middle, keylogging, credential stuffing, smishing and brute force attacks. Solutions such as strong two-factor authentication can be circumvented when the user is tricked in revealing their one-time password (OTP). 

The point is, these rigid security measures are frictional and susceptible to attack, which means clients are both frustrated and vulnerable. See-saws clearly make for a poor operational model. 

Our mission is to accelerate our customer’s digital transformations by enabling secure, compliant, and refreshingly easy digital customer agreements and transactions. In other words, the way we see things, security doesn’t have to be a tradeoff for the customer experience—or for the enterprise experience, for that matter.  

That’s where our next-gen DIGIPASS CX® smart devices come in. 

Making things much more flexible 

As we developed the concept of connected smart authenticators, flexibility was our guiding principle. Fundamentally, our new DIGIPASS CX devices provide a passwordless solution that reduces social engineering fraud – without adding friction to the user journey.  

See DIGIPASS CX devices in action here:

It was critical for us that DIGIPASS CX devices be refreshingly easy to adopt and configure. That’s why a single device can meet a range of different business needs, from authentication and transaction authorization, to document signing and credential storage. 

What’s really revolutionary, however, is their remote update capability. Secure remote updates can be installed even after DIGIPASS CX devices have been deployed and distributed, thanks to their connectivity with the DIGIPASS Cloud Console. The console manages the secure communication channel without needing to rely on the security of the underlying transport layers (Bluetooth or Wi-Fi), which ensures message authenticity, confidentiality, and replay resistance. 

This cloud configurability is an industry first, and it means organizations have the flexibility to activate new features, or customize the user journey, or modify configuration or security parameters. This is important in a threat environment where enterprises must adapt quickly to evolving technology, changing business needs, and ever-more sophisticated attacks.​  

Such configuration and lifecycle options can be deployed with the DIGIPASS Cloud Console. For instance, enterprises and FIs may wish to customize and adapt authentication and transaction flows and languages, and publish them directly to their users. With support for multiple authentication methods – including FIDO2 and OATH – DIGIPASS CX smart devices enable organizations to secure their applications and services using the appropriate protocol for each environment.  

At any time, organizations can create, configure, update, delete, or reassign devices to their user base.  

Enterprises and FIs can also easily scale their roll-out of DIGIPASS CX devices, with a straightforward subscription-based pricing model that includes the management console. DIGIPASS CX devices also play nicely with OneSpan’s back-end solutions and mobile app solutions, so organizations can develop hybrid deployment models as needed.  

Now let’s dig into security and ease of use. 

How DIGIPASS CX smart devices work to protect — and delight — your clients  

DIGIPASS CX devices work in connected mode, so one-time passwords are never disclosed. Instead, they are encrypted and transferred in the back end. As there are no passwords to steal, there is reduced exposure to schemes that rely on passwords, such as adversary-in-the-middle and adversary-in-the-browser attacks, account takeover, and replay attacks.  

Eliminating passwords improves usability, and friction is further reduced thanks to stronger, more convenient authentication with fingerprint biometrics. 

Users can also log on and sign transactions and documents anywhere. While DIGIPASS CX devices can be connected to the desktop via USB, they are also Bluetooth/NFC-enabled. This means they work seamlessly with any user laptop, desktop computer, tablet, or phone, to ensure maximal user adoption.  

At the actual point of transaction, users are presented with contextual information about the service they want to log onto or the transactions they sign (WYSIWYS): all transaction details are encrypted and presented for verification by the user before signing.  

In the context of complex, high-value agreements, DIGIPASS CX devices also support OneSpan’s broader portfolio, including Virtual Room. This is the most secure way to authenticate all parties during virtual video signing sessions.  


OneSpan continues to innovate across our entire portfolio, with the philosophy that a secure client experience is a good client experience. However, you simply don’t get there if your authentication security solutions do not reflect your processes and applications: these are cases where one size cannot fit all. That’s why DIGIPASS CX devices have been designed to provide maximum flexibility to enterprises, banks, and other FIs – both before and after deployment. As for security, the arrival of DIGIPASS CX devices could not be timelier, with whole industry sectors essentially under siege from social engineering threats. With no passwords to disclose, DIGIPASS CX devices resist identity and credential theft, and mitigate the human risk in social engineering attacks. 


DIGIPASS CX Smart Devices
Product overview

Introducing the new DIGIPASS CX smart devices

Meet a flexible solution designed to strengthen trust and improve the integrity of online transactions.









Sarah is Product Marketing Manager at OneSpan and responsible for OneSpan’s FIDO, hardware and server solutions. She has over 15 years of experience in ICT and Communications and held previous positions within OneSpan’s Corporate Communications department.

Popup default