MENA Banking’s Next Advantage: Passkeys+
TLDR
Fintech is booming in MENA, and banks face mounting pressure to modernize. Passkeys, a phishing-resistant, device-bound authentication method using public key cryptography and biometrics, offer both security and UX benefits. Regions such as the UK and tech giants like Microsoft show that early passkey adoption confers a competitive advantage. The Central Bank of the UAE has issued a binding mandate requiring banks to phase out SMS and email one-time passwords by March 31, 2026, replacing them with app-based authentication. This accelerates the case for MENA banks to adopt stronger solutions. Standard syncable passkeys, while convenient for consumer apps, are not sufficient for regulated financial services. Banks need device-bound, non-syncable implementations like Zero-Trust Secure Module (ZSM) technology. Passkeys+ combines passkey convenience with the control and compliance that MENA banks require.
The Growth Imperative in MENA
The Middle East and North Africa (MENA) region is witnessing explosive growth in fintech. From digital wallets to embedded finance and BNPL services, customers now expect fast, secure, and seamless digital banking. Traditional banks are under pressure to elevate their offerings or risk losing ground to more agile competitors.
What Are Passkeys and Why They Matter
Passkeys are a passwordless authentication method built on public key cryptography. A device generates a key pair: a private key stored securely on the device and a public key registered with the bank or service provider. Authentication is completed with a biometric check or PIN, without any password entry.
Passkeys deliver two clear benefits:
- Stronger security by eliminating phishing, credential reuse, and OTP fraud (daytoday.ae)
- Frictionless UX with Face ID, fingerprint, or device unlock (apnews.com)
The Limitation of Syncable Passkeys
While passkeys have gained global momentum, most consumer implementations are syncable, meaning they are stored in a cloud keychain and can be used across devices. This convenience is valuable for social apps or e-commerce logins, but it introduces risk in regulated financial services where device identity and control are critical.
If a user can sync their banking credential to multiple unmanaged devices, the bank loses visibility and assurance over the authentication environment. Regulators in regions like the UAE are moving away from OTPs for precisely this reason: too much exposure, not enough control.
This is why device-bound passkeys are emerging as the gold standard for financial services. They cannot be synced across devices, ensuring that credentials remain tied to a trusted, verified endpoint.
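A relying party can see the syncable versus device-bound distinction in the WebAuthn authenticator data, whose flags byte carries the Backup Eligible (BE) and Backup State (BS) bits. The following is an added example, not code from this article or from any vendor it names: the policy function, reason strings and sample bytes are hypothetical and constructed, and signature, origin and attestation checks are assumed to happen elsewhere.

```javascript
// Added example with constructed data; policy and reason names are hypothetical.
// Flag bits of the WebAuthn authenticatorData flags byte (offset 32).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential may be synced
    backupState: (flags & FLAG.BS) !== 0,    // credential is currently backed up
    signCount: view.getUint32(33, false),
  };
}

// Bank-side policy: accept only user-verified, non-syncable credentials.
// The flags are reported by the authenticator; attestation checks are separate.
function evaluateDeviceBoundPolicy(bytes) {
  let ad;
  try {
    ad = parseAuthenticatorData(bytes);
  } catch (err) {
    return { accept: false, reason: "malformed-authenticator-data" };
  }
  if (ad.backupState && !ad.backupEligible) {
    return { accept: false, reason: "invalid-backup-flags" }; // BS without BE is not allowed
  }
  if (!ad.userPresent || !ad.userVerified) {
    return { accept: false, reason: "user-verification-required" };
  }
  if (ad.backupEligible) {
    return { accept: false, reason: "syncable-credential" };
  }
  return { accept: true, reason: "device-bound" };
}

// Constructed sample: zeroed rpIdHash, chosen flags, chosen signature counter.
function makeSample(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(evaluateDeviceBoundPolicy(makeSample(0x05, 7))); // UP|UV
console.log(evaluateDeviceBoundPolicy(makeSample(0x1d, 0))); // UP|UV|BE|BS
```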
Lessons from Other Regions
Microsoft’s redesign of its authentication flow emphasized passkeys and defaulted users into them, boosting adoption by 987 percent (microsoft.com).
In the UK, government services have demonstrated how passkeys reduce login times from over a minute to just seconds (thetimes.co.uk).
But in financial contexts, leaders in Singapore and the EU show that regulatory pressure consistently pushes banks toward non-syncable, device-verified methods, not general consumer implementations.
Spotlight on the UAE’s CBUAE Mandate
The Central Bank of the UAE (CBUAE) announced in July 2025 that all banks must phase out SMS and email OTPs by March 31, 2026, with in-app and biometric approvals already rolling out in 2025 (corbado.com). The directive is an explicit recognition that OTPs are no longer fit for purpose. For banks, this is both a compliance requirement and a strategic opening to leapfrog to stronger, phishing-resistant authentication.
Why Passkeys+ is the Way Forward
Banks in MENA should not stop at generic passkey adoption. Passkeys+, built on technologies like Ideem’s Zero-Trust Secure Module (ZSM), combines the convenience of passkeys with the security and compliance of device binding. With Passkeys+:
- Credentials remain bound to the verified device, not synced to uncontrolled environments
- Regulatory requirements for strong customer authentication are met
- Fraud vectors like SIM swaps, phishing, and credential sharing are eliminated
- Customers still enjoy the simple biometric experience of a passkey
The Business Case for MENA Banks
Reduced fraud, faster onboarding, and higher customer retention all follow naturally from a secure, frictionless authentication method. With the CBUAE mandate setting the timeline, the banks that move first will enjoy the greatest competitive advantage.
Integration Roadmap
- Launch pilot programs using device-bound passkeys in mobile app logins.
- Educate customers on the difference between passkeys and OTPs, highlighting security and speed.
- Expand adoption to onboarding flows and transaction authorizations.
- Deploy Passkeys+ with ZSM to lock credentials to verified devices.
- Continuously refine flows with customer feedback.
Conclusion: Lead, Not Follow
The UAE mandate makes it clear that OTPs are finished. Standard syncable passkeys are a step forward but fall short of what financial services require. Passkeys+ gives banks the competitive edge, combining the convenience customers want with the control regulators demand.
MENA banks have a rare chance to set the pace globally in authentication innovation. Those that move now will define the future of digital banking in the region.