Blog

Securing customer data is no longer just a technical concern — it’s a core part of building trustworthy banking products. As a product owner, you’re likely to encounter conversations about cryptographic techniques — terms like encoding, hashing, encryption, digital signing, and authentication codes often surface in discussions around security and compliance. However, these concepts can be complex and occasionally overwhelming, especially if you don’t work hands-on with the underlying technology.

A quiet but important standards update has helped make passkeys and FIDO2 authentication ready for the quantum era.

In our latest webinar, Wultra’s special guest, Jiří Pavlů, a Mathematical Security Expert at Raiffeisen Bank’s Cryptology and Biometrics Competence Centre, joined Petr Dvořák, Wultra’s CEO and founder, for an insightful discussion about post-quantum authentication.

The upcoming PSD3 and Payment Services Regulation (PSR) introduce new expectations for how banks and payment service providers approach strong customer authentication (SCA). One of the most significant changes is the requirement to offer an alternative authentication method for users who cannot—or choose not to—use smartphones.

By challenging common authentication-related excuses with critical thinking, your organization can take a proactive approach to security and strengthen your authentication.

The rise of quantum computing is reshaping the foundations of cryptography and, by extension, authentication. While many industries rely on authentication methods like FIDO2 tokens, X.509 certificates, RFID tokens, mobile push authentication, OTP tokens, and more, these mechanisms heavily depend on cryptographic algorithms that will soon be obsolete.

Recent advancements in quantum computing and the NIST standardization of quantum-resistant cryptography have motivated security-conscious organizations to assess the impact of the quantum threat across their digital ecosystems and explore innovative cyber-security solutions, including post-quantum authentication, to stay ahead of emerging threats.

With the advent of quantum computing, organizations must transition from legacy authentication methods to post-quantum authentication (PQA) before Q-Day — the point when quantum computers can break conventional encryption. However, switching to PQA isn’t just a technical upgrade; it’s a transformation that impacts user experience, security, and compliance.

European banks are already navigating complex regulatory changes, including PSD3/PSR and the EU Digital Identity Wallet. However, a third less visible but equally urgent challenge looms: Post-quantum cryptography (PQC). While compliance and digital identity projects dominate the conversation, banks must prepare for a cryptographic shift that will define the security of financial services in the next decade.

"Harvest now, decrypt later" has become the phrase on everyone’s lips when discussing post-quantum cryptography. The idea is simple: Adversaries collect encrypted data today and wait for the arrival of quantum computers that can break current encryption methods. But is this really the only threat we should focus on?