One Of The World's Largest Banks Goes Passwordless
How a global financial institution transformed workforce authentication for 200,000+ employees with SecureAuth Workforce Authority—achieving 75% faster logins and eliminating the friction of complex passwords and RSA tokens.
About The Organization
One of the world's largest financial institutions with operations spanning retail banking, investment banking, asset management, and commercial banking across multiple continents. As a systemically important institution, security and compliance are paramount to every technology decision.
Authentication Was Broken
Before SecureAuth, employees faced daily friction that impacted productivity and actually weakened security through workarounds.
Password Fatigue
Employees were required to create and remember complex passwords that were changed regularly. This led to constant reset requests and frustration, impacting productivity.
Clunky RSA Token Workflows
Every login required a separate RSA hardware token, generating one-time codes. Employees had to carry tokens everywhere, wait for codes to sync, and deal with battery failures and lost tokens.
Helpdesk Overload
Password resets and token issues consumed significant IT support resources. Each forgotten password or malfunctioning token meant downtime and frustrated employees waiting for help.
Security vs. Usability Tradeoff
Traditional MFA created friction that hindered productivity.
Business Outcomes
Measurable impact across security, productivity, and IT operations
Logins are now lightning-fast compared to the previous password+token process, boosting employee productivity across all regions.
70% of the workforce (~100k users) migrated to fully password-free workflows using biometrics or FIDO2 passkeys.
The solution scaled to the entire organization across 10+ global regions, demonstrating robust enterprise readiness.
Password reset and token-related support calls have plummeted thanks to self-service recovery options.
Why SecureAuth Was Chosen
The bank evaluated multiple identity providers and selected SecureAuth Workforce Authority for these key differentiators.
Adaptive Risk-Based Approach
Unlike static MFA, SecureAuth continuously evaluates risk and adjusts authentication requirements in real time. Low-risk logins are frictionless; anomalies trigger step-up verification.
Microsoft Infrastructure Integration
Seamless integration with existing Active Directory, ADFS, and ADCS investments. No rip-and-replace required—SecureAuth extends and enhances what's already deployed.
Financial Industry Compliance
Proven track record meeting strict regulatory requirements including SOX, GLBA, PCI-DSS, and OCC guidance on authentication and access controls.
Enterprise Scale & Readiness
Demonstrated ability to handle 200,000+ users across global regions with high availability, redundancy, and 24/7 support for mission-critical financial operations.
The Challenge
The institution faced mounting authentication friction and security concerns that impacted both employee productivity and security posture:
- Password fatigue from complex passwords causing daily friction and constant resets
- Clunky RSA token workflows creating delays during critical operations and trading hours
- Rising security demands from regulators requiring stronger authentication without degrading user experience
- Need to modernize without disrupting existing Microsoft infrastructure investments (AD, ADFS, ADCS)
- Helpdesk overload from password reset and token-related support calls consuming IT resources
- Requirement for continuous, adaptive security—not just point-in-time MFA that can be bypassed post-login
- Global deployment complexity spanning 10+ regions with different compliance requirements
The New Authentication Experience
From 20+ seconds with password and RSA token to 3-5 seconds with a simple QR scan or passkey tap.
QR Code Login
Scan with mobile app, verify with biometrics, instantly logged in
Passkey Authentication
FIDO2 passkey with Face ID or fingerprint—no codes to type
Hardware Key
YubiKey tap for privileged users who prefer physical tokens
SecureAuth Workforce Authority Deployment
A comprehensive identity platform with multiple components working in concert to enable passwordless, secure access across the enterprise.
Smart Logon
An enterprise authentication app (SecureAuth mobile app) integrated with ADFS that enables passwordless login via QR code scanning and FIDO2 passkeys. At login, users simply scan a QR code or use a registered passkey on their device to authenticate. Smart Logon binds a passkey credential to each user's device (creating a 'device-bound' passkey) for seamless ADFS single sign-on. An AD password fallback is available only if needed for non-enrolled users.
- QR code-based web authentication
- FIDO2 passkey support with biometrics
- Device-bound credential binding
- Seamless ADFS SSO integration
- Push notifications for approvals
Device Authority Agent
A lightweight agent on workstations and VDI (virtual desktop) endpoints that provides passwordless desktop access. It leverages ephemeral smartcard certificates to allow users to log in and lock/unlock shared workstations with a tap or mobile approval instead of typing passwords. The agent integrates with the bank's Active Directory Certificate Services (ADCS) to issue short-lived certificates ('ephemeral smartcards') for each login session.
- Ephemeral smartcard certificate issuance
- ADCS integration via Certificate Gateway
- VDI and shared workstation support
- One-touch unlock via mobile app
- Seamless Windows domain login
Enterprise Passkey Management
A centralized system to manage employees' WebAuthn/FIDO2 credentials (passkeys) across the organization. This allows the bank to issue, bind, and revoke passkeys for users at scale—whether stored on users' smartphones (via Smart Logon) or on hardware security keys—all tied back to the user's Active Directory identity for governance and audit.
- Centralized credential lifecycle management
- AD identity binding and governance
- Mobile and hardware key support
- Enterprise-wide passkey revocation
- Compliance audit trail
YubiKey Credential Storage
Support for hardware security keys (like YubiKeys) as a second form of passwordless authentication. Privileged users and employees who prefer a physical key can use YubiKeys to store cryptographic credentials (FIDO2 keys or X.509 certificates), which integrate seamlessly with SecureAuth's login flows. This provides an extra layer of security and a convenient alternative to mobile-based auth.
- FIDO2 key storage on hardware
- X.509 certificate support
- Privileged access security
- Password-free hardware authentication
- Backup authenticator option
Risk-Based Authentication
Continuous risk evaluation is built into every login and device access attempt. SecureAuth evaluates contextual signals—device posture, location, user behavior, time of access, network characteristics—during authentication. If risk is low, users get a frictionless experience; if higher risk is detected (e.g. anomalous device or behavior), the system steps up with additional verification or restricts access in real time.
- Contextual signal analysis
- Adaptive step-up prompts
- Behavioral analytics and anomaly detection
- Real-time risk scoring
- Action-level enforcement post-login
Mobile-First Credential Recovery
SecureAuth's mobile-first credential recovery process enables users to re-prove their identity via the mobile app or an ADFS plugin flow (e.g. scan ID, facial biometrics)—without calling the helpdesk. This self-service recovery is both secure and convenient, eliminating helpdesk bottlenecks.
- Self-service identity re-proofing
- ID document + biometric verification
- No helpdesk required for recovery
- Secure new passkey enrollment
- Old credential revocation
Meeting Financial Industry Regulations
SecureAuth Workforce Authority was proven to meet strict financial-industry regulations, a critical requirement for a systemically important institution.
- Sarbanes-Oxley access controls and audit requirements
- Gramm-Leach-Bliley customer data protection
- Payment Card Industry authentication standards
- Office of the Comptroller of the Currency guidance
- Federal Financial Institutions authentication guidance
- NIST 800-63 digital identity guidelines
Key Takeaways
In summary, SecureAuth's Workforce Authority deployment at this leading bank showcases how a large, regulated enterprise can successfully embrace passwordless, continuous authentication at scale. By integrating Smart Logon, device trust, and adaptive risk-based security into the bank's existing environment, the solution delivered a more secure yet simpler login experience for over 300,000 employees.
This case exemplifies the business value of marrying strong security with frictionless usability—passwordless is not only possible at scale, it's transformative.