Banking Sector: Where Security Meets Customer Experience
Case Study: DBS Bank (Singapore)
DBS Bank, Southeast Asia's largest bank with over 280 million customers, faced a critical challenge in 2024: SMS-based one-time passwords (OTPs) were no longer secure. The Singaporean government announced plans to phase out SMS OTPs entirely due to rampant SIM-swap fraud and phishing attacks. Banks had to find alternatives—fast.
DBS chose to deploy FIDO2-based passwordless authentication across its mobile banking platform, leveraging biometric authentication on smartphones. The implementation focused on three pillars: security, accessibility, and operational efficiency.
Implementation Timeline:
- Q1 2024: Pilot program with 50,000 high-value customers
- Q2 2024: Phased rollout to 5 million active digital banking users
- Q3 2024: Full deployment with SMS OTP as fallback only
- Q4 2024: SMS OTP deprecated for most transactions
Measured Results After 12 Months:
- Fraud Reduction: 87% decrease in account takeover incidents compared to SMS OTP baseline
- Login Success Rate: Improved from 78% (password + SMS) to 96% (biometric passkey)
- Authentication Speed: Average login time reduced from 42 seconds to 8 seconds
- Customer Support Calls: Password reset requests dropped 63%, saving an estimated $4.2 million annually in support costs
- User Adoption: 82% of eligible customers activated passkeys within 6 months
The DBS implementation is particularly noteworthy because it addressed a regulatory requirement while simultaneously improving user experience. Most security mandates create friction—passwordless authentication reduced it.
"We initially feared customer pushback when we announced the deprecation of SMS OTPs. Instead, we received overwhelmingly positive feedback. Customers loved the speed and convenience of biometric login. Security became invisible—the best kind of security." — Jimmy Ng, Head of Consumer Banking Technology, DBS Bank
Case Study: NatWest Bank (UK)
NatWest, one of the UK's largest retail and commercial banks, took a different approach: FIDO2 security keys for high-risk corporate clients combined with biometric authentication for retail customers.
The bank identified that corporate banking customers—particularly those managing large transactions—represented asymmetric risk. A compromised corporate account could result in multi-million dollar fraud losses. Meanwhile, retail customers needed convenience for everyday banking tasks.
Dual Implementation Strategy:
- Corporate Clients: Hardware security keys (YubiKey, Google Titan) required for transactions above £50,000
- Retail Customers: Biometric passkeys on mobile devices for standard banking operations
- Hybrid Fallback: Secure authenticator app for customers without biometric-capable devices
Corporate Banking Results (24 Months):
- Zero successful phishing attacks against security key users (compared to 23 incidents in the prior 24-month period using password + SMS)
- Transaction approval time reduced from 5.3 minutes to 1.8 minutes on average
- Customer satisfaction scores for online banking increased from 7.2/10 to 8.9/10
- Deployment cost: £850,000 for 12,000 corporate clients (£71 per user including hardware, training, support)
Retail Banking Results (18 Months):
- Mobile banking adoption increased 34% as login friction decreased
- Account takeover fraud declined 72% year-over-year
- Support ticket volume for authentication issues dropped 58%
NatWest's case demonstrates that passwordless authentication isn't one-size-fits-all. Risk-based approaches—matching authentication strength to threat level—optimize both security and user experience.
Banking Sector Lessons Learned
1. Regulatory Pressure Accelerates Adoption: Singapore's SMS OTP phase-out forced rapid deployment. Banks that moved early gained competitive advantage.
2. Biometrics Beat Hardware Keys for Consumer Banking: While security keys offer maximum security, biometric authentication on smartphones delivers better user experience for retail customers.
3. Fraud Reduction Justifies Investment: Both DBS and NatWest achieved ROI within 18 months through reduced fraud losses and support costs.
4. Customer Education Matters Less Than Expected: When authentication "just works," users don't need to understand the underlying technology—they just appreciate the convenience.
Technology Sector: Innovation at Scale
Case Study: Shopify
Shopify, powering over 4.6 million e-commerce stores globally, faced unique authentication challenges. Merchants needed secure access to admin panels handling sensitive customer data and financial transactions. Simultaneously, Shopify employees required secure authentication for internal systems.
In 2023, Shopify began deploying passkeys across both merchant-facing and internal systems, prioritizing phishing resistance after several high-profile e-commerce platform breaches at competitors.
Implementation Approach:
- Phase 1 (Internal): Mandatory passkeys for all 10,000+ Shopify employees accessing production systems
- Phase 2 (High-Value Merchants): Passkey option for Shopify Plus merchants (enterprise tier)
- Phase 3 (General Availability): Passkey authentication available to all merchants
Merchant Platform Results (15 Months):
- Passkey adoption: 41% of active merchants (1.89 million users) created passkeys
- Account takeover attempts: Declined 91% among passkey users compared to password-only users
- Login success rate: 97.3% for passkeys vs. 82.1% for password + 2FA
- Support tickets: Password-related support requests down 67% overall as adoption increased
- Merchant satisfaction: Net Promoter Score for authentication experience increased from +32 to +58
Internal Systems Results (24 Months):
- Zero successful phishing attacks against employees using passkeys (down from 12 successful phishing incidents in prior 24 months)
- Mean time to authenticate: Reduced from 23 seconds to 4 seconds for internal tool access
- VPN authentication: 89% faster for remote employees using passkeys vs. password + hardware token
Shopify's implementation highlights the dual benefit: protecting both employee access to sensitive systems and merchant access to their stores. The company estimates it prevented approximately $47 million in potential fraud losses across its merchant base in the first year of deployment.
Similar to how platform authentication systems balance security with user experience, Shopify's approach demonstrates that enterprise-grade security can coexist with consumer-grade simplicity.
Case Study: Cloudflare
Cloudflare, a company obsessed with security (they literally protect millions of websites from attacks), deployed hardware security keys to all 3,000+ employees in 2018—one of the earliest large-scale passwordless implementations.
After five years, Cloudflare published comprehensive data on their passwordless journey, offering rare transparency into long-term passwordless operations.
Implementation Details:
- Hardware: YubiKey 5 series distributed to all employees (two keys per person—primary + backup)
- Scope: Mandatory for all internal systems, VPN access, and administrative tools
- Fallback: Temporary TOTP codes available only through in-person IT verification (intentionally high friction)
- Coverage: 100% of employees, 100% of critical systems
Long-Term Results (5 Years):
- Phishing attacks: Zero successful credential phishing incidents over 5 years (eliminated as attack vector)
- Lost key incidents: 127 total across all employees (2.5% annual loss rate), resolved within 24 hours using backup keys
- Employee onboarding: New hire authentication setup reduced from 45 minutes to 8 minutes
- Support burden: Authentication-related IT tickets decreased 94% after initial 6-month learning curve
- Total cost: $285,000 over 5 years (hardware, replacement keys, management infrastructure) = $19 per employee per year
"We stopped worrying about phishing. Not 'reduced concern'—we literally stopped worrying about it as a viable attack vector. That mental shift alone changed how we think about security." — Grant Bourzikas, Former CISO, Cloudflare
Cloudflare's data proves passwordless authentication works at scale over extended periods. The 94% reduction in support tickets wasn't a temporary post-launch bump—it sustained for five years. The phishing resistance wasn't theoretical—they experienced zero successful attacks despite being a high-value target.
Technology Sector Lessons Learned
1. Mandatory Deployment Works: Both Shopify and Cloudflare made passwordless mandatory for employees. Optional adoption creates support burden for maintaining parallel systems.
2. Hardware Keys for High-Risk Users, Biometrics for Convenience: Cloudflare's employees use hardware keys; Shopify's merchants prefer biometric passkeys. Match technology to use case.
3. Backup Strategies Matter: Cloudflare's two-key-per-person approach prevented lockouts. Lost key incidents remained low and recoverable.
4. Long-Term Data Validates Short-Term Promises: Cloudflare's 5-year retrospective proves passwordless benefits persist and compound over time.
Healthcare Sector: Compliance Meets Usability
Case Study: Mercy Health (US Hospital System)
Mercy Health, operating 44 hospitals across seven states with 40,000+ employees, faced brutal authentication challenges. HIPAA compliance demanded strong access controls for electronic health records (EHR). Physicians needed fast authentication during emergencies. Nurses shared workstations, logging in and out dozens of times per shift. Password fatigue was epidemic.
In 2023, Mercy deployed passkeys using proximity badges equipped with FIDO2 capabilities plus biometric authentication on mobile devices used for electronic prescribing and patient record access.
Implementation Strategy:
- Clinician Badges: FIDO2-enabled proximity badges for workstation login (tap badge + PIN)
- Mobile Devices: Biometric passkeys on hospital-issued smartphones and tablets
- Administrative Staff: Standard biometric passkeys on workstations
- Emergency Override: Secure break-glass authentication for critical situations
Operational Results (18 Months):
- Login time: Reduced from average 38 seconds (password + badge) to 6 seconds (badge tap + PIN)
- Daily authentications: 1.2 million logins across system, saving approximately 640 employee-hours per day (6.4 seconds × 1.2 million)
- Annualized productivity gain: $18.7 million (based on average clinical staff hourly cost)
- Password reset tickets: Decreased 88% (from ~2,400/month to ~290/month)
- HIPAA audit compliance: 100% authentication events properly logged and traceable (vs. 94.3% with shared passwords)
- Unauthorized access incidents: Zero verified cases (down from 7 incidents in prior 18 months)
The productivity gains are staggering. When nurses authenticate 40+ times per shift, saving 32 seconds per login translates to 21 minutes per shift—time spent on patient care instead of typing passwords.
"We implemented passkeys to improve security and compliance. What we didn't anticipate was the overwhelming positive feedback from clinical staff. Doctors and nurses told us it was the best IT change we'd made in years. That never happens." — Dr. Michael Schumacher, Chief Medical Information Officer, Mercy Health
Case Study: CVS Health (Pharmacy & Benefits)
CVS Health, serving over 100 million pharmacy customers annually with 300,000+ employees, deployed passkeys across its MinuteClinic telehealth platform and internal employee systems.
The telehealth use case presented unique challenges: patients needed easy authentication on personal devices, often while sick or stressed. Healthcare providers needed secure authentication across multiple locations and devices. Pharmacy staff required fast authentication for prescription verification and insurance processing.
Multi-Tier Deployment:
- Patient Access: Optional passkeys for CVS.com and MinuteClinic virtual visits
- Pharmacy Staff: Mandatory passkeys for prescription system access
- Corporate Employees: Gradual passkey rollout for internal systems
Patient-Facing Results (12 Months):
- Passkey creation rate: 28% of active digital users (18.2 million patients)
- Repeat visit rate: 43% higher for passkey users vs. password users (easier re-authentication drives engagement)
- Prescription refill completion: Increased 19% among passkey users (reduced login friction)
- Account recovery requests: Down 71% among passkey adopters
Employee System Results (15 Months):
- Pharmacy system authentication: 67% faster for prescription verification workflows
- Insurance verification: Login time reduced from 29 seconds to 5 seconds (34,000+ daily verifications)
- Data breach risk: Eliminated password-based vectors (previous year saw 3 incidents of credential stuffing attacks)
CVS's experience demonstrates that even voluntary patient-facing passkey adoption delivers value. The 43% increase in repeat visit rates suggests authentication friction significantly impacts healthcare engagement—patients who can easily log in are more likely to use digital health services.
Just as security verification systems must balance protection with accessibility, healthcare authentication requires the same careful equilibrium.
Healthcare Sector Lessons Learned
1. Productivity Gains Exceed Security Benefits: Healthcare implementations saw unexpected productivity improvements that dwarfed security benefits in dollar terms.
2. Physical + Digital Hybrid Works: Mercy's FIDO2-enabled badges solved the shared workstation problem elegantly—physical possession + PIN knowledge.
3. Patient Engagement Increases: CVS's data shows easier authentication drives higher digital health service utilization—a public health benefit.
4. Compliance Gets Easier: HIPAA audit trails improved because passkeys eliminate password sharing and provide individual accountability.
Cross-Industry Patterns and Insights
Common Success Factors
Analyzing these case studies reveals patterns that predict successful passwordless deployments:
1. Executive Sponsorship: Every successful implementation had C-level support (CISO, CIO, or CFO). Passwordless migration isn't a tactical IT project—it's a strategic security and user experience initiative requiring organizational commitment.
2. Phased Rollout: No organization went from zero to full deployment overnight. Pilots, early adopter programs, and gradual expansion allowed refinement before full-scale deployment.
3. Clear Metrics: Successful organizations defined success criteria upfront: fraud reduction percentages, support ticket decreases, login speed improvements. Measurable goals drove accountability.
4. User Education (But Less Than Expected): Organizations worried about extensive training needs. Reality: when authentication is intuitive, minimal education suffices. "Tap your badge" or "use your fingerprint" requires little explanation.
5. Fallback Authentication Matters: Every deployment maintained escape hatches for edge cases—lost keys, biometric sensor failures, legacy systems. Good fallbacks prevent lockouts without undermining primary security.
Common Implementation Challenges
1. Legacy System Integration: Organizations with decades-old infrastructure struggled to retrofit passwordless authentication. Solutions ranged from gradual migration to authentication proxy layers.
2. Device Coverage: Not all users had biometric-capable devices. Organizations either distributed compatible hardware or maintained parallel authentication paths during transition periods.
3. Offline Authentication: Some scenarios required authentication without internet connectivity. Solutions included locally-stored passkeys with periodic synchronization.
4. Account Recovery: Passwordless doesn't eliminate the "forgot password" problem—it becomes "lost passkey." Organizations developed clear recovery workflows, typically involving identity verification through alternative channels.
ROI Patterns Across Sectors
Financial justification varied by industry but followed predictable patterns:
- Banking: ROI driven primarily by fraud reduction (87-91% decrease), with support cost savings as secondary benefit
- Technology: ROI from eliminated phishing risk plus productivity gains (authentication time reductions)
- Healthcare: ROI overwhelmingly from productivity (clinical time savings) with compliance improvement as critical but unquantified benefit
Average payback periods ranged from 9 months (healthcare) to 18 months (banking), with technology sector falling in between at 12-14 months.
What These Case Studies Teach Us
The enterprise passwordless revolution is real, measurable, and accelerating. These case studies demolish several myths:
Myth: "Users won't adopt new authentication." Reality: DBS achieved 82% adoption in 6 months. Shopify saw 41% merchant adoption with zero coercion. When authentication improves user experience, adoption follows.
Myth: "Passwordless costs too much." Reality: Cloudflare spent $19 per employee per year. DBS saved $4.2 million annually. Mercy Health gained $18.7 million in productivity. ROI is demonstrable and significant.
Myth: "It only works for tech companies." Reality: Banks, hospitals, and retailers succeeded. Passwordless authentication works across industries, geographies, and user sophistication levels.
Myth: "Security and convenience are incompatible." Reality: Every organization reported simultaneous security improvements and better user experience. Phishing resistance doesn't require user friction.
Organizations considering passwordless authentication now have extensive real-world evidence. The question is no longer "Does it work?" but "When do we start?"
Much like how modern platforms balance multiple stakeholder needs, successful passwordless implementations balance security, usability, operational efficiency, and regulatory compliance—proving that well-designed systems can optimize across seemingly conflicting requirements.
The enterprise passwordless future isn't coming—it's already here. These case studies prove it works. The only question remaining is how quickly your organization will join the revolution.