Payments Security

From Touch to Clicks: Navigating the Rise of Non-Human Identities

Article Highlights

  • Identity may now include not only individuals but also devices and machines.
  • Trust may require continuous verification and monitoring, not one-time logins or interactions.
  • Device binding and biometrics can be critical methods of securing devices and of establishing a trusted association between a device and the authorized account holder.
  • Risk-based access often enhances customer usability by recognizing trusted devices and interaction patterns while maintaining strong fraud protection.

For decades, U.S. financial institutions have focused on one simple question: is the person making a banking transaction who they claim to be? Identity traditionally was tied to elements such as names, passwords and physical documents. Today, verifying identity with only those items most likely is not enough. Financial institutions now face a more complex challenge: verifying not just the customers, but the smartphones, smartwatches, laptops or tablets making the transactions. These devices are not just tools. They can be active participants in the financial ecosystem. To keep transactions secure, financial institutions may want to consider verifying and monitoring device identities along with human identities.

All Identities are Not Created Equal: Device Discovery

The rise of connected device technology may mean interactions do not stop at one’s personal devices. Consider these examples: Your car pays for highway tolls automatically. Your smart refrigerator orders groceries and charges your credit card. A home air purifier orders a replacement filter using stored payment credentials. These “machine identities” increasingly may initiate financial actions without direct human involvement. While this is convenient, it introduces greater complexity and security risks. How do we trust a device that is acting on behalf of a person? Financial institutions may need new strategies to anticipate and manage these emerging identities before they become mainstream.

Linking Devices to People: Secure Binding

Building trust could start with the creation of a secure link between a device and its legitimate owner. This extends beyond simple passwords or one-time passcodes. Modern approaches use secure binding to tie a device to an account using software keys or passkeys that are resistant to phishing and fraud. Secure binding ensures that when a new device interacts with a financial institution, the organization can confidently say, “This device belongs to that customer.”

This is how the secure binding process works:

  1. Device Fingerprinting: Recognizes devices by collecting nonintrusive signals, such as operating system, browser type and behavior patterns. When combined, these create a unique “fingerprint.”
  2. Device Binding: Ties a specific device to a specific user or account using a secure digital relationship, ensuring future logins or transactions come from a trusted device. This helps prevent account takeover and strengthens authentication.
  3. Device Identification: Relies upon fingerprinting to help the system recognize returning devices and flag unfamiliar ones.
  4. Device Evaluation: Recognizes unusual behavior, location changes, or signs of compromise to evaluate risk in real time and help prevent fraud before it happens.
  5. Device Monitoring: Ensures that if a device’s behavior changes or shows signs of compromise, the system can identify it and respond immediately.
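The five steps above, carried through as one added illustration that is not code from the article or from any Federal Reserve system. It assumes a device-held secret provisioned at onboarding and uses an HMAC over a server-issued nonce as a stand-in for the passkey signature the article refers to; the fingerprint signals, device names and status strings are constructed for the example.

```python
# Added example (not from the article): a simplified device binding flow.
# A device-held secret stands in for the asymmetric passkey the article
# mentions; HMAC over a server nonce is the stand-in for a signature.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def fingerprint(signals: dict) -> str:
    """Step 1: hash nonintrusive signals (OS, browser, ...) into a stable id."""
    canonical = "|".join(f"{k}={signals[k]}" for k in sorted(signals))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


@dataclass
class BoundDevice:
    device_id: str
    fingerprint: str
    key: bytes                     # device-held secret, assumed provisioned at onboarding
    risk_flags: list = field(default_factory=list)


class AccountDevices:
    """Steps 2-5: bind, identify, evaluate and monitor devices for one account."""

    def __init__(self):
        self.devices: dict[str, BoundDevice] = {}
        self.nonces: dict[str, bytes] = {}

    def bind(self, device_id: str, signals: dict) -> bytes:
        """Step 2: tie a device (and its fingerprint) to this account."""
        key = secrets.token_bytes(32)
        self.devices[device_id] = BoundDevice(device_id, fingerprint(signals), key)
        return key  # handed to the device once; the server keeps its copy

    def challenge(self, device_id: str) -> bytes:
        """Issue a single-use nonce the device must prove possession of its key over."""
        nonce = secrets.token_bytes(16)
        self.nonces[device_id] = nonce
        return nonce

    @staticmethod
    def device_sign(key: bytes, nonce: bytes) -> str:
        """What the device computes locally; the key never leaves it."""
        return hmac.new(key, nonce, hashlib.sha256).hexdigest()

    def verify(self, device_id: str, signals: dict, proof: str) -> str:
        """Steps 3-5: identify the device, check its proof, evaluate drift, record flags."""
        dev = self.devices.get(device_id)
        if dev is None:
            return "unknown_device"          # Step 3: not a returning device
        nonce = self.nonces.pop(device_id, None)  # consumed on first use (no replay)
        if nonce is None:
            return "no_active_challenge"
        expected = self.device_sign(dev.key, nonce)
        if not hmac.compare_digest(expected, proof):
            dev.risk_flags.append("bad_proof")          # Step 5: monitor
            return "binding_failed"
        if fingerprint(signals) != dev.fingerprint:
            dev.risk_flags.append("fingerprint_drift")  # Step 4: evaluate
            return "step_up"
        return "trusted"


if __name__ == "__main__":
    acct = AccountDevices()
    sig = {"os": "iOS 17", "browser": "Safari", "tz": "America/Chicago"}  # constructed
    key = acct.bind("phone-1", sig)
    nonce = acct.challenge("phone-1")
    print(acct.verify("phone-1", sig, AccountDevices.device_sign(key, nonce)))
```

The fingerprint is deliberately a recognition signal rather than a credential: a matching fingerprint with a failed proof is treated as a binding failure, while a valid proof with a drifted fingerprint only triggers step-up, which is the balance the article describes between seamless onboarding and security.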

The secure binding process should be continuously performed as customers change or want to add new devices. Financial institutions can consider which steps are the right balance to achieve a seamless, yet secure device onboarding process.

Smarter Security, Less Interaction: Risk-Based Access Control

Traditional security measures often treat every login attempt the same way, requiring multiple authentication steps that potentially can frustrate customers. However, if a transaction comes from a trusted device in a familiar context (e.g., similar time of day, same day of week, recognized IP address), the fraud control system can reduce inconvenient authentication requests. If an anomaly is identified, security can step up the interaction by requiring additional checks. This approach balances safety with convenience, allowing for digital banking to be more secure and user-friendly.

A New Era of Trust: Real-Time Trust Scoring and Risk-Based Device Scoring

As financial interactions move deeper into the digital realm, fraud prevention is evolving beyond traditional methods. The legacy model, verifying the identity of a person at a single point in time, is no longer sufficient. Today, security operates in more of a continuous trust environment, where interactions between the devices and the user are assessed in real time throughout the entire session.

Also, fraud detection is becoming more adaptive and moving closer to near-real-time through risk-based device scoring. Each device can be evaluated based on its behavior, its history, and when and where it is interacting with the financial institution. Devices with high trust scores enjoy smoother interactions, while devices with low scores trigger additional checks or restrictions. This approach may strengthen security and improve the customer experience by reducing unnecessary interactions. One key advancement is the ability to track and flag high-risk devices across the ecosystem. Criminals often reuse compromised devices or emulate (spoof) legitimate ones. By identifying patterns and sharing intelligence internally, financial institutions may be able to identify suspicious devices before they can cause harm.
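The risk-based access control described under “Smarter Security, Less Interaction” and the device scoring described here come down to the same decision: score the device and its context, then allow, step up, or block. The following is an added example, not the article’s or any institution’s scoring model; the signal weights, thresholds, and the flagged-fingerprint set are assumptions constructed for illustration.

```python
# Added example (not from the article): a risk-based access decision that
# scores a session from device history and context, consults a shared list of
# flagged device fingerprints, and maps the score to allow / step_up / block.
from dataclasses import dataclass

# Constructed sample of fingerprints previously flagged across the institution.
FLAGGED_DEVICES = {"fp-emulator-7a2c"}


@dataclass
class SessionContext:
    device_fp: str
    device_known: bool          # device already bound to this account
    successful_logins: int      # history on this device
    hour_local: int             # hour of day, customer's local time
    usual_hours: tuple          # (start, end) inclusive, learned from past sessions
    ip_known: bool
    country_changed: bool       # location differs from recent sessions
    emulator_signals: bool      # signs the device is spoofed or emulated


def trust_score(ctx: SessionContext) -> int:
    """Return 0..100; higher means more trusted. Weights are illustrative assumptions."""
    score = 50
    if ctx.device_known:
        score += 20
        score += min(ctx.successful_logins, 10)   # up to +10 for a clean history
    else:
        score -= 20
    if ctx.usual_hours[0] <= ctx.hour_local <= ctx.usual_hours[1]:
        score += 10                               # familiar time of day
    else:
        score -= 10
    score += 10 if ctx.ip_known else -10
    if ctx.country_changed:
        score -= 25
    if ctx.emulator_signals:
        score -= 40
    if ctx.device_fp in FLAGGED_DEVICES:
        score = 0                                 # shared intelligence overrides everything
    return max(0, min(100, score))


def access_decision(ctx: SessionContext, amount: float = 0.0) -> str:
    """Map the score to an action; larger transactions need a higher score to pass silently."""
    score = trust_score(ctx)
    threshold = 70 if amount < 1000 else 85
    if score < 30:
        return "block"
    if score < threshold:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    familiar = SessionContext("fp-phone-1", True, 10, 9, (7, 22), True, False, False)
    print(trust_score(familiar), access_decision(familiar, amount=50.0))
```

Because the score is recomputed per interaction rather than once at login, the same function can be called again mid-session when a high-value transfer is attempted, which is the continuous-trust behaviour the section describes.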

Another major industry shift is movement away from the use of usernames and passwords, which often are easy to steal or guess. Instead, some financial institution systems use a combination of authentication apps, biometrics and secure passkeys, enabling authentication to be stronger and more seamless. These methods confirm identity directly on the device, reducing the risk of phishing and credential theft.

Conclusion

The rise of non-human identities may mark a turning point for financial services. This shift demands more than incremental changes. It may require a redefinition of identity to include both humans and the devices acting on their behalf.

Implementing strategies such as device fingerprinting, secure binding and continuous monitoring could create a safer, more seamless customer experience. Risk-based access control and real-time evaluation help risk systems adapt dynamically, reducing unneeded interactions while strengthening fraud defenses. Ultimately, this approach ensures that trust is not a one-time event but an ongoing process. This is critical in a world where interactions will be increasingly digital. The future of non-human identity verification for financial institutions can be built on trust layers that extend beyond people to devices and, eventually, to connected machines. Preparing for this evolution now could help financial institutions stay ahead of fraud.

Stay Connected

Keep informed about the Fed’s efforts to support payment security and mitigate fraud by joining the FedPayments Improvement Community.

Glossary of Terms

  • Non-human identities are digital entities requiring authentication and authorization that are associated with individual human users.
  • Device discovery automatically detects, identifies, and catalogs devices connected to a financial institution’s network.
  • Secure binding creates a protected association between entities to prevent tampering or substitution.
  • Risk-based access control grants or denies access based on real-time threat assessment rather than static permissions alone.
  • Real-time trust scoring continuously calculates a numerical trust value for users, devices, or sessions based on contextual factors, behavior, and risk signals to inform access decisions.
  • Risk-based device scoring assigns a numerical evaluation to devices based on their security posture, compliance status, and behavior to dynamically determine access privileges.