Device Pairing Best Practices for Credit Unions in Digital Banking

Device-pairing — adding a user's phone, tablet, or wearable to a list of trusted devices — is enormously important for trust-building, because it completes the transition from sign-up to reliable ongoing security.

And, with 60% of Americans dropping off during onboarding — the step that precedes device-pairing — the bar for surprising and delighting customers is relatively low. 

Think of it this way. The 40% who complete onboarding have invested significant time and effort and shared sensitive information, which signals a degree of commitment and trust. Making the pair device process as quick and painless as possible while still keeping it secure prevents further avoidable friction at a moment when users expect they'll be able to start using the app.

So what approaches move the needle when it comes to device-pairing? 

We've analyzed all 35 credit unions in our digital banking research platform FinTech Insights to get a feel for how they approach the pair device process and identify best practices. 

A uniform approach

Our analysis, which focused solely on mandatory steps and excluded skippable ones, revealed that credit unions approach the pair device process in very similar ways.

60% of our sample — 21 firms — require a username, password, and OTP (one-time password). A handful of firms vary the process slightly or add one or more steps on top, but none are particularly distinctive:

  • Username — password — create PIN (as a quicker login alternative) — confirm PIN
  • Username — password — verify you're human
  • Username — password — verify you're human — OTP
  • Username — password — create PIN — confirm PIN — OTP
  • Username — password — authorize device. Here, the user receives a push notification to the previously paired device. This approach in particular can add significant (and avoidable) friction, because if the old device is no longer available, the user has to log on to their bank's web portal and manually remove it from their account.

16.7% of the firms in our data set also ask the user to give their device a nickname, or alias, which helps them identify devices more easily and prevent confusion during future device management on the platform.

The minority approach — used by 5.7% of the credit unions in our sample — requires a username and password only. No OTP or further verification. 

According to Security.org, around 77 million Americans experienced an account takeover in 2024. 

The data doesn't specify how many of these takeovers were of bank or credit union accounts. That said, it still highlights how risky the username-and-password-only approach is. Should a user's login credentials get leaked, there's no failsafe stopping bad actors from logging on.

But is the majority approach of username, password, and OTP — or a variation on the above — best practice? Or are there better ways to tackle device-pairing?

How banks and challengers approach device-pairing

A look at the wider US market isn't particularly illuminating. 

The 25 banks and challengers we analyzed for comparison approach device pairing in much the same way as credit unions: username and password, sometimes (but not always) supplemented by an OTP or other basic authentication methods. 

The EU-UK market, on the other hand, is a different story, with several examples of clever, out-of-the-box thinking that enhances security without adding significant friction to the process. 

Let's have a look at what, in our view, are the three stand-out examples from a data set of 36 banks and challengers.

Bunq

The Amsterdam-based challenger's approach to device-pairing incorporates a selfie. 

The user takes the selfie within the bunq app. This both minimises friction and makes the process more secure as, unlike an OTP, there's no risk that the selfie will be intercepted by bad actors. 

Monese

UK-based Monese replaces the selfie requirement with a short video.

As with a selfie, a video is harder to intercept than an OTP or other off-app verification. And, because the video captures movement, it's harder to spoof than a selfie but doesn't add measurable friction to the process. 

Monzo

Monzo forgoes the selfie or video and, instead, asks the user to upload proof of ID, such as a passport or driving licence.  

This method introduces the most friction, because the user will need to have a valid ID document handy. If they don't have access to any of the four documents Monzo accepts, this will delay the process.

One small step for US credit unions, one giant step towards better security and UX

Broadly speaking, the majority approach to device pairing among US credit unions — username, password, additional verification step — is in line with that of US challengers and incumbents, and with the approach of EU and UK banks and challengers too. 

But it's the last step — additional verification — that can make all the difference. 

NIST — the US National Institute of Standards and Technology — is openly critical of one-time passwords via SMS, due to the increasing incidence of SIM-swap fraud.

But, with phishing and other social engineering scams also on the rise — in 2024, they were up by 94% over 2023 — even OTPs via email are a risky proposition. 

Against this backdrop, our view is that the best choice overall is a username — password — selfie flow, for three reasons:

  • It adds an additional layer of security. Even if a bad actor were to successfully log on to the user's account and take over their SIM and email, they'd need to be able to submit a convincing selfie matching the user's official ID in order to pair the device.
  • It's quicker and easier than filming a video or uploading a passport, driving licence, or other ID document.
  • It doesn't force the user to leave the app.

Of course, the rising incidence of deepfake AI — highly realistic, artificially generated videos and images — means that, over time, selfies and videos will also no longer be secure enough on their own. 

It will be interesting to see how the firms that are ahead of the curve will approach deepfake-proofing while minimizing friction.

Panagiotis Koutroumpis: VP of Research & Analysis at FinTech Insights
Panagiotis is the VP of Research & Analysis at FinTech Insights, where he leads the analysis, development, and implementation of Digital Banking Applications within the platform. His expertise lies in staying abreast of the latest changes in the digital banking market, identifying exceptional implementations from financial institutions, and mastering the art of categorizing them appropriately.