Strong Authentication & Biometrics: Security Without Friction in LATAM
- WAU Marketing

The most expensive way to lose a customer isn't letting fraud through: it's blocking the right person. Every extra authentication step you add to feel safer is costing you customers who were perfectly legitimate.
There's a quiet fight inside every financial institution in the region. On one side, the risk team, which lives with fraud every day and wants more layers: OTP, second factor, extra verification. On the other, the product team, watching every new layer crush conversion. Both are right, which is why the debate is never won: it's framed wrong. The question isn't "how much security do we add?" but "when do we ask for it?" And that answer doesn't live on the login screen; it lives in the core.
Fraud in LATAM isn't a hypothesis, it's a monthly invoice
First, let's grant the risk team its point, because the numbers are brutal. Identity fraud grew 137% in Latin America and the Caribbean during 2024, with an average annual increase of 53% in Mexico, per Sumsub's Global Fraud Index as reported by Mexico Business News. And this isn't artisanal fraud: on the dark web you can already buy "a minute of simulated video of a person for biometric tests in banking apps" at affordable prices. Deepfakes have reached the region's banking.
Brazil, which tends to preview what's coming for the rest of LATAM, lost R$10.1 billion to fraud in 2024, with roughly 70% of those losses stemming from social engineering (schemes where the victim makes the transfer themselves), according to QED Investors. That's the key insight: if the customer is tricked into authenticating, adding another OTP solves nothing. The extra layer punishes the honest user and lets the scammed one through.
Now the other side: friction is also a measurable loss
Enter the product team, and its data is just as hard. 19% of users abandon their cart specifically because they forgot a password, and 60% cite login frustration as their reason for abandoning entirely, per Elavon and Ping Identity figures compiled by Corbado. In the same vein, 46% of U.S. consumers failed to complete a transaction due to an authentication failure, per a Ponemon study cited in that same analysis.
The efficiency gap between methods is enormous. The FIDO Alliance Passkey Index—measured across real deployments at Amazon, Google, Microsoft, PayPal and others—found that passkeys achieve a 93% sign-in success rate versus 63% for traditional methods, with an average time of 8.5 seconds against 31.2, and an 81% drop in login-related support incidents, according to the FIDO Alliance. Thirty points of success and a quarter of the time aren't a UX detail: they're retention and conversion.
The region already voted: biometrics aren't friction, they're relief
What's striking is that in LATAM the user doesn't see biometrics as a hurdle—quite the opposite. 85% of Latin American consumers prefer biometric authentication over passwords for online transactions, and 90% globally consider biometrics the safest method, according to Mastercard research (note: Mastercard is a payments vendor; attributed figure). The region is ready to move from SMS OTP—vulnerable to SIM swapping and interception—to factors the user carries and can't forget.
Globally the trend holds: password use for financial services over a two-month window fell from 51% to 31% between 2022 and 2024, per the FIDO Alliance report. Customers aren't asking for less security. They're asking for security that doesn't feel like a punishment.
The way out isn't "more" or "less": it's "adaptive"
This is where the fight is reconciled. The right answer to "more security vs. less friction" is adaptive—also called risk-based—authentication: the system evaluates each operation in real time and only requests an extra factor when something falls outside the norm. A login from the usual device, at the usual hour, for a typical amount, passes without friction. One from a new country, at 3 a.m., for triple the usual amount, triggers step-up verification.
Europe has operated under this logic for years. PSD2 mandates strong customer authentication (SCA), but allows exempting low-risk transactions via real-time transaction risk analysis (TRA), provided the provider keeps fraud rates low and monitoring live, as Ravelin describes regarding the EBA framework. It's not a European mandate LATAM must copy verbatim; it's a proven template for combining security and experience: ask for a lot only when the risk justifies it.
Why none of this works without the core
And here's the knot almost no one names. Adaptive authentication isn't a pretty screen: it's a decision your system makes in milliseconds, and to make it, it needs context. Is this amount normal for this customer? Have we seen this device before? Does this behavior match their history? That decision is only possible if your data is available via API and in real time—not buried in a core that only reconciles in batches at end of day.
A legacy core leaves you two bad options: ask everyone for the extra factor—and pay the friction—or ask no one—and pay the fraud. Adaptive authentication, well-implemented biometrics, and standards like FIDO only pay off on a foundation that can serve the risk data at the exact instant of the transaction. Security without friction isn't a product you buy; it's a capability the core enables.
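The adaptive decision described above, as an added example that is not WAU's or any vendor's code: it steps up only when an operation falls outside the customer's norm, and falls back to asking for the factor when the core cannot serve context at decision time. The signal names, weights, threshold and profile fields are illustrative assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Illustrative weights and threshold (assumptions, not values from any standard).
WEIGHTS = {"new_device": 40, "new_country": 30, "unusual_hour": 15, "amount_spike": 30}
STEP_UP_THRESHOLD = 50

@dataclass
class CustomerProfile:
    """Hypothetical context a real-time core would serve for one customer."""
    known_devices: set
    usual_countries: set
    usual_hours: range   # local hours the customer normally operates in
    past_amounts: list   # recent transaction amounts

@dataclass
class Operation:
    device_id: str
    country: str
    hour: int
    amount: float

def risk_signals(profile, op):
    """Return the names of the signals that fall outside this customer's norm."""
    signals = []
    if op.device_id not in profile.known_devices:
        signals.append("new_device")
    if op.country not in profile.usual_countries:
        signals.append("new_country")
    if op.hour not in profile.usual_hours:
        signals.append("unusual_hour")
    # "Triple the usual amount": compare against the median of past amounts.
    if profile.past_amounts and op.amount >= 3 * median(profile.past_amounts):
        signals.append("amount_spike")
    return signals

def decide(profile, op):
    """Return (decision, signals); decision is 'allow' or 'step_up'."""
    if profile is None:
        # No context available at decision time: fail closed and ask for the factor.
        return "step_up", ["no_context"]
    signals = risk_signals(profile, op)
    score = sum(WEIGHTS[s] for s in signals)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), signals

# Constructed sample data.
PROFILE = CustomerProfile({"dev-a1"}, {"MX"}, range(7, 23), [100, 120, 90, 110, 105])
USUAL = Operation("dev-a1", "MX", 10, 110.0)   # usual device, hour, amount
ODD = Operation("dev-a1", "BR", 3, 320.0)      # new country, 3 a.m., triple amount
```

Calling `decide(None, USUAL)` shows the legacy-core case: with no profile to consult, even the ordinary operation is sent to step-up.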
How we see it at WAU
At WAU we don't sell you "the biometrics module." We build the core that makes it possible to decide when to ask for more: customer, device, and behavior data exposed via API and in real time, with the traceability compliance demands. On that foundation, your risk team can harden suspicious operations without punishing legitimate customers, and your product team stops losing conversion to misapplied security. The fight between risk and product ends when the core stops forcing you to choose.
If security and conversion are still pulling in opposite directions at your institution, let's talk. We'll help you see what your architecture needs so strong authentication stops costing you customers. 👉 Book a conversation with our team.
Sources
QED Investors — Brazil as a global testbed for financial crime prevention (2025)
Corbado — Login friction kills conversion (Elavon, Ping Identity and Ponemon figures, 2024)
FIDO Alliance — Passkey Index: passkey uptake and business benefits (Oct 2025)
FIDO Alliance — World Password Day 2024 Report: password and passkey trends (May 2024)
