Hey, fintech fam π
Last Friday was my wedding. And it was one of the most beautiful, special days of our lives.
Seeing everyone we love in one room, eating good food, toasting with good drinks, and listening to incredible music (& my husband serenading me π)β¦ it doesnβt get better than that.
I wish I couldβve invited every single one of you to join us, because your support is the reason we can pause and celebrate.
Maybe I can swing it and invite you to the vow renewal in 10 years π€£ Stay tuned!
For today, Iβm sharing a guest piece from the host of the Security Summit during FTW:SF, Frances Zelazny.
Our industry needs to have important conversations about identityβ¦ and they arenβt happening. Frances is sharing more below.
Let's get into it. β¨
GUEST CONTRIBUTOR: FRANCES ZELAZNY
Are We Building The Future of Identity on A Cracked Foundation?
Las Vegas. June 2026.Β
Thousands of identity professionals gathered in a city built on spectacle for Identiverse 2026, and the spectacle this year was identity itself.Β

On the one hand, you couldn't walk 2 feet without talking about or hearing someone talk about agents or digital credentials.Β
On the other hand, the reality is that we are still dealing with a seriously unresolved problem in cybersecurity.Β
To me, that paradox is the story of Identiverse 2026, and it's the story we in the industry need to stop dancing around.Β
Yes, we are on the cusp of something transformative, but the bottom line is that our house is not in order.
The Four Identity Pillars
Identiverse 2026's program was organized around four content pillars:Β
AI Identity
Continuous Identity
Passkeys & Wallets
Non-Human & Agentic AI Identity
Each reflected a genuine leap forward in where identity is going. The agentic AI conversation was everywhere.Β
As the conference described it, non-human identities now vastly outnumber human ones.
The rapid rise of agentic AI is transforming these identities from passive, deterministic processes into autonomous digital actors capable of making decisions and initiating actions at machine speed.Β
Sessions with titles like "The Agentic AI Arms Race" and "Giving AI Models a Verifiable Digital Identity" reflected the urgency: who is accountable when an AI agent acts on your behalf?
How do you govern an identity that can replicate, reason, and act independently, often without human oversight? These are themes that I have been harping on.
The Second Theme: Digital Credentials
The second dominant theme was digital credentials.Β
Verifiable credentials, mobile driver's licenses (mDLs), and digital wallets are finally crossing from pilot to production.Β
Today, mDLs are active in over 20 U.S. states.
Theyβre stored in Apple Wallet, Google Wallet, and state-specific apps, built on ISO/IEC 18013-5, the international standard that makes them cryptographically verifiable, privacy-preserving, and machine-readable.Β
The EU's eIDAS 2.0 framework sets a mandatory acceptance deadline of November 2027 for businesses in banking, finance, and telecom to accept the European Digital Identity Wallet.Β
The world is finally moving toward portable, cryptographically-bound, user-controlled identity.
These are genuinely exciting developments. I believe in this future. I've spent my career working toward it.
And that's exactly why I feel compelled to say what needs to be said.

Frances and Nicole during FTW:NYC
The Reality: Our Foundation Is Cracked
Inside, we were talking about agentic identity governance and verifiable credential ecosystems.
But the world outside was still running on passwords, SMS codes, and secret questions about your mother's maiden name.Β
I don't think any speaker asked anyone to raise their hand to ask them how many times they used a password in the last 24 hours, lest they would have exposed the elephant in the room.Β
As we pivot towards the future, this is not a peripheral concern. This should be considered a five-alarm crisis.
The Most Common Password In The World: 123456
On passwords: There are an estimated 300 billion passwords in use worldwide today.Β
The average person manages 70 to 80 passwords. The average professional manages more than 100.Β
And what do people do with them? Sixty percent of Americans reuse passwords across multiple accounts. Globally, 78% of people admit to reusing passwords.Β
Three out of four passwords are considered unsafe due to reuse or simplicity.Β
The most common password in the world continues to be "123456," found in breach datasets over 4.5 million times and crackable in under one second.
The breach data tells the same story.Β
In June 2025, a compilation of over 16 billion login credentials was exposed across 30 datasets, the largest credential dump ever discovered online, fueled by infostealer malware.Β
The New York State Attorney Generalβs Office investigation on credential stuffing highlights attempts exceeding 193 billion in a single year and its own ability to harvest more than 1.1 million credentials for 17 well-known companies.Β
I could go on and on with more examples and statistics.
The fact is, our approach to identity management and authentication is failing us.
SMS-Based 2FA Isnβt Progress
On two-factor authentication: Folks often cite SMS-based 2FA as progress. It is not.Β
Back in 2016, a full decade ago, NIST Digital Identity Guidelines in Special Publication 800-63-3 deprecated SMS OTP, citing its susceptibility to SIM-swapping, SS7 interception, and VoIP spoofing.Β
NIST understood this ten years ago.Β
The final SP 800-63-4, updated in August 2025, formally classified SMS/PSTN as a "restricted authenticator", the only method in that category, making clear that its weaknesses are significant enough to require additional conditions and a migration plan.
And yet here we are.Β
Nearly 56% of IT professionals worldwide report that their company uses SMS-based one-time passcodes for logins.
And 23% view their workplace security habits as risky, with notable percentages storing passwords insecurely (45%) or using weak credentials (44%).Β
Consumer-facing applications treat it as robust security.
We knew better ten years ago, and we still haven't acted.
Untangling Knowledge-Based Authentication
On knowledge-based authentication: If the password situation is a slow-motion train wreck that continues to plague us, KBA is a farce we're legally required to perform in some cases.Β
The IRS still requires knowledge-based authentication for IRS Forms 8879 and 8878, the e-file signature authorization forms used by millions of Americans every tax season.Β
And while not an explicit prescriptive mandate demanding a specific quiz, KBA is often treated as a regulatory mandate by proxy under the FTCβs Red Flags Rule (16 CFR Part 681).
This requires banks and credit unions to implement comprehensive Identity Theft Prevention Programs.Β
So when a consumer calls to reset a bank password, opens a new account online, or changes an address remotely, they can use dynamic KBA infrastructure (like Equifax, Experian, or LexisNexis) to fulfill their legal obligation to clear high-risk "red flags".Β
Beyond this, KBA remains embedded in notarization workflows, loan originations, account openings, and government portals across the country.Β
The premise is that only the right person knows the answers. The reality is that the data broker ecosystem, which has been breached repeatedly, holds all of it.Β
The information that KBA treats as a secret has long since become public.Β
To make it worse, while 50% of the time the fraudsters have the right answer, 33% of the time the legitimate person forgets their information or doesnβt have it handy and is stuck.
So the bottom line is that we are legally mandating the use of authentication methods that our own standards bodies have declared insecure.
And we wonder why we are in the situation we are in.
ππ½ Read Francesβ full newsletter here. And get your early bird tickets to the Security Summit before prices go up!
Frances Zelazny is a seasoned executive and founder with a track record of building and scaling disruptive technologies into market-defining businesses.
From mobile payments and digital identity to biometrics and cybersecurity, she brings deep experience turning complex challenges into real-world solutions that deliver commercial impact.
Throughout her career, sheβs helped startups grow into category leaders by driving go-to-market strategy, unlocking new revenue streams, forging global partnerships, and securing major enterprise deals.
Frances is the host of The Security Summit during Fintech Week (FTW), coming to San Francisco this fall.
Cybersecurityβs most important conversations start here!
I WANT IT, I GOT IT (NICOLEβS VERSION)
π Today's Watch: Just watching this video of our wedding day on repeat over and over (and over!) again. 15-year-old me would be screaming if she knew my first look was in Central Park π₯²
FINTUNES (NICOLEβS VERSION)
Love is in the air! This is one of those songs that makes you want to slow-dance in a speakeasy.

LETβS CONNECT
π° Share this newsletter with a friend and start growing your network.
π Connect with me on LinkedIn for daily insights on leadership.
π€ Grow your business through content & community by partnering with me.
π£ Promote yourself to 50,000 subscribers by sponsoring this newsletter or the Humans of Fintech podcast.
π€ Host an epic event by booking me as a speaker, moderator, or emcee.
π Increase your expertise by ordering your copy of my book, Fintech Feminists: Increasing Inclusion, Redefining Innovation, and Changing the Future for Women Around the World.
Thanks for spending time with Frances and me today! We hope to see you at FTW:SF in the fall.
Love,
Nicole π




