PSD2 and strong authentication
The European Payment Services Directive (PSD2), transposed into French law and applicable since January 2018, mandates strong customer authentication (SCA) for electronic payments and for online access to bank accounts, subject to a short list of exemptions (low-value transactions, trusted beneficiaries, recurring payments, transaction-risk analysis). The detailed SCA rules, set out in the Regulatory Technical Standards (RTS), have applied across the EU since 14 September 2019.
SCA requires combining at least two elements from three categories: something you know (password, PIN, answer to a secret question), something you have (phone, hardware token, smart card) and something you are (fingerprint, facial recognition, voice). The elements must be independent, so that the compromise of one (a stolen phone, say) does not compromise the others (the password).
A password is therefore not a step backwards: it is the knowledge element of a multi-factor scheme. The possession element is usually a confirmation in your banking app (push notification) or a one-time code sent by SMS. It is this combination that constitutes the strong authentication required by regulation. One caveat: SMS codes count as proof of possession of your SIM, but they are the weakest option, since they can be intercepted or redirected by SIM swapping; when your bank offers both, prefer the in-app confirmation.
French banks are playing catch-up
Several traditional French banks still use 6-digit passwords or short numeric codes. This is not a deliberate technical weakness but a legacy implementation constraint: the core banking systems at some institutions date back to the 1980s and 1990s, and migrating them is a programme costing hundreds of millions of euros. A six-digit code has only one million possibilities and would fall to online guessing within hours on its own. What makes it acceptable as a knowledge element are the controls the RTS imposes around it: no more than five consecutive failed attempts before access is blocked, and no indication to the caller of which of the two elements was wrong.
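As an added illustration (not from this article and not any bank's code), here is a minimal server-side check of the two elements, written in Python with the standard library only: a hashed 6-digit code as the knowledge element and an RFC 6238 TOTP code as a stand-in for the app's one-time code as the possession element. The names (`Account`, `authenticate`, the PBKDF2 work factor) and the sample PIN are assumptions; the TOTP secret is the RFC 4226/6238 test vector. It shows why a six-digit code is acceptable once the RTS controls are in place: both elements are verified together, the response never says which one failed, and the fifth consecutive failure locks the account, leaving an online attacker at most five guesses per lock-out.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RTS on SCA (Delegated Regulation (EU) 2018/389), Art. 4(3)(b): no more than
# five consecutive failed authentication attempts before the account is blocked.
MAX_FAILED_ATTEMPTS = 5
TOTP_STEP = 30           # seconds per TOTP time step (RFC 6238 default)
PBKDF2_ROUNDS = 100_000  # work factor for the stored PIN hash (assumed value)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to `digits` decimals."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the numeric code so a database leak does not reveal it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    pin_hash: bytes        # knowledge element: 6-digit code, stored hashed
    salt: bytes
    totp_secret: bytes     # possession element: secret shared with the phone app
    failed_attempts: int = 0
    locked: bool = False


def authenticate(acct: Account, pin: str, code: str, now: int) -> str:
    """Check both SCA elements together; return 'ok', 'denied' or 'locked'.

    Both elements are evaluated on every call and a single generic result is
    returned, so the caller cannot learn which one was wrong (RTS Art. 4(3)(a))
    and cannot brute-force the PIN and the code independently.
    """
    if acct.locked:
        return "locked"
    pin_ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
    # Accept the previous and next time step to tolerate phone clock drift.
    code_ok = any(
        hmac.compare_digest(totp(acct.totp_secret, now + drift * TOTP_STEP), code)
        for drift in (-1, 0, 1)
    )
    if pin_ok and code_ok:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True  # unlocking requires an out-of-band step with the bank
        return "locked"
    return "denied"


def online_guess_budget(digits: int, max_attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Chance that an attacker who already holds a valid code guesses the PIN before lock-out."""
    return max_attempts / 10 ** digits


if __name__ == "__main__":
    # Constructed sample data: the RFC test secret and an arbitrary 6-digit PIN.
    secret = b"12345678901234567890"
    salt = b"constructed-salt"
    acct = Account(pin_hash=hash_pin("482913", salt), salt=salt, totp_secret=secret)
    now = 59  # RFC 6238 test time, for which the SHA-1 code is 287082
    print(authenticate(acct, "482913", totp(secret, now), now))
    print(authenticate(acct, "000000", totp(secret, now), now))
    for _ in range(5):
        authenticate(acct, "111111", "000000", now)
    print(acct.locked, online_guess_budget(6))
```

The lock-out is what turns a million-way code into a five-guess problem; the generic "denied" is what stops an attacker from confirming the PIN first and the code second. A real deployment would persist the counter server-side and rate-limit per customer, not per session.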
Neo-banks and online banks — Revolut, N26, Lydia, Boursorama — have migrated to modern architectures that support native biometrics, instant push notifications and one-time dynamic codes. Their systems were designed for mobile from day one.
This gap creates a misleading perception: large banks appear less secure when they are held to the same regulation and the same minimum controls. The difference lies mostly in user experience. The one genuine security difference is the second factor itself: an app-bound confirmation is stronger than an SMS code, whichever bank offers it.
What you can do
Whatever your bank, a few simple actions maximise your real protection level.
- Always enable biometrics in your banking app if available.
- Use a password manager to generate and store a long, unique password for each bank that accepts one.
- Never reuse your debit card PIN as a password or app code for another service; it is a common mistake.
- Enable real-time transaction notifications to detect any unauthorised operation immediately.
- Check active sessions in your app regularly; most banks let you view and close ongoing connections.
Real protection lies less in password complexity than in activating the second authentication factor. Against the attacks that actually empty accounts (phishing, credential stuffing with leaked passwords, malware on the computer), a 4-digit code combined with biometric confirmation on your phone resists what a 20-character password without a second factor does not, because the attacker also needs your device. Focus your efforts on the right setting.