OneSpan Inc. (OSPN)

OneSpan solves a problem that banks face every single day: how do you know that the person logging into an account is actually the account holder, and not a thief who stole the password? And if someone is trying to wire money or approve a big payment, how do you confirm they actually meant to do it, rather than a hacker taking over their phone or computer? These problems have no perfect answer, but OneSpan has built a billion-dollar business writing software that comes closer than most competitors.

Ticker	OSPN (NASDAQ)
Sector	Cybersecurity / financial software
Main business	Digital transaction security and authentication
Key product	CRONTO transaction signing
Customer base	60%+ of world's 100 largest banks
Geographic reach	Americas, Europe, Middle East, Africa, Asia Pacific
SEC CIK	0001044777

What the company actually makes

OneSpan makes software, not hardware. The software sits between a bank’s customer and that customer’s money. When someone logs in to check their balance, OneSpan’s authentication software can ask for multiple forms of proof — the password, sure, but also something on the person’s phone, a fingerprint, maybe a code generated by an app only the real account holder has. This is multifactor authentication, and it makes stealing just a password useless to a thief because they still cannot get past the phone-based check.

When a customer tries to execute a major transaction — wire money, approve a payment, change the account details — OneSpan’s transaction-signing software kicks in. It shows the customer on their phone exactly what is about to happen (the amount, the destination account, the recipient name), and asks them to approve it right there. This step is crucial. A thief might trick someone into clicking a malicious link that wires money out of the account, but if the real customer has to physically open their banking app and confirm the transaction, the thief is blocked.

The company has bundled these capabilities into suites and licensing arrangements that serve banks large and small. A massive bank like JPMorgan or HSBC uses OneSpan to protect millions of customer accounts. A smaller regional bank uses the same tools to protect thousands. OneSpan makes money when banks deploy its software, then ongoing fees as the banks use it to secure transactions.

Two main segments: Cybersecurity and Digital Agreements

OneSpan officially divides its business into two segments. The Cybersecurity segment is the core money-maker — authentication, mobile security, transaction signing, the tools that protect accounts and payments. The company sells this through direct sales teams to banks and through partnerships with big cloud providers and software vendors who resell OneSpan’s capabilities wrapped into their own platforms.

The Digital Agreements segment is smaller but growing. It offers electronic signature software — tools that let companies collect digital signatures on contracts, loans, and other legal documents, without printing, scanning, or shipping paper back and forth. This segment grew out of the company’s history in digital transaction security and now competes in a crowded market where competitors include DocuSign and Adobe Sign. For OneSpan, Digital Agreements is less about margin expansion and more about keeping existing bank customers engaged with additional products. A bank that uses OneSpan for authentication might also use OneSpan to collect signatures digitally on loan documents and account-opening paperwork.

The underlying competitive moat

Banks do not rip out authentication software on a whim. Once OneSpan’s software is built into a bank’s login process and transaction workflow, replacing it requires engineering effort, testing, customer communication, and risk. A bank cannot afford to mess up authentication — a botched deployment means either real customers cannot log in, or thieves can. That switching cost is OneSpan’s primary protection against price competition.

The second protection is specialization. OneSpan has spent decades understanding how banks think about security, what regulators demand, and which threats are real versus theoretical. When a new fraud vector emerges — phishing attacks that trick users into approving fraudulent transactions, synthetic identity theft, account takeover — OneSpan’s security teams are built to understand it and push updates to combat it. A bank could theoretically buy authentication software from a big cloud vendor or build it in-house, but OneSpan’s focus and depth in financial-sector security give it an edge in credibility and feature completeness.

The company is not alone in the space. Okta competes in authentication broadly. Duo Security (owned by Cisco) does multifactor authentication. But OneSpan’s grip on banks — it secures more than 60 percent of the world’s 100 largest banks — means it is a standard that other competitors have to match or exceed.

Recent innovation: VISION FX

In late 2024, OneSpan announced VISION FX, a new tool combining the company’s patented CRONTO transaction-signing technology with FIDO2 protocols. In plain language: VISION FX makes it much harder for a phishing attacker to trick a customer into approving a fraudulent transaction. Instead of a thief just needing to steal a password or fool the customer into clicking a link, they would need to get the customer to physically approve a specific transaction on a hardware key or a phone — and the transaction details are showing on that device so the customer can see what they are signing off on. It is not unhackable, but it raises the bar significantly.

The business model and how it scales

OneSpan’s business model is classic software licensing: one-time implementation fees when a bank adopts the software, then ongoing annual fees for maintenance, support, and updates. As the company lands new customers or expands existing relationships (selling more licenses, adding more features), revenue grows. The software itself is not consumption-based in the way cloud services like Salesforce or Slack are; OneSpan does not charge per user or per transaction, but rather per deployment and per maintenance period. This means margins improve as the company scales — the engineers writing the code are paid a fixed salary, but every additional customer on the same software increases profit almost directly.

A bank that deploys OneSpan to protect 10 million customer accounts sees the same software running, just with more scale. OneSpan’s job is to keep the software fast, reliable, and ahead of new threats.

What investors research

Anyone looking at OneSpan should track three things. First: what percentage of revenue is coming from existing customers (the stickiness and contract-renewal business) versus new logos (new banks adopting the software for the first time). Existing customers are more predictable and have higher margins, because the software is already built and the cost of support is amortized. Second: the trend in multifactor authentication adoption across the banking system. If more banks mandate multifactor authentication (which regulators are pushing for), that is a tailwind for OneSpan. Third: the company’s ability to stay ahead of fraud. If a major bank gets breached or loses customer funds to fraud despite using OneSpan’s software, that is a real hit to the company’s credibility and its sales pipeline.