Executive Summary / Key Takeaways
-
The Hardware-to-Software Transformation Is Reaching Escape Velocity: OneSpan has surgically reduced hardware from over 50% of revenue in 2019 to just 16% in Q1 2026, while growing software ARR to $192M. This fundamentally rewrites the company's earnings power—from lumpy, low-margin device sales to predictable, high-margin subscription revenue that commands premium valuations.
-
Strategic Acquisitions Are Filling Product Gaps, Not Buying Revenue: The Nok Nok Labs and Build38 deals added cutting-edge FIDO2 passwordless authentication and mobile app shielding SDKs, addressing a $3M ARR headwind from a customer that left pre-acquisition. Management is building a comprehensive authentication platform that can retain existing customers while capturing new growth in passwordless and mobile security—critical for competing against Okta (OKTA) and Microsoft (MSFT).
-
Rule of 40 Ambition Meets Near-Term Margin Pressure: Management's explicit goal of achieving Rule of 40 performance is being tested by $5.5M in incremental sales/R&D investments and $3-4M of Build38 EBITDA dilution in 2026. The current performance reflects a trade-off: 6.5% ARR growth today versus a foundation for double-digit expansion tomorrow.
-
Valuation Disconnect Creates Asymmetric Risk/Reward: Trading at 6.16x earnings, 1.77x sales, and offering a 4.23% dividend yield, OSPN is priced like a no-growth hardware vendor despite 80% software revenue mix and 21.45% operating margins. If the transformation succeeds, multiple expansion could drive significant upside; if growth stalls, the dividend and buyback provide downside protection.
-
The Critical Variable Is North American Execution: With only 10-12% of security revenue historically from North America, the July 2024 dedicated sales effort and new CRO Shaun Bierweiler represent a pivotal bet. Success here determines whether OneSpan can offset EMEA/APAC hardware declines and achieve the mid-single-digit ARR growth needed to justify current valuation.
Setting the Scene: The Identity Security Specialist You Think Is a Hardware Company
Founded in 1991 as VASCO Data Security International and headquartered in Chicago, OneSpan spent three decades building its reputation on physical authentication devices—those pocket-sized hardware tokens that generate one-time passwords for bank customers. This heritage explains why the market still values OSPN like a legacy hardware business trading at 6x earnings, despite the fact that software and services reached 80% of revenue in 2025. The company's core business model has evolved into two distinct but complementary platforms: a Cybersecurity segment that protects identities and mobile applications for over 60 of the world's 100 largest banks, and a Digital Agreements segment that processes hundreds of millions of e-signature transactions annually across 120 countries.
OneSpan makes money through a B2B2C licensing model that is fundamentally different from enterprise SaaS peers. Rather than charging per employee seat like Okta or per user like DocuSign (DOCU), OneSpan prices based on the number of end consumers using its authentication or app shielding solutions. A bank with 10 million retail customers pays for 10 million potential authentications, creating a direct correlation between client growth and OneSpan's revenue. This model generates high gross margins (74% consolidated) and sticky relationships—banks cannot easily swap out authentication infrastructure that touches millions of customers without risking regulatory scrutiny and operational disruption.
The significance lies in the bifurcation of the identity security market between workforce identity (dominated by Okta and Microsoft Entra ID) and consumer authentication (OneSpan's stronghold). While workforce solutions optimize for employee productivity, consumer authentication must balance security, regulatory compliance, and user experience at massive scale. This is where OneSpan's hybrid deployment model—offering both cloud and on-premise solutions, both hardware and software tokens, both OTP and FIDO2 protocols—creates a moat. Banks transitioning from legacy hardware to mobile-first strategies need a vendor that can bridge both worlds without forcing a risky "big bang" migration. OneSpan's platform lets them phase in software authentication while maintaining hardware for high-value corporate banking transactions, reducing churn risk and extending customer lifetime value.
Technology, Products, and Strategic Differentiation: Building the Authentication Bridge
OneSpan's product strategy centers on becoming the "Switzerland" of identity—offering maximum flexibility while competitors force customers into proprietary ecosystems. The Cybersecurity portfolio now spans Cloud Authentication, Mobile Security Suite, Digipass hardware tokens, and the newly acquired Nok Nok Labs FIDO2 passwordless software. This breadth addresses the three secular trends reshaping authentication: the shift from hardware to mobile, the move from passwords to passkeys, and the need for mobile app shielding against AI-driven threats.
The Nok Nok acquisition in June 2025 exemplifies management's technology-first M&A philosophy. Nok Nok's ARR grew 20% in less than ten months post-acquisition, not because OneSpan bought revenue, but because it acquired technology that solved a critical gap. When a $3M ARR customer decided to go passwordless before the acquisition, they left OneSpan's hardware-centric offering. Post-acquisition, OneSpan can now offer that same customer a software-based FIDO2 solution, creating a win-back opportunity. More importantly, Nok Nok's S3 platform provides extreme scalability—millions of users with low latency—and a management console that pure open-source FIDO2 implementations lack. This translates into pricing power: banks will pay for enterprise-grade reliability and management capabilities that DIY solutions cannot match.
The Build38 acquisition completed in February 2026 adds SDK-based mobile app protection that complements OneSpan's existing post-compilation wrapping technology. AI is making mobile threats more dynamic and sophisticated. Build38's telemetry provides real-time visibility into the threat environment, enabling OneSpan to dynamically update detection methods without requiring customers to recompile their apps. This creates a network effect: as more customers deploy Build38, OneSpan's threat intelligence improves, making the entire platform more valuable. The $26M in goodwill reflects management's belief that this technology can be cross-sold to OneSpan's 60+ top-tier bank relationships, potentially adding $3-4M in ARR.
In Digital Agreements, OneSpan is embedding AI to provide deeper insights and streamline decision-making. While DocuSign dominates generic e-signature volume, OneSpan focuses on financial services workflows requiring non-repudiation and compliance. The segment's 94% gross revenue retention rate and 11% ARR growth demonstrate that this specialization creates stickiness. Banks cannot risk audit failures or legal challenges by switching to a general-purpose e-signature provider that lacks embedded identity verification and transaction signing integration.
Financial Performance & Segment Dynamics: Margin Pressure from Strategic Investment
OneSpan's Q1 2026 results show deliberate reinvestment. Total revenue of $65.95M grew 4% year-over-year, though this figure includes a $2.7M FX tailwind and reflects the secular hardware decline. The underlying software business shows momentum: subscription revenue grew 8% overall, with Digital Agreements delivering 11% growth and Cybersecurity subscription revenue up 6.5%. The hardware portion—now just 16% of revenue—continues its decline as banks adopt mobile-first strategies, which is a core component of the transformation.
Segment profitability reveals the investment trade-off. Cybersecurity operating income fell $3.4M (14% decline) despite revenue growth, driven by $1.2M increases in both sales/marketing and R&D expenses. This aligns with management's plan for incremental investment in sales capacity and product development to drive future growth. The Digital Agreements segment shows the potential endgame: operating income jumped $1.9M (56% increase) on 11% revenue growth, as the segment achieves scale efficiency. This divergence demonstrates that OneSpan's cost structure can deliver operating leverage once growth investments mature.
The balance sheet provides strategic flexibility. With $49.8M in cash, a $100M undrawn revolver, and minimal debt (D/E ratio of 0.03), OneSpan can fund acquisitions and internal investments without diluting shareholders. The company returned $10M via dividends and buybacks in Q1 while simultaneously spending $35M on Build38, exemplifying a balanced capital allocation strategy. This shows management is confident enough in cash generation to return capital while investing for growth.
Cash flow quality is high. Q1 2026 operating cash flow of $28.2M represents a 43% margin on revenue, driven by the subscription model's working capital efficiency. This funded the Build38 acquisition and shareholder returns without tapping the credit facility. The 4.23% dividend yield indicates the business generates significant cash relative to its current reinvestment needs.
Outlook, Management Guidance, and Execution Risk: The Rule of 40 Path
Management's 2026 guidance reveals a company in transition. Revenue guidance of $244-249M implies 1-3% growth, while software and services revenue guidance of $201-204M (82-83% of total) and ARR guidance of $194-198M suggest management expects subscription growth to accelerate in H2 2026. This seasonal pattern is typical for enterprise software but creates execution risk: a weak Q4 would impact the full-year ARR target.
The $3M ARR headwind in Q2 2026 from two non-renewing contracts is instructive. The larger customer moved to passwordless authentication before OneSpan acquired Nok Nok, reinforcing the strategic logic of the acquisition. Management frames the loss as validation of the product portfolio shift. The risk is that other customers make similar decisions before OneSpan can cross-sell Nok Nok solutions, creating a gap that new sales must fill.
The Rule of 40 ambition is the primary objective. With current ARR growth of 6.5% in Cybersecurity and 9.9% in Digital Agreements, and operating margins of 21.45%, OneSpan is approaching Rule of 30 territory. The $5.5M in incremental investments and $3-4M Build38 dilution are near-term hits intended to achieve long-term Rule of 40 performance. This trade-off is rational but requires investor patience, as the stock may remain range-bound until ARR growth re-accelerates.
The appointment of Shaun Bierweiler as CRO in December 2025 is a critical execution variable. With a six-to-nine-month sales cycle, his impact should materialize in H2 2026. Historically, North America represented only 10-12% of security revenue, which management views as a growth opportunity. Bierweiler's mandate to improve lead generation and pipeline conversion addresses the company's historical sales execution challenges.
Risks and Asymmetries: What Could Break the Thesis
The most material risk is that hardware declines outpace software gains. While hardware is now 16% of revenue, management expects the shift away from consumer banking tokens to continue. If FIDO2 security keys fail to offset this decline—a key assumption for 2026 hardware guidance of $43-45M—total revenue could stagnate. Corporate banking still relies heavily on hardware tokens for high-value transaction signing, which provides some stability, but a rapid acceleration in mobile-first adoption could compress the timeline faster than OneSpan can cross-sell software alternatives.
Customer concentration is a factor. With over 60 of the top 100 global banks as customers, OneSpan is exposed to the banking sector's cyclicality and consolidation. A major bank merger could reduce authentication volumes. The company's geographic concentration—79% of revenue outside the US—creates FX volatility and regulatory exposure, particularly in EMEA.
Competitive pressure from Okta and Microsoft is intensifying. Okta's 12% revenue growth and 26.7% operating margins reflect its scale advantage, while Microsoft's bundling of Entra ID with Azure creates a competitive alternative. OneSpan's differentiation—hybrid deployment, hardware+software flexibility, and B2B2C pricing—is effective if customers continue to value these features. If the market consolidates around cloud-only, workforce-centric solutions, OneSpan's addressable market could be limited to highly regulated industries.
The execution risk on acquisitions is present. Nok Nok and Build38 require integration of technology and teams while maintaining product roadmaps. If cross-selling fails to materialize—specifically selling Nok Nok's FIDO2 software to hardware customers—the acquisitions may not drive the expected growth. The $3-4M Build38 EBITDA dilution in 2026 will be a factor if revenue synergies do not emerge in 2027.
Valuation Context: Mispriced Transformation or Value Trap?
At $11.58 per share, OneSpan trades at 6.16x trailing earnings, 1.77x sales, and 8.52x free cash flow. The 4.23% dividend yield and 25.53% payout ratio are characteristic of a mature business, yet this valuation is juxtaposed against an 80% software revenue mix, 74% gross margins, and 21.45% operating margins.
Peer comparisons highlight the disconnect. DocuSign trades at 31x earnings and 2.78x sales despite 8% growth and 10.48% operating margins. Okta commands 56x earnings and 4.46x sales with 12% growth and 6.57% operating margins. Adobe (ADBE), at 14x earnings and 4.07x sales, enjoys 38.76% operating margins. OneSpan's EV/EBITDA of 6.03x is significantly lower than DocuSign's 24.41x and Okta's 43.88x, suggesting the market has not yet priced in the software transformation.
The balance sheet quality supports the valuation. With net cash of roughly $7M, a current ratio of 1.50, and a quick ratio of 1.26, OneSpan has financial flexibility. The $100M undrawn revolver provides acquisition capacity without equity dilution. Return on equity of 30.10% and ROA of 8.63% demonstrate efficient capital deployment relative to many peers.
The key valuation question is whether OneSpan will eventually command a SaaS multiple. If the company achieves its $194-198M ARR target and demonstrates double-digit growth in 2027, a 3-4x revenue multiple would imply a stock price of $18-24. If growth remains at 5-6%, the stock likely trades sideways, supported by the dividend. The asymmetry favors long-term investors as downside is limited by cash generation and capital return.
Conclusion: A Software Business Priced Like Hardware
OneSpan's investment thesis hinges on a disconnect: the market sees a legacy hardware vendor, while the financials reveal a software business generating 74% gross margins and 21% operating margins. The transformation from hardware tokens to subscription authentication is 80% complete. The strategic acquisitions of Nok Nok Labs and Build38 fill critical product gaps, addressing specific ARR headwinds and focusing on technology completeness.
The path to Rule of 40 performance is clear. Incremental investments in sales and R&D will impact 2026 margins, but the Digital Agreements segment demonstrates the potential for leverage. The critical variable is North American execution: if the new CRO can replicate Digital Agreements' success in the security segment, OneSpan can offset hardware declines and achieve the double-digit ARR growth needed to command a software valuation multiple.
Risks are manageable. Hardware decline is predictable and largely priced in. Customer concentration is mitigated by deep integration. Competitive pressure from Okta and Microsoft is real, but OneSpan's hybrid flexibility and financial services focus create a defensible niche. The stock's 6x earnings multiple provides a margin of safety, while the 4.2% dividend yield provides a return during the transformation. For patient investors, OneSpan offers an asymmetric risk/reward profile based on its transition to a high-margin software compounder.
