Executive Summary / Key Takeaways
-
OneSpan is executing a deliberate transformation from a legacy hardware token business to a software-centric model, with software now exceeding 80% of revenue and delivering double-digit subscription growth despite a 20% decline in hardware sales.
-
The company maintains exceptional profitability with 32% Adjusted EBITDA margins and 24% net margins, while initiating a 3.6% dividend yield and $25 million annual shareholder return program, demonstrating capital discipline rare in the identity security space.
-
Strategic acquisitions of Nok Nok Labs (FIDO2 passwordless software) and a 15% stake in ThreatFabric (fraud intelligence) position OneSpan to capitalize on the shift toward mobile-first authentication and AI-driven fraud prevention, though meaningful revenue contributions are a 2026 story.
-
The investment thesis hinges on whether OneSpan can accelerate software growth to offset hardware headwinds while competing against larger platforms; current valuation at 8.9x earnings and 7.3x EV/EBITDA appears to undervalue the durability of its $180 million ARR base and 103% net retention rate.
-
Critical variables to monitor include FIDO2 software adoption momentum, Digital Agreements segment operating leverage, and the pace of hardware decline in EMEA, where economic weakness has already prompted management to lower 2025 revenue guidance by $6 million.
Setting the Scene: The Identity Security Crossroads
OneSpan Inc., founded in 1991 and formerly known as VASCO Data Security International, operates at the intersection of digital identity, authentication, and secure agreements. The company generates revenue by selling multi-factor authentication solutions, mobile app shielding software, and electronic signature platforms primarily to financial institutions and enterprises conducting high-value digital transactions. Unlike broader identity management platforms that compete for every enterprise login, OneSpan has carved out a specialized niche securing the most sensitive financial workflows—think wire transfers, loan approvals, and regulatory compliance documents.
The industry structure reveals why this positioning matters. Banks in EMEA and APAC are rapidly abandoning physical hardware tokens for mobile-first authentication, a secular shift that has decimated OneSpan's legacy Digipass hardware business from 100% of consumer banking authentication a decade ago to less than 20% today. Simultaneously, the rise of FIDO2 passwordless standards and AI-driven fraud attacks is forcing institutions to upgrade authentication infrastructure. OneSpan sits at this inflection point: its hardware revenues are declining predictably, but its software solutions—particularly cloud authentication and app shielding—are growing double-digits, creating a classic business model transition that the market has yet to fully appreciate.
The competitive landscape intensifies this dynamic. Microsoft (MSFT), Okta (OKTA), and CyberArk (CYBR) offer broader identity platforms with deeper enterprise reach, while DocuSign (DOCU) dominates e-signatures. OneSpan's moat isn't scale but specialization: it combines hardware-grade security with software flexibility, serving banks that require both on-premise control and cloud scalability. This trusted position in financial services creates switching costs that generalist competitors struggle to replicate, but it also limits OneSpan's addressable market and growth velocity compared to its larger rivals.
Technology, Products, and Strategic Differentiation
OneSpan's core technology advantage lies in its hybrid authentication architecture that seamlessly integrates legacy hardware tokens, modern FIDO2 security keys, mobile app shielding, and cloud-based authentication software. This matters because most financial institutions cannot rip and replace existing infrastructure—they need gradual migration paths. While Okta and Microsoft push cloud-native solutions that require complete ecosystem lock-in, OneSpan's platform allows banks to maintain existing Digipass hardware for legacy users while deploying FIDO2 software (via the Nok Nok acquisition) for new customers, preserving revenue during transitions.
The Nok Nok Labs acquisition in June 2025 exemplifies this strategy. For $18.4 million, OneSpan acquired S3, a leading FIDO2 passwordless authentication platform that already secured two new six-figure deals within four months. The technology enables extreme scalability—millions of users with low-latency performance—and flexible deployment across cloud and on-premise environments. This is crucial because FIDO2 adoption is accelerating, with the U.S. and Japan leading and passkeys expected to become the global standard. OneSpan can now offer both hardware and software FIDO2 solutions, cross-selling to its extensive banking customer base and capturing revenue that would otherwise flow to pure-play competitors.
The Digital Agreements segment demonstrates similar integration advantages. OneSpan Sign e-signature and Notary solutions combine identity verification, electronic signatures, and digital workflows into a single platform. This matters because it addresses the entire agreement lifecycle, not just signature capture like DocuSign. The segment achieved record operating income of $4.2 million in Q3 2025 on 9% revenue growth, with gross margins holding steady at 72%. Management plans deeper AI integration over the next 12 months, which could further differentiate the platform by automating compliance checks and fraud detection during the signing process.
Research and development efforts, led by newly hired CTO Ashish Jain, focus on internal development of FIDO2 security keys and AI-enhanced fraud prevention. The company launched hardware security keys in 2024 and expects them to contribute meaningfully in 2026. This dual R&D approach—acquiring proven technology while developing complementary products—reduces execution risk and accelerates time-to-market, a critical advantage as AI-driven attacks evolve rapidly.
Financial Performance & Segment Dynamics: Profits Amid Transition
OneSpan's Q3 2025 results provide compelling evidence that the software pivot is working financially, even as hardware headwinds persist. Total revenue grew 1% to $57.1 million, a modest headline figure that masks a powerful underlying mix shift. Subscription revenue surged 12% organically to $37.8 million, while hardware revenue plunged 19.6% to $9.7 million. This shift is significant because higher-margin software is replacing hardware revenue, leading to improved consolidated gross margins of 74% from 71% year-over-year, even as Security Solutions gross margins held at 74% despite the revenue decline.
The segment dynamics reveal the transformation's mechanics. Security Solutions revenue dipped 1% to $40.3 million, but subscription revenue within the segment grew 13% to $21.1 million, driven by cloud authentication, app shielding, and a modest contribution from Nok Nok. Hardware's 20% decline was expected, but the segment still generated $17 million in operating income at a 41% margin. This demonstrates that OneSpan can maintain profitability while managing the hardware sunset, a feat many legacy technology companies fail to achieve.
Digital Agreements emerged as the growth engine, with revenue up 9% to $16.7 million and subscription revenue growing 11% to $16.7 million. The segment's operating income more than doubled to $4.2 million, achieving a 25% operating margin. This operating leverage is structural: the segment has substantially completed its SaaS transition, sunsetting on-prem e-signature products and converting maintenance revenue to higher-value subscriptions. With ARR growing 8% to $65 million and gross margins stable at 72%, Digital Agreements is positioned to drive consolidated margin expansion as it becomes a larger portion of the mix.
Annual Recurring Revenue reached $180.2 million, up 10% year-over-year, with a net retention rate of 103%. While NRR declined from 106% due to fewer expansion contracts in EMEA, it remains above 100%, indicating existing customers continue to spend more over time. This is crucial for valuation: a 10% ARR growth rate on a $180 million base with 103% retention implies durable, predictable cash flows that deserve a premium multiple, yet the stock trades at just 8.9x earnings.
Adjusted EBITDA hit $17.5 million in Q3 (30.7% margin) and $58.2 million year-to-date (32% margin), both records. The company generated $47 million in operating cash flow during the first nine months, a 26% cash conversion rate that funded $6.3 million in share buybacks and $4.7 million in quarterly dividends. With no long-term debt and $85.6 million in cash, OneSpan has the balance sheet flexibility to pursue acquisitions while returning capital, a balanced approach that reflects management's confidence in the transition.
Outlook, Management Guidance, and Execution Risk
Management's guidance for 2025 reveals both confidence and caution. Revenue guidance was lowered to $239-241 million from $245-251 million, reflecting a $6 million reduction at the lower end of the range, driven by additional hardware headwinds and slower net expansions in EMEA security business. This highlights OneSpan's geographic concentration risk, as Europe remains a historically large market where economic weakness directly impacts growth. However, the company maintained Adjusted EBITDA guidance of $72-76 million, implying it can absorb revenue shortfalls through cost discipline and mix improvement.
The software revenue guidance of $190-192 million (3-4% growth) appears conservative given Q3's 12% subscription growth. CFO Jorge Martell attributed the reduction to "lower activity with respect to net expansions and new logos, primarily net expansions" in EMEA and APAC. This suggests the sales organization, particularly in North America where OneSpan started a dedicated security sales effort in July 2024, is still scaling from a small base. The modest guidance creates potential for upside if the North American sales team gains traction or if FIDO2 adoption accelerates faster than expected.
CEO Victor Limongelli emphasized that 2025 is about "putting the pieces in place while continuing to operate with strong profitability to enable growth." The Nok Nok acquisition is expected to be accretive to Security operating income in Q4 2025, while ThreatFabric's contribution is "largely a 2026 story." This extended timeline suggests the stock may remain range-bound until tangible evidence emerges that these strategic bets are driving accelerated ARR growth. Management's focus on achieving "Rule of 40 performance"—balancing growth and profitability—suggests they will prioritize margin expansion over revenue growth if necessary, a prudent strategy that could limit upside but protects downside.
The FIDO2 opportunity represents the largest potential upside asymmetry. Limongelli believes "there is a large opportunity in the coming years for S3 as FIDO2 becomes more widely adopted," with the U.S. and Japan leading initially. If OneSpan can convert even a fraction of its existing banking relationships to S3 software licenses, the revenue impact could be material. The two new logos closed in four months, while small, validate the product-market fit and build pipeline for 2026. Success here would transform OneSpan from a hardware-dependent legacy vendor to a leading passwordless authentication provider.
Risks and Asymmetries: What Could Break the Thesis
The most material risk is the pace of hardware decline exceeding software growth, creating a revenue treadmill that compresses margins. Hardware revenue fell 22% year-to-date to $34.8 million, now representing less than 20% of the business. While management believes the decline will stabilize around 12-15% of revenue, a faster drop could overwhelm software gains. This risk is acute in EMEA, where economic weakness has already impacted net expansions and where banks are aggressively shifting to mobile authentication. If European banks accelerate token retirement beyond expectations, OneSpan could face another guidance cut.
Competitive pressure from larger platforms represents a strategic vulnerability. Microsoft Entra ID, Okta, and CyberArk have substantially greater R&D resources and sales reach. While OneSpan's hybrid approach is differentiated, these competitors could bundle authentication into broader identity suites at lower prices, eroding OneSpan's market share. The risk is particularly high in North America, where OneSpan's security sales effort is nascent. If the company cannot scale its go-to-market organization quickly, it may miss the FIDO2 adoption wave to better-funded rivals.
Execution risk on acquisitions could derail the growth story. The Nok Nok integration is still in early stages, with provisional accounting incomplete and deferred consideration payments ongoing. If S3 software fails to gain traction or if key Nok Nok personnel depart, the $18.4 million investment could generate minimal returns. Similarly, the ThreatFabric partnership requires successful sales enablement to monetize mobile threat intelligence. OneSpan's track record includes discontinuing blockchain technology investments in 2024, demonstrating that not all strategic bets pay off.
On the positive side, an asymmetry exists in Digital Agreements' operating leverage. The segment's 25% operating margin could expand further as AI integration drives premium pricing and automation reduces service costs. If OneSpan can accelerate growth in this segment beyond the mid-single-digit guidance, it would diversify revenue away from hardware and security, creating a more resilient business model. A breakthrough in AI-powered fraud prevention could also differentiate the platform enough to command higher prices and win larger enterprise deals.
Valuation Context: Profitable Growth at a Discount
Trading at $13.22 per share, OneSpan carries a market capitalization of $507 million and enterprise value of $431 million. The stock trades at 8.9x trailing earnings and 7.3x EV/EBITDA, a significant discount to identity security peers. DocuSign trades at 48x earnings and 42x EV/EBITDA, Okta at 82x earnings and 67x EV/EBITDA, and CyberArk—though unprofitable—commands 17.6x EV/Revenue. This valuation gap suggests the market views OneSpan as a legacy hardware vendor rather than a growing software company.
The valuation metrics that matter most for OneSpan's story are cash flow-based multiples. The stock trades at 9.9x free cash flow and 8.6x operating cash flow, implying a 10-12% cash yield on enterprise value. With a 3.6% dividend yield, 24% payout ratio, and ongoing buybacks, OneSpan is returning nearly 40% of its free cash flow to shareholders while maintaining a net cash position and investing in growth. This capital allocation profile is superior to most software peers, who retain all cash for growth.
Balance sheet strength provides downside protection. With $85.6 million in cash, no debt, and a $100 million undrawn credit facility, OneSpan has 1.5 years of operating expenses in cash and ample capacity for acquisitions. The 1.75 current ratio and 0.04 debt-to-equity ratio compare favorably to Okta's 1.47 current ratio and DocuSign's 0.73 current ratio, indicating stronger liquidity. This financial stability means OneSpan can weather economic downturns and invest through cycles, a key advantage over leveraged competitors.
The disconnect between valuation and fundamentals appears stark. OneSpan's 10% ARR growth, 103% net retention, and 32% EBITDA margins would typically command a premium multiple in today's software market. Yet the stock trades like a no-growth value play. This suggests either the market is skeptical of management's ability to sustain software growth or is applying a hardware discount that no longer reflects the business reality. If OneSpan can demonstrate two consecutive quarters of accelerating subscription growth, the multiple expansion potential is significant.
Conclusion: A Transition Story at an Inflection Point
OneSpan has successfully navigated the most perilous phase of its business model transformation, exiting 2024 with a fixed cost structure and entering 2025 with both business units profitably positioned for growth. The software business now exceeds 80% of revenue, delivering double-digit subscription growth and 10% ARR expansion despite hardware headwinds and EMEA economic weakness. This achievement, combined with record profitability and disciplined capital allocation, demonstrates management's ability to execute a complex strategic pivot.
The investment thesis rests on whether OneSpan can accelerate software growth enough to achieve the "Rule of 40 performance" management targets while maintaining its specialized competitive moat in financial services authentication. The FIDO2 opportunity via Nok Nok Labs and the fraud prevention enhancement from ThreatFabric provide clear catalysts for 2026, but execution risk remains. The North American sales effort, though growing from a small base, must scale rapidly to capture the U.S.-led FIDO2 adoption wave.
At 8.9x earnings with a 3.6% dividend yield and net cash balance sheet, the stock appears to price in minimal growth, creating an attractive risk-reward asymmetry. If OneSpan can convert its banking relationships to S3 software and expand Digital Agreements' operating leverage, the combination of multiple expansion and earnings growth could generate substantial returns. Conversely, if hardware declines accelerate or competitive pressure intensifies, the downside is cushioned by strong cash generation and a valuation floor that already reflects low expectations. The next two quarters will reveal whether this transition story is ready for its next chapter.
