Finom Passkeys: Revolutionizing Banking Security

1. Introduction to Finom Passkeys

Modern banking needs best-of-class security while also making customers lives easier. Thats why Finom, a pioneering, Amsterdam-based fintech has taken a significant leap forward by introducing passkeys as their new primary authentication method for their web app. As a testament to innovation, Finom's implementation of passkeys not only challenges the traditional password paradigm (+ traditional MFA via SMS OTP) but also aligns with the growing demand for more secure, convenient, and privacy-focused user experiences. This blog post delves into the technical settings and end-user benefits of Finom's passkey implementation, offering insights into why this approach could herald a new era for passkeys in banking and financial services.

2. Technical Insights Finom Passkeys

Passkeys represent a paradigm shift in authentication, moving away from the vulnerable password-based systems to a more secure, phishing-resistant authentication. Finom's web application embraces this technology, allowing users to authenticate via various devices - computers, smartphones, or hardware security keys (e.g YubiKeys), thus also supporting cross-platform / roaming authenticators.

Finom has introduced passkeys

Join them

2.1 Browser and OS Compatibility

Finom ensures broad accessibility by aligning with industry standards for browser and operating system compatibility. The following browser versions support passkeys (according to the official Finom passkeys FAQ):

• Chrome (v105+)
• Safari (v16+)
• Edge (v105+)

Contrary, to the official Finom passkeys FAQ, passkey authentication also worked during our testing on the latest Firefox version (v122) on Windows 11 23H2 and macOS Sonoma 14.2.1

Regarding the operating system support in general, for desktop devices, we tested passkey authentication successfully on Windows 11 and macOS Sonoma (theres no official minimum OS version stated in the FAQ).

Mobile device users must ensure their systems are updated to iOS 16+ or Android 9+ for full passkey support. The good thing is that the majority of mobile devices (over 94%) already support passkeys.

2.2 WebAuthn Server Options at Finom

The creation process of passkeys at Finom supports the full bandwidth of passkeys, employing a variety of transport modes including USB, NFC, BLE, hybrid, and internal options. This flexibility ensures that users have multiple options for authentication, fitting their personal preferences or situational needs.

2.2.1 Analysis of PublicKeyCredential-CreationOptions

Some aspects to highlight from the WebAuthn server settings and deeper analysis of the PublicKeyCredentialCreationOptions:

{
  "attestation": "direct",
  "authenticatorSelection": {
    "residentKey": "discouraged",
    "userVerification": "required"
  },
  "challenge": "JWi0v7X1X-O1UvXB_I5q2A",
  "excludeCredentials": [
    {
      "id": "ARt1Ba2haVHZNrw8FhKLc_V1LFMVdrsHbezmQ8jMP59lXscBnkTLxABNNR9dd499EG5PWY0VYSFtbui_XmYeJtM",
      "transports": [
        "usb",
        "nfc",
        "ble",
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "CaRVt041w10I948-OS6TBtAyVOUdak03b6BUyev3S3e7xOH99pS9GLgTURasdNH4HgKkazUmT0ejDbVpuDhAtQ",
      "transports": [
        "usb",
        "nfc",
        "ble",
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "3nOhnTkXXdyiBAfC60K7E_-OgKwwk57uewpwGCgJe44",
      "transports": [
        "usb",
        "nfc",
        "ble",
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    }
  ],
  "pubKeyCredParams": [
    {
      "alg": -7,
      "type": "public-key"
    },
    {
      "alg": -257,
      "type": "public-key"
    },
    {
      "alg": -37,
      "type": "public-key"
    },
    {
      "alg": -35,
      "type": "public-key"
    },
    {
      "alg": -258,
      "type": "public-key"
    },
    {
      "alg": -38,
      "type": "public-key"
    },
    {
      "alg": -36,
      "type": "public-key"
    },
    {
      "alg": -259,
      "type": "public-key"
    },
    {
      "alg": -39,
      "type": "public-key"
    },
    {
      "alg": -8,
      "type": "public-key"
    }
  ],
  "rp": {
    "id": "app.finom.co",
    "name": "app.finom.co"
  },
  "user": {
    "displayName": "Vincent Delitz",
    "id": "dmluY2RlbGl0aaBhb2wuY29t",
    "name": "vincent@corbado.com"
  }
}

• Usage of excludeCredentials parameter to avoid creation of a new passkey on a device with existing passkeys
• Relying Party ID set to "app.finom.co" to ensure secure, domain-specific authentication
• Direct attestation requires devices to provide attestation statements, thereby proving the authenticity of the authentication credentials
• userVerification is required thus ensuring that only the rightful user can initiate the authentication process
• Discouragement of residentKeys as Conditional UI is not yet rolled out. However, the behavior of passkey creation depends a lot on the authenticators if they take the value of residentKeys into consideration (see this article). Moreover, Finom would actually benefit to already create resident keys for future Conditional UI support. On the other hand site, this decision saves storage on hardware security keys (e.g. YubiKeys), as they often only have limited capacity for resident keys.

2.2.2 Analysis of PublicKeyCredential-RequestOptions

The PublicKeyCredentialRequestOptions are equally important, facilitating the authentication process with configurations that ensure flexibility and security:

PublicKeyCredentialRequestOptions.json
{
  "allowCredentials": [
    {
      "id": "ARt1Ba2haVHZNrw8FhKLc_V1LFMVdrsHbezmQ8jMP59lXscBnkTLxABNNR9dd499EG5PWY0VYSFtbui_XmYeJtM",
      "transports": [
        "usb",
        "nfc",
        "ble",
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "CaRVt041w10I948-OS6TBtAyVOUdak03b6BUyev3S3e7xOH99pS9GLgTURasdNH4HgKkazUmT0ejDbVpuDhAtQ",
      "transports": [
        "usb",
        "nfc",
        "ble",
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "3nOhnTkXXdyiBAfC60K7E_-OgKwwk57uewpwGCgJe44",
      "transports": [
        "usb",
        "nfc",
        "ble",
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    }
  ],
  "challenge": "s4R8Fsy7iSxxWIgUr7iTLA",
  "rpId": "app.finom.co",
  "userVerification": "discouraged"
}

• allowCredentials are set (all credentials are set independently of the device being used as a client by the user) to make sure only registered passkeys can be used
• userVerification is discouraged which is interesting in the login ceremony, as its required in the passkey creation ceremony.

2.2.3 Integrating Cross-Device Passkeys

A future-forward aspect of Finom's passkey implementation is the potential for cross-device passkey sharing. By analyzing the association files provided at https://app.finom.co/.well- known/assetlinks.json for Android and https://app.finom.co/.well-known/apple-app-site-association for iOS, it becomes evident that Finom is laying the groundwork for seamless passkey integration across its web and native mobile applications. Adding support for cross-device sharing, e.g. using your macOS passkey from the web application also in the native iOS app via iCloud Keychain sync can be quickly added. This initiative promises to further enhance the user experience by enabling effortless authentication across different platforms and devices.

3. Secure, Simple and Privacy-Enhancing UX

At the heart of Finom's passkey implementation lies a commitment to prioritizing three fundamental aspects: unmatched security, unparalleled simplicity, and uncompromising data privacy.

• Security: Finom's passkey system is engineered to establish a barrier against cyber threats. Unlike conventional passwords, passkeys are securely connected to the user's device and Finom's verified domain, virtually eliminating the risk of phishing and fraudulent access.
• Simplicity: The simplicity in Finom's passkey authentication is captured through its instantaneous login process. By using Face ID, Touch ID or Windows Hello, users can gain access to their accounts in mere seconds, without the hassle of typing out complex passwords. This streamlined authentication process not only enhances user convenience but also significantly reduces login times, setting a new standard for ease of access in the banking industry.
• Data Privacy: Finom places the highest priority on the privacy and security of user data. By employing a system where passkeys remain tied to the user's device, Finom ensures that personal information, including biometric data, stays under the user's control and is never shared with the server. This approach not only protects users' privacy but also empowers them with the confidence that their personal and financial information is safeguarded against unauthorized access and breaches.

3.1 Confirm Passkey Creation on New Devices

On new devices, the user needs to confirm the passkey creation either in the native Finom iOS / Android app via push notification or using an email magic link. Until the confirmation is provided, the user cannot create a passkey.

Confirm the passkey creation request via email:

Alternatively, you can confirm the passkey creation request via push notification (here natvie Android app):

After successful passkey creation, you will see this popup:

3.2 Passkey-First Login Flow

Finom simplifies the login experience by making passkeys the default authentication method (passkey-first) once the user's email address is entered and the user clicks on Continue (no password field displayed by default). This direct approach enhances user experience by eliminating unnecessary choices and de-prioritizing passwords. However, the absence of Conditional UI marks a potential area for future improvement.

3.3 Canceling Passkey Login Flow

When cancelling the passkey login flow in the passkey pop-up, the user receives the following warning:

If the user decides to click on Retry, the passkey login flow starts again and the passkeys pop-up (e.g. Face ID, Touch ID, Windows Hello) emerges allowing the user to scan the biometrics again.

It the user decides to click on Try another way, they are forwarded to the old login with email address and password input fields:

3.4 No Recommendation for Non-Private Devices

Finom strongly advises against the use of non-private or publicly accessible devices for passkey authentication (e.g. in public libraries). The inherent risk with such devices lies in their accessibility; anyone who can unlock the device (whether through a password, screen lock, or biometric data like fingerprints or facial recognition registered on the device) has the potential to authenticate as you and gain access to your account.

3.5 Cross-Device Authentication (via QR code and Bluetooth)

Embracing the multi-device reality of today's users, Finom supports cross- device authentication (hybrid transport) using QR code scanning and Bluetooth proximity checks. This feature allows for a fluid authentication experience across different devices, facilitating a seamless login from a passkeys stored on a mobile device while trying to access Finom from a desktop environment (see also this article for more details regarding cross-device authentication with passkeys).

3.6 Passkey Management (Rename and Remove a Passkey)

Finom has introduced intuitive passkey management features that empower users to customize and control their authentication methods. These features, including the ability to rename and remove passkeys, reflect a deep understanding of the necessity for flexibility and security in managing digital access.

• Multiple Passkeys for Different Devices: Finom recommends the creation of multiple passkeys across users' devices. This approach guarantees uninterrupted access to Finom's services via passkeys, catering to a seamless multi-device experience.
• Smart Duplicate Prevention: Leveraging the excludeCredentials parameter in the PublicKeyCredentialCreationOptions, Finom prevents the creation of duplicate passkeys on the same device. This measure not only enhances security but also streamlines the user experience by ensuring each device has a unique passkey.
• Passkey Deletion Confirmation Requires Passkey Authentication: Prior to the removal of a passkey, users are required to authenticate the action using a passkey. This added layer of security underscores the importance Finom places on safeguarding user access and ensures that only the rightful owner can make such significant changes.

Note that, the icon detection logic isnt as smart as it may seem at first. I stored the passkeys for the Google Password manager on my Android, however its displayed as Windows. The same applies for cross-platform / roaming authenticators like YubiKeys which are by nature not tied to a certain operating system.

3.7 Passkey Created Notification

After the successful creation of a passkey, the user will receive an email notification:

3.8 All Passkeys Deleted on Password Reset

In case the user has to reset their password, not only the device binding of the native iOS / Android is deleted but also all your passkeys are deleted. To be more precise, the public keys of the passkeys are deleted server-side making a login with passkeys impossible (even after you restored the device binding). The private keys of the passkey reside on the device but are useless for subsequent login attempts.

4. Finoms Passkey Strategy and Improvements

Finom's passkey implementation is not just about enhancing security and user experience; it's a strategic move towards cost savings from traditional SMS OTP systems and positioning itself as a modern, digital-first fintech that is confident to combat incumbent banks and financial institutions. The system's current design shows promise, with room for expansion into native app support, Conditional UI rollout and transaction confirmations via passkeys.

4.1 SMS OTP Cost Savings

By steering away from SMS OTP - a method historically marred by security gaps

• Finom lays the foundation for major benefits in their authentication and MFA strategy. This transition not only mitigates the risks associated with SMS OTP but also aligns with Finom's mission to harness cutting-edge technology to safeguard user data, enhance the banking user experience and save substantial costs for MFA via SMS OTP.

4.2 Roadmap for Improvements

During our testing, we identified some major areas for improvement:

• Expanding Passkey Support to Native Apps: Recognizing the ubiquity of mobile banking, Finom will hopefully soon roll out passkey support to its native iOS and Android applications which would also adhere to their mobile-first strategy. As a user, especially coming from a macOS desktop device, the login on the iOS app of an iPhone using the same iCloud Keychain connected can be substantially simplified compared to todays login experience.
• Passkey-Only Authentication: Over time, we also expect Finom to promote passkeys as the first and only factor on passkey-ready devices. This also includes the creation of new accounts with passkeys as the only form of authentication (with some fallbacks as backup).
• Implementing Conditional UI: The introduction of Conditional UI would be another major optimization for the user experience that has shown to be great success for the adoption of passkeys at other players.
• Use Passkeys for Payment Confirmation: During our testing, we also made a test payment to check if the payment confirmation works with passkeys as well. However, Finom still uses native app push notifications and SMS OTP for confirmation (the latter one being a substantial cost driver). This could be for regulatory purposes but we hope that passkeys can be employed in the future here as well.

Become part of our Passkeys Community for updates and support.

Join

4.3 PSD2 Compliance with Passkeys

One question still remains unanswered in Finom's passkey strategy: What is Finom's stance on PSD2 and SCA compliance with passkeys? This issue has generally not been fully addressed, but it would have been interesting to learn more about Finom's perspective on this matter. For more insights and thoughts on the PSD2 compliance of passkeys, refer to this blog post.

5. Conclusion

Finom's passkey rollout stands as a prime example for the banking and financial service sector, showcasing how fintechs can lead in adopting advanced security measures that cater to modern users' needs. By providing a detailed analysis of Finom's passkey system, this blog post aims to help other software developers, product managers, and security specialists learn about the implementation of passkeys in the financial and banking sector.