Passkeys Canada: An Overview [2025]

Discover how Canada is advancing passkey adoption across banking, retail and digital IDs driven by regulation, security needs and user-friendly technology.

Vincent Delitz

Created: April 23, 2025

Updated: April 27, 2025


1. Introduction

In this post, we provide a concise overview of the current state of passkey implementation in Canada. Passkeys represent the next generation of secure and user-friendly authentication, moving beyond the vulnerabilities of traditional passwords. As a leader in passkey solutions, we are keenly observing how different regions are adopting this technology. Canada presents a fascinating case study, influenced by specific regulatory drivers, financial sector activities and evolving public perception.

This article explores five key questions:

  1. What exactly are passkeys and why are they especially relevant for Canada?
  2. How is Canada’s regulatory landscape driving adoption?
  3. To what extent are financial institutions and retailers implementing passkeys?
  4. How do Canadians perceive passkeys and what drives or limits adoption?
  5. What are the main challenges to scaling passkey usage nationwide and how can they be overcome?

By answering these questions, we aim to highlight the key developments, challenges and milestones that have shaped Canada’s evolving passkey landscape in recent years – from regulatory shifts to real-world adoption.

2. What are Passkeys and why are they essential for Canada?

2.1 Defining Passkeys

Passkeys replace traditional passwords with a much simpler and more secure way to log into websites and apps. Instead of typing a password, you use your device's built-in security features, like your fingerprint, face recognition or device PIN, to sign in. Each passkey is unique to the website or app it's used for and is stored securely right on your device(s). This makes them highly resistant to common online threats like phishing scams and large-scale data breaches, where passwords might be stolen.
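
How the per-site binding described above defeats phishing, as an added example that is not code from the original article: it shows the site-binding checks a server applies to a passkey (WebAuthn) login response. Domain names, function names and sample values are assumptions constructed for illustration; signature verification is a separate required step not covered here.

```python
import hashlib
import json
import struct

RP_ID = "bank.example"                    # hypothetical relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # hypothetical site origin


def build_assertion(origin, rp_id, challenge):
    """Constructed stand-in for the two structures a login returns."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    flags = 0x01 | 0x04                   # user present, user verified
    counter = struct.pack(">I", 7)        # signature counter, big-endian
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter
    return client_data, auth_data


def check_site_binding(client_data, auth_data, challenge):
    """Server-side checks that tie an assertion to this site and this login.

    Verifying the signature over auth_data || SHA-256(client_data) with the
    stored public key is a further required step, not shown here.
    """
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return "reject: wrong type"
    if data.get("challenge") != challenge:
        return "reject: challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"
    if len(auth_data) < 37:
        return "reject: authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "reject: user presence flag not set"
    return "accept"


if __name__ == "__main__":
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # constructed base64url value
    for origin, rp_id in [
        ("https://bank.example", "bank.example"),
        ("https://bank-example.login.test", "bank-example.login.test"),
    ]:
        cd, ad = build_assertion(origin, rp_id, challenge)
        print(origin, "->", check_site_binding(cd, ad, challenge))
```

A response produced on a look-alike domain carries that domain in its origin and RP ID hash, so it fails these checks even when the user was fully deceived.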

2.2 Why Passkeys Matter Specifically in Canada

The push towards passkeys in Canada is driven by several key factors:

2.2.1 Reducing Fraud

Canada faces significant challenges with financial fraud. A September 2022 survey indicated that 25% of Canadians experienced fraud in the previous three years. The Canadian Anti-Fraud Centre (CAFC) highlighted numerous scam calls and phishing texts impersonating banks in 2022. Passkeys offer inherent resistance to phishing and credential stuffing attacks, directly addressing these vulnerabilities and aligning with calls from the financial sector and government for stronger consumer protection.

2.2.2 Aligning with Digital Identity Initiatives

Canada is actively developing its digital identity ecosystem, including work on a pan-Canadian digital identity framework led by organizations like the Digital ID & Authentication Council of Canada (DIACC). Passkeys, being a user-friendly and secure credential technology based on FIDO standards, naturally align with these efforts, potentially serving as a key authentication method within future digital ID systems for both public and private sector services.


3. The Regulatory Environment: Setting the Stage for Change

Canada's regulatory landscape doesn't explicitly mandate passkeys yet, but several pieces of legislation and key guidelines create a strong motive and baseline for adopting more robust authentication methods.

3.1 OSFI Guideline B-13: a major Catalyst

Perhaps the most significant recent regulatory driver is Guideline B-13 from the Office of the Superintendent of Financial Institutions (OSFI), which came into effect on January 1, 2024. This guideline sets new expectations for technology and cyber risk management for federally regulated financial institutions (FRFIs). Key aspects relevant to passkeys include:

  • Emphasis on Risk-Based Controls: Guideline B-13 mandates robust identity and access management, including stronger multi-factor authentication (MFA) requirements.
  • Discouraging Weak Methods: It explicitly addresses the vulnerabilities inherent in common methods like SMS-based one-time passwords (OTPs), noting their susceptibility to interception and phishing – methods still prevalent among Canadian FIs. OSFI calls for "safer, more reliable" authentication.
  • Driving Innovation: OSFI stated the guideline aims to provide necessary guidance while allowing FIs "to compete effectively and take full advantage of digital innovation." Passkeys fit this description as an innovative, more secure alternative.

Guideline B-13 represents the first formal regulatory directive in Canada pushing FRFIs towards demonstrably safer MFA, making passkeys a compelling solution for compliance. A more detailed analysis can be found here.

3.2 Privacy Legislation Supporting Stronger Security

3.2.1 PIPEDA

The federal Personal Information Protection and Electronic Documents Act governs how private organizations handle personal data. While technology-neutral, it requires "appropriate security safeguards." The Office of the Privacy Commissioner of Canada (OPC) has issued guidance favouring strong authentication, indirectly supporting passwordless approaches like passkeys.

3.2.2 Provincial Laws

Quebec's modernized Law 25 (formerly Bill 64) imposes stricter data protection rules, potentially pushing organizations towards more secure authentication. Alberta's PIPA and BC's PIPA also require suitable security controls.

3.2.3 Bill C-27

Bill C-27, the Digital Charter Implementation Act (2022), introduces the Consumer Privacy Protection Act (CPPA), mandating organizations to implement appropriate security safeguards, including reasonable measures to verify individual identities. This requirement underscores the importance of robust and secure authentication practices, strongly aligning with modern, phishing-resistant solutions like passkeys.

3.3 Government Password Guidance

Beyond specific regulations, the Government of Canada has published password guidance for its own systems that reflects modern security thinking:

  • Recommending longer passwords (12+ characters) without maximum length limits.
  • Eliminating complexity and mandatory expiry requirements.
  • Implementing blocklists for weak passwords.

This guidance acknowledges the limitations of traditional password policies and aligns with the principles underpinning passkeys: enhancing security while reducing user friction.

3.4 Other Influences: FINTRAC and Payments Canada

Moreover, there are additional influences that favor passkeys in Canada:

3.4.1 FINTRAC

While primarily focused on Anti-Money Laundering (AML), FINTRAC’s recommendations for secure authentication help prevent fraudulent account creation used in money laundering, creating an indirect link.

3.4.2 Payments Canada

As the operator of Canada's payment systems, Payments Canada recognizes the need for strong authentication in its "Modernizing Payments" initiatives, often framing passkeys within the broader category of next-generation authentication.


4. Financial Sector Adoption: From Pilots to Pioneers

The Canadian financial sector, under pressure from regulators like OSFI and facing rising fraud rates, has been actively exploring and beginning to implement passkey technology.

4.1 Early Exploration by Major Banks

Canada's banks were involved in exploring FIDO2 and passwordless options during this period:

4.1.1 RBC Passkeys

RBC’s Joseph Choi helped create the FIDO Alliance’s "Passkeys: The Journey to Prevent Phishing Attacks" white paper, published in March 2025, which indicates that RBC actively seeks industry collaboration and engages within the FIDO Alliance.

4.1.2 TD Bank Passkeys

While there are rumors about TD Bank exploring passkeys as a form of passwordless login, there is not yet an official confirmation of passkeys being introduced on TD Bank's consumer platforms.

4.1.3 Scotiabank, BMO, CIBC and Passkeys

All three banks (Scotiabank, BMO, CIBC) have implemented biometric authentication in mobile apps (e.g., Face ID, Touch ID – see the difference between passkeys vs. local biometrics). Passkeys have not been officially announced yet.

4.2 PayPal: A Public Pioneer in Canada

A significant public step forward occurred in June 2023, when PayPal announced the expansion of passkey support to its Canadian customers on both Apple and Android devices. As a founding member of the FIDO Alliance, PayPal became one of the first major financial service companies to offer this passwordless login option widely in Canada, allowing users to authenticate via device biometrics or PINs.

4.3 Credit Unions, FinTechs and Insurance

  • Credit Unions: Credit unions expressed interest in FIDO-based solutions, though adoption tends to lag due to resource constraints. Consortium solutions might accelerate uptake.

  • FinTechs: Firms showed public interest in passwordless authentication to enhance security and reduce operational costs (e.g., account resets).

  • Insurance: Providers, also regulated by OSFI, began exploring passkey pilots, particularly for high-value corporate or advisor accounts.


5. Beyond Banking: Passkeys enter the Retail Space

Interest in passkeys isn't limited to traditional finance. As of mid-2023, Shopify introduced passkey support for its platform, allowing users to sign in without passwords using biometric authentication. This marks a significant step by a major Canadian e-commerce provider and suggests that retailers with large digital ecosystems are beginning to adopt passkeys, potentially accelerating adoption beyond the banking sector.

A more detailed analysis on Shopify passkeys can be found here.


6. Public Perception and Awareness: Interest tempered by Uncertainty

Understanding how Canadians view passkeys is crucial for successful adoption.

6.1 Insights from Payments Canada Research

A study reported by Payments Canada provides valuable insights:

  • Appeal: Exactly half (50%) of Canadians found passkeys an appealing alternative to usernames and passwords.

  • Likelihood to Use: 47% indicated they would likely use passkeys for email, banking, or e-commerce if offered.

  • Hesitancy: However, 23% did not find them appealing, and 27% were neutral.

  • Concerns: Among those hesitant, primary concerns were:

    • Perception of lower security (27%)

    • Lack of interest or need (20%)

    • Confusion or perceived complexity (16%)

    • Lack of understanding (12%)

    • Lack of trust (7%)

These findings underscore a significant need for public education to clarify how passkeys work and address security misconceptions.

6.2 Demographic Variations

The same Payments Canada research highlighted that certain demographics, like newcomers to Canada (53% likely) and gig workers (47% likely), showed higher inclination towards using newer authentication technologies, suggesting potential early adopter groups.

6.3 General Awareness and Media Framing

  • Overall Awareness: General public awareness of the term "passkeys" remained relatively low as of 2023, often conflated with familiar biometrics (fingerprint/Face ID). This has probably changed since then due to major rollouts and the push for passkeys by tech giants like Amazon, eBay or KAYAK.

  • Media Coverage: Mainstream outlets (CBC, Globe and Mail, Financial Post) began mentioning passkeys around 2020-2021, often within broader cybersecurity articles about the "death of passwords." Coverage increased after Apple and Google's major announcements in 2022. Tech-specific media (BetaKit, MobileSyrup) provided more detailed coverage, including interviews with Canadian experts. The narrative often focuses on the broader "passwordless" transition rather than just passkeys specifically.


7. Voices from the Field: Canadian Experts weigh in

Canadian cybersecurity professionals generally support the shift towards passkeys. One example is Claudette McGowan (Founder of Protexxa, ex-BMO, ex-TD), who emphasized that during her extensive banking career, human error related to passwords was consistently the top vulnerability, not technology failures like encryption or firewalls. "There was always a human in the middle."

8. Government and Digital Identity Alignment

Passkey adoption intersects with broader Canadian government digital initiatives:

9. Overcoming Hurdles: Challenges to Widespread Adoption

Despite the momentum, several challenges remain for widespread passkey adoption in Canada:

  • Consumer Education: As highlighted by the Payments Canada research, significant confusion and misconceptions persist. Users need clear explanations about how passkeys work, how they are stored (on-device vs. synced), and their security benefits compared to passwords. Banks anticipate a transition period supporting both methods.

  • Legacy System Integration and Cost: Transitioning from existing authentication infrastructure to support passkeys can be complex and costly, especially for institutions with deeply embedded legacy systems. Smaller FIs may be particularly cautious about the required investment and ROI.

  • Regulatory Clarity: While OSFI's B-13 provides a strong push for FRFIs, broader regulatory clarity or specific endorsements for passwordless solutions across other sectors could further accelerate adoption.

  • Integration with Digital ID: Effectively integrating passkeys into the developing pan-Canadian digital identity ecosystem requires ongoing coordination and standardization efforts.

10. Conclusion: Canada at the Tipping Point for Passkey Adoption

Canada's journey towards passwordless authentication with passkeys has reached a tipping point for accelerated adoption. While initial progress might have appeared measured compared to some global leaders, the convergence of key factors now signals a significant shift.

  1. What are passkeys and why do they matter for Canada?
    Canada faces growing fraud threats and is advancing digital identity initiatives, both areas where passkeys offer a meaningful upgrade in security and usability.
  2. How is regulation pushing change?
    OSFI’s Guideline B-13 is a major catalyst, encouraging banks to move beyond vulnerable methods like SMS OTPs and adopt stronger, phishing-resistant solutions like passkeys.
  3. How far has implementation gone?
    We’re seeing strong momentum: PayPal has launched passkeys in Canada, major banks are piloting solutions, and Shopify has brought passkeys to the retail world.
  4. What does the public think?
    There’s curiosity: Nearly half of Canadians are open to using passkeys, but awareness and trust still need to grow. Education will be key to bridging this gap.
  5. What challenges remain?
    Device compatibility, legacy systems and the need for clearer cross-sector guidance all pose hurdles, but they’re increasingly seen as solvable with the right focus and collaboration.

In sum, passkeys are no longer a fringe innovation; they are quickly becoming central to Canada’s digital authentication landscape. The next phase will be about scale, trust and seamless integration, and Canada is well-positioned to lead that transition.
