Explore how synced and device-bound passkeys meet SCA compliance in our latest blog, detailing their roles in secure online banking authentication.
Vincent
Created: April 15, 2024
Updated: December 16, 2024
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.
After having analyzed, the differences between device-bound and synced passkeys in the first part of our series, and the specific requirements of SCA in the second part of our series, we now combine the two fields and work on the application and real-life conclusions for banks, fintechs and financial institutions.
In the following, we will focus on a scenario where SCA applies to the use case of accessing online banking accounts. The goal is to find out the real-life legal applicability of passkeys.
We start by taking a look at typical SCA architectures of banks today, learn why device-binding has been around for a while and how passkeys could serve as the next step in user authentication.
Recent Articles
The European banking system for consumers can widely be divided between traditional banks with stationary branches and neo-banks that have evolved as app-first fintechs / banks that often do not have a desktop website or branches for banking.
Traditional Banks | Neo-Banks | |
---|---|---|
Primary User Device | Desktop | Native App |
Primary Username | Account number Username | Mobile number |
First Factor | PIN or Password | SMS TAN (sometimes + PIN) |
Second Factor | SMS TAN Native App Push Notification eTAN / ChipTAN PhotoTAN / QR-Code | Native App Push Notification Public / Private Keypair |
Additional HW | eTAN / ChipTAN Generator PhotoTan / QR-TAN (optional) | - |
Recovery | In-Person Via Mail Post Offline / Online Identification | Security Password Selfie-Ident with Email Online-Identification |
The array of authentication options has evolved considerably, but many traditional banks still rely on easily phishable knowledge factors as the primary security measure (e.g. PIN or password), which can give potential attackers access to user accounts. This vulnerability may allow them to circumvent further security layers, e.g. by exploiting less secure methods like SMS TAN for fraudulent purposes. For second factors in traditional banking, especially when focusing on native apps, “device binding” has been the standard. When the device was reinstalled from a backup (in case of a device change), the association with the banking app was lost causing a sub-optimal UX.
Subscribe to our Passkeys Substack for the latest news, insights and strategies.
SubscribeAs we have outlined above, banking apps that provide the second authentication factor via a native application, through methods such as scanning a QR code, Photo-TAN, or receiving or generating a one-time passcode (OTP), user accounts are bound to a this specific mobile device.
The fundamental process of utilizing a native application as a second authentication factor involves generating a public/private key pair. This pair is then linked to the user's account on the provider's side by submitting the public key to the provider. This submission often occurs during the completion of the initial identification process or service registration, usually as part of the recovery mechanism mentioned earlier. The native application retains the private key to sign future challenges, one-time passcodes (OTPs), or push notifications. This process effectively demonstrates that the second factor of authentication, namely "possession," is securely maintained.
Let’s first go back to remember the statements by the regulators to gather the corresponding requirements that apply in this scenario:
The only way to ensure the credentials’ safety was to use the hardware security modules provided by the operating systems (e.g. secure enclaves, TPMs, TEEs). They ensured that the keys would never leave the mobile phone because keys stored in these operating system hardware security modules are not exportable,durable (some of the settings configurable depending on the operating system) and are therefore not included in device backups.
The private key storage in the hardware security module was necessary because there was no guarantee that the device was sufficiently protected to prevent an attacker from extracting the private key from the application storage of a native app – even from its “private space”(!= hardware security module).
Since mobile devices are often backed up to desktop computers and cloud services, this presents a considerable security risk. There’s no assurance that these backups and cloud copies are secured in accordance with the stringent customer authentication standards mandated by PSD2 regulations. Specifically, there may be no multi-factor authentication (MFA) guarantee, no encryption, and no measures in place to prevent unauthorized access.
This is also outlined in #EBA2019.26: a device binding would be necessary to actually be able to identify that this specific key pair belongs to a specific user. The device-binding therefore does not constitute a requirement in itself. It evolved as consequence of storing the private key into the hardware security module in the mobile phone as the only way to fulfill secure storage requirement. Therefore, the resulting experience was that a device loss or device change would lead to losing the device binding.
Storing Location of Private Key | General Storage | Hardware Security Modules |
---|---|---|
Private key protected from other apps | yes | yes |
Private key protected from other apps on rooted device | no | yes |
Private key protected in cloud backup (or private key is not backed up) | no | yes |
Private key backups are 2FA protected (or private key is not backed up) | no | yes |
The table above clearly shows that storing the private key in a hardware security module system is without alternative, leaving developers with no opportunity to enable secure key mobility between consumer devices.
To find out if device-bound and synced passkeys are compliant to SCA, lets go through all necessary steps and requirements we have laid out above in our definitions. Let’s first start with generic things that apply to both passkey types (device-bound & synced).
Passkeys fulfil, all general requirements to constitute an authentication process that is SCA-compliant. For possession factors via apps & private-public cryptography, the EBA has provided some additional requirements that have to be checked (#EBA2019.24-26), which we will do in the following paragraphs.
Become part of our Passkeys Community for updates and support.
JoinThe last requirement that needs to be checked is that the passkey is safely associated with the user, there is proof of possession, and that the private key is securely stored with mitigation measures. Let’s go through them one by one:
Now we have reached the important distinction point between device-bound passkeys and synced passkeys.
Passkeys in general are always stored in the hardware security module as we have discussed in the beginning of the article. Their only difference is the key-portability with cloud syncing.
Let’s unpack the differences by adjusting our table from above to include a column for device-bound and a column for synced passkeys. The core question we want to answer with this analysis is:
What are the security differences between device-bound passkeys and synced passkeys?
Security Feature | Device-Bound Passkeys | Synced Passkeys |
---|---|---|
Private key stored in hardware security module | yes | yes |
Private key protected from other apps | yes | yes |
Private key protected from other apps on rooted device | yes | yes |
Private key protected in cloud backup | not backed up | yes |
Private key backups are 2FA protected | not backed up | yes |
Private key available on multiple devices | no | yes |
The main difference is that the private keys will be part of backups and can be access from multiple devices. For device-bound passkey we can therefore conclude that the secure storage requirements are fulfilled. The consequences of the storage architecture is that they can only ever be used on one device.
To answer the question whether synced passkeys satisfy the secure key storage requirement, we have to take a look at the technology behind the synchronization feature.
Google and Apple have spent significant effort on designing a secure ecosystem for passkeys. We will analyze in-depth the implementation and efforts of Apple, but most of the design principles apply equally to Google.
Which steps are needed to use synced passkeys on Apple devices with iCloud (prevent unauthorize use)?
The following requirements need to be fulfilled to sync passkeys across Apple devices via the iCloud Keychain
After making sure these steps are fulfilled, iCloud accounts essentially conform to SCA automatically. The first factor of authentication is the iCloud account’s password, and the second factor is an SMS TAN / hardware security key.
With the activation of the iCloud Keychain, all devices that need to be part of the synced Keychain must be enrolled either with another device or with 2FA. Subsequently, all keys generated within this iCloud account are synced securely, ensuring that private keys never leave any device unencrypted. They can only be securely synced from one secure enclave to another.
How can access to the iCloud Keychain be restored prevent replication)?
In case the user needs to restored access to their iCloud Keychain, there can be two scenarios depending if other connected / trusted devices are available.
Successful login with iCloud account password and second factor
Provision of last used device passcode on any of the user’s devices
Note the following:
After 3-5 wrong attempts the escrow record is locked.
Apple customer support needs to be contacted for more attempts
After a total number of 10 wrong attempts the escrow record is deleted unrecoverable
During all attempts it is cryptographically guaranteed that Apple cannot read the device’s passcode or the stored private keys
The escrow data are stored in government- / enterprise-level HSM lusters separated from other iCloud / phone backup records. This means that accessing the last resort escrow requires three factors (Password, second factor SMS OTP / security key and passcode).
What happens with my passkeys when the device is stolen (prevent unauthorized use)?
In case a device holding passkeys is stolen, we need to distinguish two scenarios:
We can see that there is considerable effort to protect information inside mobile phone in case of theft, but are the information safe with Apple?
Can Apple access my passkeys (prevent unauthorized use of third-parties)?
Let’s analyze if Apple has access to a user’s passkeys. Answer-first: Apple has no direct access to passkeys. Just like passwords, passkeys are encrypted and stored in the user’s iCloud Keychain, where they aren't visible to anyone (including Apple).
Using Apple as example we see that there is considerable effort to protect keys, store them securely and have mitigations in place to prevent malicious use. That’s why we conclude the following:
Over 99% of all passkeys currently created as synced passkeys are stored in the cloud services of Google and Apple. There are numerous security measures in place to enhance the security of these passkeys. The industry anticipates the integration of synced passkeys for Microsoft platforms as well; currently, passkeys on Microsoft are device-bound. These three operating systems are considered First-Party Passkey Providers, for which there should be no security concerns. Third-Party Passkey Providers, such as password managers like 1Password or Dashlane, integrate with platforms through APIs. The security of their storage depends on the implementation but should also be a focus for the provider since they store passwords for consumers and enterprises, often including banking accounts. There is an ongoing discussion within the industry pointing out that some password managers do not comply with the standard when verification is required. This could lead to a future where some providers might be excluded by security-focused companies. Overall synced passkey providers can be overwhelmingly considered as safe as nearly all passkeys reside within First-Party-Providers. When passkeys import/export between providers should become reality those points need to be revisited.
Synced passkeys with user verification activated are secure way of multi-factor authentication that can uphold the high standards that Strong Customer Authentication (SCA) sets, even when the passkeys are synced to the cloud. It is important to keep in mind that with advancing technology, older assumptions, and decisions of the EBA can be reinterpreted differently. Very conservative traditional banking institutions have adopted a strict mindset regarding “device binding”. They leave the technical advancement and user experience improvements out of sight.
In the opinion from 2019 under number #24 the EBA outlines:
Article 4(30) of PSD2 defines possession as ‘something only the user possesses’. Possession does not solely refer to physical possession but may refer to something that is not physical (such as an app)
In a more general sense now, a synced-passkey proves possession of the “Cloud account” that lies behind the passkey – which is something the user possesses but is not physical.
Apple and Google provide enough documentation about the protection of synced passkeys in their respective cloud accounts that they can be considered SCA-compliant. Therefore, the chain of trust is not broken for the vast majority of passkeys in the consumer market.
The same assumption was stated by the EBA about the security of SMS OTPs when they assumed that mobile phone network providers put in considerable efforts to protect the reliability of the mobile phone network. This leads to the conclusion that the concern is not about the actual device but about the possession of the actual SIM card, despite numerous proofs indicating that SMS is not entirely safe. For years, this stance has remained unchanged, likely due to practicality reasons. SMS OTP remains the most accepted and convenient second factor authentication option for consumers due to its portability. Given the choice, consumers overwhelmingly prefer SMS OTP over other methods (80%), even when it incurs costs.
Furthermore, in our discussion, we have not really touched on the fact that passkeys are a non-phishable authentication option. This is a dimension of authentication factor quality that has not yet received the attention that it should.
Finally, we want to show a final comparison of the most important dimensions when comparing the two types of passkeys.
Dimension | Device-bound | Synced |
---|---|---|
First factor | Biometrics (Inherence) | Biometrics (Inherence) |
First factor fallback | Passcode (knowledge) | Passcode (knowledge) |
Biometrics fallback allowed | yes | yes |
Low probability of biometrics false-positives | yes | yes |
Second factor | Possession | Possession |
Two distinct authentication categories | yes | yes |
Passkey association with user | yes | yes |
Proof of possession | yes | yes |
Independence of factors | yes | yes |
Possession element | Keypair | Account |
Possession storage | Hardware security module | Keychain |
Possession storage security Unauthorized-use Prevent replication | Unexportable Unexportable | MFA/HSM MFA/HSM |
Passkeys are the future of authentication on the Internet. Banks, fintechs and financial institutions banks should start adopting this technology by collecting passkeys from their customers. We understand that for traditional banks, the step to start implementing passkey-first authentication with synced passkeys might be a major effort, but there are other options to begin with:
Replacing the first authentication factor with an unphishable one, such as passkeys, stops many cyber-attacks at their source. Starting the integration of passkeys into banking apps and websites is also beneficial to prepare for a future where passkeys are standard and ubiquitous (this scenario will sooner or later come). A subsequent adoption or upgrade to supplementalPubKeys is always feasible, enabling the enforcement of device-linking at a cryptographic level.
Here are the links to the other parts of our series:
Table of Contents
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free
Recent Articles