What Challenges do Banks face when implementing Passkeys

Vincent Delitz

Created: January 31, 2025

Updated: March 21, 2025

What Challenges might Banks face when implementing Passkeys?

Passkeys offer phishing-resistant, passwordless authentication and are a major security upgrade for banks. However, transitioning from traditional authentication methods (e.g. passwords, SMS OTP, email OTP, authenticator app, push notifications in native apps) to passkeys presents several challenges. These must be addressed to ensure a smooth rollout and user adoption.

1. Regulatory Compliance and PSD2

Banks operating in the European Economic Area (EEA) must comply with PSD2's Strong Customer Authentication (SCA) regulations. Passkeys satisfy the SCA requirements by combining:

  • Something the user has (device-bound cryptographic keys).
  • Something the user is (biometrics or a device PIN).

However, regulators have yet to explicitly approve passkeys as a standalone SCA-compliant method. Banks must closely monitor evolving regulations and proactively work with financial authorities.

How to overcome the challenge of regulatory compliance and PSD2?

Device-bound passkeys (e.g. on Windows Hello or on hardware security keys such as YubiKeys) are not an issue and are clearly compliant with PSD2 / SCA. With synced passkeys, however, there is ambiguity in the PSD2 framework. We recommend the following:

  1. Engage with the regulators and push them to be more open-minded and more outcome-driven when it comes to Strong Customer Authentication. Almost all of today's authentication methods that are common in banking are prone to phishing (be it passwords, OTPs or push notification prompts). Synced passkeys are phishing-resistant and solve a huge problem for financial service institutions. As PSD2 was created at a time when passkeys and phishing-resistant authentication did not yet exist, we recommend reaching out to the European Banking Authority and pushing for the better outcome: protecting customers adequately. It is technically possible, and other regions of the world are already going down this path.
  2. Add further controls to your passkey solution that allow you to determine the device from which a user authenticates (even when a synced passkey is used). There are several ways to implement such a Proof of Possession. This requires some extra development work, and multiple approaches exist. Feel free to reach out if you are interested in these methods.

2. User Adoption and Education

Banks must ensure that customers understand how to use and trust passkeys. Challenges include:

  • User hesitancy: Customers may be unfamiliar with passkeys and reluctant to change from passwords and SMS OTPs.
  • Device dependency: Passkeys are linked to devices, which may cause confusion during device loss or migration.
  • Education efforts: Banks need clear, simple onboarding guides to help users transition.

How to overcome the challenge of user adoption and education:

We recommend introducing passkeys as naturally into the login and sign-up flows as possible. Users should not need to think about passkeys or be educated on them. Make the passkey UX so seamless that they simply log in. Many will think of it as "using Face ID to log into websites or apps" anyway. For users who are interested in technical details and edge cases, you should provide an extensive FAQ or glossary that explains the core concepts of passkeys. A dedicated passkey info page can also hold further information for interested users.

3. Integration with Existing Banking Infrastructure

Banks must seamlessly integrate passkeys into web banking portals, mobile apps, and ATM authentication. Key challenges include:

  • Legacy system compatibility: Older banking platforms may not support WebAuthn and FIDO2.
  • Cross-platform synchronization: Ensuring passkeys work across mobile, desktop, and alternative devices.
  • Fallback mechanisms: Providing secure backup authentication methods for users without passkey-supported devices.

How to overcome the challenge of integrating passkeys into existing banking infrastructure:

Many banks run on rather old infrastructure, and migrating users from their existing IdP / IAM to a new one is a major effort that can span years at a large-scale bank. We recommend looking for a Passkey Layer vendor that does not require any user data migration but brings all the passkey enterprise functionality that highly regulated entities like banks need, while still providing the best user experience and guaranteeing very high passkey adoption. An optimized passkey UX leads to high passkey adoption, which ultimately makes the passkey project a success: lower operational costs for SMS, fewer fraud cases and account resets, and a higher engagement rate with digital banking products.

4. Security and Fraud Considerations

Although passkeys eliminate phishing risks, banks must:

  • Secure cloud-synced passkeys: Some regulators may be concerned about the security of passkeys stored in iCloud Keychain or Google Password Manager.
  • Prevent unauthorized access: Implement risk-based authentication for high-value transactions.
  • Monitor fraud attempts: While passkeys reduce phishing risks, fraudsters may still attempt device-based attacks.

How to overcome the challenge of security and fraud considerations:

The Apple and Google cloud accounts that most customers use are strongly protected by default and cannot easily be compromised. For more security-aware users, you should offer the option to use hardware security keys (e.g. YubiKeys) that hold non-synced passkeys. Moreover, for high-value transactions you can introduce step-up authentication to make sure an additional level of security is involved.
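As an added example (not code from this post or from any vendor), the following Python reads the flags byte of WebAuthn authenticator data to tell device-bound from synced passkeys (the distinction behind the PSD2 discussion in section 1) and applies a step-up policy for high-value transactions as outlined above. The relying-party ID, the threshold and the policy rules are assumptions for the example.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticator data "flags" byte (WebAuthn Level 3).
FLAG_UP = 0x01  # User Present: a user gesture was performed
FLAG_UV = 0x04  # User Verified: biometric or device PIN was checked
FLAG_BE = 0x08  # Backup Eligible: credential may be synced to other devices
FLAG_BS = 0x10  # Backup State: credential is currently backed up / synced

def parse_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the fixed 37-byte prefix of authenticator data returned by the
    passkey: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "synced": bool(flags & FLAG_BE),   # BE=0 means device-bound
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }

def sca_decision(parsed: dict, amount_eur: float, high_value_eur: float = 500.0) -> str:
    """Hypothetical bank policy (an assumption for this example, not a rule
    from the post): returns "allow", "step_up" or "reject"."""
    if not parsed["user_present"]:
        return "reject"      # no user gesture at all: not a valid assertion
    if not parsed["user_verified"]:
        return "step_up"     # inherence factor missing: re-run with userVerification=required
    if amount_eur >= high_value_eur and parsed["synced"]:
        return "step_up"     # synced passkey on a high-value payment: add a possession control
    return "allow"

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data for offline testing."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    rp = "bank.example"  # constructed relying-party ID
    device_bound = parse_authenticator_data(make_auth_data(rp, FLAG_UP | FLAG_UV, 42), rp)
    synced = parse_authenticator_data(make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0), rp)
    print("device-bound, 5000 EUR:", sca_decision(device_bound, 5000))  # allow
    print("synced, 5000 EUR:", sca_decision(synced, 5000))              # step_up
```

In production the authenticator data comes from the assertion response of the WebAuthn ceremony and is parsed after the signature has been verified.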

5. Transitioning From Legacy Authentication Methods

Banks cannot immediately phase out passwords and SMS OTPs. Going passkey-only carries considerable risk and uncertainty when existing users are accustomed to logging in with passwords or SMS OTP.

How to overcome the challenge of transitioning from legacy authentication methods:

Instead of a big-bang introduction of passkeys with an immediate switch-off of legacy methods, a gradual transition is required:

  • Offer passkeys alongside existing methods as an opt-in feature.
  • Encourage early adopters and gather feedback.
  • Measure adoption rates before enforcing passkey-only logins.

Conclusion: A Worthwhile Transition Despite Challenges

Despite these challenges, passkeys provide a long-term solution to phishing, improve user experience, and ensure compliance with modern authentication standards. Banks that plan strategically, educate users, and integrate passkeys carefully will benefit from a more secure and seamless authentication system.