What challenges do banks face when implementing passkeys?

Vincent Delitz


Created: January 31, 2025

Updated: February 17, 2025


What Challenges Might Banks Face When Implementing Passkeys?

Passkeys offer phishing-resistant, passwordless authentication and are a major security upgrade for banks. However, transitioning from traditional authentication methods to passkeys presents several challenges. These must be addressed to ensure a smooth rollout and user adoption.


1. Regulatory Compliance and PSD2

Banks operating in the European Economic Area (EEA) must comply with PSD2’s Strong Customer Authentication (SCA) regulations. Passkeys satisfy SCA requirements by leveraging:

  • Something the user has (device-bound cryptographic keys).
  • Something the user is (biometrics or a device PIN).

However, regulators have yet to explicitly approve passkeys as a standalone SCA-compliant method. Banks must closely monitor evolving regulations and proactively work with financial authorities.

2. User Adoption and Education

Banks must ensure that customers understand how to use and trust passkeys. Challenges include:

  • User hesitancy – Customers may be unfamiliar with passkeys and reluctant to change from passwords and SMS OTPs.
  • Device dependency – Passkeys are linked to devices, which may cause confusion during device loss or migration.
  • Education efforts – Banks need clear, simple onboarding guides to help users transition.

3. Integration with Existing Banking Infrastructure

Banks must seamlessly integrate passkeys into web banking portals, mobile apps, and ATM authentication. Key challenges include:

  • Legacy system compatibility – Older banking platforms may not support WebAuthn and FIDO2.
  • Cross-platform synchronization – Ensuring passkeys work across mobile, desktop, and alternative devices.
  • Fallback mechanisms – Providing secure backup authentication methods for users without passkey-supported devices.

4. Security and Fraud Considerations

Although passkeys eliminate phishing risks, banks must:

  • Secure cloud-synced passkeys – Some regulators may be concerned about the security of passkeys stored in iCloud Keychain or Google Password Manager.
  • Prevent unauthorized access – Implement risk-based authentication for high-value transactions.
  • Monitor fraud attempts – While passkeys reduce phishing risks, fraudsters may still attempt device-based attacks.
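
As an added illustration of the cloud-synced passkey and risk-based authentication points above (not code from the original article): a server can read the backup-eligible (BE) and backup-state (BS) flags in the WebAuthn authenticator data to tell a synced passkey from a device-bound one and ask for step-up on high-value transactions. The policy, the 1000 EUR limit, the `bank.example` relying party ID and the function names are assumptions, and signature verification is assumed to have been done already by the WebAuthn library.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the WebAuthn authenticator data flags byte (WebAuthn Level 3).
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def synced(self) -> bool:
        # BS set: the credential is currently backed up (e.g. cloud-synced).
        return bool(self.flags & BS)

def parse_auth_data(raw: bytes) -> AuthData:
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", raw[:37])
    if flags & BS and not flags & BE:
        raise ValueError("BS set without BE is invalid")
    return AuthData(rp_id_hash, flags, sign_count)

def decide(raw: bytes, rp_id: str, amount_eur: float,
           step_up_limit_eur: float = 1000.0) -> str:
    """Hypothetical bank policy: returns 'allow', 'step_up' or 'reject'."""
    try:
        ad = parse_auth_data(raw)
    except ValueError:
        return "reject"
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "reject"   # assertion was produced for a different relying party
    if not (ad.flags & UP and ad.flags & UV):
        return "reject"   # require user presence and user verification
    if ad.synced and amount_eur >= step_up_limit_eur:
        return "step_up"  # synced passkey on a high-value transaction
    return "allow"

def sample(rp_id: str, flags: int, count: int = 0) -> bytes:
    # Constructed authenticator data for the demo, not captured from a device.
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)

if __name__ == "__main__":
    rp = "bank.example"  # placeholder relying party ID
    print(decide(sample(rp, UP | UV), rp, 5000))            # device-bound passkey
    print(decide(sample(rp, UP | UV | BE | BS), rp, 5000))  # synced passkey
```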

5. Transitioning From Legacy Authentication Methods

Banks cannot immediately phase out passwords and SMS OTPs. Instead, a gradual transition is required:

  • Offer passkeys alongside existing methods as an opt-in feature.
  • Encourage early adopters and gather feedback.
  • Measure adoption rates before enforcing passkey-only logins.

Conclusion: A Worthwhile Transition Despite Challenges

Despite these challenges, passkeys provide a long-term solution to phishing, improve user experience, and ensure compliance with modern authentication standards. Banks that plan strategically, educate users, and integrate passkeys carefully will benefit from a more secure and seamless authentication system.
