Vincent
Created: January 31, 2025
Updated: March 21, 2025
Passkeys offer phishing-resistant, passwordless authentication and are a major security upgrade for banks. However, transitioning from traditional authentication methods (e.g. passwords, SMS OTP, email OTP, authenticator apps, push notifications in native apps) to passkeys presents several challenges. These must be addressed to ensure a smooth rollout and user adoption.
Banks operating in the European Economic Area (EEA) must comply with PSD2’s Strong Customer Authentication (SCA) regulations. While passkeys satisfy SCA requirements by leveraging:
Regulators have yet to explicitly approve passkeys as a standalone SCA-compliant method. Banks must closely monitor evolving regulations and proactively work with financial authorities.
How to overcome the challenge of regulatory compliance and PSD2?
Device-bound passkeys (e.g. on Windows Hello or when using hardware security keys such as YubiKeys) are not an issue and are clearly compliant with PSD2 / SCA. However, with synced passkeys, there is ambiguity in the PSD2 framework. We recommend the following:
Banks must ensure that customers understand how to use and trust passkeys. Challenges include:
How to overcome the challenge of user adoption and education:
We recommend introducing passkeys as naturally into the login and sign-up flow as possible. Users should not need to think about passkeys or be educated about them. Make the passkey UX so seamless that they simply log in. Many will in any case think of it as "using Face ID to log into websites or apps". For users who are interested in technical details and edge cases, you should provide an extensive FAQ or glossary that explains the core concepts of passkeys. Moreover, this passkey info page also holds more information for interested users.
Banks must seamlessly integrate passkeys into web banking portals, mobile apps, and ATM authentication. Key challenges include:
How to overcome the challenge of integrating passkeys into existing banking infrastructure:
Many banks run on rather old infrastructure, and migrating users from their existing IdP / IAM to a new one is a major effort that can span years for a large-scale bank. We recommend looking for a Passkey Layer vendor that does not require any user data migration but brings all the passkey enterprise functionality that highly regulated entities like banks need, while still providing the best user experience and guaranteeing very high passkey adoption. An optimized passkey UX leads to high passkey adoption, which ultimately makes the passkey project a success: lower operational costs for SMS, fewer fraud cases and account resets, and a higher engagement rate with digital banking products.
Although passkeys eliminate phishing risks, banks must:
How to overcome the challenge of security and fraud considerations:
The Apple and Google cloud accounts that most customers will use have strong protection by default and cannot easily be compromised. For more security-aware users, you should offer the option to also use hardware security keys (e.g. YubiKeys) that provide non-synced passkeys. Moreover, for high-value transactions, you can introduce step-up authentication to make sure an additional level of security is involved.
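As an added example (not code from the original post), the following shows how a relying party can tell a device-bound passkey from a synced one using the backup flags (BE/BS) in the WebAuthn authenticator data, and apply a step-up rule for high-value transactions as described above. The bank policy, the EUR threshold and the `bank.example` RP ID are assumptions for illustration.

```python
"""Classify a passkey from WebAuthn authenticator-data flags and decide on step-up.

Authenticator data (WebAuthn Level 3): bytes 0-31 rpIdHash, byte 32 flags
(bit0 UP, bit2 UV, bit3 BE backup-eligible, bit4 BS backed-up), bytes 33-36 signCount.
"""
import hashlib
import struct
from dataclasses import dataclass

FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


@dataclass
class PasskeyAssessment:
    user_verified: bool
    device_bound: bool   # BE=0: credential can never leave this authenticator
    backed_up: bool      # BS=1: a copy currently exists in a cloud keychain
    sign_count: int


def assess_authenticator_data(auth_data: bytes, rp_id: str) -> PasskeyAssessment:
    """Validate the fixed part of authenticator data and extract the backup state."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion is for another relying party")
    flags = auth_data[32]
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return PasskeyAssessment(
        user_verified=bool(flags & FLAG_UV),
        device_bound=not (flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def requires_step_up(a: PasskeyAssessment, amount_eur: float, threshold_eur: float = 1000.0) -> bool:
    """Hypothetical bank policy: device-bound, user-verified passkeys clear any amount;
    synced passkeys need an additional factor above the threshold."""
    if not a.user_verified:
        return True
    if a.device_bound:
        return False
    return amount_eur > threshold_eur


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

Synced passkeys typically present BE=1 (and BS=1 once the keychain has a copy), while a YubiKey-style credential presents BE=0; the relying party should record these flags at registration and compare them on every assertion.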
Banks cannot immediately phase out passwords and SMS OTPs. There is considerable risk and uncertainty in going passkey-only when you already have existing users who are used to logging in via passwords or SMS OTP.
How to overcome the challenge of phasing out passwords and SMS OTPs:
Instead of a big-bang introduction of passkeys and an immediate switch-off of passwords and SMS OTPs, a gradual transition is required:
Despite these challenges, passkeys provide a long-term solution to phishing, improve user experience, and ensure compliance with modern authentication standards. Banks that plan strategically, educate users, and integrate passkeys carefully will benefit from a more secure and seamless authentication system.