What's best for PSD2-compliant passkey integration?

Passkeys offer a secure and user-friendly way to meet the Strong Customer Authentication (SCA) requirements of PSD2. However, to ensure full compliance, organizations must follow best practices when integrating passkeys into their authentication flows.

• PSD2 requires two independent authentication factors:
  • Something You Know (e.g., password, PIN)
  • Something You Have (e.g., device with passkey)
  • Something You Are (e.g., biometric authentication)
• Best Practice: Use passkeys in combination with biometric authentication (Face ID, Touch ID, Windows Hello) to fulfill MFA requirements without additional friction.

• Dynamic linking ensures that each transaction is cryptographically bound to its details.
• Best Practice: Use WebAuthn signatures to bind the transaction amount and recipient details to the authentication request.
• The user must approve the exact transaction details before completion.

• Passkeys are phishing-resistant because they are bound to the specific website or app.
• Best Practice: Use WebAuthn authentication with origin verification to prevent credential theft from fake login pages.

• PSD2 requires that authentication data is securely stored and resistant to tampering.
• Best Practice: Leverage device-based security modules, such as:
  • Secure Enclave (Apple)
  • Trusted Platform Module (TPM) (Windows)
  • Trusted Execution Environment (TEE) (Android)

• While device-bound passkeys are highly secure, synced passkeys provide a balance between security and usability.
• Best Practice: Use cloud-synced passkeys to allow users to access their credentials across multiple devices without weakening security.

• PSD2 allows exemptions for low-risk transactions.
• Best Practice: Use Transaction Risk Analysis (TRA) to assess when passkey authentication may be skipped for low-risk transactions, improving the user experience.

• Users should be able to authenticate seamlessly across devices and platforms.
• Best Practice: Support passkey synchronization via iCloud Keychain (Apple), Google Password Manager, or third-party password managers.

Integrating passkeys in a PSD2-compliant way ensures strong security, regulatory compliance, and seamless user experience. By leveraging multi-factor authentication, dynamic linking, phishing resistance, and secure storage, businesses can provide secure and frictionless authentication while complying with European payment regulations.