
Revolut Passkeys: Bold Move with Room for Improvement

Revolut silently rolls out passkeys. Learn about the impact on banking security, user experience, and areas for improvement in our comprehensive analysis.

Vincent

Created: February 7, 2024

Updated: August 12, 2024


We believe that passkeys will make the Internet a safer place. That's why we aim to provide a systematic analysis of the passkey processes of different companies as they move towards a password-free world.

1. Introduction

In digital banking, the need for strong security without sacrificing user experience has led to innovative solutions. Among these, passkeys, the new standard for user authentication, stand out. Revolut, a leading neo-bank based in London, has recently and silently started to roll out passkeys for both Personal and Business accounts. This strategic move not only aligns with the growing demand for more secure and convenient digital experiences but also positions Revolut as a pioneer in the banking sector's adoption of passkeys.

With the rollout of passkeys, Revolut follows the trend among tech giants, with Coinbase, WhatsApp, Nintendo and Uber leading the passkeys wave. In the financial sector, Revolut is one of the first banks, if not the biggest bank so far, to roll out passkeys.

Revolut Passkeys Welcome Screen

Disclaimer: We expect that in the upcoming weeks, passkeys will gradually be rolled out on a wider scale and bugs will be fixed. We will update the post accordingly. The current version is of February 7, 2024.

2. The Essence of Passkeys and Their Significance

Passkeys represent the next stage in passwordless authentication, offering users a seamless yet secure way to access their accounts. Unlike traditional passwords, passkeys eliminate the need to remember complex passwords, relying instead on asymmetric cryptography with keys unique to each user and device. This method not only enhances security by reducing the risk of phishing attacks and data breaches but also simplifies the login process, as the users only need to use Face ID, Touch ID or Windows Hello, thereby improving the overall user experience.

3. Revolut's Passkey Rollout: Mixed Bag of Innovation and Challenges

Revolut follows a phased introduction of passkeys and does not roll out features simultaneously for Business and Personal accounts. The major differences we spotted during our research are outlined in the following table:

Feature | Revolut Personal | Revolut Business
Passkey login button displayed on login page | No | Yes
Promotional passkey popup after successful login on new device | Yes, but unsuccessful on all devices | Yes, on all devices, but passkey creation only successful on Windows 11
Passkey settings available in account security settings | Yes, however there's no button to create a passkey | No
Native iOS / Android app support for passkeys | No | No

3.1 Upside of Revolut's Passkey Integration

The following aspects of Revolut's passkey integration deserve positive mention:

  • Secure Digital Leadership in Banking Sector: By leading the way in passkey adoption, Revolut not only secures its position as a digital leader in the banking landscape but also encourages other financial institutions to follow suit.
  • Improve User Experience: Passkeys are the simplest form of user authentication, as users do not need a second device for MFA and also do not need to remember complex passwords.
  • Save SMS OTP Costs: One of the driving forces behind passkey initiatives at enterprise-grade is often not only UX improvements and security benefits but also saving huge amounts of costs for outdated and rather insecure SMS OTP (which are still widespread among banks).

3.2 Room for Improvement

While Revolut's bold step towards passkey integration is commendable, the rollout has not been without its flaws.

  • Lack of Informative Passkey Resources: The absence of official passkey FAQs or guides for users (we didn't find any) indicates a gap in communicating the rollout, even though features are offered to users. Providing detailed documentation can help demystify passkeys, fostering a smoother transition for all users.
  • Inconsistent Passkey UX: Observations reveal that passkey features' availability and functionality vary across devices and platforms. Ensuring a consistent user experience, where passkey settings are reliably displayed and passkey promotion popups lead to real passkey creation ceremonies (during our tests it only worked on Windows 11) would improve user confidence.
  • Missing Conditional UI: The introduction of Conditional UI could be a game-changer. Boosting the user experience by offering not only passwordless but also username-less logins would further streamline the login process and make it more intuitive.
  • No Native App Integration: Currently, Revolut's mobile-first approach does not extend to passkey support within its native iOS and Android applications. Integrating passkeys with native apps would leverage the high passkey-readiness of iOS and Android devices.
  • No Unified Authentication Across Platforms: Bridging the gap between web and native app passkey authentication presents a complex challenge (read this blog post for more technical details on a sample setup). However, creating a unified authentication mechanism that allows shared passkeys between the web app, iOS app and Android app could enhance security and user convenience.

In the following, we go into more depth about Revolut Personal and Business accounts and how passkeys are rolled out on selected devices and platforms.

4. Revolut Business Passkeys Analysis

We start the Revolut Business passkeys analysis by taking a closer look at the web application before analyzing the native apps.

4.1 Revolut Business Web Application

To keep things concise in the following, we only highlight certain platform, device and browser combinations.

Note that you receive the passkey popup from Revolut only once, after successfully logging in with the existing authentication methods. To trigger the popup again, you need to either delete the Revolut cookies or access the site in Incognito / Private Browsing mode.

When you access the login page for Revolut Business, you'll immediately notice a prominent new login option situated below the email input field and above the Google / Apple social logins, labeled: Continue with passkey.

4.1.1 Windows 11 + Chrome

The passkeys promotional popup looks as follows:

Revolut Enable Passkeys

Interestingly, for Revolut Business, even though the primary user identifier is the email address, the passkeys are tied to the phone number, probably because Revolut Personal accounts are created with a phone number first.

Revolut Passkeys Management Windows

Now that you've successfully created a passkey on Windows 11 and Chrome, you can log out and click on Continue with passkey on the login page. Subsequently, the browser UI for handling passkey authentication will appear:

Revolut Passkeys Browser UI

In contrast to the current login procedure for Revolut Business, where you need to provide a password and confirm your identity via a push notification in the native app or an email magic link as a second factor, no additional authentication method is needed for passkey logins, as passkeys inherently serve as 2FA. This represents a significant improvement in user experience, especially on desktop devices, as it eliminates the need to switch contexts or use a second device.

4.1.2 Android + Chrome

On Android 14 and in Chrome 121, the Continue with passkey login button is very prominent.

Revolut Passkeys Android Chrome

4.1.3 iOS + Safari

On iOS 17.3 and in Safari, the Continue with passkey login button is very prominent as well.

Revolut Passkeys iOS Safari

4.2 Revolut Business Native Application

The native iOS and Android apps for Revolut Business do not support passkeys yet. Thus, there is no Passkey option in the Security & privacy section of the iOS (see screenshot) or Android app:

Revolut Passkeys Android App

5. Revolut Personal

One of the initial differences to note is that Revolut Personal employs the phone number as the primary user identifier. Instead of a password, authentication is managed through a 6- to 12-digit passcode, while Revolut Business utilizes a 4-digit passcode and makes use of the password in the default login process.

5.1 Revolut Personal Web Application

To keep things concise in the following, we only highlight certain platform, device and browser combinations.

5.1.1 macOS + Safari

The following promotional passkey popup is displayed the first time you log in (or after deleting your cookies / when using Private Browsing mode):

Revolut Personal Passkeys

For some reason, after clicking on Add passkey in the previous screen, we were directly forwarded to the logged-in page without having the opportunity to initiate the passkey ceremony with Touch ID. Upon investigating the issue, we found the corresponding API call (https://sso.revolut.com/api/challenges/webauthn) in the network tab of Safari's developer tools. However, this API call returned an HTTP 403 status code, indicating that the feature has apparently not been fully rolled out yet.

Revolut Passkeys API Call

Revolut Passkeys API Call Response

Contrary to the Revolut Business account, the account settings in Revolut Personal hold a section for passkeys:

Revolut Passkeys Settings

5.1.2 iOS + Safari

The following promotional passkey popup is displayed the first time you log in (or after deleting your cookies / when using Private Browsing mode):

Revolut Passkeys Enable Passkeys iOS

5.2 Revolut Personal Native Application

The native iOS and Android apps for Revolut Personal do not support passkeys yet. However, the iOS app as well as the Android app (see the screenshots below) hold a security setting section for passkeys:

Revolut Passkeys Settings iOS

Revolut Passkeys List iOS App

6. Technical Analysis

Below, we delve into more depth on some technical aspects.

6.1 Different Login Options in Revolut SSO for Account Types

We examined the technical implementation specifics. Primarily, each time the login page is loaded, a client_id is sent to the backend, which then returns different authentication options based on the account type:

  • Business Account: Apple, Google, Passkeys (WebAuthn) login
  • Personal Account: Apple, Google login

Revolut Login Customization Business

Interestingly, the passkey option for Revolut Personal accounts has been prepared but is not yet activated (see screenshot below), indicating that a rollout could be imminent and implemented swiftly, enabling a "Continue with passkey" button for Personal accounts as well.

Revolut Login Customization Personal

The decision which login options to display is based on the client_id, for example:

https://sso.revolut.com/signin?client_id=o3r08ao16zvdlf2y5fde

For experimental purposes, we altered the client_id to a random value, which revealed all login options (incl. the possibility to switch between phone number and email as login identifier) on Windows 11 with Chrome.

Revolut Passkey All Login Methods

6.2 Analysis of PublicKeyCredentialRequestOptions

During the login ceremony, we analyzed the PublicKeyCredentialRequestOptions. Notably, allowCredentials were not set, while the relying party ID was established as "sso.revolut.com." Setting userVerification to preferred is a prudent choice from a security standpoint.

publicKeyCredentialRequestOptions.json

{
  "allowCredentials": [],
  "challenge": "WHAxZnJDaDB1VnNXMmlOQW1hVndqdTYzSzF3emR3b3gtRFRCWHVxRjJYRQ",
  "rpId": "sso.revolut.com",
  "userVerification": "preferred"
}
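To show what these request options mean at the browser API level, here is an added example (not Revolut's code) that turns the captured server JSON into a navigator.credentials.get() call: the challenge is base64url-decoded into bytes, the empty allowCredentials list asks the authenticator for a discoverable credential, and mediation "conditional" is what the Conditional UI mentioned in section 3.2 would need. The names decodeBase64Url, buildPasskeyRequest and loginWithPasskey and the timeout value are this example's own assumptions.

```javascript
// Added example (not Revolut's code): turn the captured
// PublicKeyCredentialRequestOptions JSON into a navigator.credentials.get() call.

// Server JSON as captured in the post; the challenge is base64url as sent.
const SERVER_OPTIONS_JSON = JSON.stringify({
  allowCredentials: [],
  challenge: "WHAxZnJDaDB1VnNXMmlOQW1hVndqdTYzSzF3emR3b3gtRFRCWHVxRjJYRQ",
  rpId: "sso.revolut.com",
  userVerification: "preferred",
});

// base64url string -> Uint8Array (atob is global in browsers and Node >= 16).
function decodeBase64Url(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Build the CredentialRequestOptions the browser expects. An empty
// allowCredentials list lets the authenticator offer any discoverable
// credential for rpId, so no username has to be collected first.
// conditional=true adds mediation "conditional", i.e. the Conditional UI
// (autofill-style passkey prompt) that section 3.2 notes is missing.
function buildPasskeyRequest(serverJson, { conditional = false } = {}) {
  const opts = JSON.parse(serverJson);
  const publicKey = {
    challenge: decodeBase64Url(opts.challenge),
    rpId: opts.rpId,
    userVerification: opts.userVerification,
    allowCredentials: (opts.allowCredentials || []).map((c) => ({
      type: c.type,
      id: decodeBase64Url(c.id),
      transports: c.transports,
    })),
    timeout: 60000, // assumed value; not part of the captured JSON
  };
  return conditional ? { publicKey, mediation: "conditional" } : { publicKey };
}

// Browser-only: run the login ceremony. Returns null outside a browser, or
// when Conditional UI was requested but the browser cannot provide it
// (callers then fall back to the explicit "Continue with passkey" button).
async function loginWithPasskey(serverJson, { conditional = false } = {}) {
  if (typeof navigator === "undefined" || !navigator.credentials) return null;
  const cmaAvailable =
    typeof PublicKeyCredential !== "undefined" &&
    typeof PublicKeyCredential.isConditionalMediationAvailable === "function" &&
    (await PublicKeyCredential.isConditionalMediationAvailable());
  if (conditional && !cmaAvailable) return null;
  const request = buildPasskeyRequest(serverJson, { conditional });
  // cred.response holds the assertion the RP must verify server-side
  // (challenge, origin, rpIdHash, signature) before creating a session.
  return navigator.credentials.get(request);
}
```

The captured challenge decodes to 43 bytes of ASCII; whatever the server hands out, the client must decode it exactly once so that the signed clientDataJSON carries the challenge the server will compare against.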

6.3 Analysis of Association Files

We also analyzed how a rollout to the native iOS and Android apps could look and thus used the relying party ID of sso.revolut.com and appended the paths to the assetlinks.json (Android) and apple-app-site-association (iOS) file to see what information these files may already hold regarding passkey rollout.

6.3.1 assetlinks.json

Attempting to access https://sso.revolut.com/.well-known/assetlinks.json results in a 404 error from nginx, suggesting the use of a reverse proxy for file management. By using the domain https://app.revolut.com, we located the assetlinks.json at https://app.revolut.com/.well-known/assetlinks.json, which provided insightful information for Revolut Personal:

assetlinks.json

[
  {
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {
      "namespace": "android_app",
      "package_name": "com.revolut.revolut",
      "sha256_cert_fingerprints": [
        "9C:9B:E0:71:35:E9:72:78:02:82:C2:E5:D2:7D:A0:6E:CB:8E:E3:AD:FC:75:30:39:17:DD:F6:6D:6F:AA:EF:A4",
        "11:F2:5B:D6:30:60:CE:B4:EF:EC:48:7C:C8:1F:6D:3D:D0:3A:75:C3:E9:D2:C5:32:3D:69:55:9D:C1:7F:6A:23"
      ]
    }
  },
  {
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {
      "namespace": "android_app",
      "package_name": "com.revolut.revolut.test",
      "sha256_cert_fingerprints": [
        "90:EC:5D:75:11:4E:67:B7:F1:3F:C0:D0:57:85:9B:78:0D:A0:BA:49:E2:22:4C:60:42:7E:D2:EA:00:84:D1:B7"
      ]
    }
  }
]

Via https://well-known.dev, we also discovered the association file for Revolut Business at https://business.revolut.com/.well-known/assetlinks.json:

assetlinks.json

[
  {
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {
      "namespace": "android_app",
      "package_name": "com.revolut.business",
      "sha256_cert_fingerprints": [
        "9C:9B:E0:71:35:E9:72:78:02:82:C2:E5:D2:7D:A0:6E:CB:8E:E3:AD:FC:75:30:39:17:DD:F6:6D:6F:AA:EF:A4",
        "9F:07:80:54:0F:3A:C9:6F:D7:26:02:8A:37:C5:CD:48:DB:A3:67:EE:2D:93:B3:9D:DE:51:BC:F2:2E:7F:B1:88",
        "F8:F5:95:3A:C3:85:DB:0D:85:C3:56:E9:9B:37:BD:CA:4D:EE:B0:D2:52:C6:2A:36:4F:BA:C8:3B:C6:AF:3A:C2"
      ]
    }
  }
]

Since neither the assetlinks.json file for Revolut Personal nor the one for Revolut Business is located on the path designated by the relying party ID for associating the native Android app with the web app, it's intriguing to consider what changes are necessary to enable passkeys to work across both web and native Android apps.

6.3.2 apple-app-site-association

The apple-app-site-association file for Revolut Personal is accessible at https://revolut.com/.well-known/apple-app-site-association, with no details yet added regarding web credentials:

apple-app-site-association

{
  "applinks": {
    "apps": [],
    "details": [
      { "appID": "QUZEZSEARC.com.revolut.revolut", "paths": ["/app/*"] },
      { "appID": "QUZEZSEARC.com.revolut.test", "paths": ["/app/*"] }
    ]
  }
}

In contrast, the Revolut Business apple-app-site-association file contains more comprehensive information, notably concerning web credentials. This indicates that the iOS app QUZEZSEARC.com.revolut.business is configured to share credentials with the Revolut Business web application. It is accessible at https://business.revolut.com/.well-known/apple-app-site-association.

apple-app-site-association

{
  "applinks": {
    "apps": [],
    "details": [
      {
        "appID": "QUZEZSEARC.com.revolut.business",
        "paths": [
          "/", "/accept-payments/in-person", "/accept-payments/online-requests", "/accept-payments/web-integrations",
          "/accounts", "/accounts/connect-external", "/accounts/connect-external/*", "/accounts/new",
          "/accounts/transactions", "/account-transactions/*", "/action/confirm", "/add-card-to-wallet",
          "/advances", "/advances/manual-repayment", "/app/*", "/application",
          "/approvals/requests", "/article/*", "/articles/*", "/bug-report",
          "/card-reader/order", "/cards", "/cards/*", "/cards/*/sca-counters-exceed",
          "/cards/*/sca-counters-warn", "/cards/*/security", "/cards/*/settings", "/cards/*/transactions",
          "/cashback", "/catalogue/manage", "/challenges/*", "/consumer-tickets/*",
          "/crypto", "/e-commerce", "/exchange", "/expense-documents/*",
          "/expenses", "/expenses/*", "/faq", "/faq/*",
          "/favourites", "/form", "/form/*", "/help-centre",
          "/help-centre/topic/*", "/hub/integrations", "/insurance", "/invoices",
          "/invoices/*", "/marketplace", "/merchant", "/merchant/*",
          "/new-card-acceptance-pricing", "/offboarding", "/open-onboarding-application-next-step", "/orders",
          "/pay-in-store/order/*", "/payments", "/payments/scheduled", "/payments/transfers",
          "/plan/subscriptions", "/points", "/pricing-plans", "/qr-code-sign-in/*",
          "/referrals", "/referrals/invite-contacts", "/referrals/invitee-details/*", "/request-info",
          "/request-info/merchant", "/requests", "/requests/request", "/reset-password",
          "/rewards", "/sales/revolut-me", "/statements", "/savings",
          "/send", "/settings/accounts-and-documents", "/settings/business-profile", "/settings/manage-devices",
          "/settings/merchant-profile", "/settings/merchant-profile/branding", "/settings/notifications", "/settings/personal-profile",
          "/settings/trusted-merchants", "/settings/vat-number", "/signup/invite", "/stories/*",
          "/story/*", "/subscriptions", "/team", "/team/approvals",
          "/team/member/add", "/team/roles", "/tip/settings", "/topup",
          "/transactions", "/transactions/*/add-expense-info", "/transactions/*/add-info-flow", "/transactions/*/chargeback-status",
          "/transfers", "/treasury", "/upgrade", "/vouchers"
        ]
      }
    ]
  },
  "webcredentials": {
    "apps": ["QUZEZSEARC.com.revolut.business"]
  }
}

Just like with Android, it remains intriguing how cross-platform sharing of passkeys between the native and web apps can be implemented, given that the relying party ID for the web app (sso.revolut.com) does not have the association files in the expected locations.
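As an added check (not Revolut's code) for the readiness question raised in this section: given an assetlinks.json and an apple-app-site-association that were fetched from the relying party ID's origin, these functions report whether the Android package is granted the get_login_creds relation that passkey sharing requires (handle_all_urls alone only covers app links) and whether the iOS app is listed under webcredentials. The sample documents are shortened, constructed versions of the files quoted above with a placeholder certificate fingerprint; the function names are this example's own.

```javascript
// Added example (not Revolut's code): does an association file actually
// authorise passkey sharing with the native app? Samples below are
// constructed and shortened from the files quoted in the post; the
// fingerprint is a placeholder, not a real value.
const PERSONAL_ASSETLINKS = JSON.stringify([
  {
    relation: ["delegate_permission/common.handle_all_urls"],
    target: {
      namespace: "android_app",
      package_name: "com.revolut.revolut",
      sha256_cert_fingerprints: ["AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"],
    },
  },
]);
const PERSONAL_AASA = JSON.stringify({
  applinks: { apps: [], details: [{ appID: "QUZEZSEARC.com.revolut.revolut", paths: ["/app/*"] }] },
});
const BUSINESS_AASA = JSON.stringify({
  applinks: { apps: [], details: [{ appID: "QUZEZSEARC.com.revolut.business", paths: ["/"] }] },
  webcredentials: { apps: ["QUZEZSEARC.com.revolut.business"] },
});

// Android: passkey sharing needs the get_login_creds relation for the
// package (plus at least one signing-cert fingerprint) on the RP ID's origin.
const HANDLE_URLS = "delegate_permission/common.handle_all_urls";
const LOGIN_CREDS = "delegate_permission/common.get_login_creds";

function checkAssetLinks(assetlinksJson, packageName) {
  const entries = JSON.parse(assetlinksJson).filter(
    (e) => e.target && e.target.namespace === "android_app" && e.target.package_name === packageName,
  );
  const relations = new Set(entries.flatMap((e) => e.relation || []));
  const fingerprints = entries.flatMap((e) => e.target.sha256_cert_fingerprints || []);
  return {
    found: entries.length > 0,
    appLinks: relations.has(HANDLE_URLS),
    passkeys: relations.has(LOGIN_CREDS) && fingerprints.length > 0,
  };
}

// iOS: the app must appear under webcredentials.apps; an applinks entry
// alone enables universal links, not shared passkeys.
function checkAasa(aasaJson, appId) {
  const doc = JSON.parse(aasaJson);
  const appLinks = ((doc.applinks && doc.applinks.details) || []).some((d) => d.appID === appId);
  const passkeys = ((doc.webcredentials && doc.webcredentials.apps) || []).includes(appId);
  return { appLinks, passkeys };
}

// Combined verdict for one RP ID, given both documents fetched from
// https://<rpId>/.well-known/ (a 404 there, as in the post, means "not ready").
function passkeyReadiness(assetlinksJson, packageName, aasaJson, appId) {
  return {
    android: checkAssetLinks(assetlinksJson, packageName).passkeys,
    ios: checkAasa(aasaJson, appId).passkeys,
  };
}
```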

7. Conclusion

In conclusion, Revolut's passkey rollout is a significant step towards revolutionizing user authentication in the banking sector. By adopting passkeys, Revolut not only improves security by moving away from traditional passwords but also significantly enhances the UX through a simpler login process. Despite facing challenges in the initial rollout, including inconsistencies across devices and the absence of native app support, Revolut's efforts underscore a commitment to digital innovation and user-centric design.

The technical analysis reveals that while the groundwork for a seamless passkey integration is laid, there are areas ripe for improvement. Enhancing communication, ensuring consistency across platforms, and expanding support to include native mobile applications are critical next steps. Addressing these areas will not only refine Revolut's implementation but also set a benchmark for the industry, encouraging other financial institutions to adopt passkeys soon (see also our blog post on PSD2 compliance of passkeys).
