How can passkeys be integrated into mobile banking apps?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025

Banks looking to enhance security and streamline authentication can integrate passkeys into their mobile banking apps. Passkeys provide a passwordless, phishing-resistant login experience while ensuring compliance with PSD2 Strong Customer Authentication (SCA).

1. Use WebAuthn and Platform-Specific APIs

To integrate passkeys, mobile banking apps must use WebAuthn, the W3C standard that passkeys are built on: the bank's server stores only a public key and verifies a signed challenge, so there is no shared secret to phish or leak, and the credential is bound to the bank's relying-party identifier. Integration steps include:

  • iOS (Apple Passkeys via iCloud Keychain)
    • Use AuthenticationServices.framework to manage passkey registration and authentication.
    • Leverage Face ID or Touch ID for seamless authentication.
    • Store passkeys in iCloud Keychain for multi-device access.
  • Android (Google Passkeys via Google Password Manager)
    • Use the Credential Manager API (androidx.credentials, backed by Google Play services) for passkey handling.
    • Enable biometric authentication with the BiometricPrompt API (FingerprintManager is deprecated since Android 9).
    • Store passkeys in Google Password Manager for cross-device synchronization.

2. Enable Biometric Authentication for Seamless Login

Passkeys eliminate passwords by binding authentication to a user’s device and biometrics. Mobile banking apps can:

  • Use Face ID, Touch ID (iOS) or Fingerprint/Face Unlock (Android) for passkey login.
  • Offer a fallback PIN-based authentication method for users without biometrics.
  • Provide a one-tap login experience without requiring passwords or SMS OTPs.

3. Securely Store and Manage Passkeys

Passkeys are stored securely in platform-managed credential vaults like:

  • iCloud Keychain (Apple)
  • Google Password Manager (Android)

These storage methods ensure private key encryption, preventing unauthorized access while allowing cross-device synchronization.

4. Ensure Compliance with PSD2 and Strong Customer Authentication (SCA)

For mobile banking apps in the EU market, passkeys must comply with PSD2 SCA requirements, which mandate:

  • Possession factor – The registered device, which holds the passkey's private key, acts as proof of possession.
  • Inherence factor – Biometrics (Face ID, Touch ID) fulfill the second factor; the authenticator reports this in the assertion's user-verified (UV) flag, which the bank's server must check rather than assume.
  • Dynamic linking – The server binds the WebAuthn challenge to the specific transaction (amount and payee), so the passkey signature authorises only that payment and cannot be reused for another.

5. Provide a Smooth User Experience and Onboarding

To drive adoption, banks must simplify passkey registration and login:

  • Allow easy passkey setup during app onboarding.
  • Educate users on the security benefits of passkeys over passwords.
  • Provide secure fallback options like recovery codes or secondary authentication methods.

Conclusion: Secure, Phishing-Resistant Mobile Banking

By integrating passkeys with WebAuthn, biometrics, and platform credential managers, banks can replace passwords, improve security, and enhance user experience. Passkeys ensure PSD2 compliance, provide frictionless authentication, and protect users from phishing attacks.
