
From Passwords to Passkeys: Meeting Banking Regulations with FIDO Authentication

FIDO (Fast IDentity Online) is the leading approach to passwordless, phishing-resistant authentication, and it works on both mobile and web. Passkeys make FIDO even more user-friendly: a credential becomes available on several of the user’s devices, and it is supported across the Microsoft, Apple and Google ecosystems.

FIDO and Passkeys are gaining momentum among banks and fintechs. Some of the largest fintechs in the world, including Revolut [1] and Wise [2], already use them in Europe, as do several banks across the US. Of the 847 largest banking sites, 36.8% have adopted FIDO Passkeys [3]. We at Callsign also partner with many banks in Europe, the US, the Middle East and Asia that are starting their journey with FIDO and Passkeys.

Passkey Syncing and Sharing: Design Considerations for Banks

At the same time, introducing FIDO Passkeys raises concerns about the syncing of passkeys across devices. Most FIDO implementations from Google and Apple enable syncing of the Passkey across all of the user’s devices, based on the user’s Google account [4] or iCloud account [5]. Therefore, a compromise of the user’s Google or iCloud account, for example through Account Take-Over (ATO) or device theft, means that the fraudster gets access to the Passkey and thereby to the user’s bank account.

There is also an even easier way: the user can simply share the Passkey with somebody through Apple AirDrop. No account compromise, shoulder-surfing or writing down of a complex password is needed: the Passkey automatically appears on the other device.

Passkey Syncing and Sharing

PSD2 SCA Requirements and the Limits of FIDO Passkeys

FIDO credentials synchronise across devices, and users can also share them explicitly. That makes implementing FIDO Passkeys challenging from the perspectives of PSD2 SCA regulatory compliance, fraud prevention and user experience.

Let’s focus on regulatory compliance with PSD2 SCA, which mandates:

  • Prevention of replication of the possession element
  • Dynamic linking of the amount and the beneficiary account

FIDO Passkeys alone do not meet those requirements out of the box. Here is why:

  • Passkeys are often synchronised between devices or shared between users. That is a replication of the possession element to another device.
  • Passkeys do not link the payment details to the FIDO Passkey signature. Therefore, FIDO Passkeys in isolation do not comply with Dynamic Linking, unless auditable and dynamically linked authentication code generation is done by other means, such as server-side signing.

How FIDO Extensions Attempted to Address Dynamic Linking

There have been attempts within the FIDO standard to mitigate some of these concerns. The standard proposed several extensions that add details and functionality to FIDO authentication requests, such as:

  • A standard extension for text-based transaction confirmation: txAuthSimple [6]
  • A standard extension for image-based transaction confirmation: txAuthGeneric [6]
  • Vendor-specific extensions for transaction confirmation, which only work with the specific FIDO hardware devices that implement them.

No major browsers or platforms across Windows, Mac, iOS, or Android have implemented the above extensions. Therefore, they are no longer part of the most recent versions of the standard [7].

Detecting Sharing and Synchronising of FIDO Passkeys

There have been attempts to prevent the sharing or synchronising of FIDO Passkeys between devices. However, a FIDO Server cannot prevent this type of sharing and synchronising under the current standards: most FIDO clients do not provide an attestation showing whether the Passkey has been shared or synchronised across devices.

Instead, a relying party can try to detect each FIDO implementation’s key protection and sharing approach, and accept only providers or manufacturers that do not allow synchronisation. This could enable banks to allow only FIDO implementations that do not synchronise Passkeys. To identify a specific FIDO implementation, one could attempt to use the AAGUID together with the FIDO Alliance Metadata Service [8]. However, the AAGUID is not a cryptographically secure detection method and, on top of that, not all FIDO clients provide an AAGUID in the authentication response: Apple, for example, does not provide an attestation of the AAGUID [9]. Therefore, a bank cannot reliably detect even the most popular FIDO implementations.
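As an added illustration of the AAGUID check described above (example code written for this article, not Callsign’s or any FIDO server’s own implementation), the Python below parses WebAuthn authenticator data, extracts the AAGUID that is only present in registration responses, and applies an allowlist; the relying party id, credential id and AAGUID are constructed placeholders, and the flag names follow the WebAuthn specification. The backup flags it decodes are, like the AAGUID, only as trustworthy as the attestation statement that covers them, which many passkey providers do not supply.

```python
import hashlib
import struct
import uuid

# Bits of the WebAuthn authenticator-data flags byte (names as in the WebAuthn spec).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_authenticator_data(data: bytes) -> dict:
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]
    # The CBOR-encoded COSE public key and any extensions are left as opaque trailing bytes.
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = data[32]
    out = {
        # BE/BS are set by the client; without a verified attestation they are self-declared.
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:  # attested credential data appears only in registration responses
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", data[53:55])[0]
        if len(data) < 55 + cred_len:
            raise ValueError("credential id truncated")
        out["aaguid"] = uuid.UUID(bytes=data[37:53])
        out["credential_id"] = data[55:55 + cred_len]
    return out

def aaguid_decision(parsed: dict, allowlist: set) -> str:
    # 'allowed' / 'blocked' against an MDS-derived allowlist, or 'unidentified' when the AT flag
    # is absent or the AAGUID is all zeros. Unverified, the AAGUID is a self-declared value.
    aaguid = parsed["aaguid"]
    if aaguid is None or aaguid == uuid.UUID(int=0):
        return "unidentified"
    return "allowed" if aaguid in allowlist else "blocked"

# Constructed sample registration response for RP "bank.example"; the AAGUID is a placeholder.
SAMPLE_AAGUID = uuid.UUID(bytes=b"EXAMPLE-AAGUID!!")
SAMPLE_AUTH_DATA = (
    hashlib.sha256(b"bank.example").digest()
    + bytes([FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT])
    + struct.pack(">I", 0)
    + SAMPLE_AAGUID.bytes
    + struct.pack(">H", 8) + bytes(range(8))
    + b"\xa5\x01\x02"  # first bytes of a COSE key, left opaque here
)
ALLOWLIST = {SAMPLE_AAGUID}
```

An authentication response carries no attested credential data, so the same code returns "unidentified" for it; the allowlist can only be enforced at registration.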

Secure Payment Confirmation: An Emerging Standard for PSD2 SCA

Secure Payment Confirmation (SPC) has among its aims to rectify these and other issues with PSD2 SCA compliance for FIDO Passkeys, but it is still being worked out today in 2026, having been initially created in 2021 [10].

SPC intends to provide [10]:

  • Browser bound keys, to satisfy the PSD2 SCA requirement of non-replication of possession elements.
  • Transaction confirmation, including display and confirmation of transaction details by the user, to satisfy the PSD2 SCA requirement for Dynamic Linking.

Challenges with SPC

Besides the standard being incomplete [10], the barriers to using SPC today are:

  • No mainstream browser has a complete implementation of the standard at this stage [11].
  • The standard only applies to browsers; there is no scope in the standard for handling FIDO authentication in mobile apps [12].
  • Existing FIDO keys do not work with SPC. Each user needs to go through a new, SPC-specific enrolment to be able to use these functionalities [12].

Recommendations for Implementing FIDO for Banks

While there is some progress in securing the use of FIDO Passkeys for banks through Secure Payment Confirmation (SPC) as an emerging browser standard, banks cannot wait for standards to be finalised. And even once the standard is finalised, it does not provide a solution for mobile app authentication.

You can implement FIDO authentication in a compliant fashion today by using functionality such as:

  • Device binding, to detect and compensate for Passkey synchronising and sharing.
  • Dynamic Linking, to provide transaction confirmation for any FIDO device.
  • Dynamic Interventions, to increase scam protection by at least 30% and prepare for PSD3/PSR [13].
  • Auditable authentication code creation, to demonstrate compliance [14].

By using Callsign’s platform, including its FIDO functionality, you get an efficient and scalable FIDO solution with all of the above features, allowing you to deploy PSD2 SCA compliant FIDO authentication today. In addition, the Callsign platform reduces your change cycle from 6 months to 6 hours, enabling you to confidently deploy FIDO or any other authentication technology in one day.

Furthermore, most authentication and CIAM platforms do not provide capabilities to dynamically analyse and optimise journeys based on behavioural analytics. With Callsign’s behavioural analytics alongside FIDO, you get a further 40% improvement in user experience. Gartner® notes: “IAM leaders should seek to configure authentication flows so that the outcome of step-up authentication is folded back into the analytics to determine the new level of trust, yielding an access decision when compared against the current level of access risk. However, IAM leaders are significantly constrained by the capabilities of their AM tools.” (Continuous Adaptive Trust is the Key to Zero Trust in IAM, Part 2: Embracing CAT) [15]. Callsign is included in the report.


GARTNER is a trademark of Gartner, Inc. and/or its affiliates. Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.

References

[1] Revolut, “Revolut Help,” April 2026. [Online]. Available: https://help.revolut.com/help/....

[2] Wise, “Wise Help and Support,” April 2026. [Online]. Available: https://wise.com/help/articles....

[3] N. S. Prince Bhardwaj, “State of Passkey Authentication in the Wild: A Census of the Top 100K sites,” ArXiv and University of Surrey, United Kingdom, 2026.

[4] Google, “Passkey support on Android and Chrome,” April 2026. [Online]. Available: https://developers.google.com/....

[5] Apple, “iPhone User Guide,” April 2026. [Online]. Available: https://support.apple.com/en-g....

[6] World Wide Web Consortium (W3C), “Web Authentication: An API for accessing Public Key Credentials Level 1,” March 2019. [Online]. Available: https://www.w3.org/TR/2019/REC....

[7] World Wide Web Consortium (W3C), “Web Authentication: An API for accessing Public Key Credentials Level 2,” April 2021. [Online]. Available: https://www.w3.org/TR/webauthn....

[8] FIDO Alliance, “FIDO Alliance Metadata Service,” April 2026. [Online]. Available: https://fidoalliance.org/metad....

[9] Apple System Engineer, “Apple Developer Forums,” April 2026. [Online]. Available: https://developer.apple.com/fo....

[10] World Wide Web Consortium (W3C), “Secure Payment Confirmation publication history,” April 2026. [Online]. Available: https://www.w3.org/standards/h....

[11] WPT Dashboard, “web-platform-tests dashboard,” April 2026. [Online]. Available: https://wpt.fyi/results/secure....

[12] World Wide Web Consortium (W3C), “Secure Payment Confirmation,” March 2026. [Online]. Available: https://www.w3.org/TR/secure-p....

[13] Callsign, “Whitepaper Social Engineering: The psychology of scams, and how technology can prevent them,” August 2023. [Online]. Available: https://programs.callsign.com/....

[14] Callsign, “PSD2 cheatsheet,” April 2026. [Online]. Available: https://www.callsign.com/knowl....

[15] Gartner, “Continuous Adaptive Trust Is the Key to Zero Trust in IAM, Part 2: Embracing CAT,” Ant Allan, 23 July 2023.
