Outcome-Based Strong Customer Authentication with Passkeys

The European Union's Payment Services Directive (PSD2) introduced Strong Customer Authentication (SCA) using factors like knowledge, possession, and inherence to boost electronic payment security and consumer confidence, impacting banks and merchants globally. While SCA reduced certain frauds, its prescriptive nature led to a compliance focus. This emphasis on fitting solutions into predefined categories, rather than achieving the best security outcomes against evolving threats, risks prioritizing formalism over effectiveness and could hinder the adoption of superior technologies that don't neatly align with the original PSD2 framework.

In this article we want to take a look at the landscape of today because it has changed and might need a different approach:

1. How do passkeys influence the old SCA regulations? The maturation of technologies like passkeys, built on FIDO/WebAuthn standards, offers a user-friendly, consumer-grade authentication method that is inherently resistant to phishing – a primary vector behind data breaches.
2. How does AI influence attack vectors: The explosion of accessible Artificial Intelligence (AI) has supercharged phishing attacks, making them hyper-realistic, personalized, scalable, and capable of bypassing traditional defenses and human vigilance with alarming ease.

This might demand a critical reassessment of regulations made ten years ago. The regulation wasn't designed for today's specific challenges and opportunities, creating a mismatch.

This article analyses the current interpretation of SCA, particularly concerning the classification of passkeys and the 'possession' element and highlights that passkeys are arguably the most effective consumer-grade phishing protection available. An outcome-based approach to SCA is urgently needed – one that prioritizes demonstrable security results, especially phishing resistance.

The core mechanism of PSD2 SCA is straightforward: for actions like accessing payment accounts online or initiating electronic payments, Payment Service Providers (PSPs) must verify the user's identity using at least two independent factors drawn from the three categories: Knowledge (e.g., password, PIN), Possession (e.g., mobile device via OTP, token, app), and Inherence (e.g., fingerprint, facial recognition). For payment transactions, a crucial additional requirement is dynamic linking, ensuring the authentication code is specific to the transaction amount and payee, protecting against man-in-the-middle attacks.

SCA achieved significant success in its primary goal of improving security and reducing fraud. Reports indicated a noticeable decrease in certain fraud types, particularly Card-Not-Present (CNP) fraud, within the European Economic Area (EEA) following its implementation. France, for instance, reported a 37% drop in online card fraud between 2019 and 2021 attributed to SCA measures. This established a more secure environment for online payments across the EU.

However, implementing SCA was a complex and costly undertaking for financial institutions and merchants. Initial rollouts were often marked by increased friction in the checkout process, leading to concerns about customer experience and transaction-abandonment rates; although the industry has since adapted and success rates have improved, exemptions still apply to low-value transactions, recurring payments and trusted beneficiaries.

But the rigid three-category structure, defined before the adoption of passkeys presents challenges. While intended to provide clarity, it struggles to neatly accommodate innovative solutions like passkeys, which achieve security through mechanisms like cryptographic device, account and origin-binding rather than solely relying on the traditional separation of factors. This forces regulators and implementers to try and fit advanced technologies into a framework that may no longer fully reflect the state-of-the-art in authentication.

This is paradoxical because PSD2 explicitly aimed to promote innovation in payments. Yet, the prescriptive nature of the Regulatory Technical Standards (RTS) on SCA, particularly the strict factor definitions, now risks stifling the adoption of authentication methods like passkeys that emerged after the rules were finalized. The difficulty in definitively classifying passkeys within the existing framework creates uncertainty, which leads banks in Europe to avoid relying on passkeys yet.

Furthermore, while PSD2 has influenced global security trends, the specific, detailed interpretations of SCA factors by the [uropean Banking Authority (EBA) contrast with how similar globally standardized technologies, like FIDO-based passkeys, might be deployed elsewhere based on their proven effectiveness (as seen with PayPal in the US). This potential divergence hindering the deployment of best-in-class security within the EU.

To understand the regulatory challenge, it's essential to grasp what passkeys are and how they work. Developed by the FIDO Alliance and based on open standards like FIDO2 and WebAuthn, passkeys represent a fundamental shift away from shared secrets like passwords. Instead, they rely on asymmetric cryptography. When a user registers for a service using a passkey, their device (phone, computer, security key) generates a unique pair of cryptographic keys: a public key and a private key and binds it to the domain (also called origin). The public key is sent to the service provider (e.g., the bank or merchant) and associated with the user's account. The crucial private key, however, never leaves the user's control; it remains securely stored on the user's device or within their encrypted cloud keychain (like iCloud Keychain or Google Password Manager), protected by the device's secure hardware and the user's local authentication method (like a fingerprint, face scan, or PIN).

To log in, the service sends a unique challenge to the user's device. The device uses the stored private key to cryptographically "sign" this challenge, proving possession of the key without revealing the key itself. The service then verifies this signature using the stored public key.

This architecture is the source of the passkey's defining characteristic: inherent phishing resistance. Unlike passwords or One-Time Passcodes (OTPs) sent via SMS, which are secrets that the user provides to the service (and can thus be tricked into providing to a fake service), a passkey involves no shareable secret. Critically, the cryptographic key pair generated during registration is bound to the verified origin (the legitimate domain name) of the service. If a user is lured to a phishing site (e.g., mybank.fakedomain.com instead of mybank.com), the browser or operating system recognizes the origin mismatch. It will either refuse to offer the passkey associated with the legitimate site or, if a passkey interaction were somehow initiated, the signature generated would be invalid for the legitimate service because the challenge would originate from the wrong domain.

The user cannot accidentally authenticate to a fake site with their passkey, even if they are completely fooled by the deception.

This strong security model, however, runs into ambiguity when mapped onto PSD2 SCA's factor requirements, primarily concerning the 'Possession' element. The EBA has clarified that possession doesn't have to be physical; a non-physical element like an app can qualify, provided there is a "reliable means to confirm possession" (e.g., via dynamic validation like an OTP) or a unique connection is established between the element and the user. Significantly, an EBA Q&A response explicitly states that it is "not always required that the device should perform cryptographically underpinned validity assertions using keys or cryptographic material stored in the device" to prove possession. This suggests flexibility.

However, uncertainty persists, particularly around the independence of factors. If a passkey's private key (representing possession on the device) is unlocked using biometrics (inherence) or a PIN (knowledge) on the same device, does this constitute two sufficiently independent factors under the EBA's interpretation? Some guidance suggests that simply unlocking the phone might not qualify as a valid SCA element if the locking mechanism isn't under the direct control of the PSP. The EBA has also been clear that certain actions, like memorized swiping paths, count as knowledge, not inherence. This leaves the industry questioning whether a typical passkey usage flow (e.g., fingerprint unlock on a phone to authenticate) fully satisfies the two-factor independence requirement for SCA in the eyes of regulators.

Adding another layer of complexity is the emergence of synced passkeys. Unlike traditional "device-bound" passkeys where the private key is permanently tied to a single piece of hardware (e.g. Windows Passkeys or Passkeys on Security Keys), synced passkeys allow the private key to be securely copied and synchronized across multiple devices belonging to the user via cloud services like Apple's iCloud Keychain or Google Password Manager. While this greatly enhances user convenience and provides backup, it further complicates the 'possession' argument under SCA. If the passkey exists simultaneously on a user's phone, laptop, and tablet, can the payment provider definitively prove the user possesses the specific device used for authentication at that moment? The key is no longer bound to a single physical item the user "possesses". This challenge is compounded by the fact that major platforms often do provide attestation for synced passkeys. Attestation is a mechanism allowing the authenticator (the passkey provider/device) to cryptographically prove its origin and characteristics to the service. Without attestation for synced keys, it becomes even harder for a service (like a bank) to verify the properties or even the specific type of device or cloud being used, adding yet another hurdle to demonstrating strict compliance with the possession element as interpreted under SCA. While the FIDO Alliance is working on standards to provide better signals about authenticators, the current situation with synced passkeys introduces additional uncertainty.

This debate, focused on dissecting the passkey mechanism (factor independence, syncing, attestation) into the predefined SCA categories, arguably misses the larger picture. The industry & EBA appears to be trying to fit a technology based on cryptographic binding and device trust into categories designed for older authentication models. The very concept of factor independence, crucial when combining potentially weak factors like passwords and SMS OTPs, might be less relevant for an integrated system like passkeys. Here, the security relies heavily on the cryptographic link between the key, the device, and the service origin, a property not directly captured by the traditional factor definitions. Over-emphasizing factor separation or the nuances of key portability could inadvertently disqualify a method whose strength lies in its integrated, cryptographically secured design. The critical point is the outcome: passkeys deliver exceptionally strong, phishing-resistant authentication, arguably surpassing the security level achieved by many technically compliant combinations of weaker, phishable factors (like SMS OTP).

The following table compares common authentication methods against modern threats, highlighting the superior outcomes offered by passkeys:

Table 1: Comparing Authentication Methods Against Modern Threats

To see the practical benefits of prioritizing security outcomes over strict categorical definitions, one need only look at PayPal's implementation of passkeys. As a founding member of the FIDO Alliance, PayPal embraced passkeys early, launching them for US users on Apple devices in October 2022 and subsequently expanding to Android and other global markets throughout 2023 and beyond. This wasn't merely a technical upgrade; it was a strategic decision driven by the desire to replace vulnerable factors with a more secure and user-friendly alternative, fundamentally improving the login and checkout experience.

PayPal has publicly shared data quantifying the success of this outcome-focused approach. In a statement from January 2025, Rakan Khalid, Senior Director of Identity Product at PayPal, reported compelling results based on their large-scale deployment:

• Security Outcome: A dramatic 70% reduction in Account Takeover (ATO) rates for transactions authenticated using a passkey compared to traditional password-based authentication. This provides powerful empirical evidence of the passkey's effectiveness in mitigating a major fraud vector.
• User Experience Outcome: A significant 10%+ increase in login success rates with passkeys compared to passwords. This points directly to reduced user friction. Eliminating forgotten passwords – a major pain point cited as causing 44% of US consumers to abandon purchases – leads to smoother journeys and likely higher conversion rates.

These results validate the core premise of passkeys: they can deliver enhanced security without compromising, and indeed improving, the user experience. PayPal positions passkeys not just as a password replacement but as a streamlined authentication solution capable of utilizing a combination of factors (possession via the key/device, unlocked by inherence/knowledge) within a single, secure interaction. This self-contained nature simplifies the process for the user while delivering robust security.

PayPal's experience provides real-world validation that transcends theoretical debates about factor classification under SCA. By implementing passkeys at scale and measuring concrete results, PayPal has demonstrated the technology's effectiveness. This empirical data strongly suggests that the outcomes achieved by passkeys – drastic ATO reduction and improved login success – should be the primary focus, regardless of how neatly they fit into regulatory boxes defined years ago.

The positive user response, reflected in the higher login success rate, also indicates clear market demand for security that is seamless and intuitive. Consumers readily adopt solutions that leverage familiar device interactions (like biometrics or PINs) over methods involving friction and memorization.

This alignment of security, usability, and business benefits (fewer abandoned carts, potentially higher loyalty) is a key advantage of the passkey approach.

Furthermore, PayPal's proactive global rollout and their explicit advocacy for regulators to adopt an "innovation friendly," "outcomes-based approach" considering both fraud reduction and user experience equally underscore the strategic importance they place on this technology. This contrasts sharply with the situation in the EU, where regulatory ambiguity potentially hinders PSPs from realizing these same benefits for SCA-mandated flows. If European institutions face higher hurdles in deploying passkeys for SCA compared to international competitors, they could find themselves at a disadvantage, potentially experiencing higher fraud rates or losing customers to competitors offering a superior, passkey-enabled experience elsewhere.

The debate around SCA and passkeys is not happening in a vacuum. It happens at the same time of the rapidly evolving AI age. What was once a manageable threat requiring user education has become an extremely sophisticated AI-driven threat that overwhelms traditional consumers.

Consider the capabilities now readily available to phishing attackers:

• Hyper-Realistic Communication: Generative AI models like ChatGPT can craft phishing emails, SMS messages (smishing), and social media messages that are grammatically perfect, contextually relevant, highly personalized, and mimic legitimate communication styles flawlessly. The age-old advice to "look for spelling errors" is now dangerously obsolete.
• Unprecedented Scale and Speed: AI enables attackers to generate and deploy these tailored attacks at massive scale and minimal cost. Security firm SlashNext correlated the launch of ChatGPT with a staggering 1,265% increase in malicious phishing emails observed between late 2022 and 2023.
• Convincing Impersonation: AI-powered voice cloning (vishing) and deepfake video technology allow attackers to realistically impersonate executives, colleagues, or even family members in phone calls or video conferences. High-profile attacks, like a $25 million fraud executed via a deepfake conference call involving cloned voices and likenesses of company officers, demonstrate the devastating potential.
• Sophisticated Infrastructure: AI assists in the rapid creation of pixel-perfect fake login pages, fraudulent websites, and even the generation of malicious QR codes used to bypass initial email scanning. The surge in fake domain registrations highlights this trend. Specialized malicious LLMs like FraudGPT and WormGPT are being developed specifically to aid cybercrime.

This fundamentally changes the security equation because it overwhelms the human factor. These AI-crafted attacks are explicitly designed to bypass human scrutiny, especially that of average consumers. Even security-aware individuals and professionals can be deceived by the realism and personalization. Reliance on user education as the primary defense, while still necessary, becomes increasingly insufficient against attacks that exploit psychological triggers with AI-driven precision. The statistic that 97% of organizations report difficulty verifying identity underscores the scale of this challenge.

In this hyper-sophisticated threat environment, the inherent weaknesses of traditional authentication factors become critical vulnerabilities. Any method relying on a secret that can be phished (like a password) or intercepted (like an SMS OTP) is fundamentally compromised, even when used in combination for MFA. Adversary-in-the-middle (AitM) attacks, often facilitated by phishing, can capture both factors simultaneously.

This reality elevates the importance of inherent phishing resistance. As AI makes it trivial to deceive humans, security must pivot towards mechanisms that rely on verifiable, machine-level trust rather than human judgment.

Passkeys achieve this through cryptographic proofs and origin binding, where the browser or operating system validates the service's identity and ensures the correct, non-phishable credential is used.

The speed at which AI tools are being developed and weaponized adds extreme urgency. This is not a future threat; it is a clear and present danger escalating daily. Relying on authentication methods vulnerable to AI-powered phishing is no longer a sustainable strategy. Regulatory frameworks and industry practices must adapt fast to embrace inherently phishing-resistant technologies like passkeys, as delaying their adoption due to classification debates leaves the entire ecosystem exposed to significantly heightened risk today.

The journey initiated by PSD2 and its Strong Customer Authentication mandate aimed to create a safer, more innovative European payments ecosystem. While it achieved notable successes in raising the baseline for security, its factor-based approach, conceived nearly a decade ago, now faces significant challenges in the era of advanced cryptography and AI-driven threats.

The evidence presented strongly suggests that passkeys, built on FIDO/WebAuthn standards, offer a superior path forward. They provide demonstrably higher security outcomes, particularly their inherent resistance to phishing – a critical defense against the rising tide of AI-powered attacks. PayPal's real-world deployment outside the EU provides compelling data: a 70% reduction in account takeover fraud and a 10%+ increase in login success rates, validating both the security efficacy and user acceptance of passkeys.

Yet, the adoption of passkeys for SCA purposes within the EU remains clouded by regulatory ambiguity, primarily concerning how they fit within the existing Knowledge, Possession, and Inherence framework, and particularly the interpretation of 'possession' and factor independence. This uncertainty hinders the deployment of arguably the most effective consumer-grade anti-phishing technology available, precisely when it is needed most.

Therefore, the path forward requires a paradigm shift towards an outcome-based approach to Strong Customer Authentication. The EBA and EU policymakers, particularly as discussions around PSD3 and the Payment Services Regulation (PSR) progress, should prioritize the demonstrable security effectiveness of authentication solutions over rigid adherence to potentially outdated categorical definitions. While defining and objectively measuring specific 'outcomes' presents its own challenges, the potential benefits of adapting to technological reality outweigh the difficulties.

This entails:

1. Recognizing Effectiveness: Formally acknowledging and accepting authentication methods that demonstrably prevent critical threats like phishing and significantly reduce fraud, even if their technical implementation blends or transcends the original three factors.
2. Evaluating Holistically: Assessing solutions based on their proven resilience against contemporary, real-world attack vectors (especially AI-driven social engineering) and their impact on crucial factors like user experience, accessibility, and conversion rates, as advocated by industry players like PayPal.
3. Providing Clarity: Issuing clear, unambiguous guidance that allows PSPs and merchants to confidently deploy state-of-the-art, phishing-resistant technologies like passkeys in a manner compliant with SCA regulations. This might involve revisiting the RTS or providing interpretive guidance that focuses on security outcomes rather than prescriptive implementation details.

Adopting an outcome-based perspective is not just about accommodating passkeys; it's about future-proofing financial regulation. Technology will continue to evolve. A regulatory framework focused on desired end-states – robust security against current threats, minimal user friction, broad accessibility – is inherently more adaptable than one tied to specific mechanisms of a previous era. It fosters innovation by allowing the market to find the best ways to achieve those outcomes.

Furthermore, embracing solutions like passkeys that demonstrably improve both security and usability helps align the often-competing priorities of risk management, product development and business growth. True security in the digital age cannot be achieved at the expense of user experience; the most effective solutions enhance both.

The original goals of PSD2 – enhancing security, promoting innovation, and protecting consumers – remain paramount. An outcome-focused approach to SCA is the most effective way to achieve these goals in the face of today's sophisticated threats. Continuing down a path strictly defined by the factors of the past risks leaving the European payment ecosystem unnecessarily vulnerable and less competitive. It is time for regulation to catch up with innovation and focus squarely on the results that matter most: secure, seamless, and trustworthy digital payments for everyone.