What's best for PSD2-compliant passkey integration?
Vincent
Created: January 31, 2025
Updated: May 17, 2025
Read the full article
Explore insights on SCA & PSD2 requirements & the EBA's role in enhancing payment security with dynamic linking by providing regulatory technical standards.
Best Practices for PSD2-Compliant Passkey Integration#
Passkeys offer a secure and user-friendly way to meet the Strong Customer
Authentication (SCA) requirements of PSD2. However, to ensure full compliance,
organizations must follow best practices when integrating passkeys into their
authentication flows.
1. Implement Multi-Factor Authentication (MFA)#
PSD2requires two independent authentication factors:
Best Practice:Use passkeys in combination with biometric authentication (Face ID,
Touch ID, Windows Hello) to fulfill MFA requirements without additional friction.
2. Ensure Dynamic Linking for Transactions#
Dynamic linking ensures that each transaction is
cryptographically bound to its details.
Best Practice:Use WebAuthn signatures to bind the transaction amount and
recipient details to the authentication request.
The user must approve the exact transaction details before completion.
3. Protect Against Phishing and Credential Theft#
Passkeys are phishing-resistant because they are bound to the specific website or
app.
Best Practice:Use WebAuthn authentication with origin verification to prevent
credential theft from fake login pages.
4. Store Passkeys Securely in Hardware Modules#
PSD2 requires that authentication data is securely stored and
resistant to tampering.
Best Practice:Leverage device-based security modules, such as:
Best Practice: Use Transaction Risk Analysis (TRA) to assess when
passkey authentication may be skipped for
low-risk transactions, improving the user experience.
7. Ensure Cross-Platform Compatibility#
Users should be able to authenticate seamlessly across devices and platforms.
Best Practice:Support passkey synchronization via iCloud Keychain (Apple),
Google Password Manager, or third-party password managers.
Conclusion#
Integrating passkeys in a PSD2-compliant way ensures strong security, regulatory
compliance, and seamless user experience. By leveraging multi-factor authentication,
dynamic linking, phishing resistance, and secure storage, businesses can provide
secure and frictionless authentication while complying with European payment
regulations.
Read the full article#
Read the full article
Explore insights on SCA & PSD2 requirements & the EBA's role in enhancing payment security with dynamic linking by providing regulatory technical standards.