What's best for PSD2-compliant passkey integration?

Best Practices for PSD2-Compliant Passkey Integration#

Passkeys offer a secure and user-friendly way to meet the Strong Customer Authentication (SCA) requirements of PSD2. However, to ensure full compliance, organizations must follow best practices when integrating passkeys into their authentication flows.

1. Implement Multi-Factor Authentication (MFA)#

• PSD2 requires two independent authentication factors:
  • Something You Know (e.g., password, PIN)
  • Something You Have (e.g., device with passkey)
  • Something You Are (e.g., biometric authentication)
• Best Practice: Use passkeys in combination with biometric authentication (Face ID, Touch ID, Windows Hello) to fulfill MFA requirements without additional friction.

2. Ensure Dynamic Linking for Transactions#

• Dynamic linking ensures that each transaction is cryptographically bound to its details.
• Best Practice: Use WebAuthn signatures to bind the transaction amount and recipient details to the authentication request.
• The user must approve the exact transaction details before completion.

3. Protect Against Phishing and Credential Theft#

• Passkeys are phishing-resistant because they are bound to the specific website or app.
• Best Practice: Use WebAuthn authentication with origin verification to prevent credential theft from fake login pages.

4. Store Passkeys Securely in Hardware Modules#

• PSD2 requires that authentication data is securely stored and resistant to tampering.
• Best Practice: Leverage device-based security modules, such as:
  • Secure Enclave (Apple)
  • Trusted Platform Module (TPM) (Windows)
  • Trusted Execution Environment (TEE) (Android)

5. Allow Recovery & Backup for User Convenience#

• While device-bound passkeys are highly secure, synced passkeys provide a balance between security and usability.
• Best Practice: Use cloud-synced passkeys to allow users to access their credentials across multiple devices without weakening security.

6. Implement Risk-Based Authentication for Exemptions#

• PSD2 allows exemptions for low-risk transactions.
• Best Practice: Use Transaction Risk Analysis (TRA) to assess when passkey authentication may be skipped for low-risk transactions, improving the user experience.

7. Ensure Cross-Platform Compatibility#

• Users should be able to authenticate seamlessly across devices and platforms.
• Best Practice: Support passkey synchronization via iCloud Keychain (Apple), Google Password Manager, or third-party password managers.

Conclusion#

Integrating passkeys in a PSD2-compliant way ensures strong security, regulatory compliance, and seamless user experience. By leveraging multi-factor authentication, dynamic linking, phishing resistance, and secure storage, businesses can provide secure and frictionless authentication while complying with European payment regulations.

Read the full article#