How Does Biometric Authentication with Passkeys Fit Into PSD3/PSR?
The Payment Services Regulation (PSR) under PSD3 aims to enhance Strong Customer Authentication (SCA) by embracing modern, phishing-resistant authentication methods. Passkeys, which utilize biometric authentication, align perfectly with these new regulatory goals.
1. Biometric Authentication Meets SCA Requirements
- Under PSD2, biometric authentication was permitted but required additional authentication factors to comply with SCA.
- PSD3 strengthens biometric security by:
  - Allowing biometric factors (e.g., fingerprint, facial recognition) to be used in combination with cryptographic passkeys.
  - Reducing reliance on phishable authentication methods like passwords and OTPs.
2. Passkeys Improve Security and Compliance
- Passkeys leverage biometric authentication built into the user's device (e.g., Face ID, Windows Hello), ensuring:
  - Phishing resistance – Unlike passwords, passkeys cannot be stolen via phishing attacks.
  - Better fraud prevention – They rely on hardware-based security keys rather than knowledge-based credentials.
  - Seamless user experience – Users authenticate instantly without needing additional security steps.
3. PSD3’s Stance on Biometric Authentication
- The European Banking Authority (EBA) has clarified that biometric authentication can be used for SCA compliance, provided:
  - It meets high security standards for encryption and fraud detection.
  - It is securely integrated within the payment provider's ecosystem.
- PSD3 is expected to provide clearer guidelines on biometric authentication, making it easier for banks, fintechs, and enterprises to implement passkeys securely.
4. How Passkeys Fit Into PSD3/PSR’s Security Goals
- PSD3 aims to make SCA more effective and user-friendly while minimizing authentication friction.
- Passkeys with biometrics simplify compliance, since:
  - They eliminate password-related security risks.
  - They enable seamless authentication while maintaining high security standards.
  - They are device-bound and cannot be reused outside their registered environment.
Conclusion
PSD3/PSR acknowledges biometric authentication as a key component of SCA. The adoption of passkeys aligns perfectly with PSD3's goals, making authentication more secure, convenient, and phishing-resistant. As passkeys gain broader regulatory support, organizations implementing them will benefit from enhanced security and compliance.