How does biometric auth with passkeys fit into PSD3/PSR?

The Payment Services Regulation (PSR) under PSD3 aims to enhance Strong Customer Authentication (SCA) by embracing modern, phishing-resistant authentication methods. Passkeys, which utilize biometric authentication, align perfectly with these new regulatory goals.

• Under PSD2, biometric authentication was permitted but required additional authentication factors to comply with SCA.
• PSD3 strengthens biometric security by:
  • Allowing biometric factors (e.g., fingerprint, facial recognition) to be used in combination with cryptographic passkeys.
  • Reducing reliance on phishable authentication methods like passwords and OTPs.

• Passkeys leverage biometric authentication built into the user's device (e.g., Face ID, Windows Hello), ensuring:
  • Phishing resistance – Unlike passwords, passkeys cannot be stolen via phishing attacks.
  • Better fraud prevention – They rely on hardware-based security keys rather than knowledge-based credentials.
  • Seamless user experience – Users authenticate instantly without needing additional security steps.

• The European Banking Authority (EBA) has clarified that biometric authentication can be used for SCA compliance, provided:
  • It meets high security standards for encryption and fraud detection.
  • It is securely integrated within the payment provider's ecosystem.
• PSD3 is expected to provide clearer guidelines on biometric authentication, making it easier for banks, fintechs, and enterprises to implement passkeys securely.

• PSD3 aims to make SCA more effective and user-friendly while minimizing authentication friction.
• Passkeys with biometrics simplify compliance, since:
  • They eliminate password-related security risks.
  • They enable seamless authentication while maintaining high security standards.
  • They are device-bound and cannot be reused outside their registered environment.

PSD3/PSR acknowledges biometric authentication as a key component of SCA. The adoption of passkeys aligns perfectly with PSD3's goals, making authentication more secure, convenient, and phishing-resistant. As passkeys gain broader regulatory support, organizations implementing them will benefit from enhanced security and compliance.