Why US passkey providers are no help on your journey towards a secure passkey login

If you want to safeguard your personal data from unauthorized access, securing your online accounts with passkeys is a must. However, relying on US-based passkey providers poses risks, especially with the nullification of the Privacy Shield agreement, which makes personal data susceptible to government surveillance.

With the increasing threat of cyber attacks and data breaches, it's vital to ensure that sensitive information is kept safe and secure. This is where passkeys come in, providing an additional layer of protection for online accounts. While there are many ways to host passkey infrastructure, from EU companies’ perspective EU passkey providers have recently been gaining an edge over US providers. This is mainly due to their compliance with the General Data Protection Regulation (GDPR) and their reputation for providing top-notch security and data protection. In this article, we'll dive into why European passkey providers are the way to go and cause fewer headaches if you want to be on the safe side when it comes to data security.

Privacy Shield nullification makes it hard to trust US companies’ data privacy

In July 2020, the European Court of Justice issued a landmark ruling, known as the 'Schrems II' judgement, which nullified the Privacy Shield agreement between the US and the EU. The Privacy Shield agreement aimed to provide a framework to ensure that companies transferring personal data from the EU to the US complied with EU data protection requirements, especially the GDPR.

With its nullification, there are increased concerns about the potential for unauthorized access and use of this data by US-based companies, as well as the potential for government surveillance. This has caused widespread anxiety about the protection of personal data in the US, and the implications for EU citizens who entrust their data to US companies.

In addition to the US Foreign Intelligence Surveillance Act (FISA), one of the main reasons for these concerns is the CLOUD Act, which requires US companies to hand over data to the government - even if their servers are located in Europe. This has led to serious questions about data security and privacy. As a result, it is essential that businesses take proactive measures to ensure that customer data is handled securely and transparently.

So let's break down your options:

Option 1: US providers with their servers stationed in the US

You could go with a US passkey provider that also operates in the EU, but whose primary focus is not on this region. This means there is no real incentive for them to comply with GDPR.

High risk of government surveillance of your users' data.

Option 2: EU-focused US providers with US-hosted servers

Another option is to choose an American passkey provider that actually caters to the EU market. While these providers might make some efforts to meet GDPR requirements, the risk of potential government surveillance and unauthorized access to your data remains a concern. Even if their servers are located in Europe, they can't guarantee that user data is out of reach of US surveillance, because they are still legally required to hand it over.

Little improvement over simply choosing a standard US provider as in option 1.

Option 3: EU providers using US infrastructure providers

Alternatively, you could opt for a European passkey provider. We’re getting on the right track, but let’s not lose sight of the fact that even EU companies often use US infrastructure providers, such as Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure. While it's possible to specify an EU server location, keep in mind that this still doesn't eliminate the requirement for the US infrastructure provider to hand over data to the government, even if the data is collected on foreign soil.

Option 4: DIY passkeys

Concerned about data privacy? You may be considering having your engineering team implement and operate passkey authentication themselves. While this may be more secure, it will be a significant undertaking in terms of time and resources. Really, just trust us with this one (…or check out our article about the time and cost involved).

Option 5: EU providers with European servers are key

So what’s the key to best data privacy for EU companies?

If you want to be on the safe side when it comes to your users' data privacy, you’ll hardly find a way around European passkey providers with servers hosted in Europe. They are mandated to comply with GDPR, ensuring a higher standard of personal data handling, transparency, and accountability. You have more control over your data, including the ability to request deletion of or access to it, a fundamental right under the GDPR.

Plus, using European passkey providers means that businesses can focus on their operations without worrying about compliance issues. These providers ensure that they meet all necessary requirements and stay up to date with any changes in data protection legislation. This gives businesses peace of mind and allows them to concentrate on their core operations.

Corbado hosts its services with German providers

In conclusion, if you're looking for a passkey provider that puts data privacy and data protection first, European passkey providers are the way to go!

Sparked your interest? Corbado’s passkey solution might be a good fit for you and your company. Reach out to us to learn more about how our solution keeps your users' data 100% secure.
