---
url: 'https://www.corbado.com/faq/challenges-banks-passkeys'
title: 'What Challenges do Banks face when implementing Passkeys'
description: 'Banks may face challenges like regulatory compliance, user adoption, and system integration when implementing passkeys for authentication.'
lang: 'en'
keywords: 'bank challenges, banking challenges, banking issues, banking problems'
---

# What Challenges do Banks face when implementing Passkeys

## What Challenges might Banks face when implementing Passkeys?

Passkeys offer **phishing-resistant, passwordless authentication** and are a **major
security upgrade** for banks. However, transitioning from **traditional authentication
methods** (e.g. passwords, SMS OTP, email OTP, [authenticator](https://www.corbado.com/glossary/authenticator)
app, push notifications in native apps) to **passkeys** presents several challenges. These
must be addressed to **ensure a smooth rollout and user adoption**.

### 1. Regulatory Compliance and PSD2

Banks operating in the **European Economic Area (EEA)** must comply with **PSD2’s Strong
Customer Authentication (SCA)** regulations. Passkeys satisfy **SCA requirements** by
combining two factors:

- **Something the user has** (device-bound cryptographic keys).
- **Something the user is** (biometrics or a device PIN).

However, regulators have yet to **explicitly approve passkeys** as a standalone SCA-compliant
method. Banks must **closely monitor evolving regulations** and proactively work with
financial authorities.

**How to overcome the challenge of regulatory compliance and PSD2?**

[Device-bound passkeys](https://www.corbado.com/blog/fbi-operation-winter-shield-passkeys) (e.g. on Windows
Hello or when using [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys)
such as [YubiKeys](https://www.corbado.com/glossary/yubikey)) are not an issue and are clearly compliant with
[PSD2](https://www.corbado.com/blog/psd2-passkeys) / SCA. With synced passkeys, however, there is ambiguity in the
[PSD2](https://www.corbado.com/blog/psd2-passkeys) framework. We recommend the following:

1. Engage with the regulators and push them to be more open-minded and more outcome-driven
   when it comes to [Strong Customer Authentication](https://www.corbado.com/faq/sca-psd2-importance). Almost all
   of today's authentication methods that are common in [banking](https://www.corbado.com/passkeys-for-banking)
   are prone to [phishing](https://www.corbado.com/glossary/phishing) (be it passwords, OTPs or push notification
   attempts). Synced passkeys are [phishing](https://www.corbado.com/glossary/phishing)-resistant and solve a
   huge problem for financial service institutions. As [PSD2](https://www.corbado.com/blog/psd2-passkeys) was
   created at a time when passkeys and [phishing](https://www.corbado.com/glossary/phishing)-resistant
   authentication were not yet a thing, we recommend reaching out to the European
   [Banking](https://www.corbado.com/passkeys-for-banking) Authority and pushing for the better outcome: protecting
   customers adequately. It is technically possible, and other regions in the world already
   go down this path.
2. Add further controls to your passkey solution that allow you to determine
   the device from which a user authenticates (even when a synced passkey is used). There
   are several ways to implement such a Proof of Possession. This requires some extra
   development work, and multiple approaches exist. Feel free to [reach out](https://www.corbado.com/contact) if
   you are interested in these methods.

### 2. User Adoption and Education

Banks must ensure that customers understand how to **use and trust passkeys**. Challenges
include:

- **User hesitancy**: Customers may be unfamiliar with passkeys and reluctant to change
  from **passwords and SMS OTPs**.
- **Device dependency**: Passkeys are linked to devices, which may cause confusion during
  device loss or migration.
- **Education efforts**: Banks need **clear, simple onboarding guides** to help users
  transition.

**How to overcome the challenge of user adoption and education:**

We recommend introducing passkeys as naturally into the login and sign-up flow as possible.
Users should not need to think about passkeys or be educated on them. Make the passkey UX so
seamless that they simply log in. Many will think of it as "using
[Face ID](https://www.corbado.com/faq/is-face-id-passkey) to log into websites or apps" anyway. For users who are
interested in technical details and edge cases, you should provide an extensive
[FAQ](https://www.corbado.com/faq) or [glossary](https://www.corbado.com/glossary) that explains the core concepts of passkeys. Moreover,
this [passkey info page](https://passkeys.eu) also holds more information for interested
users.

### 3. Integration with Existing Banking Infrastructure

Banks must **seamlessly integrate passkeys** into **web banking portals, mobile apps, and
ATM authentication**. Key challenges include:

- **Legacy system compatibility**: Older [banking](https://www.corbado.com/passkeys-for-banking) platforms may
  not support WebAuthn and [FIDO2](https://www.corbado.com/glossary/fido2).
- **Cross-platform synchronization**: Ensuring passkeys work across **mobile, desktop, and
  alternative devices**.
- **Fallback mechanisms**: Providing secure **backup authentication methods** for users
  without passkey-supported devices.

**How to overcome the challenge of integrating passkeys into existing banking
infrastructure:**

Many banks run on rather old infrastructure, and migrating users from their existing IdP /
IAM to a new one is a major effort that could span years (for a
[large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) bank). We recommend looking
for a Passkey Layer vendor that does not require any user data migration but brings all
the passkey enterprise functionality that highly regulated entities like banks need, while
still providing the best user experience and guaranteeing a very high
[passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case). The optimized UX for passkeys
will lead to high adoption of passkeys, ultimately resulting in the success of the passkey
project: saving operational costs for SMS, reducing fraud and account resets, as well as
raising the engagement rate with digital banking products.

### 4. Security and Fraud Considerations

Although **passkeys eliminate phishing risks**, banks must:

- **Secure cloud-synced passkeys**: Some regulators may be concerned about the
  [security of passkeys](https://www.corbado.com/faq/are-passkeys-safe) stored in **iCloud Keychain or Google
  Password Manager**.
- **Prevent unauthorized access**: Implement risk-based authentication for **high-value
  transactions**.
- **Monitor fraud attempts**: While passkeys **reduce phishing risks**, fraudsters may
  still attempt device-based attacks.

**How to overcome the challenge of security and fraud considerations:**

The Apple and Google cloud accounts that most customers will use have strong protection by
default and cannot easily be hacked. For more security-aware users, you should provide the
option to also use [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) (e.g.
[YubiKeys](https://www.corbado.com/glossary/yubikey)) that provide non-synced passkeys. Moreover, for high-value
transactions, you can introduce step-up authentication to make sure there is another level
of security involved.
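One signal a relying party already receives for both recommendations above (telling a device-bound passkey from a synced one in section 1, and requiring step-up for high-value transactions in this section) is the backup-eligibility flag pair in the WebAuthn authenticator data: the BE bit says whether the credential can ever be backed up, the BS bit whether it currently is. The following is an added Python example, not Corbado's code and not the Proof of Possession approach mentioned above; the RP ID `bank.example`, the EUR 1000 step-up limit and the policy outcomes are assumptions for illustration.

```python
import hashlib
import struct

# WebAuthn authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4] | optional data...
# Flag bits: UP=0x01 (user present), UV=0x04 (user verified),
# BE=0x08 (backup eligible), BS=0x10 (currently backed up)
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


def parse_auth_data(auth_data: bytes) -> dict:
    """Extract the fields a relying party needs from raw authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def credential_class(info: dict) -> str:
    """BE=0 means the authenticator can never back the key up: a device-bound passkey."""
    return "synced" if info["backup_eligible"] else "device-bound"


def be_flag_consistent(registered: dict, assertion: dict) -> bool:
    """BE is fixed for the life of a credential; a change since registration is an anomaly."""
    return registered["backup_eligible"] == assertion["backup_eligible"]


def authorize(info: dict, amount_eur: float, step_up_limit_eur: float = 1000.0) -> str:
    """Hypothetical policy: UP+UV always required; synced keys need step-up above the limit."""
    if not (info["user_present"] and info["user_verified"]):
        return "reject"
    if credential_class(info) == "device-bound":
        return "allow"
    return "allow" if amount_eur < step_up_limit_eur else "step-up"


def sample_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Constructed authenticatorData for the hypothetical RP ID 'bank.example' (no attested data)."""
    rp_id_hash = hashlib.sha256(b"bank.example").digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    hw_key = parse_auth_data(sample_auth_data(FLAG_UP | FLAG_UV, sign_count=17))
    synced = parse_auth_data(sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS))
    print(credential_class(hw_key), authorize(hw_key, 5000.0))  # device-bound allow
    print(credential_class(synced), authorize(synced, 5000.0))  # synced step-up
```

Store the BE value at registration and compare it on every assertion with `be_flag_consistent`; the sign counter is also returned because synced passkeys typically report 0, so a non-zero counter is a further hint of a device-bound authenticator.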

### 5. Transitioning From Legacy Authentication Methods

Banks cannot **immediately phase out passwords and SMS OTPs**. There is considerable risk and
uncertainty in going passkey-only when you already have existing users who are
used to logging in via passwords or SMS OTP.

**How to overcome the challenge of transitioning from legacy authentication methods:**

Instead of a big-bang introduction of passkeys with an immediate switch-off of the legacy
methods, a **gradual transition** is required:

- **Offer passkeys alongside existing methods** as an opt-in feature.
- **Encourage early adopters** and gather feedback.
- **Measure adoption rates** before enforcing passkey-only logins.

## Conclusion: A Worthwhile Transition Despite Challenges

Despite these challenges, **passkeys provide a long-term solution** to phishing, **improve
user experience**, and ensure compliance with modern authentication standards. Banks that
**plan strategically, educate users, and integrate passkeys carefully** will **benefit
from a more secure and seamless authentication system**.
