What's best for PSD2-compliant passkey integration?

Best Practices for PSD2-Compliant Passkey Integration#

Passkeys (both device-bound and synced) can be SCA-compliant and offer a secure, user-friendly way to meet PSD2's Strong Customer Authentication (SCA) requirements. However, since no single "correct" SCA interpretation exists yet, organizations must follow best practices when integrating passkeys to ensure compliance while maintaining flexibility.

1. Choose your SCA Compliance Approach#

The industry is converging on three approaches to satisfying SCA with passkeys. Each institution should choose based on its risk appetite and regulatory relationship:

• Passkeys as-is (e.g. Revolut, Finom) — inherence (biometric) + possession (device with private key). Suitable for fintechs and banks with progressive regulators.
• Passkeys + cookie/session binding (e.g. PayPal, Comdirect) — adds an extra possession signal for a more conservative SCA interpretation.
• Cryptographic binding (DBSC/DPoP) — hardware-bound proof of possession, providing the strongest guarantee. Best for institutions requiring maximum assurance.

2. Implement Multi-Factor Authentication (MFA)#

• PSD2 requires two independent authentication factors from different categories: knowledge (PIN/password), possession (device/key), and inherence (biometrics).
• Best Practice: Use passkeys with biometric user verification (Face ID, Touch ID, Windows Hello) to fulfill MFA requirements inherently — passkeys provide possession (private key in hardware security module or cloud keychain) + inherence (biometric) or knowledge (PIN) in a single gesture.

3. Ensure Dynamic Linking for Transactions#

• Dynamic linking is a separate requirement from SCA for payment transactions — it ensures each transaction is cryptographically bound to its details (amount + payee).
• Best Practice: Use WebAuthn signatures to bind transaction details to the authentication request. Note that passkeys solve phishing; dynamic linking solves authorization integrity — both are needed for payments.

4. Protect Against Phishing and Credential Theft#

• Passkeys are phishing-resistant by design because they are bound to the specific origin (website or app).
• Best Practice: Use WebAuthn authentication with origin verification to prevent credential theft. An outcome-based approach to SCA that prioritizes demonstrable phishing resistance over rigid factor categorization is the direction the industry is moving.

5. Store Passkeys Securely in Hardware Modules#

• PSD2 requires that authentication data is securely stored and resistant to tampering.
• Best Practice: Leverage device-based security modules such as Secure Enclave (Apple), Trusted Platform Module (TPM) (Windows), and Trusted Execution Environment (TEE) (Android). Both device-bound and synced passkeys use these modules — synced passkeys additionally encrypt the private key before cloud synchronization via end-to-end encryption.

6. Support Both Device-Bound and Synced Passkeys#

• Device-bound passkeys offer strict device control (ideal for high-security scenarios), while synced passkeys provide better usability and account recovery.
• Best Practice: Support both types. Use configurable trust policies to apply different SCA treatments: device-bound passkeys on known devices can be trusted without step-up, while synced passkeys on new devices can trigger additional verification. This lets you adapt to your institution's risk appetite without forcing a single approach.

7. Implement Risk-Based Authentication for Exemptions#

• PSD2 allows exemptions for low-risk transactions (below €30, recurring payments, trusted beneficiaries).
• Best Practice: Use Transaction Risk Analysis (TRA) to assess when passkey authentication may be skipped for low-risk transactions, improving the user experience while maintaining compliance.

8. Ensure Cross-Platform Compatibility#

• Users should be able to authenticate seamlessly across devices and platforms.
• Best Practice: Support passkey synchronization via iCloud Keychain (Apple), Google Password Manager, or third-party password managers. Monitor device trust and passkey success rates across your entire device landscape to catch platform-specific issues early.

Conclusion#

Integrating passkeys in a PSD2-compliant way requires choosing an SCA approach that matches your risk appetite, ensuring dynamic linking for payments, and supporting both device-bound and synced passkeys with appropriate trust policies. By focusing on demonstrable security outcomes (phishing resistance, high success rates) rather than rigid factor categorization, banks and fintechs can provide secure and frictionless authentication while complying with European payment regulations.

Read the full article#