---
url: 'https://www.corbado.com/faq/psd2-passkey-integration-best-practices'
title: 'What''s best for PSD2-compliant passkey integration?'
description: 'To ensure PSD2 compliance, passkey integration must support multi-factor authentication (MFA), dynamic linking, and phishing-resistant security.'
lang: 'en'
---

# What's best for PSD2-compliant passkey integration?

## Best Practices for PSD2-Compliant Passkey Integration

**Passkeys** (both device-bound and synced) can be SCA-compliant and offer a secure,
user-friendly way to meet **PSD2's Strong Customer Authentication (SCA) requirements**.
However, since no single "correct" SCA interpretation exists yet, organizations must
follow best practices when integrating passkeys to ensure compliance while maintaining
flexibility.

### 1. Choose your SCA Compliance Approach

The industry is converging on three approaches to satisfying SCA with passkeys. Each
institution should choose based on its risk appetite and regulatory relationship:

- **Passkeys as-is** (e.g. [Revolut](https://www.corbado.com/blog/revolut-passkeys),
  [Finom](https://www.corbado.com/blog/finom-passkeys)) — inherence (biometric) + possession (device with private
  key). Suitable for fintechs and banks with progressive regulators.
- **Passkeys + cookie/session binding** (e.g. [PayPal](https://www.corbado.com/blog/paypal-passkeys), Comdirect)
  — adds an extra possession signal for a more conservative SCA interpretation.
- **Cryptographic binding (DBSC/DPoP)** — hardware-bound proof of possession, providing
  the strongest guarantee. Best for institutions requiring maximum assurance.

### 2. Implement Multi-Factor Authentication (MFA)

- [PSD2](https://www.corbado.com/blog/psd2-passkeys) **requires two independent authentication factors** from
  different categories: knowledge (PIN/password), possession (device/key), and inherence
  (biometrics).
- **Best Practice:** Use passkeys with biometric
  [user verification](https://www.corbado.com/blog/webauthn-user-verification)
  ([Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID, [Windows Hello](https://www.corbado.com/glossary/windows-hello))
  to fulfill MFA requirements inherently — passkeys provide possession (private key in
  hardware security module or cloud keychain) + inherence (biometric) or knowledge (PIN)
  in a single gesture.

### 3. Ensure Dynamic Linking for Transactions

- [Dynamic linking](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) is a **separate requirement** from
  SCA for [payment](https://www.corbado.com/passkeys-for-payment) transactions — it ensures each transaction is
  cryptographically bound to its details (amount + payee).
- **Best Practice:** Use WebAuthn signatures to bind transaction details to the
  authentication request. Note that passkeys solve [phishing](https://www.corbado.com/glossary/phishing); dynamic
  linking solves authorization integrity — both are needed for
  [payments](https://www.corbado.com/passkeys-for-payment).

### 4. Protect Against Phishing and Credential Theft

- Passkeys are **phishing-resistant by design** because they are bound to the specific
  origin (website or app).
- **Best Practice:** Use WebAuthn authentication with origin verification to prevent
  credential theft. An outcome-based approach to SCA that prioritizes demonstrable
  [phishing](https://www.corbado.com/glossary/phishing) resistance over rigid factor categorization is the
  direction the industry is moving.

### 5. Store Passkeys Securely in Hardware Modules

- [PSD2](https://www.corbado.com/blog/psd2-passkeys) requires that authentication data is **securely stored and
  resistant to tampering**.
- **Best Practice:** Leverage device-based security modules such as **Secure Enclave**
  (Apple), **Trusted Platform Module (TPM)** (Windows), and **Trusted Execution
  Environment (TEE)** ([Android](https://www.corbado.com/blog/how-to-enable-passkeys-android)). Both device-bound
  and synced passkeys use these modules — synced passkeys additionally encrypt the private
  key before cloud synchronization via
  [end-to-end encryption](https://www.corbado.com/faq/end-to-end-encryption-passkey-sync).

### 6. Support Both Device-Bound and Synced Passkeys

- **Device-bound passkeys** offer strict device control (ideal for high-security
  scenarios), while **synced passkeys** provide better usability and account recovery.
- **Best Practice:** Support both types. Use configurable trust policies to apply
  different SCA treatments: [device-bound passkeys](https://www.corbado.com/faq/are-passkeys-device-specific) on
  known devices can be trusted without step-up, while synced passkeys on new devices can
  trigger additional verification. This lets you adapt to your institution's risk appetite
  without forcing a single approach.

### 7. Implement Risk-Based Authentication for Exemptions

- [PSD2](https://www.corbado.com/blog/psd2-passkeys) allows exemptions for low-risk transactions (below €30,
  recurring [payments](https://www.corbado.com/passkeys-for-payment), trusted beneficiaries).
- **Best Practice:** Use **Transaction Risk Analysis (TRA)** to assess when passkey
  authentication may be skipped for low-risk transactions, improving the user experience
  while maintaining compliance.

### 8. Ensure Cross-Platform Compatibility

- Users should be able to authenticate **seamlessly across devices and platforms**.
- **Best Practice:** Support passkey synchronization via **iCloud Keychain (Apple)**,
  **Google Password Manager**, or **third-party password managers**. Monitor device trust
  and passkey success rates across your entire device landscape to catch platform-specific
  issues early.

## Conclusion

Integrating passkeys in a **PSD2-compliant** way requires choosing an SCA approach that
matches your risk appetite, ensuring [dynamic linking](https://www.corbado.com/blog/dynamic-linking-passkeys-spc)
for [payments](https://www.corbado.com/passkeys-for-payment), and supporting both device-bound and synced
passkeys with appropriate trust policies. By focusing on **demonstrable security
outcomes** (phishing resistance, high success rates) rather than rigid factor
categorization, banks and fintechs can provide **secure and frictionless authentication**
while complying with European [payment](https://www.corbado.com/passkeys-for-payment) regulations.

## Read the full article