Question 1

How does the HRE Add-on work with our existing WebAuthn server?

Accepted Answer

The HRE Add-on is designed specifically for organizations that want to keep their WebAuthn server in-house. You maintain full control of:WebAuthn credential creation and verificationPublic key storage and managementAuthentication decision logicUser database and identity managementWhat Corbado provides:Client-side SDKs (JavaScript/TypeScript, iOS, Android)Telemetry and analytics infrastructureDevice trust and PSD2 compliance layerGradual rollout and A/B testing capabilitiesError classification and debugging toolsIntegration requires adding our SDK to track authentication events and optionally using our device trust signals for regulatory compliance.

Question 2

What's the difference between the HRE Add-on and Corbado Connect?

Accepted Answer

HRE Add-on (Headless SDK): You own the WebAuthn server and authentication logic. Corbado provides surrounding tooling.Your infrastructure handles credential verificationComplete control over authentication flowsNo credential data leaves your environmentDesigned for regulated entities with strict compliance requirementsCorbado Connect (Full Solution): Corbado provides both the WebAuthn server and tooling.Corbado handles credential verificationPre-built authentication flows and UI componentsFaster implementation (days vs. weeks)Best for organizations comfortable with managed authenticationBoth options include the same analytics, debugging and adoption optimization features.

Question 3

What client-side signals do you track for device trust?

Accepted Answer

For PSD2 compliance and fraud prevention, we track 100+ client-side signals:Device Identifiers: Non-fingerprinting, cookie-based with 95%+ persistenceEnvironment Detection: OS version, browser capabilities, authenticator availabilityPasskey Metadata: Backup eligibility, cross-platform capability, attestation dataBehavioral Signals: Authentication patterns, device switching, shared device indicatorsPrivacy & Compliance:No PII collected (UUID-based only)GDPR compliant with EU data residencyConfigurable data retention policies

Question 4

How long does it take to implement the HRE Add-on?

Accepted Answer

Implementation typically takes 2-4 weeks depending on your architecture:Week 1-2: Basic IntegrationAdd JavaScript SDK to web applicationsIntegrate iOS/Android SDKs for mobile appsConfigure event tracking at authentication pointsSet up dashboards and monitoringWeek 3-4: Advanced FeaturesConfigure device trust rules for PSD2Set up gradual rollout policiesImplement A/B testing for optimizationCompare this to 12-36 months for building equivalent capabilities in-house.

Question 5

How do we handle gradual rollout to millions of users?

Accepted Answer

The HRE Add-on includes sophisticated rollout controls designed for large-scale deployments:Recommended Rollout Strategy:Internal pilot: Employees only (typically 1-2 weeks)Beta customers: 0.1-1% of users (2-4 weeks)Progressive expansion: 5%, 10%, 25%, 50%, 100%Rollout Controls:Target by OS version (start with iOS 17+, Android 14+)Geographic targeting (country, region)User segments (age, activity level)Device type (mobile first, then desktop)A/B testing for messaging and UXChanges are instant without app releases. If issues arise, you can pause or rollback immediately.

Question 6

Can we start with just analytics and add features later?

Accepted Answer

Yes, the HRE Add-on is designed for progressive adoption. So you can start with the analytics only and then gardaully expand the layers.

Question 7

What's the ROI of the HRE Add-on?

Accepted Answer

Banks typically see ROI within 6-12 months through:Cost Savings:60% reduction in SMS OTP costs ($300k-$2M annually)30% fewer password reset support calls50% reduction in account takeover fraud90% faster debugging (months → days)Revenue Impact:2-5% increase in login conversionHigher transaction completion ratesImproved customer satisfaction scoresDevelopment Savings:95% reduction in implementation effortNo dedicated passkey team neededAutomatic updates for new WebAuthn features

Question 8

Why not build these capabilities ourselves?

Accepted Answer

While banks can build passkey tooling in-house, consider:Hidden Complexity:100+ OS/browser combinations to testConstant WebAuthn spec changesOEM-specific implementations (Samsung, Xiaomi, etc.)Cross-platform synchronization issuesResource Requirements:3-5 dedicated engineers for 12-36 monthsOngoing maintenance teamContinuous testing across all platformsRegular updates for new featuresOpportunity Cost:Delayed passkey deployment (competitors gain advantage)Engineering resources diverted from core bankingRisk of poor adoption without proper toolingThe HRE Add-on lets you focus on your core banking platform while we handle the passkey complexity.

Question 9

How does this compare to other passkey solutions?

Accepted Answer

The HRE Add-on is unique in the market:vs. Traditional IAM Vendors (Ping, ForgeRock, Okta):They provide basic WebAuthn but lack passkey-specific toolingNo adoption analytics or debugging capabilitiesNo device trust for PSD2 complianceRequire full authentication outsourcingvs. Device Fingerprinting Vendors:Focus only on device identificationNo passkey-specific featuresNot purpose-built for WebAuthnOften not PSD2 compliant for possessionvs. Full DIY Implementation:95% less implementation effortProven at scale (100M+ authentications)Continuous updates without engineeringBattle-tested across all platformsThe HRE Add-on is the only solution designed specifically for regulated entities that need to keep authentication in-house while getting enterprise passkey capabilities.

Question 10

How does the HRE Add-on ensure PSD2 compliance for synced passkeys?

Accepted Answer

Synced passkeys present a challenge for PSD2 Strong Customer Authentication (SCA) because the possession factor is uncertain. The HRE Add-on provides:Device Trust Layer:Possession proof: Cookie-based device binding with 95%+ persistenceDPoP support: RFC 9449 implementation for cryptographic possessionStep-up detection: Identify when additional verification is neededShared device protection: Prevent passkey creation on public devicesCompliance Alignment:EBA Q&A 2019_4827: Device binding as possession factorRTS Article 9: Independence of authentication elementsConfigurable rules for your risk appetiteThis approach is validated by major European banks and aligns with regulatory guidance on SCA implementation.

Question 11

What data is collected and where is it stored?

Accepted Answer

Data Collection (UUID-only):No PII, emails, or passwordsNo biometric or credential dataTechnical telemetry only (success rates, errors, device types)UUIDs generated and owned by youData Storage & Security:EU data centers (AWS Frankfurt)Encrypted at rest (AES-256)Encrypted in transit (TLS 1.3)ISO 27001 and SOC 2 Type II certifiedCompliance & Privacy:GDPR compliant with DPAs availableConfigurable data retention (30-365 days)Right to deletion supportedNo data sharing with third partiesCritical: Your WebAuthn credentials never leave your infrastructure. We only track authentication events and outcomes.

Enterprise Passkey SDK for Banks & Regulated Entities

Deploy Passkeys without Risk

Outcomes based on Industry Benchmarks

Fraud Reduction

Authentication Success

Time to Resolution

Support Reduction

SOLUTION ARCHITECTURE

8 Layers of Enterprise Passkey Tooling

KEY FEATURES

Critical Capabilities for Regulated Environments

Device Trust & Analytics

Authentication Success Monitoring

Authenticator Detection

Error Classification

Funnel Analytics

User-Level Debugging

Banking Passkeys Report 2025

BUILD VS BUY

DIY + HRE Add-on vs. 100% DIY Implementation

DIY + HRE Add-on

100% DIY

Device Trust & PSD2 Compliance

Passkey Analytics & Debugging

Gradual Rollout & A/B Testing

Edge Case Handling

Implementation Time

Ongoing Maintenance

FREQUENTLY ASKED QUESTIONS

Your Questions, answered

Technical Architecture

Implementation & Rollout

Business Case & ROI

Security & Compliance

Make your passkey project a success

How to successfully introduce Passkeys?

Analysis of PSD2 & SCA Requirements (SCA & Passkeys II)

What SCA Requirements Mean for Passkeys (SCA & Passkeys III)

PSD2 Passkeys: Phishing-Resistant PSD2-Compliant MFA

Ready to deploy Passkeys without Risk?