Question 1

How can passkeys integrate with our existing IAM platform (ForgeRock, Ping, custom IdP)?

Accepted Answer

Passkeys are based on WebAuthn and can be layered onto your current IdP/CIAM without a rip-and-replace. Corbado integrates with all major enterprise IdPs like ForgeRock, Ping Identity, Auth0, Cognito, and custom IdPs via standard protocols. We augment your IdP with passkey capabilities rather than replacing it - your existing user directory, policies, and integrations remain intact. This passkey layer approach means no user migration and preserves existing workflows. Read more: Passkey Integration Options

Question 2

Can we enforce biometric-only authentication and block PIN usage?

Accepted Answer

No, this cannot be strictly enforced at the WebAuthn level. You can require user verification (userVerification=required) and verify the UV flag, ensuring the device's local authenticator was unlocked. However, the platform decides whether that's biometric or device PIN (e.g., Windows Hello PIN, Android screen lock). For consumer devices, you must accept biometric-or-PIN. In managed enterprise environments, MDM policies may provide partial control, but strict biometric-only enforcement isn't possible across consumer iOS/Android devices.

Question 3

Can we restrict customers to device-bound (non-synced) passkeys?

Accepted Answer

Not reliably on consumer devices today. Mobile platform passkeys (Apple iCloud Keychain and Google Password Manager) are typically multi-device (synced). There's no standard control to force only non-synced credentials on consumer iOS/Android. You can detect backup-eligible credentials using WebAuthn Level 3 signals and apply policy - allow synced for login but require device-bound authenticators or additional step-up for high-risk transactions. Hardware security keys remain the most broadly supported device-bound option for high-value banking operations.

Question 4

Do phones provide attestation/AAGUID data to identify authenticators?

Accepted Answer

Generally no, not reliably. iOS and most Android/browser combinations default to attestation=none and often omit or anonymize AAGUID for privacy. Some Android devices can provide Basic/AndroidKey attestation, and enterprise-managed environments can allow enterprise attestation, but you shouldn't depend on receiving stable, identifying attestation from consumer phones. Plan for attestation/AAGUID to be unavailable or non-identifying in most cases. Focus on risk-based authentication rather than authenticator identification.

Question 5

Can we deploy in our own cloud or on‑premises?

Accepted Answer

Yes. Corbado offers dedicated single-tenant deployments in any AWS region and supports private cloud or on‑prem installations to meet data residency and security policies. We provide multiple deployment options including Multi-AZ Single-Region, Cross-Region Replica, and Geo Failover-Ready configurations. For large banks, we provide near on-premise isolation and data access while ensuring rapid updates to keep pace with the fast-evolving passkey ecosystem. Your data is always protected with state-of-the-art encryption - we enforce TLS 1.3 for data in-transit and use AES-256 for data at-rest, including database volumes and backups. The platform is ISO 27001 and SOC 2 Type II certified. With Enterprise Private Cloud, you have full access to the underlying AWS account and can export all user and passkey data (public keys) in industry-standard formats. See: Security & Compliance

Question 6

How do we handle passkey recovery for banking customers?

Accepted Answer

We support multi-factor recovery flows with configurable step-up including second device, email, TOTP, security key, or ID verification via KYC provider integration. For banking-grade recovery, combine ID verification via third-party KYC/identity proofing with possession checks (existing device or email) and optional human review for high-risk cases. All steps are logged for audit and can be tuned per risk tier. Users can self-serve to view/remove authenticators and re-enroll new passkeys.

Question 7

Where are passkeys in terms of maturity and readiness for large banks?

Accepted Answer

Passkeys (WebAuthn/FIDO2) are broadly supported across major platforms and browsers and are being adopted by regulated financial institutions globally. Major banks like UBank (NAB group), ANZ, and fintechs like Revolut and Wise have deployed passkeys. They provide phishing-resistant authentication for both web and native apps and can be rolled out incrementally alongside existing factors. Typical enterprise pilots can be delivered in weeks rather than months, with phased enablement for specific user segments or channels.

Question 8

Can we remove passwords altogether and go passkey-only?

Accepted Answer

Yes. You can roll out passkey-only authentication on web and mobile. Typical options include: (1) transitional rollout with passkeys alongside passwords; (2) a dedicated “Login with passkey” path; or (3) a passkey-first flow using identifier-only, backend device checks, and conditional UI/one-tap to maximize coverage. To avoid lockouts while achieving phishing resistance, many banks phase enforcement and migrate users over time. For a passkey-only strategy to succeed, you need to drive adoption up by giving customers time to add passkeys on multiple devices and platforms.

Question 9

Should passkeys be optional or mandatory for banking customers?

Accepted Answer

Start optional to drive adoption without friction, then gradually make it the default. Use standard WebAuthn/FIDO passkeys for maximum compatibility, and layer bank-specific risk policy: allow syncable platform passkeys for low-risk login to maximize adoption, step up to app-based approval, device-bound keys, or additional biometrics for high-risk actions. Define attestation and authenticator policies, cap or review the number of credentials per account, bind devices in your risk engine, and implement strong recovery (in-app re-proofing, call-center/branch re-KYC) rather than SMS.

Question 10

How do we drive high user adoption without confusing customers?

Accepted Answer

Present it as “Make your sign-in faster” or “Secure your account with Face ID.” Most users understand it instantly and prefer it. Corbado treats passkey adoption as a core product initiative, providing a dedicated Passkey Adoption Accelerator playbook with proven UX components, wording recommendations, and A/B testing guidelines. Our Passkey Intelligence intelligently prompts users only when their device is ready. This structured approach allows banks to achieve 50-80% passkey adoption within 18-36 months. See case study: FIDO Alliance: VicRoads

Question 11

Can we roll out passkeys gradually to millions of users?

Accepted Answer

Yes. Start with pilots (e.g. employees, specific regions or products), then expand. For workforce passkeys, we integrate with your IdP/HRIS for lifecycle, enforce enrollment policies (e.g., minimum authenticators, allowed platforms), support bulk revocation on offboarding, and provide admin APIs and reports to track adoption. Maintain coexistence with legacy methods until adoption is high. Use feature flags, percentage rollouts and targeted prompts. Corbado provides Gradual Rollout, Passkey Intelligence and dashboards to monitor uptake and success rates.

Question 12

What ROI can a bank expect from passkeys?

Accepted Answer

The ROI from passkeys is driven by three main factors: direct cost savings, risk reduction, and revenue uplift. Banks can eliminate up to 90% of their MFA costs by replacing expensive SMS OTPs. Additionally, passkeys are phishing-resistant and can significantly reduce financial losses from account takeover fraud - often $50–$70 per helpdesk reset call alone. For consumer-facing applications, the frictionless login experience improves conversion rates, reduces abandonment, and increases customer satisfaction. With high adoption (50-80% achievable with Corbado), banks commonly cut SMS and reset volumes by 60–90%, translating to material annual savings. For a business with 100,000 daily logins, optimized adoption can achieve savings of over $3.5 million over 24 months. Model your ROI: Adoption Business Case and ROI Calculator

Question 13

How do we build the internal business case?

Accepted Answer

Quantify the current SMS spend, reset volumes/costs and fraud losses. Model savings at different adoption levels and add qualitative risk reduction. Corbado provides an ROI calculator, business case template, benchmarks and a Banking Passkeys report to support budget approvals. See: Banking Passkeys Report

Question 14

How do you differ from built-in passkey capabilities in our IdP?

Accepted Answer

While major IdPs like Ping, ForgeRock, and Auth0 offer basic WebAuthn endpoints, Corbado provides a complete passkey adoption system designed to prevent vendor lock-in. Our solution layers on top of your existing identity systems - you don't migrate users or replace your auth stack, and you keep full ownership of your user database. We add Passkey Intelligence (device detection, conditional UI), adoption analytics, recovery flows, gradual rollout controls, and continuous platform updates. Every passkey is cryptographically bound to your own domain as the WebAuthn Relying Party ID, and we offer full data export capabilities for compliance or migration. Our focus is driving 50-80% adoption vs the 5-10% typical with basic implementations, while ensuring complete data portability and no vendor lock-in.

Question 15

What audit trails and reporting do you provide for banking compliance?

Accepted Answer

Corbado provides comprehensive audit trails for all registrations, authentications, and recoveries. Our Management Console delivers deep visibility into passkey adoption and usage with real-time metrics. Track how many users have created passkeys, monitor adoption rates, see live usage statistics, and discover where users store their passkeys with device and platform insights. We include login-journey analysis showing user progress through authentication and where drop-offs occur. The system collects hundreds of signals for every login, providing enterprise-grade reporting and auditing of authentication events that can be streamed to your SIEM solution.

Question 16

Beyond savings, are there strategic benefits?

Accepted Answer

Yes: improved conversion and engagement, brand trust from phishing‑resistant MFA and competitive differentiation. Early movers (e.g., Revolut, UBank/​NAB group) validate market direction and signal innovation to customers and regulators. Banks report reduced fraud losses, improved customer satisfaction scores, and positioning as digital innovation leaders.

Question 17

Are passkeys PSD2 SCA compliant out of the box?

Accepted Answer

Passkeys can satisfy SCA when implemented with the right controls. PSD2 requires two independent elements (knowledge, possession, inherence) for account access and step-up, plus dynamic linking for remote payments. Platform passkeys provide user verification (biometric or device PIN) and a cryptographic key tied to the device. However, most mobile passkeys today are multi-device (synced), which some regulators view as weaker evidence of the “possession” factor if used alone. Common industry practice is to combine passkeys with device binding/app attestation and risk checks, or to allow device-bound authenticators (e.g., hardware security keys) for higher assurance. Many EU fintechs have adopted passkeys and passed audits, but exact acceptance depends on your SCA policy and regulator's interpretation.

Question 18

How do passkeys support dynamic linking and payer awareness for payment authorization?

Accepted Answer

Yes. Corbado's approach pairs phishing-resistant passkeys with bank-controlled display and server-side dynamic linking to meet PSD2 RTS Art. 5 (“what-you-see-is-what-you-sign”). We display the transaction amount and payee in a bank-controlled UI immediately before and during passkey authentication, ensuring payer awareness. Our backend generates a one-time challenge bound to a canonicalized transaction snapshot (amount, payee, txnId) - any change invalidates it. This satisfies all four dynamic linking requirements: payer awareness, uniqueness/specificity, invalidation on change, and integrity/confidentiality. You can hash over and bind fields like beneficiary name, IBAN, and amount into the challenge. While passkeys eliminate cross-origin phishing, dynamic linking remains required for remote payments to bind authorization to the exact amount and payee, preventing MITM/MITB attacks and transaction tampering. This approach is stronger than SMS OTP because signatures are cryptographically bound to your origin and cannot be replayed on phishing sites. Learn more in our detailed guide on biometrics and payer awareness.

Question 19

How do passkeys fit with PSD2/SCA today, and what changes with PSD3?

Accepted Answer

Under PSD2, SCA is functional but passkeys (phishing‑resistant, possession + inherence) can satisfy SCA when implemented correctly. While there's no explicit EBA guidance specific to passkeys yet, many banks are successfully implementing them. PSD3 is expected to move toward an outcome-based approach, allowing newer authentication factors like passkeys more explicitly. Timeline indications suggest potential changes within 12–24 months. Outside the EU (US, CA, AU, SG), there's no PSD2 regulation - MAS and others encourage phishing‑resistant MFA.

Question 20

How are passkeys stored? What if cloud sync is compromised?

Accepted Answer

Keys are generated in secure enclaves on user devices. Synced passkeys are end‑to‑end encrypted and require the user’s biometric/PIN to use. Corbado never stores private keys, only public keys. Optionally offer device‑bound hardware security keys for users needing non‑synced credentials.

Passkeys for Banking

Benefits for Banks

Protect Customers. Simpler Logins. Save Costs.

Passkey Activation Rate

Higher Login Success

Lower Auth Support Costs

VicRoads uses Corbado to offer passkeys to 5 million users

Banking Passkey Features

Deploying Passkeys? It takes more than just Code

Advanced Analytics & Reporting

Keep Passwords & Existing Users

Guaranteed Passkey / WebAuthn Conformity

Enterprise Gateway

Gradual & Managed Rollout

Adoption Accelerator

Login Observability

Management Cockpit

Client SDKs

Feature Walkthrough

See Corbado's Passkey Solution for Banks in Action

Live Usage

Funnel Analysis

Process Search

Gradual Rollout

Passkey Adoption

Passkey Insights

Calculate your Passkey ROI

Learn how to implement passkeys as a bank

Get our Banking Passkey Whitepaper!

Build vs. Buy

Higher Passkey Adoption. More Savings.

Corbado Passkeys

DIY Passkeys

Passkey Intelligence™

Implementation effort

Tested passkey UI/UX

Passkey adoption rate

Passkey login rate

Multi-device authentication

Step-up authentication

SMS OTP cost savings

FREQUENTLY ASKED QUESTIONS

Your Questions, Answered

Technical Integration & Deployment

How can passkeys integrate with our existing IAM platform (ForgeRock, Ping, custom IdP)?

Can we enforce biometric-only authentication and block PIN usage?

Can we restrict customers to device-bound (non-synced) passkeys?

Do phones provide attestation/AAGUID data to identify authenticators?

Can we deploy in our own cloud or on‑premises?

How do we handle passkey recovery for banking customers?

Rollout & User Experience

Where are passkeys in terms of maturity and readiness for large banks?

Can we remove passwords altogether and go passkey-only?

Should passkeys be optional or mandatory for banking customers?

How do we drive high user adoption without confusing customers?

Can we roll out passkeys gradually to millions of users?

Business Case & ROI

What ROI can a bank expect from passkeys?

How do we build the internal business case?

How do you differ from built-in passkey capabilities in our IdP?

What audit trails and reporting do you provide for banking compliance?

Beyond savings, are there strategic benefits?

Security & Compliance

Are passkeys PSD2 SCA compliant out of the box?

How do passkeys support dynamic linking and payer awareness for payment authorization?

How do passkeys fit with PSD2/SCA today, and what changes with PSD3?

How are passkeys stored? What if cloud sync is compromised?

Make your passkey project a success

How to successfully introduce Passkeys?

PSD2 Passkeys: Phishing-Resistant PSD2-Compliant MFA

Revolut Passkeys: Bold Move with Room for Improvement

Finom Passkeys: Revolutionizing Banking Security

PSD3 / PSR Implications for Passkeys (SCA & Passkeys IV)

Which banks offer passkeys?

Passkeys Buy vs. Build Guide

Talk to a Passkey Expert