Passwordless Authentication with Passkey

An easier and more secure alternative to passwords, and a game-changer in online security

Since the early 2000s, one-time passwords (OTPs) have been used to make digital banking more secure. Payments are now shifting from OTPs toward more secure passkey technology.

This shift towards passkeys represents one of the biggest changes in digital security in recent years. By eliminating the need for passwords and one-time codes, passkeys offer a faster, more secure way to authenticate while making the user experience smoother than ever.

Passkeys use public-key cryptography to offer stronger, more user-friendly security than traditional passwords, helping protect everyone online. In an increasingly digital world, they are the key to simplifying and securing online transactions.

Passwords vs passkeys: What are the main differences?

Key points about passwords and SMS one-time passwords:

  • Passwords are easily forgotten, reused or guessed. SMS one-time passwords were introduced to shore them up, but they have serious security weaknesses of their own that make them unsuitable for modern banking security:
  • SIM swapping attacks: Criminals convince mobile operators to transfer a victim's phone number to a SIM card they control, after which the victim's authentication codes are delivered to the attacker.
  • Network impersonation and routing attacks: Attackers can set up unauthorised networks that intercept SMS messages, and the SS7 signalling protocol that routes SMS between operators has fundamental security weaknesses. In 2017, O2 Telefonica (Germany) confirmed that attackers had exploited SS7 to intercept banking authentication codes.
  • Message interception: Codes can be captured by a range of technical means before they reach the intended recipient. For example, malware on a mobile device can secretly forward security codes to attackers.
  • Phone number recycling: Mobile operators reassign previously used numbers, which can inadvertently give new users access to authentication messages for previous owners' accounts.

How transitioning from OTP to passkeys will improve banking security

As digital technology expands, traditional authentication methods such as passwords and SMS one-time passwords (OTPs) are increasingly vulnerable to phishing, interception, and fraud. They are the weak link in online security, with many data breaches caused by stolen or weak passwords. This is therefore no longer only a customer experience issue, but a growing security risk.

Banks are at a turning point in digital authentication and are increasingly interested in moving away from OTPs toward more secure passkey technology. Such a shift is a milestone in banking security.

Seamless integration into existing banking infrastructure is essential, as is educating customers to build confidence and drive adoption.

Passkeys offer banks a powerful, passwordless alternative. Built on public-key cryptography and the FIDO2/WebAuthn standards, passkeys enable secure, phishing-resistant authentication across web portals, mobile apps, and ATMs. For customers, this means logging in with biometrics or device-based credentials: no more remembering complex passwords or waiting for codes, resulting in a seamless, user-friendly experience that fosters trust and loyalty.

European banks can implement passkeys gradually while maintaining compliance with PSD2 regulations.

Are passkeys safer than passwords?

Passkeys use cryptographic technology that prevents common types of fraud and offers a more secure and user-friendly authentication method. This provides significant advantages over password-based systems and traditional one-time passwords.

A passkey consists of two cryptographic keys:

  • Private key: stored securely on the customer's device and never shared with anyone, including the bank
  • Public key: shared with the banking platform, which stores it against the customer's account

How does passkey authentication work?

  1. When a customer starts logging in to their banking website or app, the bank sends back a fresh, random authentication challenge
  2. The customer's device, after verifying the customer locally (biometrics or device PIN), uses the private key to sign the challenge together with the website's origin
  3. The bank verifies the signature with the stored public key. This confirms the customer's identity without any secret ever being transmitted or stored on the bank's side

Unlike passwords or SMS codes, passkeys cannot be captured by fake websites or deceptive messages: the credential is bound to the bank's own domain, so a look-alike site cannot obtain a signature that the bank will accept, and a signed response is worthless to an attacker because it only answers one challenge. This makes passkeys highly effective at preventing phishing and fraud.

Key benefits of passkeys:

Multi-factor authentication in one step: passkeys combine something you have (your device) with something you are (biometrics) or something you know (the device PIN), which brings:

  1. Simplification: passkeys remove the need to remember complex combinations and offer a simpler and secure alternative, increasing convenience. For users, they provide phishing protection, eliminate the need for passwords, and enable smooth multi-device access. Biometric data stays on the device and is never sent to the bank, and passkeys fold multi-factor authentication into one step instead of entering a code or opening a separate app.
  2. Security: public-key cryptography. The private key never leaves the device and every login is a signature over a fresh challenge bound to the bank's domain, so there is no shared secret for a phishing site to capture or for a breached database to leak. Biometric or PIN verification on the device adds the second factor.
  3. For business owners, passkeys bring in stronger, phishing-resistant security and reduce the risk of breaches. They improve user conversion rates with a smoother login process and cut maintenance costs by removing password recovery support and management. Compliance with security standards becomes easier as sensitive credentials no longer need to be stored.
  4. User experience - Improved and easy user experience. They don’t just protect transactions; they make the customer journey smoother, faster, and safer. And, as easy as it sounds, when authentication is secure and straightforward, customers return.

“If an attacker breaks into a certain database, they can steal all the public keys of all the users, but this will be of no value to them because they’re public anyway.”

Nakjo Shishkov

G+D Netcetera payment expert

Which devices support passkey authentication?

Most modern devices already support passkey authentication, which adds an extra layer of security by requiring biometric verification or a device PIN before the passkey can be used. Examples of FIDO-certified authenticators that can work with passkeys include Windows Hello, Mac Touch ID, iPhone’s Face ID, and Android’s fingerprint recognition.

For the customer, the authentication experience is simple and intuitive. Rather than having to remember a complex password or switch between apps to find an SMS code, they just need to tap their finger, show their face to a camera or type in a PIN code on their smartphone.

Passkeys can also be used for payment authentication. Major payment networks are already piloting passkey authentication in their wallet solutions, including Click to Pay.

What’s next for passkeys?

The World Wide Web Consortium (W3C) is developing a new API called Secure Payment Confirmation that will streamline the payment authentication process further. This API will allow web browsers to display payment-specific information (e.g., merchant name, amount, and currency) natively while requesting passkey authentication.

The plan is to include the payment information in the data signed by the consumer’s passkey alongside the challenge, so that the signature is bound to the specific amount and payee the consumer saw. This meets the dynamic linking requirement for strong customer authentication under PSD2 in European Economic Area countries.

The FIDO Alliance created working groups to consider future requirements and ensure widespread interoperability within the authentication ecosystem among devices, clients, and servers.

How banks can transition to passkeys

Banks may not be in a position to phase out existing authentication methods immediately due to legacy system architecture, regulatory considerations and customer familiarity. But by gradually transitioning towards passkeys, they can ensure continuity of service and increase customer adoption.

A user-friendly transition approach could be implemented in the following way:

  1. Introduce passkeys as an optional authentication method
  2. Educate customers about the security benefits of passkeys
  3. Gradually make passkeys the default while maintaining alternative options
  4. Eventually phase out less secure methods entirely

To maximise user adoption, banks can also introduce passkeys at specific moments:

  • During account creation for new customers
  • In account settings for existing customers
  • After a successful authentication during login with traditional methods
  • During the “forgot your password” process

Banks can work with experts such as G+D Netcetera to address the technical challenges of integrating with existing systems. An experienced provider will minimise complex data migration requirements while offering the enterprise-grade security features that regulated financial institutions need.

How G+D Netcetera helps banks stay secure

G+D Netcetera’s 3-D Secure Issuer Service enables banks to authenticate cardholders with high accuracy during online purchases.

With 19 years of experience in EMV 3-D Secure solutions, G+D Netcetera operates a multi-client capable service with a state-of-the-art Access Control Server used by thousands of banks and card issuers.

Key features include:

  • Access Control Server supporting the latest EMV 3DS versions, certified by all major card networks
  • Multiple authentication methods, including mobile app verification, one-time passcodes and risk-based authentication
  • Real-time transaction risk assessment with third-party integration options
  • Online registration portal for cardholder self-enrollment

By using G+D Netcetera, card issuers can smoothly transition to secure authentication while their cardholders benefit from safer online purchases and convenient registration.


Want to learn how Netcetera can help your bank stay secure? Get in touch with our experts.
