Passwordless Authentication with Passkey

This shift towards passkeys represents one of the biggest changes in digital security in recent years. By eliminating the need for passwords and one-time codes, passkey offers a faster, more secure way to authenticate while making the user experience smoother than ever.

Passkeys use advanced cryptography to offer stronger, more user-friendly security than traditional passwords, helping protect everyone online. In an increasingly digital world, they’re the key to simplifying and securing online transactions.

Key points about one-time passwords:

• SMS one-time passwords have serious security vulnerabilities that make them unsuitable for modern banking security. It is easily forgotten, reused, or guessed,
• SIM swapping attacks: Criminals can convince mobile operators to transfer phone numbers to new SIM cards. In 2017, O2 Telefonica (Germany) confirmed that hackers had successfully intercepted banking authentication codes.
• Network impersonation: Attackers can create unauthorised networks that can intercept SMS messages. The underlying SMS routing technology has fundamental security weaknesses that hackers can exploit.
• Message interception: Using a range of technical methods, this can happen before messages reach their intended recipients. For example, malware can infect mobile devices and secretly forward security codes to attackers.
• Phone number recycling: Mobile operators reassign previously used numbers, which can inadvertently give new users access to authentication messages for previous owners’ accounts.

As digital technology expands, traditional authentication methods like passwords and SMS, as well as one-time passwords (OTPs), are increasingly vulnerable to phishing, interception, and fraud. They are the weak link in online security, with many data breaches caused by stolen or weak passwords. So, this is no longer only a customer experience issue, but a growing security risk.

Banks are at a turning point in digital authentication, becoming more interested in moving away from OTP passwords and toward more secure passkey technology. Such a shift represents a milestone in banking security in recent years.

Seamless integration into existing banking infrastructure is essential, as is educating customers to build confidence and drive adoption.

Passkeys offer banks a powerful, passwordless alternative. Built on public-key cryptography and FIDO2/WebAuthn standards, passkeys enable secure, phishing-resistant authentication across web portals, mobile apps, and ATMs. For customers, this means logging in with biometrics or device-based credentials- no more remembering complex passwords or waiting for codes, resulting in a seamless, user-friendly experience that fosters trust and loyalty.

European banks can implement passkeys gradually while maintaining compliance with PSD2 regulations.

Passkeys use cryptographic technology that prevents common types of fraud and offers a more secure and user-friendly authentication method. This provides significant advantages over password-based systems and traditional one-time passwords.

A passkey consists of two cryptographic keys:

• Private key: Securely stored on the customer’s (user’s) side
• Public key: Shared with the banking platform

Multi Factor Authentication in action - Passkeys use both something you have (your device) and something you are (biometrics), which brings to:

1. Simplification: passkeys remove the need to remember complex combinations and offer a simpler and secure alternative, increasing convenience. For users, they provide phishing protection, eliminate the need for passwords, and enable smooth multi-device access. Biometric data stays private on the device, and passkeys combine multi-factor authentication into one easy step instead of entering a code or opening an app.
2. Security - Public-key cryptography.
   Provide stronger protection through cryptographic technology that prevents common types of fraud. They leverage advanced encryption and biometric authentication to eliminate the risk of phishing and password breaches.
3. For business owners, passkeys bring in stronger, phishing-resistant security and reduce the risk of breaches. They improve user conversion rates with a smoother login process and cut maintenance costs by removing password recovery support and management. Compliance with security standards becomes easier as sensitive credentials no longer need to be stored.
4. User experience - Improved and easy user experience. They don’t just protect transactions; they make the customer journey smoother, faster, and safer. And, as easy as it sounds, when authentication is secure and straightforward, customers return.

Most modern devices already support passkey authentication, which adds an extra layer of security by requiring biometric verification before the passkey can be used. Examples of FIDO-certified authenticators that can work with passkeys include Windows Hello, Mac Touch ID, iPhone’s Face ID, and Android’s fingerprint recognition.

For the customer, the authentication experience is simple and intuitive. Rather than having to remember a complex password or switch between apps to find an SMS code, they just need to tap their finger, show their face to a camera or type in a PIN code on their smartphone.

Passkeys can also be used for payment authentication. Major payment networks are already piloting passkey authentication in their wallet solutions, including Click to Pay.

The World Wide Web Consortium (W3C) is developing a new API called Secure Payment Confirmation that will streamline the payment authentication process further. This API will allow web browsers to display payment-specific information (e.g., merchant name, amount, and currency) natively while requesting passkey authentication.

The plan is to include the payment information in the authentication challenge (signed by the consumer’s passkey) to meet the dynamic linking requirement necessary in European Economic Area countries under PSD2.

The FIDO Alliance created working groups to consider future requirements and ensure widespread interoperability within the authentication ecosystem among devices, clients, and servers.

G+D Netcetera’s 3-D Secure Issuer Service enables banks to authenticate cardholders with high accuracy during online purchases.

With 19 years of experience in EMV 3-D Secure solutions, G+D Netcetera operates a multi-client capable service with a state-of-the-art Access Control Server used by thousands of banks and card issuers.

Key features include:

• Access Control Server supporting the latest EMV 3DSS versions, certified by all major card card networks
• Multiple authentication methods, including mobile app verification, one-time passcodes and risk-based authentication
• Real-time transaction risk assessment with third-party integration options
• Online registration portal for cardholder self-enrollment

By using G+D Netcetera, card issuers can smoothly transition to secure authentication while their cardholders benefit from safer online purchases and convenient registration.

Want to learn how Netcetera can help your bank stay secure? Get in touch with our experts.