
Passkeys: Leading the way in modern and secure authentication


Quintin Stephen, Global Business Lead, Authentication from Giesecke+Devrient

The banking experience is undergoing significant developments, with regulatory compliance, fraud detection and user experience under the spotlight for the entire financial ecosystem, including merchants and their customers. More consumers are opting for online purchases, with the UK hosting 60 million e-commerce users in 2023, making it the most advanced e-commerce market in Europe. As such, payment experiences should meet sufficient cybersecurity standards to protect consumer data. Surprisingly to some, one way in which this can be achieved is by removing passwords and OTPs (One Time Passwords) from the authentication process.

As a result, passkeys are moving into the spotlight and are significantly improving security for banks and their customers. Passkeys – in other words, a pair of cryptographic keys generated by a device such as a mobile or laptop – have become a secure way to log in to apps and websites without using a username and password combination. Consumers can use them to create a strong and secure connection between their personal device and a digital platform, and they are no more complicated than unlocking a smartphone with biometric face ID or fingerprint touch ID. For end users, banks and merchants, passkeys provide significant value and are highly suited to limiting the fraud that follows when passwords are compromised.

Changes to the authentication landscape

Security measures were much more basic in the pre-digital era. All that was needed was a signature on a cheque to withdraw money or make a payment. Now we have moved well beyond the days of signing physical documents and instead rely heavily on digital solutions, including device-bound passkeys that are tethered to a specific mobile device, so that only the owner of that device is able to complete a payment.

While convenience has often been the focus of modern-day banking apps, multi-factor authentication (MFA) solutions have presented their own risks. Previously, in an attempt to improve security, one-time passwords (OTP) and SMS OTP were introduced. But customers and banks face challenges from an inefficient user experience, fake-website attacks in which bad actors try to capture the OTP, hidden costs from strategies to deal with fraudulent activity, and a lack of control, all of which compromise the user experience.

Regulators and consumers are now asking for more from their banks when it comes to security. That’s of little surprise considering that nearly 40% of UK internet users are risking data breaches by using identical passwords for several accounts.

The fall of the password?

Synced passkeys distributed across a user's devices and single device-bound passkeys have grown in stature by providing a more attractive alternative to passwords. They replace passwords with cryptographic key pairs, offering enhanced security and an enhanced user experience by leveraging the FIDO (Fast Identity Alliance, https://fidoalliance.org/) global standard, which combines biometric verification with the creation of a key pair. The time, effort and resources fraudsters require to hack passkeys are much greater than for a traditional password. Over time, the superior security and end-user convenience of passkeys could lead to passwords being completely eradicated from authentication.

With multi-device passkeys implemented in e-commerce sites, consumers can seamlessly switch between devices, such as smartphones, tablets, laptops or even a brand-new device, without ever needing to enter a username or a password. This is especially valuable as online shopping now takes place across numerous channels, and devices don't need to be re-registered to each user account.

But in the area of banking and finance, multi-device passkeys are non-compliant with Strong Customer Authentication (SCA), which is a regulatory requirement of PSD2. That’s where device-bound passkeys, which remain exclusively tied to a single device, are proving to be particularly beneficial. Banks are then able to verify that a transaction has been authenticated from a trusted device. As such, device-bound authentication solutions are paving the way for a future where device and biometrics merge.

With device-bound passkeys, it's as simple as a user applying their fingerprint or looking at the camera to complete a two-factor authentication experience that feels as seamless as a one-factor setup, because the FIDO-powered authentication works 'under the hood'. Behind the scenes, the biometric verification is combined with device information to provide two verification factors (biometric and possession). This means consumers not only benefit from increased security compared to passwords, but also enjoy a highly convenient process.

Enhancing the user experience with passkeys

The shift away from traditional passwords to more secure, user-friendly passkey authentication offers a promising outlook for mitigating fraud and enhancing consumer confidence. Passkeys are continuing to grab the attention of merchants as new technology innovations allow them to be used without being bound to one device. Now, financial institutions have an opportunity to redefine digital security for the benefit of both merchants and end users by adopting the technology for the wider ecosystem.
