Passkeys for Banking in the US (2024)

Passkeys for Banking: A Comprehensive Guide for U.S. Bankers

There’s a notable shift toward adopting Multi-Factor Authentication (MFA) driven by regulatory guidelines in the U.S. banking cybersecurity domain. The Federal Trade Commission (FTC) has updated the Gramm-Leach-Bliley Safeguards Rule, making it mandatory for financial institutions to implement MFA for both their internal and external users. Simultaneously, the New York Department of Financial Services (NYDFS) has been enforcing MFA since 2017 and is now proposing further amendments to its Cybersecurity Rule to expand MFA requirements. The Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance highlighting potential vulnerabilities in some MFA methods, advocating for phishing-resistant standards. Given this regulatory environment, U.S. banks are presented with a clear choice: integrate advanced MFA solutions, such as passkeys (developed by the FIDO Alliance), to ensure compliance and maintain a competitive edge, or potentially face challenges.

Understanding Passkeys

Passkeys, as endorsed by the FIDO (Fast IDentity Online) Alliance, represent a shift from traditional password-based to passwordless authentication. Instead of relying solely on something you know (like a password), FIDO’s approach emphasizes the use of local authentication, where user verification happens on the device itself. This can be achieved through something you have (a physical security key or a registered device) or something you are (biometric data like fingerprints or facial recognition). The key advantage of passkeys is that they are resistant to phishing and replay attacks, as the authentication credentials are never exposed or stored centrally.
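
The relying-party checks behind that phishing and replay resistance, as an added example that is not part of the original article or any vendor's code: it validates the WebAuthn `clientDataJSON` (ceremony type, challenge, origin) and the 37-byte authenticator data header (rpIdHash, flags, signature counter). The `bank.example` names and all sample values are constructed, and verifying the signature over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key is assumed to be done by a crypto library after these checks.

```python
import base64, hashlib, json, struct

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, issued_challenge,
                    expected_origin, rp_id, stored_sign_count):
    """Return 'ok' or the reason a login assertion is rejected."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    # Replay resistance: only the fresh, single-use challenge is accepted.
    if client.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    # Phishing resistance: the browser, not the page, fills in the origin.
    if client.get("origin") != expected_origin:
        return "origin mismatch"
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", authenticator_data[:37])
    # The signed data carries the hash of the RP ID the credential is scoped to.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not flags & 0x01:  # bit 0 = user present
        return "user not present"
    # Counters of 0 on both sides mean the authenticator does not use one.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return "signature counter did not increase"
    return "ok"

def sample(origin, challenge, rp_id="bank.example", count=5):
    """Constructed assertion fields, standing in for what a browser returns."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", count)
    return cdj, auth

if __name__ == "__main__":
    fresh, old = b"\x01" * 32, b"\x02" * 32  # constructed challenges
    site = ("https://bank.example", "bank.example", 4)
    print(check_assertion(*sample("https://bank.example", fresh), fresh, *site))
    print(check_assertion(*sample("https://bank-login.example", fresh), fresh, *site))
    print(check_assertion(*sample("https://bank.example", old), fresh, *site))
```

An assertion produced on a look-alike origin or carrying a previously used challenge fails before the signature is even examined, which is why a captured response is of no use on the real site.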

The Role of the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance is not just any industry consortium; it’s a powerful collective of some of the world’s leading brands, including a significant banking and financial sector representation. This alliance is a testament to the global push towards more secure and user-friendly authentication methods. Among its members are top-tier U.S. banking and financial institutions such as Bank of America, JPMorgan Chase, Wells Fargo, and American Express. These institutions, recognizing the vulnerabilities and inefficiencies of password-based systems, have joined forces with tech giants and other industry players under the FIDO Alliance to drive the standardization and adoption of more robust authentication protocols. Their collaborative efforts have culminated in the development of the FIDO authentication standard, which has further evolved into passkey authentication. For a deeper dive into the world of passkeys, we recommend visiting this article titled

Why Secure and User-Friendly Authentication Matters

For banking customers, security and ease of use are paramount. In the fiercely competitive banking landscape, where differentiation is challenging, offering enhanced features becomes a game-changer. Banks can carve out a unique position by providing easy-to-use and phishing-proof authentication, offering a value proposition beyond traditional banking services. A consistent user experience across all communication channels enhances the overall user experience and bolsters online security. When customers can seamlessly and securely access their accounts through a mobile app, web portal, or even an in-branch kiosk, their trust in the bank solidifies. Moreover, this approach not only elevates the customer experience but also ensures that banks are in compliance with industry regulations, striking a balance between innovation and adherence to standards.

FIDO: The Unparalleled Gold Standard of Online Authentication

FIDO doesn’t just stand out among the vast landscape of authentication standards—it towers above the rest. It’s not merely another method in the ever-evolving world of cybersecurity; it’s the culmination of extensive research, investment, and collaboration by hundreds of global organizations. These aren’t just any organizations; they are titans in their respective industries, from tech behemoths to leading financial institutions, all of whom have poured significant time, money, and resources into the development of the FIDO standard. Their collective backing sends a clear message: FIDO isn’t a fleeting trend or a temporary solution. It’s the future of online authentication. The fact that it’s phishing-proof underscores its robustness. With FIDO, even if malicious actors manage to intercept user credentials, the intricate, multi-layered security of passkeys ensures they’re left with unusable data. In the vast sea of online security measures, nothing on the horizon comes close to the promise and potential of FIDO. It’s not just the next step in authentication; it’s the definitive one.

Challenges in Implementing New Authentication Technologies

Large, diverse organizations like banks often grapple with the challenge of integrating new technologies. Different user-facing applications, built on varied technological platforms, necessitate distinct coding stacks for upgrades. This complexity can delay the rollout of new authentication methods, leaving security gaps. Historical examples abound of failed technology projects due to overcomplexity. For instance, in the early 2000s, many organizations attempted to overhaul their entire IT infrastructure in one go, leading to projects that ran over budget, missed deadlines, and ultimately were abandoned. Another example can be seen in the healthcare sector, where attempts to integrate disparate patient record systems without a unified approach led to data mismatches and compromised patient care. In the banking sector, there have been instances where attempts to merge legacy systems with modern platforms resulted in significant downtime, affecting customer transactions and trust. Therefore, the ability to introduce new authentication technology without altering the existing technology stack is not just a convenience—it’s crucial. It ensures that introducing new security measures is seamless and efficient and doesn’t disrupt the ongoing operations or compromise the existing infrastructure.

Revolutionizing MFA Implementation: The BNP Paribas Success Story

Secfense offers a unique approach to this challenge, emphasizing a “no-code” methodology. This approach is especially beneficial for large institutions with many applications running on diverse platforms. The significance of a no-code implementation becomes evident when we delve into real-world case studies. BNP Paribas, a global banking leader, provides a compelling example. By adopting Secfense’s User Access Security Broker, BNP Paribas achieved remarkable results:

  • They expanded MFA to 43% more applications than initially planned.
  • The engagement of IT specialists was reduced by a staggering 82%.
  • The bank realized savings of $778,000 compared to the traditional MFA implementation approach.
  • They could leverage all the MFA methods they already used, ensuring 100% utilization.
  • Software developer engagement was eliminated entirely (reduced by 100%).
  • The overall cost of implementation was slashed by 87%.

With Secfense, U.S. banks can now seamlessly introduce FIDO & passkeys across all channels and customer access points. This ensures a phishing-proof security framework for end customers, an enhanced user experience due to the usability of passkeys, and a smooth transition for customers adapting to these new authentication methods.

Experience the Future of Banking Security: Dive into Our Proof of Value Offering

To truly appreciate the transformative power of this approach, we invite institutions to experience a Proof of Value (POV). This hands-on experience provides comprehensive multi-factor authentication protection for one of your applications, equips users with a chosen MFA method, introduces microauthentications for added security, and offers full-site protection akin to VPN functionalities. All we ask in return is the dedication of one specialist for a mere 10 hours over a week and honest feedback post-POV. Dive into this opportunity and ensure your bank remains compliant, secure, and always customer-centric.

FAQs

Will banks use passkeys?

In digital banking today, security is one of the core elements, and passkeys serve as a tool to greatly improve login security. Leading the charge in the banking sector, Revolut's strategic implementation of passkeys for both Personal and Business accounts signifies a step towards redefining user authentication.

How popular are passkeys?

Passkey use overall is skyrocketing

Passkey authentications with Dashlane have grown to 200,000 per month, a more than 400% increase since the beginning of the year. Overall, one in five active Dashlane users now has at least one passkey stored in their credential vault.

Does Chase bank use passkeys?

The Chase POS app will prompt for a Bluetooth pairing request. Enter the Passkey (PIN) digits from the card reader display to pair with the app and tap OK.

How do I use my Bank of America passkey?

When prompted for your USB security key, all you need to do is tap the button on the key already inserted into your USB port, allow the browser to read your device and continue with your transfer.

Can passkeys be hacked?

No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy to use credentials that are highly phishing-resistant.

What happens to passkeys if you lose your phone?

What happens if a user loses their device? Passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. That means users' passkeys go with them when they replace their devices.

What are the disadvantages of passkeys?

The disadvantages of using passkeys include the following: they are not yet widely adopted, they need extra software and hardware, they can be costly, and businesses may need to budget for implementation.

Can passkeys be stolen?

No, passkeys cannot be stolen in a way that would allow unauthorized access because the private key, which is crucial for authentication, is securely stored on the user's device in a protected environment like a TPM, TEE, or secure enclave.

Do I need a password manager for passkeys?

Instead, password managers will become even more important. This is because passkeys are tied to an authenticator. Users have a choice as to whether to use a device – usually a smartphone, but a tablet, laptop or desktop could work – or a password manager that supports passkeys.

What companies use passkeys?

Websites that support passkeys
  • Adobe. adobe.com.
  • Affirm. affirm.com.
  • Amazon. amazon.com.
  • Apple iCloud. icloud.com.
  • Bestbuy. bestbuy.com.
  • Bitwarden. bitwarden.com.
  • Bolt. bolt.eu.
  • Coinbase. coinbase.com.

Are passkeys available now?

Passkeys have already started to roll out as a replacement for passwords, with major tech companies like Apple, Google, and Microsoft announcing support for them in 2022. The first broad availability came with iOS 16 in 2022, marking a significant milestone in user authentication.

Are passkeys safe?

Yes, passkeys are more secure than passwords. This is not only because passkeys are phishing-resistant, but they are also error-proof. When users generate a passkey, they can't make mistakes like they do with passwords.

Why do banks not use passkeys?

And while they can be an effective security measure, passkeys are still at risk for certain types of fraud and could impact customer experience in unintended ways.

Why would Bank of America lock my account?

Bank accounts are typically frozen for suspected illegal activity, a creditor seeking payment, or by government request. A frozen account may also be a sign that you've been a victim of identity theft. Each situation requires specific actions to unfreeze the account.

Can you get locked out of your Online Banking?

If you find yourself being locked out of online banking (even though you know your password is right!), it could be caused by not properly logging out the last time you accessed your online banking via the mobile app or web browser.

Where are passkeys accepted?

Websites that support passkeys
  • Adobe. adobe.com.
  • Affirm. affirm.com.
  • Amazon. amazon.com.
  • Apple iCloud. icloud.com.
  • Bestbuy. bestbuy.com.
  • Bitwarden. bitwarden.com.
  • Bolt. bolt.eu.
  • Coinbase. coinbase.com.

What password managers use passkeys?

All the big operating systems, as well as third-party password managers such as Dashlane, 1Password, and Bitwarden, support passkeys. These tools should help ease the transition from passwords to passkeys.

What authentication do banks use?

Personal Identification Number (PIN)

Similar to SMS OTP, PIN-based biometric authentication banking is widely accepted because of its user-friendliness. All users have to do is enter their self-selected PIN codes to complete the transaction.

Article information

Author: Barbera Armstrong
