Beyond Passwords: How PSD3 Could Reshape the Future of Digital Identity in European Finance
Europe’s digital payments landscape is evolving—again. With the introduction of PSD3 and its companion regulation (PSR), the European Union is not only responding to rising fraud but also setting the stage for a more secure and inclusive financial future. At the heart of this shift lies a reimagining of Strong Customer Authentication (SCA) and the role that modern, passwordless solutions like passkeys might play in it.
But as the promise of convenience meets the rigor of regulation, a central question emerges: will PSD3 unlock the full potential of synced passkeys in European finance—or reinforce the case for stricter, device-bound alternatives?
From PSD2 to PSD3: A New Chapter in European Payment Security
PSD2, enacted in 2018, introduced groundbreaking changes like Open Banking and SCA to make payments safer and more competitive. However, the fragmented implementation across member states and the surge in sophisticated fraud have exposed its limitations. Enter PSD3 and the Payment Services Regulation (PSR), a more centralized approach that aims to harmonize enforcement, close security gaps, and adapt to the realities of an increasingly digital and mobile-first world.
Unlike PSD2, PSD3/PSR won’t rely on each country passing its own laws. As a regulation, PSR will apply uniformly across the EU—bringing clarity and consistency to how financial institutions must implement secure authentication.
SCA, Reimagined: What’s Changing Under PSD3
PSD3 proposes an updated definition of Strong Customer Authentication. Crucially, it allows two independent authentication elements from the same category (knowledge, possession, or inherence) if they are technically separate—for example, fingerprint and facial recognition.
This evolution opens the door to new authentication models that were previously on shaky regulatory ground. It also shifts attention toward the integrity of implementation, rather than rigid category separation. For passwordless solutions like synced passkeys, this could mark a turning point.
Additional changes include:
- Accessibility mandates: SCA mechanisms must support users with disabilities, limited digital access, or older devices. Providers can no longer take a “mobile-only” approach or charge for access to secure authentication.
- Stricter outsourcing oversight: Delegated Authentication (e.g., Apple Pay or Adyen handling SCA) will now qualify as formal outsourcing, triggering strict compliance obligations.
- Fraud liability expansion: Wallet providers, gateways, and technical service providers may bear liability if they fail to properly implement SCA—significantly raising the stakes for choosing authentication methods.
- Clarification for edge cases: PSD3 defines when SCA is (and isn’t) required for merchant-initiated transactions (MITs) and Mail Order/Telephone Order (MOTO) payments.
Synced Passkeys: A Convenient Fit or a Compliance Risk?
Synced passkeys, backed by FIDO2/WebAuthn standards and stored in encrypted cloud services like iCloud Keychain or Google Password Manager, promise a user experience that is fast, secure, and device-agnostic. For consumers, the appeal is obvious: no passwords, no one-time codes, and seamless login across devices.
But for banks and payment providers, especially in Europe, synced passkeys introduce tough questions. Chief among them: can a credential that syncs across multiple devices still count as “something only the user possesses”?
Under PSD2, that answer remained murky. PSD3’s updated SCA framework—particularly its nuanced view of independent factors—may finally offer clarity. If biometric authentication stored in a secure enclave and synced through a tamper-resistant cloud environment can be shown to maintain factor independence, synced passkeys may gain regulatory legitimacy.
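Whether a passkey is synced or device-bound is something a relying party can actually observe: the WebAuthn authenticator data returned at registration and at every sign-in carries a flags byte whose Backup Eligible (BE) and Backup State (BS) bits say whether the credential may be, and currently is, backed up to a sync service. The following is an added example, written for this article and not code from the original post or from any vendor named in it. It parses those flags and maps them onto a constructed possession-factor policy; the relying-party id `bank.example`, the `sca_policy_decision` function and its defaults are assumptions for illustration.

```python
"""
Added illustration: relying-party-side classification of a WebAuthn credential
as device-bound or synced, using the BE/BS bits of the authenticator data flags
(W3C WebAuthn Level 3, section 6.1 "Authenticator Data").
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

# Bit positions in the authenticator data "flags" byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified (PIN or biometric checked on the device)
FLAG_BE = 0x08  # Backup Eligible: credential may be synced to other devices
FLAG_BS = 0x10  # Backup State: credential is currently backed up / synced
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows

RP_ID = "bank.example"  # assumed relying-party id for this example


@dataclass
class AuthDataSummary:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int

    @property
    def credential_kind(self) -> str:
        """Device-bound, synced, or syncable but not (yet) backed up."""
        if not self.backup_eligible:
            return "device-bound"
        return "synced" if self.backed_up else "syncable-not-backed-up"


def parse_authenticator_data(auth_data: bytes, rp_id: str = RP_ID) -> AuthDataSummary:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected relying-party id")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    # The spec forbids BS=1 with BE=0; treat it as a malformed response.
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("Backup State set without Backup Eligible is invalid")
    return AuthDataSummary(
        rp_id_hash=rp_id_hash,
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def sca_policy_decision(summary: AuthDataSummary, require_uv: bool = True,
                        allow_synced: bool = False) -> Tuple[bool, str]:
    """Constructed policy: accept the credential as a possession factor or explain why not."""
    if not summary.user_present:
        return False, "no user presence"
    if require_uv and not summary.user_verified:
        return False, "user verification required for inherence/knowledge element"
    if summary.credential_kind != "device-bound" and not allow_synced:
        return False, f"{summary.credential_kind} passkey not accepted as possession factor"
    return True, f"accepted ({summary.credential_kind})"


def build_sample_auth_data(flags: int, sign_count: int = 1, rp_id: str = RP_ID) -> bytes:
    """Constructed sample authenticator data (no attested credential data, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    samples = {
        "security key":        FLAG_UP | FLAG_UV,
        "platform, syncable":  FLAG_UP | FLAG_UV | FLAG_BE,
        "cloud-synced passkey": FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS,
    }
    for label, flags in samples.items():
        summary = parse_authenticator_data(build_sample_auth_data(flags))
        print(f"{label:22s} -> {summary.credential_kind:24s} {sca_policy_decision(summary)}")
```

This only covers the flag policy; a real deployment still verifies the signature over `authData || clientDataHash`, the challenge, origin and counter through a WebAuthn library. The BE/BS bits are asserted by the authenticator itself, so an institution that wants to rely on them for a possession-factor argument under SCA needs an attestation statement it trusts, not just the flags.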
Accessibility and Inclusion: A New Compliance Frontier
One of PSD3’s most progressive shifts is its emphasis on accessibility as a compliance requirement. Authentication mechanisms must now work for all users—those without smartphones, those with disabilities, and those with limited digital literacy. Solutions that exclude vulnerable populations risk non-compliance.
This provision changes the design calculus for authentication technologies. A synced passkey experience limited to premium smartphone users might not meet the bar. Providers will need to ensure broader compatibility, potentially via hardware tokens, desktop sync options, or assisted setup flows.
For vendors, this is an opportunity to differentiate: accessibility isn't just good UX anymore—it's a regulatory mandate.
Delegated Authentication Gets Real
Under PSD3, Delegated Authentication becomes a formally recognized outsourcing activity. This means when an issuer allows a third party like Apple, Google, or Adyen to handle SCA, they must follow full outsourcing rules—contractual obligations, risk assessments, audits, and ongoing monitoring.
This formalization could have two effects:
- Greater confidence in delegated passkey flows, provided vendors can meet the compliance burden.
- Heightened scrutiny on providers offering passkey delegation without robust documentation or monitoring.
For platforms hoping to build passkey flows into their checkout experience, aligning with the new outsourcing requirements will be essential.
What It All Means for Passkey Adoption in Europe
PSD3 is not a blank check for synced passkeys—but it does chart a more defined path forward. The new rules:
- Lower some of the regulatory barriers to adoption
- Raise the bar for accessibility and security assurances
- Increase liability for poorly implemented authentication
Vendors and institutions alike must adjust. Solutions that blend security, inclusivity, and compliance clarity will win. Those that don’t—whether due to platform exclusivity, opaque architectures, or vague SCA mapping—risk falling behind.
Final Thought: The Race Is On
As PSD3/PSR moves toward implementation in 2025 and beyond, financial institutions and technology providers are facing a pivotal moment. The regulatory landscape is shifting from abstract directives to precise, enforceable rules. Authentication is no longer a backend problem—it’s a strategic lever.
For synced passkeys to thrive in this new era, they must not only delight users but convince regulators, auditors, and CISOs. That means technical rigor, airtight compliance documentation, and inclusive design.
In short, the future of digital identity in Europe isn’t just passwordless—it’s accountable, accessible, and regulatory-ready.
✅ Don’t Wait for 2026: Move Ahead of the Curve
PSD3 only applies to the EU—and it may not land until 2026. But you don’t have to wait to meet its expectations.
Ideem’s Zero-Trust Secure Module (ZSM) is already aligned with the draft regulatory framework—delivering device-bound, accessible, and audit-ready authentication that’s trusted by forward-thinking fintechs.
If you’re evaluating passkey options or looking to future-proof your SCA strategy, learn how ZSM can help you stay compliant and competitive—starting today.