But Wait, There’s More to Passkeys+

This is the fifth and final post in a five-part series that explores the current state of passkeys and why enhanced implementations, what we call Passkeys+, are essential for meeting the security and compliance demands of bank-grade use cases.

You can read the other four posts in this series here: 

Passkeys are designed to make authentication simple: a cryptographic challenge is signed by your private key, and you’re in. That’s enough for many everyday use cases.

But in financial services, signing a challenge isn’t always the end of the story.

Under PSD2, for example, financial services must support Dynamic Linking: the authentication must be cryptographically bound to the specific transaction details (like amount and recipient), not just to the session or login. This goes beyond simply proving identity: it ensures the user is authorizing that specific transaction, in that context.

Passkeys+ supports this.

Because the ZSM (Zero-Trust Secure Module) is actively involved in the flow, it can sign not just an authentication challenge, but also context-specific payloads, ensuring the authentication is transaction-aware. This is a critical requirement for SCA (Strong Customer Authentication) compliance in the EU and similar frameworks globally.

Handling New Devices with Awareness

Another common challenge: device onboarding.

Synced passkeys are fantastic for usability. If a user gets a new phone and signs into their Apple ID or Google account, their passkeys come with them. But from the relying party’s perspective, there’s a blind spot. That new device looks identical to the old one.

That’s a problem. High-assurance platforms need to know:

  • Is this a new device?

  • Was it previously trusted?

  • Should we require step-up authentication before allowing access or transactions?

Passkeys+ makes that possible.

When a passkey is used on a new device for the first time, the ZSM informs the relying party that it is not yet bound to this device. The server can then trigger a step-up event—like re-verifying biometrics, completing an out-of-band challenge, or asking for re-authentication through a known device.

Once verified, the ZSM can be cryptographically linked to that new device, restoring trust and maintaining a verifiable device-bound identity across the ecosystem.

More Than a Signature: Context-Aware Authentication

Traditional WebAuthn flows are limited in the context they provide. The browser passes along the credential ID, the challenge, and basic metadata. That is not enough for every use case.

Passkeys+ extends the FIDO2 standard by allowing additional fields to be signed and verified as part of the authentication payload. This includes:

  • Device state (e.g., new, previously verified, hardware-backed)

  • Local risk signals or session data

  • Transaction-specific metadata

  • Optional user attributes or scope permissions

This gives the relying party more context at decision time, enabling policies that adapt to user behavior, session risk, or transaction sensitivity.
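The two preceding sections (new-device onboarding with step-up, and the extra signed context fields) come together in the relying party's policy decision. The following is an added example, not code from the original post or from Passkeys+, of such a policy: it keeps the relying party's own registry of which device each credential has been bound to, treats the authenticator's "not yet bound" report as a trigger, and escalates to step-up on new devices, elevated session risk, or high-value transactions. The field names (`device.bound`, `device.hardwareBacked`, `risk.score`), the amount threshold and the assumption that the payload has already been signature-verified are all constructed for this example.

```javascript
// Added example: relying-party policy over signed context fields.
// Assumption: `ctx` was extracted from an assertion whose signature has
// already been verified, so the fields below can be trusted as the
// authenticator's statements rather than free client input.

// Registry of (user, credential, device) triples that have completed step-up.
// In production this is persisted; a Set is enough to show the logic.
class DeviceBindings {
  constructor() { this.bound = new Set(); }
  key(userId, credentialId, deviceId) { return `${userId}|${credentialId}|${deviceId}`; }
  isBound(userId, credentialId, deviceId) { return this.bound.has(this.key(userId, credentialId, deviceId)); }
  bind(userId, credentialId, deviceId) { this.bound.add(this.key(userId, credentialId, deviceId)); }
}

const STEP_UP_AMOUNT = 1000; // constructed threshold, in the transaction's currency
const HIGH_RISK_SCORE = 70;  // constructed threshold on a 0..100 risk signal

// Returns { action: 'allow' | 'step_up' | 'deny', reasons: string[] }.
function decide(bindings, ctx) {
  const { userId, credentialId, device, risk, transaction } = ctx;
  const reasons = [];

  // Hard requirement: the credential must live in hardware-backed storage.
  if (!device.hardwareBacked) return { action: 'deny', reasons: ['credential not hardware-backed'] };

  // New-device handling: either the authenticator reports it is not yet bound,
  // or the RP has no record of this device. The RP registry is authoritative,
  // so a "bound: true" claim for an unknown device still requires step-up.
  if (device.bound === false || !bindings.isBound(userId, credentialId, device.id)) {
    reasons.push('new or unbound device');
  }
  if (risk && risk.score >= HIGH_RISK_SCORE) reasons.push('high session risk');
  if (transaction && transaction.amount >= STEP_UP_AMOUNT) reasons.push('high-value transaction');

  return reasons.length ? { action: 'step_up', reasons } : { action: 'allow', reasons };
}

// Called once the out-of-band challenge, biometric re-verification or
// known-device confirmation has succeeded: link the device going forward.
function completeStepUp(bindings, ctx) {
  bindings.bind(ctx.userId, ctx.credentialId, ctx.device.id);
}

// Walk through the onboarding story from the post with constructed data.
function demo() {
  const bindings = new DeviceBindings();
  const base = {
    userId: 'user-42',
    credentialId: 'cred-abc',
    device: { id: 'phone-new', bound: false, hardwareBacked: true },
    risk: { score: 10 },
    transaction: { amount: 50, currency: 'USD' },
  };
  const first = decide(bindings, base);            // step_up: new device
  completeStepUp(bindings, base);
  const boundCtx = { ...base, device: { ...base.device, bound: true } };
  const second = decide(bindings, boundCtx);       // allow: device now bound
  const large = decide(bindings, { ...boundCtx, transaction: { amount: 5000, currency: 'USD' } }); // step_up
  return { first: first.action, second: second.action, large: large.action, largeReasons: large.reasons };
}

module.exports = { DeviceBindings, decide, completeStepUp, demo, STEP_UP_AMOUNT, HIGH_RISK_SCORE };
```

Keeping the binding registry on the relying-party side is the important design choice: the authenticator's self-report is useful as a signal, but the server's own record of which devices it has verified is what the trust decision rests on.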

A Smarter Way to Trust

Security and usability don’t have to be at odds. Passkeys+ preserves everything that makes passkeys appealing—simplicity, privacy, and phishing resistance—but adds the logic and transparency that financial services need to safely adopt them.

Whether you're processing a $5,000 bank transfer, onboarding a new user on a fresh device, or verifying a step-up after a flagged session, Passkeys+ gives you the levers you need to make trust decisions confidently and compliantly.

Toby Rush, CEO
Published Jul 15, 2025