
Passkeys Alone Are Insufficient for Financial Services
The third part in this five-part series explores the current state of passkeys and why enhanced implementations, what we call Passkeys+, are essential for meeting the security and compliance demands of bank-grade use cases.
You can read the other two posts in this series here:
- Part 1: The Passkey Shift - Passkeys' Inevitable Triumph over Passwords
- Part 2: Convenience vs. Control: The Problem with Synced Passkeys
TL;DR
- Passkeys improve usability and phishing resistance compared to passwords.
- But they still count as one factor, something you are, which is not enough for financial services.
- Banks and financial services require multi-factor authentication (MFA) and verifiable device control.
- Outsourcing authentication to Apple or Google, without internal oversight, violates many compliance models.
- Ideem’s Passkeys+ restores control, auditability, and device binding, built for high-assurance use cases.
Over the past year, passkeys have gained traction as the most promising replacement for passwords. Backed by major platform providers like Apple and Google, they offer a simpler, phishing-resistant way for users to sign in. In 2024 alone, passkey usage across consumer apps grew by more than 400% (Dashlane, 2024).
But better doesn’t mean sufficient, especially for financial services like banking, payments, and softcoin payments.
Why Passkeys Alone Fall Short
A passkey is a cryptographic credential that replaces your password. It’s stored on your device and protected by a biometric like Face ID or fingerprint unlock. It’s elegant. It’s fast. But when passkeys are synced across devices through Apple or Google’s cloud, the device factor is lost and the credential can be used from any authorized device, even if that device wasn’t explicitly trusted by the bank.
This makes synced passkeys inherently single-factor, and that’s a compliance risk for financial services.
Financial services are required by law in many jurisdictions to implement multi-factor authentication (MFA). That means having two of the following: something you have, something you are, and something you know.
Relying on a Single Point of Failure Is Too Risky
Beyond technical MFA requirements, there’s a broader truth: financial services must not rely on any single point of failure in their authentication stack. And synced passkeys represent one.
When you depend entirely on the biometric system of a third-party platform, and the cloud service that syncs credentials, you give up control over the chain of trust. If something breaks, or is compromised, or the rules change, your institution has no recourse. No logs. No policy override. No remediation path.
And it’s not just a security problem. It’s a governance one.
Authentication Must Stay in Your Control
Regulators expect that critical security infrastructure remains under the control of the authorizing entity. This includes how identities are created, stored, verified, and revoked. If all of that is outsourced to Apple or Google, with no way to audit or intervene, it undermines both technical resilience and regulatory compliance.
To be clear: Apple and Google have built world-class security ecosystems. But relying entirely on them is not a substitute for institutional control. Especially when the stakes are financial fraud, account takeover, or regulatory penalties.
Authentication is not a UX feature. It’s a core business function. And financial services must own it — end to end.
What’s Needed: Passkeys+, Not Just Passkeys
Passkeys are a leap forward, but financial services use cases require more.
Ideem’s Passkeys+ extends the standard passkey model to meet the demands of high-assurance environments:
- Device binding to ensure possession of a known, registered device
- Multi-factor assurance including biometrics, device trust, and policy-driven signals
- Auditability and visibility for compliance and incident response
- Local control, not outsourced identity management
With Passkeys+, financial institutions don’t have to choose between security and usability. They can have both—without sacrificing control.
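The two claims above, that synced passkeys lose the device factor and that device binding plus auditability restore it, can be checked by the relying party itself rather than taken on trust. WebAuthn authenticator data carries a flags byte with "backup eligible" (BE) and "backup state" (BS) bits that tell a relying party whether a credential can be, or currently is, synced off the device. The following is an added example written for this post, not Ideem's or any platform's code: it parses the fixed 37-byte prefix of authenticator data, flags synced credentials, checks the signature counter that a hardware-bound key keeps, and returns a structured decision suitable for an audit log. The relying party id `bank.example`, the policy thresholds, and the sample byte strings are constructed for the example; the byte layout and flag bit positions follow the WebAuthn Level 3 specification.

```python
"""
Added example (not Ideem's code): a relying-party-side check on WebAuthn
authenticator data that tells synced (backup-eligible) passkeys apart from
device-bound ones, so a bank can enforce its own device policy instead of
trusting platform sync blindly.

Assumptions (labelled): the authenticator data layout and flag bits are the
ones defined in WebAuthn Level 3 (rpIdHash[32] | flags[1] | signCount[4] | ...).
The relying party id, policy thresholds and sample byte strings are
constructed for this example.
"""
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in the authenticator data "flags" byte (WebAuthn L3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric / PIN)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of WebAuthn authenticator data."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    # BS without BE is not permitted by the spec; treat it as malformed.
    if (flags & FLAG_BS) and not (flags & FLAG_BE):
        raise ValueError("backup state set without backup eligibility")
    return AuthData(rp_id_hash, flags, sign_count)


def evaluate_assertion(data: bytes, rp_id: str, last_sign_count: int) -> dict:
    """Decide whether an assertion satisfies a bank-grade device policy.

    Returns a dict with the decision and its reasons so the outcome can be
    written to an audit log instead of disappearing into a bare boolean.
    """
    ad = parse_auth_data(data)
    reasons = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash mismatch")
    if not ad.user_verified:
        reasons.append("no user verification")
    if ad.backup_eligible:
        reasons.append("credential is backup-eligible (synced passkey)")
    # A hardware-bound credential keeps an increasing counter; a counter that
    # fails to advance can indicate a cloned key. Synced passkeys commonly
    # report 0, which is one more reason they do not prove possession.
    if ad.sign_count != 0 and ad.sign_count <= last_sign_count:
        reasons.append("signature counter did not increase")
    return {
        "accepted": not reasons,
        "device_bound": not ad.backup_eligible,
        "backed_up": ad.backed_up,
        "sign_count": ad.sign_count,
        "reasons": reasons,
    }


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data for the demonstration."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


RP_ID = "bank.example"  # constructed relying party id
# Constructed samples: a device-bound key with a live counter, and a synced one.
DEVICE_BOUND = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
SYNCED = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)

if __name__ == "__main__":
    for name, sample in (("device-bound", DEVICE_BOUND), ("synced", SYNCED)):
        print(name, evaluate_assertion(sample, RP_ID, last_sign_count=41))
```

The point of returning reasons rather than a boolean is the governance argument made above: the institution keeps its own record of why a sign-in was accepted or refused, and can change the policy (for example, allowing synced passkeys for low-value actions only) without waiting on a platform vendor.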
Conclusion
Passkeys are one of the most important security innovations of the last decade. But they aren’t enough for institutions bound by regulatory scrutiny, customer protection mandates, and internal security standards.
When authentication becomes too convenient to control, it becomes too risky to trust. That’s why Ideem built Passkeys+, a way to make passkeys bank-grade.
Sources
- Dashlane: Passkeys 2024 Usage Insights
- FIDO Alliance: Enterprise Passkey Adoption Report 2024
- Apple: Platform Security Guide – Passkeys
- Google: Passwordless Updates – 2024
- European Central Bank: Guidelines on Security Measures for Internet Payments (PSD2)
- Monetary Authority of Singapore (MAS): Notice PSN01 on Cyber Hygiene