
Passkeys & the Public: Tackling Trust & Confusion in the Middle East

TLDR

People worry that passkeys are easy to steal, easy to lose, and hard to understand. In reality, a passkey never leaves the user’s device and is unlocked with a biometric or PIN, which makes it resistant to phishing and SIM swap fraud that targets OTPs. Device-bound passkeys, combined with app level device binding such as a Zero Trust Secure Module, preserve both security and institutional control in regulated environments. Banks and fintechs can build trust with clear Arabic first education, RTL friendly onboarding, recovery that feels safe, and messages that connect to familiar national digital ID experiences. Start with opt in pilots, show the benefits in everyday tasks, keep OTP only as a temporary fallback, and measure drop off at each step.

What people get wrong about passkeys in MENA

Security fears
A common belief is that if someone gets your phone, they get your accounts. A passkey is a cryptographic key pair. The private key stays on the device and is released only after a biometric or PIN check, so a stolen phone without a matching face, fingerprint, or PIN cannot sign in. This is unlike passwords or codes, which can be captured and reused elsewhere.

Loss of access
People worry that losing a phone means losing every account. There are two models. Synced passkeys are backed up by the platform and can be restored on a new device. Device bound passkeys never leave hardware and are best for high assurance. Each model has trade offs across recovery and control, and many institutions use device bound passkeys for riskier operations while allowing synced passkeys for lower risk.

Confusion with OTPs
Many users equate “code from SMS” with security. OTPs are widely targeted by SIM swap and social engineering. Regional reports and bank advisories in the Gulf highlight this risk, which is why carriers and banks are investing in SIM swap checks and stronger authenticators.

Passkeys, passwords, and OTPs in plain language

Passwords
You make up a secret and type it. If a criminal guesses it or steals the database, your account is at risk. No device check, easy to phish.

OTPs
A one time code is sent to your phone or app. Better than a password alone, but codes can be intercepted or tricked out of people. SIM swap targets SMS codes.

Passkeys
Your device holds a private key. The website holds the matching public key. The device uses the private key to prove it is you, and only after a face, fingerprint, or PIN. Nothing reusable is typed or shared, which blocks phishing and database reuse.
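To make the key pair exchange above concrete, here is an added example in Go (not code from the original post or from any named product) of a simplified WebAuthn style sign-in: the phone signs the bank's one time challenge together with the origin the browser saw, and the bank checks the challenge, the origin and the signature against the stored public key. The rp ID bank.example and the origins are constructed, and the biometric gate, attestation and signature counter checks are left out for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator models the customer's phone: the private key is created here and never exported.
type Authenticator struct{ priv *ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}
}

// PublicKey is all the bank ever stores; a breach of the bank's database yields nothing reusable.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
// signedMessage is what a WebAuthn assertion signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// Sign answers the bank's challenge; the browser, not the web page, supplies origin, so a look-alike site only gets an assertion naming itself.
func (a *Authenticator) Sign(rpID, origin, challenge string) (authData, cdJSON, sig []byte, err error) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x05, 0, 0, 0, 0) // rpIdHash || flags UP|UV || 4-byte signature counter
	cdJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdJSON))
	return
}

// VerifyAssertion is the bank's side: the challenge just issued, the bank's own origin and the registered key are all required.
func VerifyAssertion(pub *ecdsa.PublicKey, origin, challenge string, authData, cdJSON, sig []byte) error {
	var cd map[string]string
	if json.Unmarshal(cdJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return errors.New("stale or mismatched challenge") // a captured assertion cannot be replayed
	}
	if cd["origin"] != origin {
		return errors.New("origin rejected: " + cd["origin"]) // the phishing page's origin is refused
	}
	if len(authData) < 37 || !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}
```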

Why device bound passkeys and app level device binding work for regulated environments

What device bound means
The private key is generated inside secure hardware such as a secure enclave, TEE, or TPM and is not exportable. This limits attack surface and gives institutions confidence that only a registered device can perform high risk actions.

Policy and control with device binding
Pair the passkey with an app side binding layer, such as a Zero Trust Secure Module, to attest device health, enforce jailbreak checks, rotate keys, and gate specific flows by risk. This gives banks both strong user authentication and operational control without shipping OTPs.

Regulatory alignment
Regional guidance encourages phishing resistant factors that use public key cryptography and requires strong IAM controls. The UAE Central Bank rulebook points banks toward phishing resistant authenticators, and SAMA’s framework expects robust MFA and IAM across critical access. Device bound passkeys with app binding satisfy these expectations while reducing OTP exposure.
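As an added example (not the post's own code or any vendor's module), the following Go snippet shows how a bank's server can tell a device bound passkey from a synced one and gate riskier actions on that distinction, as the sections above describe: WebAuthn authenticator data carries backup eligibility (BE) and backup state (BS) flags, and a credential with BE clear cannot be copied off the device. The rp ID, the transfer threshold and the action names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"errors"
)

// WebAuthn authenticatorData flags (byte 32, directly after the 32-byte rpIdHash).
const (
	flagUP = 1 << 0 // user present
	flagUV = 1 << 2 // user verified (face, fingerprint or PIN)
	flagBE = 1 << 3 // backup eligible: credential may be synced to other devices
	flagBS = 1 << 4 // backup state: credential is currently backed up
)

type Assertion struct {
	RPIDHash [32]byte
	Flags    byte
	Counter  uint32
}

// ParseAuthenticatorData reads rpIdHash, flags and the signature counter from raw authenticatorData.
func ParseAuthenticatorData(b []byte) (Assertion, error) {
	if len(b) < 37 {
		return Assertion{}, errors.New("authenticatorData too short")
	}
	var a Assertion
	copy(a.RPIDHash[:], b[:32])
	a.Flags = b[32]
	a.Counter = uint32(b[33])<<24 | uint32(b[34])<<16 | uint32(b[35])<<8 | uint32(b[36])
	return a, nil
}
// DeviceBound reports whether the credential can never be copied off the authenticator (BE clear).
func (a Assertion) DeviceBound() bool { return a.Flags&flagBE == 0 }
// Policy holds the constructed risk threshold for this example.
type Policy struct{ HighRiskAmount int }
// Allow applies the model from the text: synced passkeys are fine for low risk tasks such as a
// balance view, while transfers at or above the threshold need a device bound, user verified credential.
func (p Policy) Allow(action string, amount int, a Assertion, rpID string) (bool, string) {
	if a.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return false, "rpIdHash does not match this bank"
	}
	if a.Flags&flagUP == 0 || a.Flags&flagUV == 0 {
		return false, "biometric or PIN verification missing"
	}
	if action == "transfer" && amount >= p.HighRiskAmount && !a.DeviceBound() {
		return false, "synced passkey not accepted for high value transfer; use the registered device"
	}
	return true, "ok"
}
```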

Communication strategies that build trust

Start simple
Explain that a passkey replaces passwords and codes with a quick face or fingerprint on the customer’s own device. Avoid jargon. Anchor on everyday tasks like checking a balance or sending money.

Show how recovery works
Make recovery visible during onboarding. Example flow: register a primary device, add a secondary trusted device, set up platform backup if policy allows, and document branch or call center assisted recovery for device bound credentials.

Use Arabic first education
Lead with Arabic content and RTL friendly screens. Keep labels short, avoid dense text, and use step by step visuals. Provide the same clarity in English for expatriate segments.

Micro tutorials in product
Use a 20 second animation that shows tap, biometric, success. Follow with a one tap prompt to add a second device. Link to a short FAQ that answers three questions: what if I change phones, what if my fingerprint fails, and how is this safer than an SMS code.

Message the benefits, not the math
Safer against fake websites, no codes to wait for, faster checkout and transfers, fewer lockouts while traveling.

Lean on familiar trust anchors
Many customers already use national digital identity apps like UAE Pass or Absher, which normalize biometric sign in for serious tasks. Reference that familiarity in your copy, then explain that your bank’s passkeys work in a similar tap and go way but never leave the banking app’s control.

Across channels
Use short motion posts on social, a 90 second landing page video, an in branch demo stand, and customer care scripts that translate biometrics into everyday language. Train relationship managers to help VIP clients add a secondary device during meetings.

Cultural considerations for the Middle East

Arabic and RTL by default
Treat Arabic as a first class language, not a translation phase. Respect RTL layout patterns, mirrored iconography, and larger default fonts. Test dialect choices in key markets.

Family and multi device realities
Design for shared devices in some households. Offer per user profiles and clear cues about which device is registered. Encourage a second device for recovery.

High mobile adoption and digital ID familiarity
Smartphone penetration and digital government IDs are high in the Gulf, which lowers the learning curve for passkeys. Use this context to reassure customers that biometric sign in is already part of daily life.

Visible privacy posture
Explain that biometrics never leave the device and that the bank cannot access raw face or fingerprint data. Say it directly in Arabic and in English, and link to a short readable policy.

Inclusive support
Offer branch based help for setup and recovery, and a hotline path for users who prefer assisted service.

A practical rollout playbook

  1. Pick a starter journey
    Begin with login and low risk tasks like balance view. Add higher risk tasks such as transfers after you observe data and tune risk policies.

  2. Offer opt in, then nudge
    Give a clear opt in with a strong value proposition. Nudge later with friendly reminders and in flow benefits like faster checkout.

  3. Register a second device by design
    Prompt customers during the first week to add a laptop or tablet as a recovery device. Reward completion with a small perk or faster step down challenges.

  4. Keep OTPs only as a temporary fallback
    Gate fallback with extra checks and phase them out as adoption grows. Use SIM swap checks where available until you retire SMS codes (GSMA).

  5. Instrument everything
    Track adoption by segment, success and failure per step, time to complete, recovery success, share of OTP fallbacks, and fraud outcomes.

  6. Pair passkeys with device binding like ZSM
    Use a Zero Trust Secure Module to bind identity to the app and the hardware, enforce policy per action, and keep a clear audit trail for compliance teams.

Actionable advice for leaders

• Set a policy that makes passkeys the default within one quarter, with OTP restricted to recovery only
• Localize all education in Arabic first and validate with user testing in the UAE and KSA
• Mandate second device registration for high risk users, and provide assisted add device in branches
• Publish a one page privacy explainer that says biometrics never leave the device
• Report monthly on OTP exposure, SIM swap incidents, and passkey success rates to the board

Sources

FIDO Alliance. White Paper: Deploying Passkeys in the Enterprise
https://fidoalliance.org/white-paper-fido-deploying-passkeys-in-the-enterprise-introduction/

Apple Support. Use passkeys to sign in to websites and apps on iPhone
https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-websites-and-apps-iphf538ea8d0/ios

Büttner, Gruschka. Device Bound vs Synced Credentials (arXiv)
https://arxiv.org/abs/2501.07380

UAE Central Bank Rulebook. Ongoing Authentication and Identity Lifecycle Management
https://rulebook.centralbank.ae/en/rulebook/ongoing-authentication-and-identity-lifecycle-management

SAMA. Cyber Security Framework
https://www.sama.gov.sa/en-US/Laws/BankingRules/SAMA%20Cyber%20Security%20Framework.pdf

GSMA. The Mobile Economy Middle East and North Africa 2024
https://www.gsma.com/solutions-and-impact/connectivity-for-good/mobile-economy/wp-content/uploads/2024/11/181124-Mobile-Economy-MENA-2024.pdf

Group-IB. The evolution of SIM swapping fraud
https://www.group-ib.com/blog/the-evolution-of-sim-swapping-fraud-how-fraudsters-bypass-security-layers/

Commercial Bank International UAE. SIM swap advisory
https://www.cbiuae.com/en/consumer-education-awareness/consumer-banking-security/sim-swap

Al Hilal Bank UAE. SIM swap fraud
https://www.alhilalbank.ae/en/security-tips/sim-swap-fraud

PwC Middle East. 2024 Digital Trust Insights
https://www.pwc.com/m1/en/publications/documents/middle-east-digital-trust-insights-2024.pdf

DataReportal. Digital 2024 UAE
https://datareportal.com/reports/digital-2024-united-arab-emirates

TDRA. Digital UAE Factsheet, UAE Pass users
https://tdra.gov.ae/en/media/press-release/2023/tdra-issues-report-titled-digital-uae-factsheet

Saudi Press Agency. Absher digital IDs exceed 28 million
https://www.spa.gov.sa/en/N2234375

Localize. RTL UX considerations
https://localizejs.com/articles/ux-considerations-for-international-websites

WIRED. How passkeys work
https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/

Toby Rush
CEO
Published
Sep 16, 2025