
Convenience vs. Control: The Problem with Synced Passkeys
This is the second post in a five-part series that explores the current state of passkeys and why enhanced implementations, what we call Passkeys+, are essential for meeting the security and compliance demands of bank-grade use cases.
In Part 1, Passkeys' Inevitable Triumph over Passwords, we discuss the inevitability of passkeys and how they have transformed the authentication industry. Check it out here.
TL;DR
- In 2024, synced passkeys became the default for platforms like Apple and Google.
- Device binding was removed, reducing passkeys to single-factor credentials.
- While synced passkeys reduce friction for the user, they create security gaps for financial services that require multi-factor authentication.
- Financial services and banks need visibility, auditability, and device control.
- Ideem’s Passkeys+ enhances standard passkeys with device binding and compliance-grade features.
In 2024, adoption of passkeys accelerated dramatically. According to Dashlane, passkey logins increased by 400% over the previous year, with 1 in 5 users now storing at least one passkey in their vault. Google, Apple, and Microsoft all now support syncing passkeys across devices via iCloud Keychain or the Google Password Manager, making it easier than ever to go passwordless.
For most users and apps, this is a win. Synced passkeys remove friction and enhance privacy. There's no need to re-register when changing phones, and the credentials are protected behind platform-native biometrics like Face ID or Android's fingerprint unlock.
But this move toward convenience has come with a trade-off—one that’s especially significant for financial institutions.
The Problem for Financial Services
When platforms removed the requirement that passkeys stay bound to a single device, they also weakened a key security property: device possession.
Passkeys were originally designed to be something you have (the device) and something you are (the biometric). But once passkeys are synced to the cloud, exported/shared across multiple devices and users, the assurance of “something you have” disappears. What remains is a single factor: the user’s biometric on any synced device.
For financial services, that's not enough.
Banks, payment wallets, stablecoin payment providers, and more in the financial services industry are required to implement multi-factor authentication with strong device assurance, especially for transactions, account recovery, and fraud response. A synced passkey doesn’t provide visibility into which device is being used. It doesn’t allow for enforcement of per-device risk policies. And it can’t offer cryptographic proof that the same device used to enroll the credential is still being used to authenticate.
As the FIDO Alliance noted in its 2024 report, while consumer awareness of passkeys is growing (62% in the US), adoption, particularly in financial services, remains cautious due to a lack of policy controls and device telemetry.
Designed for Convenience and Privacy, But Not Always for Compliance
There’s a reason synced passkeys work this way. Apple and Google have gone to great lengths to reduce friction and protect user privacy. Synced passkeys allow a user to enroll once and use everywhere, and they do not expose metadata about the device, location, or context of authentication. This is excellent for most consumer use cases—but it limits what a bank can see or do when trying to enforce compliance, detect fraud, or respond to threats.
Banks are ultimately responsible for their authentication stack. That means they need to know which devices are accessing their systems. They need to verify possession. They need audit trails. And they need a way to revoke access if a device is lost or compromised.
The current model of synced passkeys doesn’t support that level of visibility or control.
What’s Missing and What’s Possible
Synced passkeys aren’t broken; they’re just not complete for all use cases. They do an excellent job of replacing passwords in low- and medium-risk scenarios. But for high-assurance environments, something more is needed.
That something is device binding: the ability to cryptographically tie a credential to a known, registered device. Combined with strong user verification and context-aware policies, device binding allows organizations to maintain full control over their authentication process—without giving up the convenience users love.
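To make the "something you have" gap from the earlier section and the device-binding point above concrete, here is an added example (not Ideem's or any platform's code) of what a relying party can and cannot learn from a standard WebAuthn assertion: the authenticator-data flags reveal whether the user was verified and whether the credential is backup-eligible (syncable), which is enough to stop treating a synced passkey as proof of device possession and to trigger a step-up for large transactions, but not to identify which device signed. The RP ID, thresholds, policy outcomes, and the sample assertion bytes are constructed for this example.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (bit positions from the WebAuthn spec)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced


def parse_auth_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Decode the fixed 37-byte prefix of authenticatorData and check the RP ID hash."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("assertion was not made for this relying party")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]  # big-endian uint32
    return {
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def authentication_decision(parsed: dict, last_sign_count: int,
                            amount: float, step_up_threshold: float) -> str:
    """Hypothetical high-assurance RP policy: returns 'allow', 'step_up' or 'deny'."""
    if not parsed["user_verified"]:
        return "deny"  # biometric/PIN verification is mandatory
    # Standard WebAuthn clone check: a non-zero counter that did not increase
    # means another copy of the private key may have signed in the meantime.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return "deny"
    # A backup-eligible credential may live on any synced device, so it cannot
    # stand in for "something you have"; demand a second factor above the limit.
    if parsed["backup_eligible"] and amount >= step_up_threshold:
        return "step_up"
    return "allow"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix for testing (no real signature)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

Synced passkeys typically report a sign count of 0, which is why the clone check only fires on non-zero counters; device-bound authenticators that increment the counter get that extra protection.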
This is where Ideem sees opportunity.
Introducing Passkeys+
Passkeys+ is Ideem’s approach to bridging the gap between consumer-grade usability and enterprise-grade control. We’re building on the strong foundation of synced passkeys to add back the pieces that financial services need:
- Deterministic device binding, with verifiable possession
- Enhanced user verification, combining biometrics with policy controls
- Auditability and telemetry, to support compliance and fraud response
- Step-up triggers, based on risk, transaction size, or location
Passkeys+ doesn’t replace passkeys; it extends them, making them viable for sectors that can’t afford to compromise on control or compliance.
What’s Next
In our next post, we’ll unpack exactly how Passkeys+ works under the hood—and how banks, fintechs, and other financial services can use it to finally go passwordless without sacrificing security, visibility, or trust.
Sources:
- Dashlane Passkey Usage Report 2024: https://blog.dashlane.com/passkeys-2024-adoption/
- FIDO Alliance Enterprise Survey 2024: https://fidoalliance.org/2024-enterprise-passkey-report/
- Google Security Blog: https://security.googleblog.com/2024/05/passkeys-update-android-sync.html
- Apple Platform Security: https://support.apple.com/guide/security/passkeys-overview-secbaefe3c01/web