Passwordless Authentication in Banking: A Guide to FIDO2 & Passkeys (2026)

May 15, 2026
Illustration of passwordless banking authentication using a hardware security key and passkeys to authorize a secure banking transaction with phishing-resistant user verification and dynamic linking.

Passwordless authentication is already part of modern banking, even if it is not always explicitly labeled as such. In many markets, strong customer authentication (SCA) and multi-factor authentication are well established, and passwords rarely function as a standalone control.

This article explains the gaps passwordless authentication can address for banks, how the FIDO2 standard and passkeys are gaining traction, and how the regulatory landscape is shifting.

Passwords have historically been part of banking authentication, but their role has been significantly reduced. Today, most attacks do not target passwords in isolation, but rather the broader authentication and recovery flows around them. Passwordless authentication goes even further, completely shifting away from shared secrets toward credentials that are resistant to phishing and large-scale compromise.

Why banking authentication still has gaps

Account takeover fraud remains one of the most significant threats in digital banking. While many banks have already moved beyond passwords as a standalone factor, current authentication and access recovery flows still rely on mechanisms that can be phished, intercepted, or socially engineered.

Recent industry analysis indicates that fraudsters are shifting toward identity-based attacks, with account takeover and impersonation driving a growing share of fraud attempts, according to TransUnion’s latest fraud trends report.

In practice, attackers rely on:

  • phishing and real-time social engineering
  • malware and session hijacking
  • SIM swap and OTP interception
  • abuse of insufficient account recovery flows

Password database breaches are still an issue. Even when passwords are securely stored using modern hashing algorithms in secure services like online banking, compromise can still originate from breaches of other services because users tend to reuse passwords.

Credential stuffing continues at a massive scale across digital services, with billions of automated login attempts each year. More than 50 percent of authentication attempts involve previously exposed passwords, based on findings from Cloudflare and NordPass. While banks are generally less exposed to this risk, some scenarios, such as mobile app reactivation, may still remain vulnerable.

SMS OTPs do not fully solve this problem. The FBI Internet Crime Complaint Center continues to warn about real-time phishing attacks that intercept one-time codes and hijack sessions.

Modern banking security is therefore shifting from protecting shared secrets toward eliminating them where possible. For banks, this transition is not just about replacing passwords. It represents a broader architectural shift toward modernization, phishing-resistant authentication, and up-to-date solutions.

Introducing passkeys

Passwordless authentication is not a single technology. In banking, it includes multiple approaches such as app-based authentication, hardware security tokens, server-side biometrics, and cryptographic credentials.

However, the most relevant standardized implementation, and the one receiving the most attention today, is passkeys based on FIDO2 and WebAuthn, open standards developed by the FIDO Alliance in partnership with the W3C.

What passkeys are

Passkeys are a consumer-friendly name for phishing-resistant FIDO2 credentials used for passwordless authentication. They typically use biometrics or a PIN and may synchronize across devices via platform ecosystems, improving usability and recovery.

Device-bound passkeys, meaning non-synced credentials, offer higher assurance and are better suited for high-risk banking actions. Hardware security keys go further: the credential never leaves the dedicated authenticator, which has no internet exposure of its own, and user presence and verification are usually required for each use.

The cryptographic foundation

When a user registers a passkey, a private key is created and securely stored on their device, while the service provider, such as the bank, stores the public key. During authentication, the device signs a random challenge using its private key, and the service provider verifies the signature using the public key. No secret is transmitted.

Each credential is also bound to a specific web domain (the relying party ID) at registration, and the browser only exercises it for pages served from that domain, so it cannot be used on a phishing site hosted elsewhere.

Diversity of authenticators

In practice, banks rarely standardize a single authenticator type for all users and all scenarios. Retail customers, corporate users, elderly populations, accessibility-sensitive groups, and high-risk transaction flows often require different authentication approaches with different assurance levels. As a result, many banks are evolving toward multi-authenticator strategies rather than replacing all existing authentication methods with a single passkey-based model.

Platform authenticators

Platform authenticators are often the first and most straightforward step in passkey adoption. Built into devices and operating systems, they use hardware-backed security such as Secure Enclave or Trusted Execution Environments.

Users authenticate with biometrics or a device PIN, with credentials protected on-device and never exposed to the server.

Their security and assurance properties depend on implementation, particularly whether credentials are synced or device-bound. Limitations include assurance and coverage, as synced credentials depend on platform ecosystems and not all users have compatible devices.

In banking, they can be added as a phishing-resistant component to existing strong customer authentication flows or, when implemented correctly and assessed from a compliance standpoint, even used as the main strong customer authentication solution.

Hardware security keys

Hardware tokens solve coverage and assurance gaps. They are independent of mobile devices, resistant to malware and session manipulation, and enable secure transaction confirmation. They are essential for corporate banking, high-value transactions, and regulatory fallback requirements.

The regulatory picture in 2026

Banking regulators have been moving toward requiring phishing-resistant authentication for several years, and the direction is now unambiguous.

PSD2 and Strong Customer Authentication (SCA)

PSD2 requires two independent authentication factors and dynamic linking for payments. FIDO2 can satisfy SCA requirements when implemented as device-bound passkeys or security keys with appropriate user verification, where the device provides possession, and a PIN or biometrics can provide knowledge or inherence. It also goes beyond baseline requirements by being phishing-resistant.

PSD3/PSR: What changes

PSD3/PSR reached political agreement in 2025 and is expected to enter implementation from 2026 onward, with transition timelines extending into 2027 and 2028.

Key changes include:

  • stronger expectations for phishing-resistant authentication
  • increased fraud liability for banks
  • mandatory alternative authentication methods

Global regulatory alignment

The shift is global. CISA recognizes FIDO and WebAuthn as phishing-resistant MFA. NIST SP 800-63B classifies correctly implemented hardware-bound FIDO2 at the highest assurance level. UAE regulators introduced stronger authentication requirements in 2025, reducing reliance on OTP-based approaches. Singapore continues to lead in adopting phishing-resistant measures.

The pattern is consistent. Shared secrets are being phased out.

Banking: The next major adopter of passkeys

Historically, the adoption of passkeys in banking has been slower due to regulatory and coverage constraints. But the trend is clear: passkeys are gaining traction in banking, which is poised to become one of the biggest adopters. 

Phishing-resistant authentication with passkeys will gradually become the baseline expectation, while authentication ecosystems themselves will become more diverse. The challenge for banks is therefore not simply deploying passkeys, but building authentication architectures that can accommodate multiple authenticator types, evolving regulations, and future security requirements without repeatedly redesigning the customer experience.

Broader market adoption has demonstrated positive results

Real-world deployments from other industries show clear outcomes, although results depend on rollout and adoption models. In opt-in scenarios, passkey adoption can reach 40 to 45 percent within months, according to the FIDO Alliance.

Authentication success rates can reach around 98 percent, compared to significantly lower rates for password-based flows.

Adoption of passkeys also measurably reduces fraud exposure, lowers support costs, and improves the user experience.

How FIDO2 fits into banking

FIDO2 typically secures login, that is, authentication of the user's identity. Transaction approval and dynamic linking are separate additional layers that ensure the integrity of specific actions, such as payments, as required under PSD2 and PSD3/PSR.

While the FIDO2 standard can technically support transaction signing with dynamic linking and comply with other requirements for strong customer authentication (SCA), its applicability in banking and its compliance posture depend on the specific authenticator device and overall configuration. Banks should take this into consideration when evaluating and deploying passkeys or other FIDO2 solutions.
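The challenge-response flow from "The cryptographic foundation" and the transaction-bound variant discussed here, as an added Go example that is not part of the original article or of any Wultra product: the relying party derives the challenge from the payment details (dynamic linking), and its checks on origin, rpIdHash, challenge and UP/UV flags are what make a relayed assertion from a lookalike site fail. The domain names, payee, nonce, the challenge derivation and the use of Ed25519 (COSE EdDSA, chosen over the more common ECDSA P-256 for brevity) are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// txChallenge binds a fresh server nonce to the payment details (dynamic linking): a signature over it authorizes exactly this amount to this payee.
func txChallenge(nonce []byte, amount, payee string) string {
	h := sha256.Sum256([]byte(string(nonce) + "|" + amount + "|" + payee))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// verify is the bank's relying-party check: origin and rpIdHash pin the credential to the
// bank's domain, the challenge pins it to this transaction, the flags attest user verification.
func verify(pub ed25519.PublicKey, rpID, origin, want string, ad, cdj, sig []byte) error {
	var cd map[string]string
	rp, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	switch {
	case json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get":
		return fmt.Errorf("malformed clientDataJSON")
	case cd["origin"] != origin: // a lookalike site cannot make the browser report the bank's origin
		return fmt.Errorf("origin mismatch: %q", cd["origin"])
	case cd["challenge"] != want:
		return fmt.Errorf("challenge mismatch: replayed or altered transaction")
	case len(ad) < 37 || string(ad[:32]) != string(rp[:]) || ad[32]&0x05 != 0x05:
		return fmt.Errorf("rpIdHash mismatch or user presence/verification (UP|UV) not asserted")
	case !ed25519.Verify(pub, append(append([]byte{}, ad...), cdh[:]...), sig): // over authData || SHA-256(clientDataJSON)
		return fmt.Errorf("bad signature")
	}
	return nil
}

// main plays the authenticator for a constructed payment, once from the bank's origin and once from a lookalike.
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair minted at registration (COSE alg EdDSA, for brevity)
	rp := sha256.Sum256([]byte("bank.example"))
	ad := append(rp[:], 0x05, 0, 0, 0, 1) // authenticatorData: rpIdHash || flags (UP|UV) || signCount
	ch := txChallenge([]byte("constructed-nonce"), "1250.00 EUR", "DE00 0000 0000 0000 0000 00") // constructed payee
	for _, origin := range []string{"https://bank.example", "https://bank-login.example"} {
		cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": ch, "origin": origin})
		cdh := sha256.Sum256(cdj)
		sig := ed25519.Sign(priv, append(append([]byte{}, ad...), cdh[:]...))
		fmt.Println(origin, "->", verify(pub, "bank.example", "https://bank.example", ch, ad, cdj, sig))
	}
}
```

The first line printed ends in `<nil>` (accepted); the second reports the origin mismatch, and changing the amount after signing would fail the challenge check in the same way.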

Deployment considerations

Key decisions include synced versus device-bound credentials, attestation requirements, secure recovery flows, and regulatory documentation for PSD2 and PSD3/PSR compliance. The recovery process is especially critical because, in practice, it often defines the system's effective security baseline: an attacker who can pass recovery does not need to defeat the passkey at all.

If you are planning your next step toward passwordless authentication, you can explore how it’s implemented in real banking environments with our Passkeys & FIDO2 solution.

Frequently asked questions

What is passwordless authentication in banking?

It refers to authentication methods that do not rely on passwords or shared secrets. In banking, this includes approaches such as mobile apps, device-based authentication, and cryptographic credentials like passkeys or hardware keys. Users authenticate using biometrics, PINs, or devices without transmitting any shared secret.

Are passkeys secure against phishing?

Yes. They are bound to specific domains and use cryptographic signatures, making them resistant to phishing and credential replay attacks.

Is FIDO2 compliant with PSD2 and PSD3/PSR?

It depends on the implementation. FIDO2 can meet SCA requirements when combined with appropriate user verification and transaction authorization, fulfilling both identity and intent authentication requirements.

What is the difference between platform authenticators and hardware security keys?

Passkeys implemented via platform authenticators are credentials available via consumer devices, such as smartphones or laptops. Hardware security keys are dedicated physical devices used for authentication. Hardware security keys are typically used when higher assurance or separation from the main device is required.

What happens if a user loses their device?

Secure recovery flows are required and must rely on independent identity verification or strong authentication using another already enrolled element, rather than the compromised device.
