Passwords have long been the gateway to web and mobile applications since the internet’s inception, but the omnipresent password might not be so omnipresent anymore. Passkeys are set to replace them, especially in the world of financial services.

The good old password suffers from two significant flaws, one of usability and one of security. For one, users forget their passwords. The average person has 100 different passwords, and four out of five users have forgotten at least one password in the last 90 days. More worryingly, passwords are also weak from a security standpoint. They are frequently compromised in cybercrime, from phishing to replay attacks. Phishing, which disproportionately affects financial institutions and their customers, increased 61% in 2022, with a 50% increase in attacks on mobile devices. Security has long needed to move beyond the password paradigm, especially when it comes to financial firms.

One option to increase account security is multi-factor authentication (MFA). Across all industries, the firms we track have widely introduced MFA options. MFA protection is remarkably effective, blocking over 99.9% of account compromise attacks. It is, however, also slightly annoying. For initial logins, users must supply password credentials and a possession-based code, either from an authenticator app or one sent via SMS. Subsequent logins frequently leverage inherence-based authentication—face recognition or fingerprint verification—or require re-authentication via MFA every few weeks or months. While these steps confer additional protection, users still need to remember their passwords, type them correctly, track down their phone or open their email, and then type a separate MFA code within a set timeframe. MFA trades convenience for increased security.

These four screenshots show the MFA delivery pages from various financial firms

Enter the Passkey, convenient and secure

The technology, finance, and security industries have long identified the shortcomings of passwords and sought better ways to secure accounts. Major industry players in 2009 joined to form the Fast ID Online (FIDO) Alliance. Since its formation, FIDO has pioneered several industry-standard security protocols around MFA, and has wide-ranging membership from PayPal, Visa and Wells Fargo to Apple, Google and Meta. The most significant recent development is the passkey. At the end of 2022, Apple, Google, and Microsoft began slowly rolling out support for passkeys across their mobile and web environments. Our researchers have already noticed certain firms rolling out passkeys as a login method. FIDO details the logic behind passkeys in articles and graphics.

In practice, passkeys render passwords obsolete, a win-win for the user experience and security. CI’s recent Insight article underscores that the most effective user experiences strike a balance between security and convenience. With passkeys, users will no longer need to remember passwords, while firms can offer increased security. Another consequence of ditching the password-centric paradigm is that it minimizes the role of 2FA authenticators or SMS codes, which sometimes do not arrive in a timely manner. Instead, passkeys incorporate an inherence-based authenticator, such as Face ID or a fingerprint. Users just need their device to log into any account.

A swift user experience

Passkeys are simple to set up, and even simpler to use on mobile and web devices. The investing app Robinhood allows users to create a passkey in the Security menu. After entering a one-time code via SMS or authenticator, users finish the process by confirming their passkey with a biometric factor. On iOS, passkeys are saved in the user’s personal iCloud Keychain, analogous to Android devices using Google’s Password Manager. Consequently, mobile users in both Apple and Google environments enjoy seamless, encrypted syncing of passkeys between devices in each ecosystem.

These four screenshots from mobile phones show Robinhood's method for passkey login

Once the passkey is initialized, users authenticate by tapping the passkey button in the password field, prompting the iCloud Keychain interstitial. Users select a saved passkey and authenticate with Face ID. In contrast to passwords, passkeys eliminate the need for one-time codes from SMS or authenticator apps. And by eliminating the need to manually enter passwords and second factors, passkeys significantly reduce login friction caused by typos or forgotten passwords.

These screenshots from a mobile device show the login process for the investing app Robinhood using a passkey

Finally, given that they are already an industry standard, passkeys are compatible across ecosystems. In the example below, users can authenticate on Robinhood’s desktop experience via the Chrome browser using an existing passkey on an iOS device. By simply scanning the QR code with the passkey-enabled device, users can log in seamlessly without any further authentication steps.

These images show the passkey login experience for Robinhood's desktop site

The path forward

Passkeys are a promising technology that will likely make passwords a thing of the past. Widespread adoption, however, will take time. This year, Microsoft is expected to fully introduce passkeys to the Windows environment. Robinhood has already implemented passkeys on iOS and Chrome, and PayPal plans to roll out passkey support soon. Other providers, ranging from travel-booking tool Kayak to retailer Best Buy, have also implemented passkeys on web and mobile platforms. Ultimately, financial institutions, fintechs, and other web services will need to integrate passkeys into their security infrastructure—which also means that firms will need to create resources to teach users about passkeys’ security benefits and encourage adoption. We expect to see more about passkeys throughout the financial services industry going forward.

For more of CI’s ongoing research into developments and trends within the financial services industry, check out our Insights page. And learn more about our Mobile Monitor subscription research services, including a recent Mobile Security Best Practices report.

Benjamin Altschul

Benjamin Altschul is an Analyst on CI's Fintech and Mobile team.