Understanding passkeys
Debunking four common myths
Passkeys are often seen as a promising leap forward in the future of authentication – secure, user-friendly, and increasingly supported by platforms like Apple, Google, and Microsoft. Yet many organizations remain skeptical: Are passkeys truly secure? Do they meet regulatory requirements like Strong Customer Authentication (SCA)? And is the technology ready for use in practice?
In this article, we take a closer look at four common myths about passkeys and show you what's important when assessing their potential and limitations realistically.
Myth 1: “Synced passkeys are insecure.”
The facts: Not all passkeys are the same. They come in two fundamental forms with distinct security and usability characteristics – and understanding this distinction is key when evaluating their suitability for different environments:
- Synced passkeys are synchronized across devices via platform services such as iCloud, Google, or password managers. They offer great user convenience, provide phishing protection and a reliable recovery mechanism. However, their security strongly depends on the security policies and cloud sync implementation of the platform provider – a factor that organizations typically cannot control.
- Device-bound passkeys are stored in hardware (e.g., TPM, Secure Enclave) and offer maximum security, independent of any cloud provider. They are better suited to highly regulated environments but require greater effort in device management and recovery processes.
Conclusion: Labeling synced passkeys as “insecure” is too simplistic. Both types of passkeys follow the FIDO2 standard and can be highly secure when implemented and used correctly. The key is to evaluate them in the context of your risk tolerance, compliance requirements, technical architecture, and user expectations. It's about balancing security, usability, and operational costs – and being clear about the trade-offs.
Myth 2: “Passkeys are not strong customer authentication (SCA).”
The facts: The PSD2 directive defines strong customer authentication (SCA) as a combination of two out of three factors: knowledge (e.g., password), possession (e.g., device), and inherence (e.g., fingerprint).
Evaluation of common methods:
| Method | SCA-compliant |
|---|---|
| Password + SMS | yes |
| App with biometrics & push | yes |
| App with biometrics & QR code | yes |
| Device-bound passkey + biometrics | yes |
| Synced passkey + biometrics | limited |
Why is SCA compliance disputed for synced passkeys?
Synced passkeys lack a clearly verifiable proof of possession since the key is not bound to hardware. Still, they offer strong phishing resistance, great UX, and solve recovery challenges. Whether they meet SCA requirements ultimately depends on the quality of the cloud sync implementation – something that is difficult to verify independently.
Conclusion: Device-bound passkeys clearly meet SCA requirements. For synced passkeys, compliance depends on the quality of the cloud sync. Without additional device-binding measures, they do not meet PSD2 standards.
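The distinction drawn in Myth 1 and the table in Myth 2 are something a relying party can actually check: WebAuthn authenticator data carries a flags byte whose BE (Backup Eligible) and BS (Backup State) bits tell the server whether a credential can be, and currently is, synced, and whose UV (User Verified) bit records that the authenticator checked a PIN or biometric. The following Python is an added example, not Airlock's code: it decodes the fixed 37-byte prefix of authenticator data, classifies the passkey as synced or device-bound, maps the result onto the article's SCA table, and shows a registration policy that refuses synced passkeys where only device-bound ones are acceptable. The relying-party ID `bank.example` and the sample byte strings are constructed for the demonstration.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticator-data flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # User Present
FLAG_UV = 1 << 2  # User Verified: a PIN or biometric unlocked the key
FLAG_BE = 1 << 3  # Backup Eligible: the credential may be synced off the device
FLAG_BS = 1 << 4  # Backup State: the credential is currently backed up (synced)
FLAG_AT = 1 << 6  # Attested credential data follows (registration responses)
FLAG_ED = 1 << 7  # Extension data follows


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Decode the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).

    Raises ValueError for truncated input, an rpIdHash that does not belong to this
    relying party, or the spec-invalid combination BS=1 without BE=1.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])

    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if rp_id_hash != expected:
        raise ValueError("rpIdHash does not match this relying party")
    if (flags & FLAG_BS) and not (flags & FLAG_BE):
        raise ValueError("backup state set on a credential that is not backup eligible")

    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def passkey_kind(info: dict) -> str:
    """Synced passkeys advertise backup eligibility; device-bound ones never set BE."""
    return "synced" if info["backup_eligible"] else "device-bound"


def sca_assessment(info: dict) -> str:
    """Map the flags onto the article's table.

    Possession is the private key itself; UV=1 shows the authenticator also verified a
    second factor (biometric or PIN). Without UV only one factor was exercised.
    """
    if not info["user_present"] or not info["user_verified"]:
        return "no"
    return "yes" if passkey_kind(info) == "device-bound" else "limited"


def registration_allowed(info: dict, require_device_bound: bool) -> bool:
    """Policy hook for a regulated relying party: refuse to enrol synced passkeys on demand."""
    if require_device_bound and info["backup_eligible"]:
        return False
    return info["user_verified"]


def make_authenticator_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample prefix so the example runs offline; not real authenticator output."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "bank.example"  # hypothetical relying-party ID
    samples = {
        "device-bound, biometric": FLAG_UP | FLAG_UV,
        "synced, biometric": FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS,
        "device-bound, no UV": FLAG_UP,
    }
    for label, flags in samples.items():
        info = parse_authenticator_data(make_authenticator_data(rp, flags, 7), rp)
        print(f"{label:24s} kind={passkey_kind(info):12s} SCA={sca_assessment(info)}")
```

The BE bit is fixed at credential creation, so a relying party that wants the "device-bound + biometrics" row of the table should record it during registration and enforce its policy there, rather than discovering at login time that a credential has since been synced.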
Myth 3: “Banks cannot use passkeys.”
The facts: Many banks are hesitant to adopt passkeys. Common concerns include:
- Security doubts – which may be valid for synced passkeys depending on the use case; however, device-bound passkeys are SCA-compliant.
- Lack of a second channel – but SCA is about two factors, not two channels.
- Existing SCA solutions are already in place – often with poor UX or high operational costs.
- Missing transaction approval – technically feasible with passkeys, though not always strictly WYSIWYS-compliant (What You See Is What You Sign).
- Unclear compliance situation – currently an issue with synced passkeys; this is expected to improve with PSD3 and the Payment Services Regulation (PSR).
Conclusion: Banks can absolutely use passkeys – especially as a first authentication factor or to eliminate passwords entirely. Passkeys address pressing phishing challenges that result in significant financial losses. A well-thought-out migration path and continuous monitoring of regulatory developments are key.
Myth 4: “Passkeys require an alternative authentication factor.”
The facts: There are situations in which a user cannot access their passkey – for example, on a public device or due to technical failure.
The cross-device capability of passkeys – using a personal smartphone in combination with a browser on an untrusted device – can address this, but requires device support (Bluetooth must be enabled on both devices). In certain scenarios, a fallback authentication factor remains indispensable.
If a system must be accessible at all times and from all locations, an additional factor is necessary – but this is true for many authentication solutions.
Conclusion: Not a myth, but a practical design consideration. What matters is whether such fallback scenarios are relevant for the business model. In most cases, they are not.
Passkeys aren’t black and white
Passkeys are not a one-size-fits-all solution – but when implemented correctly, they offer compelling benefits in terms of security, usability, and cost efficiency. Organizations should ask themselves the following questions:
- Do passkeys match our use cases?
- Are compliance requirements (e.g., SCA) met?
- Are synced or device-bound passkeys better suited?
- Is our CIAM solution passkey-ready?
- How will we handle the migration process?
- Do we need an alternative authentication factor?
Ready to embrace a passwordless future?
Airlock IAM helps organizations implement passkeys in a user-centric and secure way. Contact us for a consultation or visit us at one of our upcoming events.