The Audit Trail Dilemma: Why Passkeys Fall Short for Financial Services

Writer: Maranda Manning

Passkeys are often promoted as the future of authentication, offering a passwordless and phishing-resistant login experience. But while they make logins easier for consumers, their ability to seamlessly transfer between devices introduces a critical security flaw—one that makes them unsuitable for financial services and other high-assurance industries.

The problem? Passkeys cannot provide a reliable audit trail.


Passkeys and the Broken Chain of Trust


A core requirement in financial services security is the ability to track and verify every authentication attempt. Banks, fintechs, and payment providers must ensure that every login has a clear, auditable record of:


  • Who authenticated

  • Which device performed the authentication

  • When it happened


This traceability is critical for fraud detection, dispute resolution, and regulatory compliance under frameworks like PSD2 in Europe, MAS TRM in Singapore, and the FFIEC Authentication Guidance in the U.S.


However, because passkeys are designed to be transferable, they break this chain of trust. A user can create a passkey on one device and then access it from any other trusted device without any explicit verification of which hardware is actually being used. This means there’s no guarantee that the original, secure device was the one performing authentication.


This is especially problematic in industries where device-level security matters as much as user identity. Financial institutions, for example, are required to implement multi-factor authentication (MFA) measures that bind to a specific device to ensure a stronger level of trust. But passkeys, by design, don’t enforce this.


The Real-World Consequences of Transferable Passkeys


In practice, this weakens security. If an attacker gains access to one of a user's linked devices—whether through malware, session hijacking, or device theft—they can authenticate using a passkey without triggering any alerts that the login is coming from a different device.


Industry experts have raised concerns about the lack of strong attestation in current passkey implementations, meaning there’s no built-in way to verify that authentication is happening on a legitimate, known device.


Google, for example, still requires hardware security keys for its Advanced Protection Program (APP), which protects high-risk users. Even Google’s own security team acknowledges that passkeys don’t yet provide the same level of security as device-bound authentication methods, particularly in scenarios where strict control over login devices is necessary.


A real-world example of the risks posed by transferable authentication credentials comes from Okta’s 2023 security breach, where attackers used compromised session tokens to access accounts undetected. While session tokens aren’t the same as passkeys, the underlying issue is similar—once authentication credentials can move between devices freely, it becomes harder to enforce strong security controls.


Why Financial Services Require Device-Bound Authentication


Given the risks associated with transferable passkeys, financial institutions need stronger protections. The ability to tie authentication to a single, verifiable device is essential for ensuring compliance with industry standards and reducing fraud risk.

Device-bound authentication provides:


  • Verifiable Audit Trails – Ensures every login attempt is linked to a specific device, closing the accountability gap.

  • Stronger Fraud Prevention – Eliminates the possibility of passkeys being used on unverified devices.

  • Regulatory Compliance – Aligns with banking security mandates that require strict authentication controls.


This is why many security experts recommend hardware-bound credentials or other forms of device-bound authentication over passkeys in high-security environments. Even within the WebAuthn ecosystem, security keys with FIDO-certified attestation offer a higher level of security than passkeys that can roam between devices.
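As an added illustration (not code from the original post), here is how a relying party can read the WebAuthn authenticator-data flags that mark a credential as sync-eligible (BE) or currently synced (BS), reject credentials that are not device-bound, and keep the fields an audit record needs for every attempt. The rpId `bank.example`, the acceptance policy and the sample blobs are constructed for this example and are not from the post.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "be": bool(flags & FLAG_BE),
        "bs": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }

def assess_device_binding(auth_data: bytes, rp_id: str, last_sign_count: int) -> dict:
    """Hypothetical high-assurance policy: accept only user-verified, non-synced
    credentials, and return the fields an audit record should keep for every attempt."""
    s = parse_authenticator_data(auth_data)
    reasons = []
    if s["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash does not match this relying party")
    if not s["uv"]:
        reasons.append("user verification (UV) not performed")
    if s["be"] or s["bs"]:
        reasons.append("credential is sync-eligible (BE/BS set); not device-bound")
    # A counter that fails to increase (when either value is non-zero) suggests a cloned key.
    if (s["sign_count"] or last_sign_count) and s["sign_count"] <= last_sign_count:
        reasons.append("signature counter did not increase; possible cloned credential")
    audit = {**s, "rp_id_hash": s["rp_id_hash"].hex()}  # hex for log storage
    return {"accepted": not reasons, "reasons": reasons, "audit": audit}

def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticator-data blob for testing (not a real assertion)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

# Constructed samples: a device-bound key with a live counter, and a synced passkey (BE+BS, counter 0).
DEVICE_BOUND = build_auth_data("bank.example", FLAG_UP | FLAG_UV, 42)
SYNCED_PASSKEY = build_auth_data("bank.example", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
```

The BE/BS bits only tell the relying party what the authenticator reports about itself; proving which hardware holds the key still requires attestation at registration, which is the gap the post describes.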


In Conclusion...


Passkeys may be convenient, but they introduce significant security gaps for industries that require strict authentication controls. Financial institutions, in particular, need to ensure that every login is both phishing-resistant and tied to a verifiable device—something today’s passkeys simply don’t guarantee.


As authentication standards evolve, the industry needs to recognize that security shouldn’t be sacrificed for convenience. Financial services require authentication methods that provide both strong security guarantees and regulatory compliance. Right now, passkeys aren’t up to the task.

