Pedro Martinez | Business Owner for Digital Banking Authentication
More About This Author >
Pedro Martinez | Business Owner for Digital Banking Authentication
More About This Author >
As cyber risks continue to evolve across the BFSI industry, financial institutions are turning to stronger, more innovative ways to secure digital identities and transactions. Passkeys, a future-proof replacement for passwords that use device-based authentication methods, are setting a new standard for security – they’re creating a safer digital landscape, aligning perfectly with the mission to secure our world. By leveraging cryptographic techniques and biometric authentication, passkeys offer a more robust and user-friendly alternative to traditional passwords, addressing many vulnerabilities that have long plagued our online accounts.
In this blog, we'll delve into how passkeys work, their benefits, and why they're an essential tool in our collective effort to build a more secure digital future for everyone.
Phishing, a Growing Scourge
Phishing is effective because it capitalizes on human psychology, exploiting natural biases and behaviors rather than targeting technological weaknesses. It is also popular because a successful phishing attempt can give malefactors a foothold on business networks, leading to data breaches and financial losses.
Despite ongoing efforts to raise awareness, these attacks successfully exploit human biases to bypass traditional password-based security systems. They lure people into giving out sensitive information like passwords or logins by masquerading as trusted entities, making passwords the weakest link in the cybersecurity chain. Let’s look at some stats:
- In the first quarter of 2025, more than 1 million unique phishing sites were detected globally, the largest number since late 2023.
- In 2024, the IC3 received a record number of complaints from people in the US, numbering 859,532 complaints with potential losses higher than $16.6 billion, a 33% increase from 2023.
- Thales’ Global Data Threat Report 2025 revealed that phishing has now surpassed ransomware as the second-most common attack vector, and specifically that AI-driven, socially engineered phishing is a growing threat.
These alarming statistics underscore the critical and escalating risk phishing poses on organizations today. Education has a role to play here, but adopting stronger, phishing-resistant authentication mechanisms like passkeys can be even more effective in preventing this scourge.
Passkeys Unpacked
Passkeys were designed to eliminate the weaknesses inherent in passwords. They provide faster, easier, and more secure sign-ins to websites and apps and are phishing-resistant.
They are based on the Fast Identity Online (FIDO) standard, with a cryptographic key pair (public and private keys) that authenticates users without putting sensitive data like passwords at risk of phishing schemes. In fact, they remove the need for passwords altogether.
Unlike passwords, which can be easily stolen or phished, passkeys never leave the user’s device and can’t be intercepted by bad actors. They are a giant leap toward passwordless authentication, boosting security across public and private sector entities.
Passkeys enhance multi-factor authentication (MFA), too. MFA needs users to provide two or more verification forms; passkeys streamline the process by integrating biometric data or a PIN with cryptographic authentication.
Types of Passkeys: Synced and Device-Bound
There are two kinds of passkeys: synced passkeys and device-bound passkeys. While both provide phishing resistance, they work differently in terms of security and user experience.
1. Synced Passkeys: These are stored in the cloud and can be synchronized across multiple devices. Tech giants like Apple, Google, and Microsoft use synced passkeys to improve the user experience. These can be easily transferred between devices so users can log in with a PIN or a biometric (fingerprint or facial recognition). They are convenient for personal use, enabling users to access accounts from different devices without friction.
2. Device-Bound Passkeys: These are tied to a specific device and never leave it. This makes them more secure than synced passkeys, as the private key remains guarded against external threats like cloud attacks. These sometimes come in the form of hardware security keys, such as USB tokens or smart cards, that require physical possession of the device to authenticate. Device-bound passkeys are particularly useful for businesses with high-security requirements, as they provide an extra layer of protection against phishing and man-in-the-middle attacks.
Which Passkey Is Right for Your Business?
Synced passkeys are convenient for personal accounts and everyday use, and device-bound passkeys are the gold standard for businesses prioritizing security. For instance, banks processing financial transactions or insurance firms managing confidential policyholder information should opt for device-bound passkeys to prevent phishing, man-in-the-middle attacks, and other types of identity theft.
Investment companies and payment processors, who are often subject to strict compliance requirements like PCI DSS also benefit from the additional security device-bound passkeys provide.
When convenience is the priority, synced passkeys are ideal for internal apps or services that don’t handle critical information. This could be a bank enabling synced passkeys for employee access to non-sensitive systems – such as scheduling platforms or internal team communication tools – while reserving device-bound passkeys for customer banking portals and any application processing sensitive financial data.
The Push for Stronger Authentication
As phishing attacks become more sophisticated, governments and regulators advocate for more robust security measures. In the European Union, the General Data Protection Regulation (GDPR) mandates businesses implement security measures, which MFA and passkeys address comprehensively.
Similarly, Executive Order 14028 has directed the use of phishing-resistant MFA in the United States, explicitly calling for FIDO-based solutions.
This regulatory push has seen the demand for passkeys soar, particularly in heavily regulated industries that handle confidential data, such as finance, healthcare, and the public sector.
What migration could look like for you
Migrating to FIDO2 passkeys can follow several common paths, depending on your business size, existing infrastructure, and user base:
- Phased Rollout: Start with pilot groups or less critical applications to gather user feedback and iron out issues before expanding passkey use enterprise wide.
- Parallel Approach: Run passkeys alongside existing authentication methods, giving users and IT teams time to adapt without disruption.
- Full Migration: In some cases, organizations with modern infrastructures can enable passkeys as the primary method, retiring legacy MFA or password systems.
Organizations across regulated industries have demonstrated how thoughtful, phased migration can deliver measurable security and operational benefits. For example, Aflac’s early passkey rollout enrolled over 500,000 customers and achieved a 32% reduction in password recovery requests and support calls. Read more real-world migration success stories here.
By planning your migration carefully and considering your users’ devices, workflows, and security policies, your business can transition smoothly to phishing-resistant passkeys and future-proof your authentication strategy.
Securing Our World
In the fight to "Secure Our World," passkeys offer a powerful defense against one of today’s most pervasive cybersecurity threats: phishing. By replacing vulnerable passwords with phishing-resistant authentication, passkeys are the future of digital security.
To learn more about how passkeys can protect your business and strengthen your security posture, visit our website.
Want to dive deeper? Check out this Thales Security Sessions Podcast episode where I joined Andrew Shikiar of the FIDO Alliance to discuss “The Stealthy Success of Passkeys”.