Passkeys and Regulatory Compliance: Aligning with PSD2, GDPR, HIPAA, and CCPA Standards


Passkeys, developed based on the FIDO Alliance’s FIDO2 and U2F standards, are cryptographic keys designed to replace traditional passwords, providing enhanced security without the vulnerabilities of password-based authentication. This article explores how passkeys align with major global regulations—GDPR, HIPAA, CCPA, and PSD2—and how they support organizations in achieving compliance with data protection and privacy requirements.


What Are Passkeys?

Passkeys are based on public key cryptography, using paired keys—one public and one private—to authenticate users without relying on passwords. This approach offers significant improvements over traditional multi-factor authentication (MFA) by removing the need for shared secrets, like passwords, that can be phished, stolen, or reused. Passkeys can fully replace or enhance existing MFA systems, providing stronger security without additional user steps. Since they are bound to a user’s device, passkeys are inherently phishing-resistant and protect against a range of common cyberattacks, making them a transformative solution for secure, compliant identity authentication.


Passkeys and PSD2 Compliance

1. Understanding PSD2

The Revised Payment Services Directive (PSD2) is an EU regulation that enhances electronic payment security and data protection. PSD2 mandates Strong Customer Authentication (SCA) for online transactions; SCA must combine independent authentication factors and apply dynamic linking to each transaction.

2. Key PSD2 Articles on Authentication

PSD2 mandates specific requirements for strong authentication:

  • Article 97: Requires Strong Customer Authentication (SCA) using at least two independent factors.
  • Dynamic Linking: Each transaction must be authenticated with a unique code that links to the transaction amount and recipient.

3. How Passkeys Address PSD2 Requirements

Passkeys align well with PSD2’s SCA and security requirements:

  • Multi-Factor Authentication: Passkeys meet SCA requirements through device-bound possession factors and local biometric or PIN authentication.
  • Dynamic Linking: Passkeys generate transaction-specific signatures, supporting PSD2’s dynamic linking.

Potential PSD2 Compliance Concerns for Passkeys and Their Solutions

Device Dependency

Passkeys tied to user devices may require re-enrollment if a device is lost or replaced. Organizations should implement secure recovery mechanisms for passkeys that themselves satisfy the Strong Customer Authentication (SCA) standards under PSD2. This is standard practice for passkey management, and it both minimizes risk and supports regulatory compliance.

Dynamic Linking Challenges

Dynamic linking, a core PSD2 requirement, poses significant challenges—not because of FIDO2 limitations but because of the capabilities of current authenticators. WebAuthn supports fields for embedding transaction-specific data, allowing a direct link between the authentication and the transaction. On the technical side this satisfies PSD2’s dynamic linking requirement, because the authentication is tied to one specific transaction.

However, the challenge lies in payer awareness—many authenticators currently lack the ability to display transaction context. Without this, users cannot see or confirm what they are authorizing, failing the second condition of dynamic linking. Addressing this gap requires the development of authenticators capable of presenting transaction details to users in a secure manner.

Secure Payment Confirmation (SPC)

SPC builds on mechanisms familiar from 3D Secure protocols while incorporating best practices for passkey usage. It enhances the security and compliance of dynamic linking by ensuring both the technical and user-awareness aspects are covered. Organizations implementing SPC can more easily meet PSD2 requirements for multi-domain payment scenarios.
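As an added example (not code from the original article or from Secfense), the following Go program shows the relying-party-side checks behind the two dynamic-linking conditions discussed above and the SPC payment data just described: the challenge is derived from the server’s own transaction record, the payment fields the authenticator displayed to the payer are compared against that record, and the ECDSA P-256 signature over authenticatorData || SHA-256(clientDataJSON) is verified. The transaction record, nonce, origins and authenticator data are constructed sample values; the Transaction, challengeFor, verify, signAssertion and demo names are hypothetical, and the clientDataJSON "payment" member is modelled after the SPC draft with only the fields the check needs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the relying party's (RP's) own record of what the payer is authorizing.
// Hypothetical type for this illustration; not WebAuthn library or Secfense code.
type Transaction struct {
	ID       string
	Amount   string // decimal string, e.g. "125.00"
	Currency string
	Payee    string // payee origin, e.g. "https://merchant.example"
}

// paymentInfo models the "payment" member SPC adds to clientDataJSON (subset of the draft's fields).
type paymentInfo struct {
	Total struct {
		Value    string `json:"value"`
		Currency string `json:"currency"`
	} `json:"total"`
	PayeeOrigin string `json:"payeeOrigin"`
}

// clientData is the subset of clientDataJSON the RP inspects.
type clientData struct {
	Type      string       `json:"type"`
	Challenge string       `json:"challenge"`
	Origin    string       `json:"origin"`
	Payment   *paymentInfo `json:"payment,omitempty"`
}

// challengeFor derives a per-transaction challenge from a random nonce and the transaction fields,
// so an assertion signed for one transaction cannot be replayed for a different amount or payee.
func challengeFor(t Transaction, nonce []byte) string {
	h := sha256.New()
	h.Write(nonce)
	h.Write([]byte(t.ID + "|" + t.Amount + "|" + t.Currency + "|" + t.Payee))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// signedMessage is what a WebAuthn authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// signAssertion simulates the authenticator side of the exchange.
func signAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
}

// verify performs the RP checks that make an assertion dynamically linked:
// expected origin, challenge recomputed from the stored transaction (first condition),
// SPC payment fields equal to the stored transaction (payer-awareness condition), then the signature.
func verify(pub *ecdsa.PublicKey, t Transaction, nonce []byte, origin string, authData, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch")
	}
	if cd.Challenge != challengeFor(t, nonce) {
		return errors.New("challenge not bound to this transaction")
	}
	if cd.Payment == nil {
		return errors.New("no payment data: payer-awareness condition unmet")
	}
	if cd.Payment.Total.Value != t.Amount || cd.Payment.Total.Currency != t.Currency || cd.Payment.PayeeOrigin != t.Payee {
		return errors.New("displayed transaction differs from authorized transaction")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// demo runs the exchange with constructed sample data and returns the outcome of three verifications:
// a genuine assertion, the same assertion replayed for another transaction, and an assertion whose
// displayed amount was altered after the payer saw it.
func demo() (genuine, replayed, tampered error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tx := Transaction{ID: "tx-001", Amount: "125.00", Currency: "EUR", Payee: "https://merchant.example"}
	nonce := []byte("constructed-nonce-0001")                // constructed; use crypto/rand in practice
	authData := []byte("constructed-authenticator-data") // real authenticatorData is a binary structure
	cd := clientData{Type: "payment.get", Challenge: challengeFor(tx, nonce), Origin: "https://bank.example", Payment: &paymentInfo{}}
	cd.Payment.Total.Value, cd.Payment.Total.Currency, cd.Payment.PayeeOrigin = tx.Amount, tx.Currency, tx.Payee
	cdJSON, _ := json.Marshal(cd)
	sig, _ := signAssertion(priv, authData, cdJSON)

	genuine = verify(&priv.PublicKey, tx, nonce, "https://bank.example", authData, cdJSON, sig)
	other := tx
	other.ID, other.Amount = "tx-002", "999.00"
	replayed = verify(&priv.PublicKey, other, nonce, "https://bank.example", authData, cdJSON, sig)
	altered := bytes.Replace(cdJSON, []byte(`"value":"125.00"`), []byte(`"value":"1250.00"`), 1)
	tampered = verify(&priv.PublicKey, tx, nonce, "https://bank.example", authData, altered, sig)
	return
}

func main() {
	genuine, replayed, tampered := demo()
	fmt.Println("genuine assertion:", genuine)
	fmt.Println("replayed for another transaction:", replayed)
	fmt.Println("displayed amount altered:", tampered)
}
```

The order of checks matters for diagnostics: a replayed assertion fails on the challenge before any signature work, and a mismatch between what the payer saw and what the bank recorded is reported as a payer-awareness failure rather than a generic signature error, which is the distinction the second dynamic-linking condition is about.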

Continuous Testing

While PSD2 emphasizes the importance of secure authentication, focusing on regular monitoring and testing of systems is a general best practice rather than a direct regulatory challenge. Addressing dynamic linking and payer awareness more directly aligns with PSD2’s core requirements and provides a stronger foundation for compliance.


Passkeys and GDPR Compliance

1. Understanding GDPR

The General Data Protection Regulation (GDPR) is a comprehensive EU regulation focused on protecting the personal data and privacy of EU citizens. GDPR applies to any organization that processes personal data of EU residents, regardless of the organization’s location. GDPR mandates stringent standards for data handling, privacy, and security, and non-compliance can result in significant fines. This law is especially relevant for organizations that handle user authentication, as it demands secure and transparent processes to protect personal data.

2. Key GDPR Articles on Strong Authentication

GDPR includes specific articles that emphasize the need for strong security measures and robust access control:

  • Article 32: Requires data controllers and processors to implement “appropriate technical and organizational measures” to secure personal data, highlighting the “pseudonymization and encryption of personal data” and the need for processes “to regularly test, assess, and evaluate the effectiveness of security measures.”
  • Recital 51: Mentions the importance of “appropriate safeguards” in ensuring data protection, supporting the use of secure authentication methods to protect personal data from unauthorized access.

3. How Passkeys Address GDPR Requirements

Passkeys address these GDPR standards in several key ways:

  • Encryption and Phishing Resistance: Passkeys use public key cryptography, which aligns with GDPR’s emphasis on encryption in Article 32. This technology prevents phishing attacks and data breaches associated with passwords.
  • Data Minimization: By eliminating the need for password storage, passkeys reduce the amount of sensitive data organizations need to store and manage, meeting GDPR’s data minimization requirement.
  • Regular Testing and Evaluation: Organizations can conduct regular testing of passkey implementations to ensure ongoing security and compliance, supporting GDPR’s requirements for continual security assessment.

4. Potential GDPR Compliance Concerns for Passkeys and Their Solutions

Device Dependency

Passkeys are device-bound, which may necessitate re-enrollment if a user loses or replaces their device. This process may involve limited personal data processing, which must comply with GDPR principles such as data minimization and purpose limitation. Organizations should implement secure re-enrollment procedures to address this concern. Leveraging FIDO2-compliant multi-device passkeys reduces the need for additional personal data processing, as these passkeys support secure transfer between devices while minimizing compliance risks.

Biometric Data

Some passkeys utilize biometrics, such as facial recognition or fingerprints, for local device unlocking. Biometric data, as a special category under GDPR, must remain confined to the local device and never be transmitted externally. This aligns with FIDO2 and WebAuthn principles, where secrets used to unlock private keys stay within the authenticator and are not accessible outside the device. Transparency is essential—organizations must provide clear information to users about the purpose of biometrics in authentication and confirm that no sensitive biometric information leaves their device.

Data Portability

GDPR grants users the right to data portability, which can present challenges if passkeys are used on platforms lacking FIDO2 support. Adopting FIDO2 standards ensures cross-platform compatibility and addresses data portability requirements by allowing secure multi-device functionality without requiring data to leave the user’s control. This approach supports GDPR’s data portability mandates while maintaining a high level of security.


Passkeys and HIPAA Compliance

1. Understanding HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. regulation that sets standards for protecting electronic Protected Health Information (ePHI) within the healthcare industry. HIPAA applies to healthcare providers, insurers, and their business associates, requiring them to implement strict data privacy and security measures. Non-compliance can lead to significant penalties, making HIPAA compliance critical for healthcare organizations.

2. Key HIPAA Standards on Authentication

HIPAA includes several technical safeguards that emphasize secure authentication:

  • Security Rule: Requires “person or entity authentication” to ensure that anyone accessing ePHI is properly verified.
  • Technical Safeguards: Mandates access control and encryption to protect ePHI, ensuring the integrity and confidentiality of health information.

3. How Passkeys Address HIPAA Requirements

Passkeys meet HIPAA’s standards for data protection and access control in multiple ways:

  • Device-Bound Security: Passkeys stored on a device satisfy HIPAA’s requirements for secure possession-based authentication.
  • Phishing-Resistant Authentication: As passkeys eliminate phishing risks, they reduce unauthorized access risks to ePHI, enhancing overall security.
  • Encryption: Passkeys rely on public key cryptography, supporting HIPAA’s encryption mandate for secure data protection.

Potential HIPAA Compliance Concerns for Passkeys and Their Solutions

Device Portability

Passkeys are device-bound, meaning that if a device is lost or replaced, secure recovery or transfer processes are essential. To address this, organizations should deploy HIPAA-compliant mechanisms for passkey backup and recovery. These processes ensure the secure handling of passkeys without compromising the confidentiality of electronic Protected Health Information (ePHI).

Biometric Data Usage

Passkeys that incorporate biometric authentication, such as facial recognition or fingerprints, align with a fundamental principle: any secret used to unlock the private key remains confined to the authenticator itself. This design inherently complies with HIPAA’s privacy requirements for sensitive data. Transparency remains crucial—organizations must inform users clearly about the role of biometrics in authentication and ensure that no sensitive biometric information is transmitted externally.

Encryption Compliance

The private key associated with passkeys is stored within a secure, encrypted environment by default. This inherent characteristic fulfills HIPAA’s encryption requirements without additional complexity. As a result, the private key’s secure storage protects sensitive health information and ensures compliance with HIPAA encryption standards.


Passkeys and CCPA Compliance

1. Understanding CCPA

The California Consumer Privacy Act (CCPA) provides California residents with rights over their personal data, requiring businesses to implement appropriate security measures and honor data access, portability, and deletion rights. Non-compliance can lead to fines, so companies that collect or process data from California residents must adopt strong privacy and data protection practices.

2. Key CCPA Requirements on Authentication

While CCPA does not explicitly define authentication requirements, it mandates:

  • Reasonable Security Measures: Businesses must implement security measures appropriate for the personal data they process.
  • Consumer Rights: CCPA grants data access, portability, and deletion rights, impacting how authentication data is managed.

3. How Passkeys Address CCPA Requirements

Passkeys support CCPA compliance through:

  • Data Minimization: By removing password storage, passkeys align with CCPA’s goal of reducing data exposure and safeguarding privacy.
  • Enhanced Security: Passkeys use cryptographic security, which supports CCPA’s requirements for reasonable security measures.
  • Support for Portability and Access: FIDO2 standards support cross-platform compatibility, meeting CCPA’s right to data portability.

Potential CCPA Compliance Concerns for Passkeys and Their Solutions

Device Dependency

Losing a device may require secure re-enrollment of passkeys, which could pose challenges under CCPA. To address this, organizations should ensure robust passkey recovery and re-registration processes. Although these processes are a standard part of passkey management, having them in place reduces the risk of non-compliance with CCPA’s data protection requirements.

Data Portability Limitations

Passkeys, based on FIDO2 standards, inherently support multi-device functionality. Additionally, recent advancements such as the Credential Exchange Protocol (CXP) enable passkeys to be transferred between devices under certain conditions. Organizations should ensure they leverage these capabilities to maintain both data portability and strong security while adhering to CCPA’s requirements.

Security Documentation

CCPA requires businesses to implement and document reasonable security measures. For passkeys, this includes maintaining detailed records of the processes used to manage and secure them. Although this documentation is standard practice, keeping it comprehensive helps demonstrate compliance and fosters transparency in data protection practices.


Passkeys provide a powerful solution for organizations navigating complex regulatory requirements like PSD2, GDPR, HIPAA, and CCPA. By enhancing security, supporting transparency, and simplifying data portability, passkeys align with key compliance standards while reducing operational risks.

Take the next step in securing your organization’s future. Schedule a call with a Secfense expert to explore how passkeys can streamline your compliance efforts. For deeper insights, download our special report on achieving regulatory compliance with DORA and NIS2 standards.

Antoni takes care of all the marketing content that comes from Secfense.
