Passkeys for Banking in the US

Passkeys for the US Banking System

Passkeys for Banking: A Comprehensive Guide for U.S. Bankers

There’s a notable shift toward adopting Multi-Factor Authentication (MFA) driven by regulatory guidelines in the U.S. banking cybersecurity domain. The Federal Trade Commission (FTC) has updated the Gramm-Leach Bliley Safeguard’s Rule, making it mandatory for financial institutions to implement MFA for both their internal and external users. Simultaneously, the New York Department of Financial Services (NYDFS) has been enforcing MFA since 2017 and is now proposing further amendments to its Cybersecurity Rule to expand MFA requirements. The Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance highlighting potential vulnerabilities in some MFA methods, advocating for phishing-resistant standards. Given this regulatory environment, U.S. banks are presented with a clear choice: integrate advanced MFA solutions, such as passkeys (developed by the FIDO Alliance), to ensure compliance and maintain a competitive edge, or potentially face challenges.

Passkeys are developed by the FIDO Alliance and backed by industry giants

Understanding Passkeys

Passkeys, as endorsed by the FIDO (Fast IDentity Online) Alliance, represent a shift from traditional password-based to passwordless authentication. Instead of relying solely on something you know (like a password), FIDO’s approach emphasizes the use of local authentication, where user verification happens on the device itself. This can be achieved through something you have (a physical security key or a registered device) or something you are (biometric data like fingerprints or facial recognition). The key advantage of passkeys is that they are resistant to phishing and replay attacks, as the authentication credentials are never exposed or stored centrally.

The Role of the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance is not just any industry consortium; it’s a powerful collective of some of the world’s leading brands, including a significant banking and financial sector representation. This alliance is a testament to the global push towards more secure and user-friendly authentication methods. Among its members are top-tier U.S. banking and financial institutions such as Bank of America, JPMorgan Chase, Wells Fargo, and American Express. These institutions, recognizing the vulnerabilities and inefficiencies of password-based systems, have joined forces with tech giants and other industry players under the FIDO Alliance to drive the standardization and adoption of more robust authentication protocols. Their collaborative efforts have culminated in the development of the FIDO authentication standard, which has further evolved into passkey authentication. For a deeper dive into the world of Passkeys, we recommend visiting this article titled Passkeys: Quick & Easy Guide to Passwordless Authentication.

Passkeys can help US banks become regulations compliant and competitive

Why Secure and User-Friendly Authentication Matters

For banking customers, security and ease of use are paramount. In the fiercely competitive banking landscape, where differentiation is challenging, offering enhanced features becomes a game-changer. Banks can carve out a unique position by providing easy-to-use and phishing-proof authentication, offering a value proposition beyond traditional banking services. A consistent user experience across all communication channels enhances the overall user experience and bolsters online security. When customers can seamlessly and securely access their accounts through a mobile app, web portal, or even an in-branch kiosk, their trust in the bank solidifies. Moreover, this approach not only elevates the customer experience but also ensures that banks are in compliance with industry regulations, striking a balance between innovation and adherence to standards.

Passkeys across all client-facing platforms boosts trust and security

FIDO: The Unparalleled Gold Standard of Online Authentication

FIDO doesn’t just stand out among the vast landscape of authentication standards—it towers above the rest. It’s not merely another method in the ever-evolving world of cybersecurity; it’s the culmination of extensive research, investment, and collaboration by hundreds of global organizations. These aren’t just any organizations; they are titans in their respective industries, from tech behemoths to leading financial institutions, all of whom have poured significant time, money, and resources into the development of the FIDO standard. Their collective backing sends a clear message: FIDO isn’t a fleeting trend or a temporary solution. It’s the future of online authentication. The fact that it’s phishing-proof underscores its robustness. With FIDO, even if malicious actors manage to intercept user credentials, the intricate, multi-layered security of passkeys ensures they’re left with unusable data. In the vast sea of online security measures, nothing on the horizon comes close to the promise and potential of FIDO. It’s not just the next step in authentication; it’s the definitive one.

Challenges in Implementing New Authentication Technologies

Large, diverse organizations like banks often grapple with the challenge of integrating new technologies. Different user-facing applications, built on varied technological platforms, necessitate distinct coding stacks for upgrades. This complexity can delay the rollout of new authentication methods, leaving security gaps. Historical examples abound of failed technology projects due to overcomplexity. For instance, in the early 2000s, many organizations attempted to overhaul their entire IT infrastructure in one go, leading to projects that ran over budget, missed deadlines, and ultimately were abandoned. Another example can be seen in the healthcare sector, where attempts to integrate disparate patient record systems without a unified approach led to data mismatches and compromised patient care. In the banking sector, there have been instances where attempts to merge legacy systems with modern platforms resulted in significant downtime, affecting customer transactions and trust. Therefore, the ability to introduce new authentication technology without altering the existing technology stack is not just a convenience—it’s crucial. It ensures that introducing new security measures is seamless and efficient and doesn’t disrupt the ongoing operations or compromise the existing infrastructure.

Passkeys - Quick & Easy Guide to Passwordless Authentication
Click the image to go to Passkeys – Quick & Easy Guide to Passwordless Authentication.

Revolutionizing MFA Implementation: The BNP Paribas Success Story

Secfense offers a unique approach to this challenge, emphasizing a “no-code” methodology. This approach is especially beneficial for large institutions with many applications running on diverse platforms. The significance of a no-code implementation becomes evident when we delve into real-world case studies. BNP Paribas, a global banking leader, provides a compelling example. By adopting Secfense’s User Access Security Broker, BNP Paribas achieved remarkable results:

  • They expanded MFA to 43% more applications than initially planned.
  • A staggering 82% reduced the engagement of IT specialists.
  • The bank realized savings of $778,000 compared to the traditional MFA implementation approach.
  • They could leverage all the MFA methods they already used, ensuring 100% utilization.
  • Software developer engagement was entirely eliminated and reduced by 100%.
  • The overall cost of implementation was slashed by 87%.

With Secfense, U.S. banks can now seamlessly introduce FIDO & passkeys across all channels and customer access points. This ensures a phishing-proof security framework for end customers, an enhanced user experience due to the usability of passkeys, and a smooth transition for customers adapting to these new authentication methods.

Passkeys with Secfense can be deployed within 7 days across the entire organization

Experience the Future of Banking Security: Dive into Our Proof of Value Offering

To truly appreciate the transformative power of this approach, we invite institutions to experience a Proof of Value (POV). This hands-on experience provides comprehensive multi-factor authentication protection for one of your applications, equips users with a chosen MFA method, introduces microauthentications for added security, and offers full-site protection akin to VPN functionalities. All we ask in return is the dedication of one specialist for a mere 10 hours over a week and honest feedback post-POV. Dive into this opportunity and ensure your bank remains compliant, secure, and always customer-centric.

Antoni takes care of all the marketing content that comes from Secfense. Read More


We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk



We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director


Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera


Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT