Passkeys in regulated industries: IAM compliance without passwords


Regulated industries such as banking, healthcare, and public administration face stringent identity and access management (IAM) requirements driven by regulations including PSD2, HIPAA, NIS2, and DORA. These regulations demand strong customer authentication, secure credential handling, and robust access controls to safeguard sensitive data and ensure operational resilience. Traditional password-based IAM systems are increasingly inadequate for these demands: passwords are vulnerable to phishing and credential theft, and the controls bolted on to compensate (rotation, complexity rules, one-time codes) add friction for users.

Passkeys, rooted in the FIDO2/WebAuthn standards defined by the FIDO Alliance, offer a passwordless, phishing-resistant authentication method that aligns with regulatory mandates. Leveraging Secfense’s identity and access management software and services enables regulated organizations to adopt passkeys securely and compliantly, often without intrusive changes to their existing infrastructure, as detailed in Secfense’s technical whitepapers on hybrid passwordless authentication and the integrated authentication system.

Regulatory Compliance Challenges and Passkeys

PSD2 and DORA in Banking

The Payment Services Directive 2 (PSD2) mandates Strong Customer Authentication (SCA), requiring at least two independent factors (knowledge, possession, inherence) to authenticate payment transactions and account access. PSD2 emphasizes secure credential confidentiality, integrity, and fraud resistance. The Digital Operational Resilience Act (DORA) complements PSD2 by imposing rigorous operational requirements on financial entities, including strict IAM and multi-factor authentication controls to guarantee cyber resilience (European Commission PSD2, European Commission DORA).

NIS2 Directive for Critical Infrastructure and Public Administration

The NIS2 Directive imposes cybersecurity duties on the essential and important entities in the sectors it lists, including energy, transport, banking, health, digital infrastructure, and public administration. It calls for zero-trust principles, continuous risk assessment, and access-control policies (including multi-factor authentication) that protect the confidentiality, integrity, and availability of network and information systems (European Digital Strategy – NIS2).

HIPAA in Healthcare

HIPAA requires entities to apply strong access controls, audit mechanisms, and technical safeguards to protect electronic Protected Health Information (ePHI). This includes ensuring that only authorized users gain electronic access to health data (HIPAA Security Rule).


How Passkeys Meet These Regulatory Requirements

Strong Phishing-Resistant Authentication

Passkeys use asymmetric cryptography: the relying party stores only a public key, and the private key is never disclosed to the server. To log in, the authenticator signs a random challenge issued by the server together with data the browser fills in itself, namely the page origin and a hash of the relying-party identifier. A signature captured on a look-alike domain therefore carries the wrong origin, and a signature captured earlier carries a stale challenge, so both fail verification. Phishing resistance comes from this origin binding, not from the key pair alone, so the relying party must check the origin, the RP ID hash, and the challenge on every assertion. This satisfies the strong-authentication element of PSD2's SCA and HIPAA's integrity requirements, and removes the shared secret that password schemes depend on (FIDO Alliance – FIDO2). One caveat for regulated deployments: synced passkeys are copied between a user's devices through the platform's credential manager, whereas device-bound passkeys (for example on a hardware security key) never leave the authenticator; which kind a policy permits should be an explicit decision.

Multifactor Authentication Built-In

A passkey combines something the user has (the authenticator holding the private key) with a local user-verification step, a biometric or device PIN, that unlocks it. Two independent factors are thus proven in a single ceremony, matching the multi-factor mandates in PSD2, DORA, NIS2, and HIPAA (FIDO Alliance). The second factor is only present, however, if the relying party requests user verification and checks the user-verified (UV) flag in the authenticator data it receives; an assertion that proves presence alone is a single possession factor.

Secure Credential Lifecycle and Auditability

Secfense’s IAM solutions integrate hardware-backed security modules—such as Trusted Platform Modules (TPMs), Secure Enclave, or hardware tokens (e.g., YubiKey)—for secure credential generation, storage, and revocation. These processes enable detailed audit trails required for compliance and enhance credential integrity (Secfense Hybrid Passwordless Authentication Whitepaper).

Seamless and Compliant Integration with Secfense

By sitting in the request path in front of applications rather than inside them, and integrating with existing identity providers through protocols like SAML and OpenID Connect, Secfense enables gradual, non-intrusive adoption of passkeys in hybrid IAM architectures. This preserves legacy authentication methods during transition periods while meeting ongoing compliance and operational requirements (Secfense Integrated Authentication System Whitepaper).


Sector-Specific Compliance Benefits

  • Banking: Passkeys satisfy PSD2 and DORA by securely combining possession and inherence factors, enabling strong, user-friendly, phishing-resistant authentication that reduces fraud and helps financial institutions meet stringent regulatory standards (European Commission PSD2, Secfense BNP Paribas Case Study).
  • Healthcare: Passkeys support HIPAA’s requirement for strong access controls and technical safeguards by ensuring granular, cryptographically verifiable access to ePHI, combined with comprehensive auditing capabilities (HIPAA Security Rule, Secfense Integrated IAM).
  • Public Sector and Critical Infrastructure: Passkeys facilitate compliance with NIS2’s zero-trust and continuous monitoring mandates by providing tamper-resistant authentication methods that strengthen security postures and reduce risk of breaches (EU NIS2 Directive, Secfense Hybrid Passwordless Authentication).

The Path Forward: Embrace Passwordless IAM

Passkeys, standardized by the FIDO Alliance and implemented using Secfense’s enterprise-grade IAM software and services, offer a secure, scalable, and compliant alternative to passwords in regulated industries. By eliminating password vulnerabilities and integrating strong multifactor authentication seamlessly, they empower banking, healthcare, and public administration organizations to meet and exceed regulatory requirements like PSD2, DORA, NIS2, and HIPAA.

Secfense’s codeless, agentless, and standards-based approach enables quick deployment and operational continuity without requiring application rewrites or infrastructure disruption, making passwordless IAM a practical reality for compliance-driven enterprises today.

The Path Forward with Secfense

Identity and access management is strongest when it combines security, compliance, and usability. Passkeys deliver phishing-resistant, regulation-ready authentication, but introducing them into complex, regulated environments requires more than technology. It requires a way to integrate without rewriting applications, disrupting critical systems, or delaying compliance initiatives.

That’s where Secfense comes in. Our User Access Security Broker (UASB) enables passkeys, MFA, and other strong authentication methods across any application, legacy or modern, without code changes, agents, or downtime. By acting in front of applications rather than inside them, Secfense helps regulated organizations:

  • Meet compliance mandates (PSD2, HIPAA, NIS2, DORA) with strong customer authentication, full audit trails, and lifecycle documentation.
  • Modernize IAM securely by layering passwordless flows on top of existing identity providers and applications.
  • Reduce risk and operational costs by eliminating passwords, simplifying user experience, and minimizing helpdesk overhead.
  • Scale quickly with phased, opt-in rollouts and hybrid deployments tailored to your environment.

👉 Schedule a call with Secfense to see how your organization can deploy passkeys securely, meet regulatory requirements, and accelerate your journey to passwordless IAM.
