In the 21st-century financial services sector, security is paramount, and threats abound.
As sophisticated cyber threats, from deepfakes to cloud vulnerabilities, spread from every corner of the globe, experts debate the best form of authentication.
Adam Lowe, Ph.D., chief product and innovation officer at CompoSecure/Arculus, told PYMNTS that the nuances of different authentication methods, particularly synced and hardware-bound passkeys, can have implications for financial institutions relying upon them to safeguard sensitive user data and transactions.
A “synced passkey” provides users the convenience of storing their login credentials in the cloud and accessing them across multiple devices, such as those tied to iCloud or Google accounts, said Lowe, who holds a doctorate from Cornell where he studied nanotechnology.
This setup is especially useful for individuals with multiple devices — phones, laptops and tablets — who need seamless access to their accounts, he said. In theory, even if someone loses their devices, they can quickly recover their login keys simply by syncing with the cloud.
However, convenience can come with its own set of risks.
“While it’s convenient, it means your login [credentials] are synced in the cloud and, therefore, can be ripped out of the cloud,” Lowe said.
As digital banking continues to grow in scope and importance, these risks have reinvigorated the debate over which authentication method best balances security and usability within sensitive financial environments — cloud-based or hardware passkeys.
Hardware-bound passkeys — authentication methods that require a physical device — potentially stand out as a more secure alternative in today’s financial services environment. Unlike cloud-based passkeys, these keys are embedded in physical objects, such as a smart card or a security token like a USB form factor.
Solutions like those offered by Arculus, which use physical, hardware-bound passkeys, can help mitigate risks by storing the authentication key on the physical card itself, which users carry in their pocket, Lowe said.
“For banking applications where it is paramount that you can prove your identity and can do so in an easy way, hardware-bound passkeys are extremely important,” he said, adding that over the years, various breaches have proven how easily cloud-stored information can be compromised.
To use a hardware passkey, an attacker must physically possess the token. This makes remote attacks virtually impossible, unlike cloud-based passkeys, which could be compromised if a user’s device is hacked.
The concept is straightforward. When a user needs to authenticate, they tap the card to their mobile device, and their identity is confirmed without relying on potentially vulnerable cloud-based storage systems. This physical method is less susceptible to remote attacks because the key never leaves the card or device it is stored in, so an attacker cannot retrieve it by hacking into a cloud server.
In the banking world, the advantages are clear. For high-value or sensitive transactions, like moving large sums of money or altering personal account details, hardware passkeys provide a layer of security. These “step-up” authentication measures act as an additional safeguard, ensuring that the person conducting the transaction is, indeed, authorized to do so, Lowe said.
As encryption standards continue to evolve, financial services providers must stay ahead of the curve, Lowe said. Strong encryption ensures that even if a passkey is intercepted, it cannot be easily decrypted or misused.
In an era of deepfake technology, where artificial intelligence can convincingly mimic a person’s voice and appearance, passkeys are becoming even more critical. Deepfakes pose a threat to identity verification systems, particularly in financial services where unauthorized access could have devastating consequences, he said.
Despite the security advantages of hardware-bound passkeys, their adoption is not without challenges. One of the biggest obstacles, particularly for large financial institutions, is scalability. Historically, hardware passkeys have mostly been used in enterprise environments, such as corporate or government systems. USB tokens, for instance, are popular in these spaces but may not be feasible or user-friendly for widespread consumer use, he said.
Also important is developing a multi-faceted approach that allows for the use of both cloud-based and hardware passkeys, with each playing a role based on the level of security needed, Lowe said.
For example, a user could log in to their bank account for basic functions like checking balances with a cloud-based passkey. However, for more critical operations — such as transferring large amounts of money or updating personal information — a hardware-bound passkey would be required to provide an extra layer of verification.
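The tiered policy described above, and the step-up check for sensitive transactions mentioned earlier, can be expressed as a small relying-party rule. The following Python is an added illustration written for this article; it is not code from PYMNTS, CompoSecure or Arculus. It uses the real WebAuthn authenticatorData layout (rpIdHash, flags byte, signature counter) and the flag bits defined in the WebAuthn specification, where the backup-eligible (BE) bit is how a server can tell a synced passkey from a device-bound one. The relying-party ID `bank.example`, the operation names and the risk tiers are assumptions chosen for the example, and the sample authenticator data is constructed in the block rather than captured from a real authenticator.

```python
import hashlib
from dataclasses import dataclass

# authenticatorData flag bits as defined by the WebAuthn specification
# ("Authenticator Data"). BE and BS are the bits a relying party reads to
# distinguish a synced (cloud-backed) passkey from a device-bound one.
FLAG_UP = 0x01  # user present (the tap or touch)
FLAG_UV = 0x04  # user verified (PIN or biometric on the authenticator)
FLAG_BE = 0x08  # backup eligible: the credential may be synced to a cloud account
FLAG_BS = 0x10  # backup state: the credential is currently backed up

RP_ID = "bank.example"  # assumed relying-party ID for this example

# Assumed operation tiers: routine reads vs. operations that need step-up.
LOW_RISK = {"check_balance", "view_statement"}
HIGH_RISK = {"transfer_large", "update_personal_details"}


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return AuthData(raw[:32], raw[32], int.from_bytes(raw[33:37], "big"))


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a sample authenticatorData prefix (test input, not from a real authenticator)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def authorize(operation: str, raw_auth_data: bytes, stored_sign_count: int = 0):
    """Return (allowed, reason) for an assertion whose signature was already verified.

    Challenge, origin and signature checks are assumed to have happened upstream;
    this function only layers the risk-tier policy on top of the authenticator flags.
    """
    ad = parse_auth_data(raw_auth_data)
    if ad.rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad.flags & FLAG_UP:
        return False, "user presence not asserted"
    # Clone detection per WebAuthn: a non-zero signature counter must strictly increase.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned credential)"
    if operation in LOW_RISK:
        return True, "low-risk operation: any passkey accepted"
    if operation in HIGH_RISK:
        if ad.backup_eligible:
            return False, "step-up required: synced passkey not accepted for this operation"
        if not ad.flags & FLAG_UV:
            return False, "step-up required: user verification missing"
        return True, "device-bound, user-verified passkey accepted"
    return False, f"unknown operation {operation!r}"


if __name__ == "__main__":
    synced = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    card = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 7)
    print("synced, check_balance :", authorize("check_balance", synced))
    print("synced, transfer_large:", authorize("transfer_large", synced))
    print("card,   transfer_large:", authorize("transfer_large", card, stored_sign_count=6))
```

Two caveats a practitioner should keep in mind. The BE flag is asserted by the authenticator itself, so this policy only distinguishes synced from device-bound credentials as reliably as the platform reporting them; a bank that needs to know a credential really lives on a specific card or token has to check attestation at registration time, not just flags at login. And the signature-counter check is most useful for hardware tokens, since synced passkeys commonly report a counter of zero, which the code above deliberately skips rather than treats as a clone.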
Looking ahead, Lowe said password-based authentication systems, which have long been a weak link in cybersecurity, will continue declining. Knowledge-based systems, such as passwords and security questions, are being phased out in favor of more secure options like passkeys and biometric verification.
For financial services companies, the shift represents an opportunity to enhance security and improve the user experience. Many platforms, from major banks to smaller FinTechs, offer the option to go passwordless, using passkeys and biometric authentication instead.
As hardware-bound passkeys become more prevalent, particularly in high-security environments, they will play an increasingly important role in fortifying the authentication landscape, Lowe said. As customers interact with their digital lives more and more on their phones, they now have the option to tap-to-authenticate, which provides a higher level of security than cloud-based passkeys.
Banks and FinTechs can combine a premium metal payment card and digital passkeys with hardware solutions to offer a seamless customer experience.
“That’s why we think hardware-bound passkeys are extremely important,” Lowe said. “So, in the same way a physical lock that you trust for your home, the keys are in your pocket. We think the keys for your digital life should be in your pocket as well in the payment cards that you carry around every day. Not in your device where it can be stolen. Not in your device where it can be extracted.”