How Passkeys Meet Common Compliance Standards

Grace Lu
August 2, 2023

As organizations face increasingly advanced cyber threats and stringent regulatory requirements, adapting to evolving authentication and identity management standards is critical. The wheels are already in motion for the next wave of stronger authentication to be passkeys, but there is still confusion on how passkeys address compliance and data protection regulations. This post summarizes how passkeys address authentication-related compliance topics, such as multi-factor authentication, data minimization, storage limitation, authentication event logging, and even high assurance compliance programs such as SCA.

Multi-factor authentication

Passkeys can meet Authenticator Assurance Level 2 (AAL2) as defined in NIST SP 800-63B (part of the SP 800-63-3 suite), the level auditors commonly expect under programs such as ISO 27001, PCI DSS, HIPAA and SOC 2. Multi-factor authentication must combine two or more of: knowledge (something you know), possession (something you have) and inherence (something you are). A passkey supplies possession (the device holding the private key) plus a second factor verified locally on that device: a biometric, or a device PIN or pattern where no biometric is available. That second factor never leaves the device, so there is no server-side shared secret to be phished, reused across sites, or taken in a database breach, which is what makes the traditional knowledge factor the most commonly compromised one.

Data minimization & storage limitation

Passkeys shrink the amount of personal data you hold, which data protection laws such as GDPR require you to minimize. A relying party stores the credential's public key, credential ID and signature counter, none of which is secret or personal, plus a single user identifier. There is no password hash to protect, and nothing on the server that an attacker could use to impersonate the user.

The only data you need to store with Passage as a passkey provider is a user identifier - which can be a username, e-mail, or phone number. Passage also offers an option with Passkey Flex to configure the sign-in so that even the e-mail remains on your servers, instead of being stored within Passage. Customers can easily delete users from the Passage console or through the API, and set policies to delete users after a period of inactivity.

Authentication event logging

Authentication event logs are the key inputs to diagnosing and correcting errors in identity systems, and are often the basis of forensic analysis, security analysis, and criminal prosecution. For that reason most major compliance programs, including NIST, ISO, HIPAA and PCI, impose audit and control requirements on them.

WebAuthn itself specifies only the challenge-response ceremony and says nothing about logging, so audit trails have to come from the relying party or its identity provider. As a full-service identity provider, Passage records authentication events out of the box and exposes them so they can be pulled into your audit logging system to meet audit and control requirements.

Passkeys in high assurance compliance programs

High assurance compliance programs such as strong customer authentication (SCA) under PSD2 in the EU have additional requirements that traditional password schemes have not been able to satisfy. Passkeys address both of the following:

Separate software execution environments

The PSD2 regulatory technical standards on SCA (Article 9, independence of the elements) require that the authentication factors be independent, so that compromising one does not compromise the others, and that factors used on a multi-purpose device such as a phone run in separate secure execution environments. Traditional password and 2FA schemes struggle to meet this, since both factors are shared secrets that are ultimately transmitted to and checked in the same server-side environment.

With passkeys, the private key lives on the user's device, typically inside a secure element or trusted execution environment, and the biometric or PIN that unlocks it is verified locally by the platform's own authentication subsystem. Neither the private key nor the biometric template is ever sent to the service; the server only ever sees a signature it can check against the stored public key.

Dynamic Linking

SCA also requires payment providers to generate a unique authentication code for each transaction, to bind that code to the specific payment amount and payee so that any change to either requires a completely new code, and to show the amount and payee to the payer at the moment of authentication. The regulation calls this "dynamic linking."

The private key in a passkey never leaves the user's device and is used to sign the challenge for each authentication. For a payment, the relying party derives that challenge from the transaction details, including the amount and the payee, so the signature covers exactly the transaction the user was shown. When Passage returns the signed assertion to your backend, the backend recomputes the expected challenge from the transaction it is about to execute and verifies the signature with the stored public key. Any change to the amount or payee yields a different challenge, so the earlier signature no longer verifies and the authentication code is effectively invalidated.

Passkey compliance summary

Passkeys have been embraced by the consumer identity community because they solve problems that traditional password and MFA schemes could not. By combining possession with a locally verified second factor, minimizing the data a service has to hold, and fitting cleanly into event logging, passkeys offer a compelling way to meet regulatory requirements while strengthening an organization's security posture. As cyber threats continue to evolve, more companies will adopt passkeys as part of their comprehensive security strategy.

As interest in this new authentication method grows, many organizations will find that implementing passkey support is harder than it looks. Technical challenges include handling account recovery across different ecosystems, detecting devices without biometric capability and presenting appropriate fallbacks, and cross-platform interoperability of passkeys. That's why Passage offers a comprehensive passwordless authentication service that handles all of the complexity of supporting passkeys. If you'd like to learn how we can help your organization meet compliance requirements, give us a shout.