Content Library

Passkeys vs. passwords: which one better prevents fraud?

As more organizations adopt passkey authentication, we assess the fraud risks attached to this method.

Passkeys header

We all hate when streaming services crack down on password sharing. But when it comes to finances, it’s a whole different matter. No bank, credit union, or fintech customer wants a fraudster to get ahold of their account credentials.

In 2023, 81% of businesses saw an increase in phishing attacks, a social engineering tactic that fraudsters use to steal sensitive information like log-in credentials. According to Alloy’s State of Fraud Benchmark Report, the largest portion of respondents (20%) said that increasingly sophisticated fraud attacks were the leading cause of fraud within their organization. In the same report, authorized push payment (APP) fraud — where the fraudster tricks a legitimate customer into sending them money — was the most common type of fraud for US and UK respondents combined. 

As AI makes it easier to commit sophisticated social engineering attacks, more organizations are adopting passkeys as a fraud prevention strategy. And while they can be an effective security measure, passkeys are still at risk for certain types of fraud and could impact customer experience in unintended ways. 

This blog post defines passkeys, explores their benefits, and examines the fraud risks that organizations should still consider when implementing passkey authentication.

To learn more about how organizations are fighting back against fraud, download Alloy’s Annual State of Fraud Benchmark Report.

What is a passkey? 

A passkey is a passwordless login method that aims to add extra security to digital banking accounts. To log in with a passkey, you might use a biometric sensor like a fingerprint or facial recognition or enter a personal identification number (PIN). This may sound similar to using biometrics to autofill a password or entering a PIN to unlock your phone. 

So what's the difference? The answer is cryptography.

How passkeys use cryptography

Unlike passwords, passkeys use cryptography to create keypairs similar to the ones used in blockchain technology. The financial institution (FI)’s website or application stores a “public” passkey, while a private key is stored on the customer's device or password manager. 

Passkeys are encrypted on both ends, so the customer can only access their account once their private key matches the site or application's public key. 

What isn’t a passkey?

It's important to note that the term "passkey" is sometimes used incorrectly to refer to other protection methods, like security keys. Security keys are hardware devices (similar to a USB) that are physically inserted into a device for added protection. While security keys may be able to store single-device passkeys, they themselves are not passkeys.

What are the benefits of passkeys?

While the cryptographic technology underlying passkeys is more complex than traditional passwords, if implemented correctly, passkeys can offer a simpler and more seamless login experience for end-users. For banks, credit unions, and fintechs, passkeys can help protect against common threats like data breaches and phishing attacks.

Image 17
An example of a passkey.

Image source: Corporate Insight

The convenience of a simple login process 

User authentication is performed at login to help ensure that the credentials being used to access an account are authentic. Passkeys streamline MFA processes like two-factor authentication (2FA), aiming to complete those steps with a single action. Once a passkey is set by the customer, they can use this single action to log in to their account moving forward. 

Passkeys allow organizations to offer secure authentication without requiring constant 2FA or MFA processes. In turn, they can significantly reduce customer friction. Here’s a look at how: 

  • Passkeys are mobile-friendly, meaning customers can use the same authenticator for their passkey as they use to unlock their device’s screen. This could look like biometrics, facial recognition, or even a PIN.
  • Depending on what passkey is chosen, customers may not need to type anything to log into their account (not even their username). Once their device has been verified, all a valid customer has to do to access their account is unlock their device and pull up their FI’s app.
  • A quarter of internet users forget their password at least once a day, according to some estimates. Passkeys can help customers avoid the pain of falsely triggering their FI’s fraud detection systems with excessive password resets. 

Preventing fraud is a matter of adding the right amount of user friction to the banking experience. Passkeys can reduce customer friction while simultaneously making it harder for fraudsters to commit account takeover (ATO) fraud

Data breach protection

Customers may prefer passkeys for their privacy features, including the extra protection they offer in the event of a data breach. While customers may be inclined to repeat passwords, passkeys are unique to each site or application. 

For example, imagine a customer has a high-yield savings account at a bank and a checking account at a credit union. Both platforms use passkeys, so the customer creates one for each account and stores them using a password manager. Even though the customer’s passkey for their bank account is different from the one for their credit union, the customer can use facial recognition to access both accounts. 

Now, let’s say that there is a data breach at the bank. Even if the hackers are able to obtain sensitive information about this particular customer, they still cannot access the account without the passkey. Also, they cannot use that sensitive data to manipulate their way into the credit union checking account. This is true for two reasons: 

  • Passkeys are not stored in organizations’ databases like passwords, so hackers cannot steal or guess a passkey with the same ease that they can steal or guess a password.
  • Even if the hackers can answer knowledge-based authentication (KBA) questions on the platform or for a customer service representative, a passkey is not as easy to reset as a password.

Even encrypted password managers are not immune to data breaches. In 2022, encrypted copies of password vaults and other PII were stolen from LastPass, a leading password manager. A year later, over $35 million was reportedly stolen from the company’s users, largely through cryptocurrency logins. 

While it is still possible for passkeys to be stolen and then reset — for example, by stealing someone’s device — passkeys widen the barrier to entry for hackers. As a result, passkeys offer greater protection against data breaches than passwords. 

Better safeguards against phishing attacks 

Imagine that a customer receives an email that looks exactly like the ones they have previously received from their bank. The email claims that someone with a new IP address tried to access the account and that, if the customer isn’t aware of this login, they should click the link in the email and report the attempted fraud. 

The customer is unlikely to notice that this is actually a clone phishing attack — a scenario where fraudsters send emails that appear to be from a trusted source. Once the customer clicks the link, ransomware is installed on their computer to steal sensitive data like the login credentials to a bank account. 

But what happens if that customer uses a passkey instead of a password? 

Even if the customer is fooled, their passkey still protects them. 

The hacker could find out what password manager they are using, but since passkeys are encrypted, they are often too difficult to hack. While biometric spoofing is possible, it’s incredibly complex and impractical for large-scale phishing attacks.  

Some fraudsters are sophisticated enough to use AI to replicate a boss or loved one’s voice (known as voice phishing or vishing) or create lookalike websites. In circumstances like these, passkeys still act as a barrier to account access. If the fraudster is not using the device tied to the passkey, they are unlikely to gain access despite their efforts to manipulate the customer. 

Less likelihood of credential-stuffing

Credential-stuffing typically occurs when fraudsters manage to steal a large amount of passwords. They then systematically try to use these credentials across a wide variety of sites and applications, hoping to gain access. 

The logic behind credential stuffing attacks is that customers will often reuse passwords on multiple accounts because that one password is easy to remember. (A quarter of global survey respondents admittedly reuse the same password across 11 to 20 accounts.) But when passkeys replace passwords, credential-stuffing attacks simply do not work. 

What fraud risks do passkeys still carry? 

Although passkeys are a positive step forward for fraud prevention strategists, no solution will ever be fully immune to fraudsters. It is important to remember that authentication is not the same as verification. Most passkeys are a form of user authentication, meaning they confirm whether the person logging in has the right credentials to access that account. 

However, most passkeys are not a form of identity verification. In other words, while passkeys can prove the validity of a user’s login credentials, they do not confirm whether the person attempting to access the account is who they claim to be. 

So, what does this mean? While passkeys might offer higher security than passwords, they can still be bypassed by savvy fraudsters. 

Passkeys are still susceptible to both identity theft and synthetic identity fraud

Passkeys do not necessarily prevent more sophisticated forms of fraud. For example, let’s say the person setting the passkey is a fraudster committing identity theft. If a bad actor steals someone’s personally identifiable information (PII) off the dark web, uses it to commit an account takeover, and then sets a passkey for the first time, the passkey is not going to protect the victim of identity theft. The bad actor could also open additional accounts with the legitimate customer’s stolen PII, and then create a passkey to prevent the legitimate customer from accessing them. 

What if the identity being used to open an account was never real in the first place? Just like the scenario above, if a fraudster is using a synthetic identity to originate an account, passkeys won’t stop them. In instances like these, passkeys could even make fraudsters look more legitimate. 

Think of it this way: If an organization’s know your customer (KYC) checks did not catch the synthetic identity during the onboarding process, and then a fraudster creates a passkey, appearing to be a “good customer” who only wants to protect their account, then why would a fraud team question this behavior? And what is the likelihood that they will catch the fraud before it’s too late? 

While passkeys do help organizations fight against social engineering attacks and other types of fraud like credential stuffing, it is important to remember that they are certainly not a catch-all for all types of fraud, nor can they prevent significant funds from being lost once a fraudster has established credibility with the institution. 

It is possible to turn KYC/KYB and AML regulations into a competitive advantage. Learn how Alloy can help you manage an end-to-end compliance program. 

There are instances when passkeys actually increase customer friction instead of decreasing it

Most discussions around passkeys center on decreasing customer friction, covered in the sections above. But, there are situations where passkeys could potentially increase customer friction and result in frustrating customer experiences: 

  • Without providing the proper education, customers might be hesitant to switch to passkeys because passwords feel more familiar. 
  • As a result, some customers could find the initial setup process for passkeys to be cumbersome and complicated. 
  • If a device is lost or stolen, resetting a passkey could either be very easy or incredibly difficult, depending on the platform. 

However, one of the most complex issues is getting customers to understand how passkeys interact with different vendors and operating systems.

Issues with cross-vendor support

Passkeys were created to be a technology-agnostic security solution. But today’s customers might not actually be able to use passkeys universally across every device because passkeys often create vendor locks. For example, if a customer creates their passkey on an iPhone, they will not be able to use the same passkey on their Microsoft laptop. These devices use different operating systems (iOS and Windows, respectively), which have their own encryption algorithms. 

Similarly, they wouldn’t be able to set up their passkey on an Android device and switch to an iOS device without connecting the devices through a multi-step process. This often involves scanning QR codes and confirming the login across both devices several times. (Typically, the iOS device prompts the customer to create an entirely new passkey anyway.) 

When the promise of passkeys is all about avoiding multi-step processes, there are bound to be disappointments. Customers who do not fully grasp passkey technology could struggle to understand why they are undergoing the same process again, as opposed to simply using a password to log in to their chosen devices. And even customers who are savvy with technology could get confused about where to store their passkey — password manager, browser, or device — when they are using more than one operating system. 

Always keep identity at the core with Alloy 

In terms of digital security, passkeys represent a solid step up from passwords. But while passkeys can make the customer login and authentication process more secure than passwords, they are not a complete solution against all types of fraud. Identity theft and synthetic identities remain high risks even with passkeys in place.

Much like passwords, whether or not passkeys keep fraud out can also depend on factors outside of the FI’s control, like the location of the passkey storage. Organizations must recognize that passkeys are just one component of a comprehensive fraud prevention strategy. Once FIs have a handle on authentication, then they can identify and address vulnerabilities in areas like identity and behavior.

Organizations are still in the process of adopting passkeys, and the switch from passwords to passkeys ultimately remains in flux. Fortunately, Alloy’s Identity Risk Solution offers the same benefits whether organizations use passkeys or passwords: 

  • Automatic step-up verifications, like the cross-verification of identity data across multiple third-party sources
  • Unified, evolving customer risk profiles that outline typical behaviors, devices, and channels
  • More efficient, effective detection of suspicious activity 

Alloy gives banks, credit unions, and fintechs holistic visibility into identity, empowering them to prevent fraud throughout the customer lifecycle without adding unnecessary user friction. 

Alloy is an omnichannel solution that integrates seamlessly with your platform to manage identity, fraud, credit, and compliance risks.

Related content