Why Passkeys and Device-Native Biometrics Fall Short of the Inherence Standard

11 July 2025

Starting in October 2026, banks and payment service providers (PSPs) will need to comply with the EU’s Payment Services Directive 3 (PSD3), which introduces updated Strong Customer Authentication (SCA) requirements. 
One of the most important parts of this regulation is the requirement for inherence - proving that the person logging in is truly who they say they are. 
Many technologies, including device-native biometrics (like FaceID and Android Fingerprint) and passkeys, claim to meet this requirement. 
But do they really?
The Basics of Strong Customer Authentication (SCA)
SCA is designed to make online payments more secure. To meet the SCA requirements, there must be two out of three factors for authentication:
  • Knowledge: Something the user knows, like a PIN or password.
  • Possession: Something the user possesses, like a phone or hardware token.
  • Inherence: Something inherent to the user, like a fingerprint or face scan.
The focus of this blog is on inherence, which means proving that the person logging in is the same person who enrolled in the system. Let’s look at how FaceID and passkeys work in relation to this requirement.
Device-Native Biometrics: The Technology Behind FaceID and Passkeys
Device-native, or ‘local’, biometrics are biometric systems in which the biometric data never leaves the device: it is captured, processed and stored there. This keeps the data private, as the user never shares it with anyone.
Two technologies that use local biometrics are FaceID and passkeys. While FaceID and passkeys share a similar goal of keeping biometric data private, they work in slightly different ways.
What is FaceID?
When you first set up FaceID on your phone, you enroll your face using a PIN or password. After that, whenever you need to log in, FaceID compares the face you are presenting to the one stored on your device to verify that it’s you. 
But here’s the issue: FaceID only verifies that it’s the same person who enrolled the FaceID, not necessarily the person who set up the bank account.
What is a Passkey?
With passkeys, when you first set up a bank account, you create a PIN or password, just like with FaceID. Then, you can create a passkey. Behind the scenes, the passkey generates a cryptographic key pair: the private key stays on your device, and the public key is registered with the bank’s server. Only your device can produce a valid response to the bank’s challenge, and no biometric data is shared, making it very private.
But here’s the issue: Just like FaceID, passkeys are tied to your device. If someone knows your PIN or password, they can bypass the biometric check (FaceID or passkey) and still access your account.
Why These Technologies Fall Short of Inherence
While both FaceID and passkeys provide convenient authentication methods, they don’t fully meet the inherence requirement for a couple of key reasons:
Password or PIN Dependency: Both technologies still rely on a PIN or password as the backup. If someone else knows your PIN or password, they can bypass FaceID or passkeys and log into your account, making these methods less secure than you might think.
Template Mismatch: When you use FaceID to log into your bank account, the FaceID enrollment template (the face stored when setting up FaceID) is compared with the face you show to the phone. 
But this face isn’t compared with the bank’s KYC template, the one that was used when you set up your bank account.
This creates a vulnerability where someone else’s face (even a family member’s) could unlock your bank app if their face is enrolled in FaceID.
A Real-World Example:
Imagine this:
  • You enroll your bank account by completing the KYC (Know Your Customer) check, where you show your ID and face to the bank. This is how the bank knows who you are when you first set up your account.
  • Later, you try to log in to your bank using FaceID or passkeys. However, FaceID doesn’t compare your face to the KYC face template the bank has on file. Instead, it compares your face to the FaceID template on your phone.
  • This means that if your FaceID template has been changed (perhaps your family member enrolled their face on your phone too), someone else’s face could potentially be used to log into your bank account.
The Alternative: Cloud-Based Biometrics
Unlike device-native biometrics, cloud-based biometrics compare your biometric data directly with the KYC data the bank has on file. This ensures that when you authenticate using your face or fingerprint, the system is always comparing your biometric data with the one used during your KYC process.
Here’s how it works:
  • When you enroll with cloud-based biometrics, your face or fingerprint is compared with the KYC enrollment template used by the bank. So, when you log in, the system ensures it’s the same person who set up the bank account.
  • This method ensures more accurate authentication because the biometric check is always linked to the bank’s KYC process. So, you’re never just relying on the FaceID or passkey template stored on your phone.
While FaceID and passkeys offer convenient and private authentication, they fall short of meeting the inherence standard required by PSD3, as they don’t prove that the person authenticating is the same person who originally set up the bank account.
Cloud-based biometrics, on the other hand, link biometric data directly to the bank’s KYC process, providing a more secure and reliable way to authenticate users.
If you’re interested in seeing what a secure, modern authentication solution looks like, feel free to schedule a custom demo.