Revolut, a leading neobank in London, has recently implemented passkeys to enhance security and user experience. This revolutionary approach to authentication aims to streamline and secure online payments for millions of users worldwide.
The implementation's technical aspects, impact on user experience, enhanced security, and broader implications for the fintech industry will be examined in this analysis.
Understanding technology behind passkeys (FIDO2, WebAuthn)
Passkeys are built on the FIDO2 (Fast Identity Online) standard, which includes the Web Authentication (WebAuthn) specification. This open standard is supported by major technology companies and is designed to enable passwordless authentication across the web.
Read More: What is Passwordless Authentication?
The WebAuthn protocol allows servers to register and authenticate users using public key cryptography instead of passwords.
When a user creates a passkey, their device generates a public-private key pair. The public key is sent to the server, while the private key remains securely stored on the user's device.
During authentication, the server sends a challenge to the user's device, which is signed using the private key. This signed response proves the user's identity without ever transmitting the private key itself.
Revolut's Implementation of Passkeys
Timeline of Revolut's passkey rollout
Revolut has taken a phased approach to implementing passkeys, gradually rolling out the feature to different segments of its user base. The exact rollout timeline is not publicly disclosed, but our analysis shows that the feature began appearing for some users in early 2024.
Differences between Personal and Business account implementations
Our analysis revealed notable differences in how passkeys have been implemented for Revolut Personal and Business accounts:
Personal Accounts:
- Uses phone number as the primary identifier
- Passkey settings are available in the account security section
- No "Continue with passkey" button on the login page (as of the time of writing)
Business Accounts:
- Uses email address as the primary identifier
- "Continue with passkey" button prominently displayed on the login page
- Passkey promotional popup appears after successful login on new devices
Supported platforms and devices
Revolut's passkey implementation currently supports various platforms and devices:
- Web browsers: Chrome, Safari, and other major browsers that support the WebAuthn standard
- Desktop operating systems: Windows 11, macOS
- Mobile operating systems: iOS, Android
However, it's important to note that the functionality and user experience may vary across these platforms, with some inconsistencies observed during our testing.
How Passkeys Streamline Online Payments with Revolut?
Simplified login process
The introduction of passkeys significantly simplifies the login process for Revolut users. Instead of remembering and typing in a complex password, users can now authenticate using their device's biometric sensors (such as fingerprint or facial recognition) or a simple PIN.
This streamlined process reduces friction in the user experience, particularly when making payments or accessing financial information quickly.
Also Read: Understanding Passkeys: Functionality and Why Authsignal Leads in Passkey Deployment
Reduction in authentication steps
Traditional multi-factor authentication (MFA) often requires users to go through multiple steps, such as entering a password, confirming a push notification, or entering a one-time code.
With passkeys, these steps are condensed into a single, secure action. For Revolut Business users, this means no longer needing to use a second device or email for 2FA, as passkeys inherently serve as a strong two-factor authentication method.
Cross-device functionality
While Revolut's current implementation doesn't fully leverage cross-device functionality for passkeys, the technology has the potential to allow seamless authentication across multiple devices.
This could enable users to easily access their Revolut account and make payments from any device without the need to remember different passwords or go through additional setup processes.
Impact on user experience
The streamlined authentication process offered by passkeys has a significant positive impact on the overall user experience:
- Faster logins: Users can access their accounts and initiate payments more quickly
- Reduced cognitive load: No need to remember complex passwords
- Increased accessibility: Biometric authentication can be easier for users with certain disabilities
- Consistent experience: Potential for a unified authentication method across web and mobile platforms
Security Improvements via Passkeys
Phishing resistance
One of passkeys' most significant security benefits is their inherent resistance to phishing attacks.
Unlike passwords, which can be stolen if a user is tricked into entering them on a fake website, passkeys are bound to the specific domain they were created for. This means that even if a user is directed to a phishing site, their passkey cannot be used on that fraudulent domain.
Elimination of password-related vulnerabilities
Passkeys address several critical vulnerabilities associated with traditional passwords:
- Password reuse: Each passkey is unique to a specific service, eliminating the risk of credential stuffing attacks.
- Weak passwords: The cryptographic strength of passkeys far exceeds that of even the most complex user-created passwords.
- Password database breaches: Since passkeys are not stored on the server, there's no centralized database of credentials for attackers to target.
Biometric authentication integration
Integrating biometric authentication adds an extra layer of security to the passkey system. Biometrics are significantly harder to forge than passwords and provide a seamless user experience.
In Revolut's implementation, users can leverage their device's built-in biometric capabilities, such as Face ID or Touch ID on iOS devices or fingerprint sensors on Android and Windows devices.
Comparison with traditional 2FA methods
While traditional two-factor authentication (2FA) methods like SMS codes or authenticator apps do enhance security, they come with their own set of vulnerabilities and usability issues.
Passkeys offer several advantages over these methods:
- No risk of SIM swapping attacks (a vulnerability in SMS-based 2FA)
- No need for a separate authenticator app or physical security key
- Reduced risk of man-in-the-middle attacks
- Improved user experience with faster, more seamless authentication
Read More: SIM Swap Attacks — Explained
Technical Analysis of Revolut's Passkey Implementation
PublicKeyCredentialRequestOptions analysis
Our examination of Revolut's passkey implementation revealed interesting details about their use of PublicKeyCredentialRequestOptions:
- The allowCredentials array is empty, allowing any registered passkey to be used for authentication.
- The relying party ID (rpId) is set to "sso.revolut.com," which defines the scope of the passkey.
- User verification is set to "preferred," striking a balance between security and usability.
This configuration suggests that Revolut prioritizes a flexible and user-friendly approach while maintaining strong security standards.
Relying Party ID configuration
The use of "sso.revolut.com" as the relying party ID is significant. It indicates that Revolut is using a centralized authentication domain, which could facilitate a unified passkey experience across different Revolut services and applications in the future.
Analysis of association files (assetlinks.json and apple-app-site-association)
Our investigation into the association files revealed some interesting insights:
- The assetlinks.json file for Android was not found at the expected location (sso.revolut.com), but a version was discovered at app.revolut.com.
- The apple-app-site-association file for iOS contained comprehensive information for the Business app but lacked web credentials details for the Personal app.
These findings indicate that Revolut may need to make additional configurations to fully enable cross-platform passkey functionality, particularly for seamless integration between web and native apps.
Challenges and Areas for Improvement
Inconsistencies across platforms
One of the main challenges observed in Revolut's passkey implementation is the inconsistency across different platforms and account types.
For example, the passkey login option is prominently displayed for Business accounts but not for Personal accounts. Additionally, the functionality and availability of passkey features vary between web and mobile applications.
Native app integration issues
While passkey settings are visible in Revolut's native mobile apps, the functionality is not yet fully implemented. This creates a disjointed experience for users who switch between web and mobile interfaces. Revolut will need to address this to provide a truly seamless cross-platform experience.
User education and adoption hurdles
The concept of passkeys is still relatively new to many users. Revolut faces the challenge of educating its user base about the benefits and usage of passkeys. The lack of comprehensive documentation or guides about passkeys on Revolut's platform could hinder user adoption.
Technical limitations and potential solutions
Some technical limitations were observed, such as the 403 error encountered when creating a passkey on certain platforms. Revolut will need to address these issues to ensure a smooth user experience. Potential solutions could involve implementing consistent passkey support across all platforms and account types, improving error handling and providing clear user feedback, and enhancing the integration between web and native app authentication flows.
Impact on Revolut's Payment Ecosystem
Integration with existing payment flows
The introduction of passkeys has the potential to significantly streamline Revolut's existing payment flows. By reducing the friction in the authentication process, passkeys could enable faster and more secure transactions.
This is particularly relevant for frequent actions such as peer-to-peer transfers, bill payments, and online purchases.
Potential for new payment features enabled by passkeys
Passkeys open up possibilities for new payment features that prioritize both security and convenience. Some potential innovations could include:
- One-click payments: Leveraging passkeys for instant authentication during checkout processes
- Secure API access: Enabling third-party services to access Revolut accounts with user permission securely
- Enhanced subscription management: Simplifying recurring payment setups and modifications
Effect on transaction speed and security
The implementation of passkeys is expected to have a positive impact on both transaction speed and security:
- Speed: Faster authentication could lead to quicker transaction processing times
- Security: The phishing-resistant nature of passkeys reduces the risk of unauthorized transactions
Comparing Revolut with Competitors
Other fintech companies implementing passkeys
While Revolut is among the early adopters of passkeys in the fintech space, other companies are also moving in this direction. For example, PayPal has begun rolling out passkey support for its users, and Coinbase has implemented passkeys for enhanced account security.
Traditional banks' approaches to passwordless authentication
Many traditional banks continue to rely on conventional authentication methods, though some are exploring alternatives such as biometric authentication for mobile apps, hardware tokens for high-value transactions, and risk-based authentication systems. However, few have fully implemented passkey support, which could provide Revolut with a competitive advantage in this area.
Revolut's competitive advantage in the payment security space
By becoming an early adopter of passkeys, Revolut is positioning itself as a leader in payment security innovation. This could result in several competitive advantages: enhanced user trust due to improved security measures, attraction of security-conscious customers, and potential for faster and more seamless payment experiences compared to competitors.
Future Prospects for Revolut
Potential expansions of passkey functionality
As passkey technology matures, Revolut could expand its implementation in several ways: Cross-device synchronization of passkeys. Integration with hardware security keys for additional authentication options. Use of passkeys for internal operations and employee authentication.
Regulatory considerations (e.g., PSD2 compliance)
As Revolut continues to develop its passkey implementation, it will need to ensure compliance with relevant regulations. These include the PSD2 (Payment Services Directive 2) requirements for strong customer authentication, GDPR considerations for handling biometric data, and potential future regulations specifically addressing passwordless authentication.
Final thoughts
Revolut's early adoption of passkeys puts them at the forefront of secure and fast authentication. Success will depend on refinement, user education, and industry collaboration. Although still in early stages with challenges, Revolut's passkey implementation is a bold step towards a more secure and user-friendly future for online payments.