Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Blog
/
Current article

Revolut's Passkey Implementation: Benefits, Challenges & Technical Aspect.

Last Updated:
February 2, 2026
Ben Rolfe
Revolut's Passkey Implementation: Benefits, Challenges & Technical Aspect
AWS Partner
Authsignal is an AWS-certified partner and has passed the Well-Architected Review Framework (WAFR) for its Cognito integration.
AWS Marketplace

Revolut, a leading neobank in London, has recently implemented passkeys to enhance security and user experience. This revolutionary approach to authentication aims to streamline and secure online payments for millions of users worldwide.

This analysis examines the implementation's technical aspects, impact on user experience, enhanced security, and broader implications for the fintech industry.

Understanding technology behind passkeys (FIDO2, WebAuthn)

Passkeys are built on the FIDO2 (Fast Identity Online) standard, which includes the Web Authentication (WebAuthn) specification. This open standard is supported by major technology companies and is designed to enable passwordless authentication across the web.

The WebAuthn protocol allows servers to register and authenticate users using public key cryptography instead of passwords.

When a user creates a passkey, their device generates a public-private key pair. The public key is sent to the server, while the private key remains securely stored on the user's device.

During authentication, the server sends a challenge to the user's device, which is signed using the private key. This signed response proves the user's identity without ever transmitting the private key itself.

Revolut's Implementation of Passkeys

Timeline of Revolut's passkey rollout

evolut has taken a phased approach to implementing passkeys, gradually rolling out the feature to different segments of its user base. The rollout began in early 2024, with significant updates throughout 2024 and into early 2025. As of January 2025, passkey functionality has been expanded across both Personal and Business accounts, with the "Continue with passkey" option now prominently displayed for both account types on web platforms.

Differences between personal and business account implementations

Our analysis revealed notable differences in how passkeys have been implemented for Revolut Personal and Business accounts:

Personal Accounts:

  • Uses phone number as the primary identifier
  • Passkey settings are available in the account security section
  • "Continue with passkey" button now prominently displayed on the login page (updated as of late 2024/early 2025)
  • Authentication is managed through a 6 to 12-digit passcode

Business Accounts:

  • Uses email address as the primary identifier
  • "Continue with passkey" button prominently displayed on the login page
  • Passkey promotional popup appears after successful login on new devices
  • Utilizes a 4-digit passcode and makes use of passwords in the default login process
  • Interestingly, even though the primary user identifier is email, passkeys are tied to phone numbers

Supported platforms and devices

Revolut's passkey implementation currently supports various platforms and devices:

  • Web browsers: Chrome, Safari, and other major browsers that support the WebAuthn standard
  • Desktop operating systems: Windows 11, macOS
  • Mobile operating systems: iOS, Android

However, it's important to note that the functionality and user experience may vary across these platforms, with some inconsistencies observed during testing, particularly with native mobile app integration.

How passkeys streamline online payments with Revolut

Simplified login process

The introduction of passkeys significantly simplifies the login process for Revolut users. Instead of remembering and typing in a complex password, users can now authenticate using their device's biometric sensors (such as fingerprint or facial recognition) or a simple PIN.

This streamlined process reduces friction in the user experience, particularly when making payments or accessing financial information quickly.

Reduction in authentication steps

Traditional multi-factor authentication (MFA) often requires users to go through multiple steps, such as entering a password, confirming a push notification, or entering a one-time code.

With passkeys, these steps are condensed into a single, secure action. For Revolut Business users, this means no longer needing to use a second device or email for 2FA, as passkeys inherently serve as a strong two-factor authentication method.

Cross-device functionality

Revolut's passkey implementation leverages cross-device functionality, with passkeys able to be synchronized across Apple, Google, or Microsoft cloud accounts. This allows users to access their passkeys across multiple devices within the same ecosystem. Users can easily access their Revolut account and make payments from any device without the need to remember different passwords or go through additional setup processes.

If users lose access to their passkey, they can sign into their Revolut account with their passcode and 2FA, with recovery happening securely within their Apple, Google, or Microsoft cloud account.

Impact on user experience

The streamlined authentication process offered by passkeys has a significant positive impact on the overall user experience:

  • Faster logins: Users can access their accounts and initiate payments more quickly
  • Reduced cognitive load: No need to remember complex passwords
  • Increased accessibility: Biometric authentication can be easier for users with certain disabilities
  • Consistent experience: Unified authentication method across web platforms

Security Improvements via Passkeys

Phishing resistance

One of passkeys' most significant security benefits is their inherent resistance to phishing attacks.

Unlike passwords, which can be stolen if a user is tricked into entering them on a fake website, passkeys are bound to the specific domain they were created for. This means that even if a user is directed to a phishing site, their passkey cannot be used on that fraudulent domain.

Elimination of password-related vulnerabilities

Passkeys address several critical vulnerabilities associated with traditional passwords:

  • Password reuse: Each passkey is unique to a specific service, eliminating the risk of credential stuffing attacks.
  • Weak passwords: The cryptographic strength of passkeys far exceeds that of even the most complex user-created passwords.
  • Password database breaches: Since passkeys are not stored on the server, there's no centralized database of credentials for attackers to target.

Biometric authentication integration

Integrating biometric authentication adds an extra layer of security to the passkey system. Biometrics are significantly harder to forge than passwords and provide a seamless user experience.

In Revolut's implementation, users can leverage their device's built-in biometric capabilities, such as Face ID or Touch ID on iOS devices or fingerprint sensors on Android and Windows devices.

Comparison with traditional 2FA methods

While traditional two-factor authentication (2FA) methods like SMS codes or authenticator apps do enhance security, they come with their own set of vulnerabilities and usability issues. 

Passkeys offer several advantages over these methods:

  • No risk of SIM swapping attacks (a vulnerability in SMS-based 2FA)
  • No need for a separate authenticator app or physical security key
  • Reduced risk of man-in-the-middle attacks
  • Improved user experience with faster, more seamless authentication

Read More: SIM Swap Attacks — Explained 

Technical Analysis of Revolut's Passkey Implementation

PublicKeyCredentialRequestOptions analysis

Our examination of Revolut's passkey implementation revealed interesting details about their use of PublicKeyCredentialRequestOptions:

  • The allowCredentials array is empty, allowing any registered passkey to be used for authentication.
  • The relying party ID (rpId) is set to "sso.revolut.com," which defines the scope of the passkey.
  • User verification is set to "preferred," striking a balance between security and usability.

This configuration suggests that Revolut prioritizes a flexible and user-friendly approach while maintaining strong security standards.

Relying Party ID configuration

The use of "sso.revolut.com" as the relying party ID is significant. It indicates that Revolut is using a centralized authentication domain, which could facilitate a unified passkey experience across different Revolut services and applications in the future.

Analysis of association files (assetlinks.json and apple-app-site-association)

Our investigation into the association files revealed some interesting insights:

  • The assetlinks.json file for Android was not found at the expected location (sso.revolut.com), but a version was discovered at app.revolut.com.
  • The apple-app-site-association file for iOS contained comprehensive information for the Business app but lacked web credentials details for the Personal app.

These findings indicate that Revolut has been working on additional configurations to fully enable cross-platform passkey functionality, particularly for seamless integration between web and native apps. The recent updates showing passkey buttons on Personal accounts suggest progress in this area.

Challenges and areas for improvement

Native app integration issues

While passkey functionality is now available on web platforms for both Personal and Business accounts, native app integration remains a work in progress. Passkey settings are visible in Revolut's native mobile apps, but full functionality is not yet implemented across all native platforms.

This creates a somewhat fragmented experience for users who switch between web and mobile interfaces. Revolut will need to continue developing native app support to provide a truly seamless cross-platform experience.

User education and adoption hurdles

The concept of passkeys is still relatively new to many users. Revolut faces the challenge of educating its user base about the benefits and usage of passkeys. While Revolut has created support documentation explaining what passkeys are and how to use them, comprehensive guides about best practices and troubleshooting could further improve user adoption.

Technical limitations and ongoing development

Some technical limitations have been observed, such as:

  • Inconsistencies in passkey availability between web and native mobile apps
  • Potential 403 errors when creating passkeys on certain platforms during early rollout phases
  • Variations in user experience across different operating systems and browsers

Revolut continues to address these issues to ensure a smooth user experience. Potential solutions being implemented include:

  • Expanding consistent passkey support across all platforms and account types
  • Improving error handling and providing clearer user feedback
  • Enhancing the integration between web and native app authentication flows
  • Developing full native app support for iOS and Android

Impact on Revolut's payment ecosystem

Integration with existing payment flows

The introduction of passkeys has significantly streamlined Revolut's existing payment flows. By reducing the friction in the authentication process, passkeys enable faster and more secure transactions.

This is particularly relevant for frequent actions such as peer-to-peer transfers, bill payments, and online purchases.

Potential for new payment features enabled by passkeys

Passkeys open up possibilities for new payment features that prioritize both security and convenience. Some potential innovations could include:

  • One-click payments: Leveraging passkeys for instant authentication during checkout processes
  • Secure API access: Enabling third-party services to access Revolut accounts with user permission securely
  • Enhanced subscription management: Simplifying recurring payment setups and modifications

Effect on transaction speed and security

The implementation of passkeys is expected to have a positive impact on both transaction speed and security:

  • Speed: Faster authentication leads to quicker transaction processing times
  • Security: The phishing-resistant nature of passkeys reduces the risk of unauthorized transactions
  • Cost savings: Reduced reliance on SMS-based authentication can lead to significant cost savings for Revolut

Comparing Revolut with Competitors

Other fintech companies implementing passkeys

While Revolut is among the early adopters of passkeys in the fintech space, other companies have also moved in this direction:

  • PayPal has begun rolling out passkey support for its users
  • Coinbase has implemented passkeys for enhanced account security
  • Finom, another digital-first fintech, has rolled out passkeys globally
  • Other digital banks like Ubank are following suit

Traditional banks' approaches to passwordless authentication

Many traditional banks continue to rely on conventional authentication methods, though some are exploring alternatives such as:

  • Biometric authentication for mobile apps
  • Hardware tokens for high-value transactions
  • Risk-based authentication systems

However, few traditional banks have fully implemented passkey support as of early 2025, which provides Revolut and other digital-first banks with a competitive advantage in this area.

Revolut's competitive advantage in the payment security space

By becoming an early adopter of passkeys, Revolut is positioning itself as a leader in payment security innovation. This results in several competitive advantages:

  • Enhanced user trust due to improved security measures
  • Attraction of security-conscious customers who value cutting-edge protection
  • Potential for faster and more seamless payment experiences compared to competitors
  • Reduced operational costs through decreased reliance on SMS-based authentication
  • Regulatory compliance leadership in meeting strong customer authentication requirements

Future Prospects for Revolut

Potential expansions of passkey functionality

As passkey technology matures and Revolut's implementation evolves, the company could expand its functionality in several ways:

  • Full native app integration: Completing the rollout of passkey support in iOS and Android native apps
  • Cross-device synchronization: Enhanced synchronization of passkeys across different device ecosystems
  • Hardware security key integration: Adding support for hardware security keys as an additional authentication option
  • Internal operations: Using passkeys for employee authentication and internal systems
  • API authentication: Extending passkey support to developer API access

Regulatory considerations

As Revolut continues to develop its passkey implementation, it must ensure compliance with relevant regulations:

  • PSD2 (Payment Services Directive 2): Requirements for strong customer authentication (SCA)
  • GDPR: Considerations for handling biometric data
  • PSD3: Potential future regulations specifically addressing passwordless authentication and delegated SCA
  • Regional regulations: Compliance with various international financial regulations

Passkeys align well with regulatory requirements for strong customer authentication, as they provide inherent multi-factor authentication (something you have + something you are/know).

Final thoughts 

Revolut's early adoption of passkeys puts them at the forefront of secure and fast authentication. As of early 2025, the "Continue with passkey" option is now available for both Personal and Business accounts on web platforms, addressing the earlier inconsistency noted in the original analysis.

Success will depend on completing native mobile app integration, enhancing user education, and continued industry collaboration. Although still in development stages with some challenges remaining, Revolut's passkey implementation is a bold step towards a more secure and user-friendly future for online payments.

Try out our passkey demo
Passkey Demo
Have a question?
Talk to an expert
Related Resources
No items found.
NewsletterDemo PasskeysView docs
Passkeys Implementation Analysis
Implementation
PSD2
FIDO2
Passwordless authentication
You might also like
Account recovery is the identity industry's most overlooked challenge
February 12, 2026
Account recovery is identity's weakest link. Learn why most companies get it wrong, how attackers exploit recovery flows, and practical steps to build secure, user-friendly account recovery that doesn't compromise your authentication strategy.
Account recovery
Authsignal launches Canada data region for enterprise authentication
January 30, 2026
Authsignal launches Canadian Region with in-country data centers. Deploy passkeys and modern authentication while meeting PIPEDA compliance requirements.
Announcements
Authsignal
Passwordless authentication
How to deploy passkeys that drive real adoption: Insights from Yubico and Authsignal
January 30, 2026
Learn how to deploy passkeys that users actually adopt. This guide covers FIDO2 implementation strategies, UX best practices, and security controls that drive 60-70% adoption rates, with insights from Yubico and Authsignal's real-world deployments.
Passkeys
FIDO2
Passwordless authentication

Secure your customers’ accounts today with Authsignal

Schedule a callCreate account

Authsignal delivers passwordless and multi-factor authentication as a service. Focused on powering mid-market and enterprise businesses to rapidly deploy optimized good customer flows that enable a flexible and risk-based approach to authentication.

AICPA SOCFido Certified
LinkedInTwitter
Passwordless / multi-factor authentication (MFA)
Pre-built UI (low code)UI components (customizable)Custom UI (flexible)
Why Authsignal?
Drop-in authentication
Risk-based authentication PasskeysBiometric authenticationWhatsApp OTPSMS OTPEmail OTPMagic linksAuthenticator apps (TOTP)Push authenticationPalm biometricsDigital Credential Verification API
Rules and policies engine
User observability
Industries
Financial services
Marketplace
e-Commerce
FinTech
Crypto
View all industries
Teams
Engineers
Use cases
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
View all use cases
Identity providers (IDPs)
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
Keycloak
NextAuth.js
Integrations
ASP.NET
C#
Java
Node.js
Open ID Connect (OIDC)
PHP
Python
React
Ruby
Ruby on Rails
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
BlogDeveloper docsFree Figma mobile passkeys templateFree Figma desktop passkeys templateFree Figma webapp passkeys template
Company
About usWhy AuthsignalCareersPress releasesPartnersContact us
What is
What is IP Spoofing? Definition & Guide
Passwordless authentication
What is MFA (multi-factor authentication)?
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies