
Passwordless Authentication for AML and KYC Compliance: Top Solutions in 2026

Published
May 7, 2026


Financial services firms face a problem that most passwordless authentication vendors have not solved. On one side, there is genuine and growing pressure to reduce friction: customers abandon onboarding flows that require repeated re-verification, lengthy authentication steps, and multiple document uploads. On the other side, there is regulatory obligation: every authentication event in a regulated context must meet defined identity assurance levels, produce an auditable trail, and withstand scrutiny from AML and KYC compliance teams.

Most passwordless solutions were built to solve the friction problem. They were not built to meet the compliance requirement. A passkey that authenticates a user in two seconds is excellent for a consumer app. It does not produce the verified identity evidence, liveness confirmation, or credential-linked audit trail that a regulated financial institution needs to satisfy AML/CTF obligations or to demonstrate KYC compliance to a regulator.

This article explains what compliance-grade passwordless authentication requires in a financial services context, maps the top approaches available in 2025, and describes how biometric-bound verifiable credentials, the model Truvera is built on, address both the friction and the compliance requirements simultaneously.

Why Standard Passwordless Authentication Falls Short for AML and KYC Compliance

Standard passwordless authentication (passkeys, magic links, device biometrics) solves the credential theft problem. It does not solve the identity assurance problem.

AML and KYC obligations in financial services require more than proof that the person logging in possesses a device or knows a secret. They require that the identity behind the authentication event has been properly verified, that the verification meets a defined assurance level (typically equivalent to NIST IAL2 or higher), that a liveness check confirms the person is physically present rather than using a recorded biometric or a photo, and that the authentication event is linked to a verifiable record of the original KYC process.

What passkeys miss for regulated financial services

A FIDO2 passkey proves that the person authenticating possesses and can unlock a specific device. It does not prove who that person is in a KYC sense. A passkey can be provisioned to a device that has not gone through identity verification. It does not carry the original KYC evidence as part of the authentication event. And it does not produce an audit record that links the authentication to a specific verified identity in a form that satisfies compliance review.

This is not a criticism of passkeys; they are excellent for their intended purpose. But their intended purpose is phishing-resistant authentication for consumer and enterprise access, not compliance-grade identity assurance in a regulated financial context.

What SMS OTP and magic links miss

The weaknesses of SMS OTP for regulated contexts are well-documented. SIM-swap attacks allow fraudsters to intercept OTPs sent to a phone number. SMS OTPs do not verify that the person receiving the OTP is the same person who completed KYC. And they do not produce a meaningful identity assurance record: they prove only that someone controlled the phone number at the moment of authentication.

KYC fraud frequently exploits the gap between the identity verification step (which happens once at onboarding) and the ongoing authentication mechanism (which may be a weaker signal like SMS OTP). Closing that gap requires authentication that is continuously tied to the original verified identity, not just to a device or a phone number.

What Compliance-Grade Passwordless Authentication for AML and KYC Actually Requires

For a passwordless authentication solution to meet AML and KYC compliance requirements in financial services, it must satisfy four conditions that consumer-grade passwordless tools do not.

Verified identity proofing linked to every authentication event

The authentication event must be traceable back to a verified identity, one that was established through a KYC process meeting the relevant assurance level. This means the authentication mechanism must carry or reference the original identity verification, not just prove possession of a device.

A credential-based approach achieves this by design: the verifiable credential issued to the user at KYC completion carries the identity attributes established during that process. Every subsequent authentication using that credential is inherently linked to the original KYC evidence.

Liveness verification at authentication time

AML/CTF frameworks increasingly require that authentication events in high-risk contexts include liveness verification: confirmation that the person authenticating is physically present, not using a photograph, a video replay, or a mask. This rules out basic facial recognition and requires active liveness detection as part of the authentication flow.

Biometric authentication platforms with certified liveness detection, such as those offered by Daon and Youverse, both partners of Dock Labs, address this requirement. When combined with biometric-bound verifiable credentials, liveness confirmation at authentication time is tied to the same credential that carries the original KYC evidence.

A tamper-evident audit trail linked to credential identity

Compliance functions require an audit trail that demonstrates, for each authentication event: who authenticated, which credential was used, when the authentication occurred, and whether the credential was valid and unrevoked at that time. A log entry showing "User ID 12345 authenticated via passkey at 14:32" is not sufficient. An audit record showing "Credential [issuer DID: X, holder DID: Y, issued: date, scope: KYC Level 2] was presented and verified at 14:32, revocation status: valid" is.

Verifiable credential presentations produce exactly this kind of auditable record, because the credential itself carries the identity and assurance metadata, and the verification event is recorded against the credential rather than against an opaque user session.

Re-authentication triggers tied to risk signals

Regulated firms must be able to trigger step-up authentication (requiring re-verification) when risk signals indicate elevated fraud risk: unusual transaction patterns, high-value transfers, access from unfamiliar devices or locations. The authentication mechanism must support dynamic step-up, not just a fixed authentication level at login.

Verifiable credential-based systems support step-up by requesting a fresh credential presentation, with liveness check, at the point the risk signal is triggered. Because the credential carries the original KYC evidence, the step-up produces a verified identity confirmation, not just a re-authentication of device possession.

The Top Passwordless Authentication Approaches for AML and KYC Compliance in 2026

Biometric-bound verifiable credentials (highest assurance)

This is the approach that addresses all four compliance requirements. The user completes KYC onboarding (identity document verification, liveness check, data matching) and receives a verifiable credential issued by the financial institution or its IDV provider. The credential is biometrically bound: the user's biometric is captured at issuance and linked to the credential cryptographically, so that only the user whose biometric matches can present it.

At subsequent authentication, the user presents the credential with a liveness-checked biometric confirmation. The relying party verifies: the credential's issuer signature (linked to the original KYC), the biometric match (confirming the rightful holder), and the credential's revocation status (confirming it has not been withdrawn). The authentication event produces an auditable record that satisfies compliance review.
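As an added example (not Truvera's code or API), the following Python sketch runs the verifier-side checks just described, issuer signature, biometric match and revocation status, and returns the kind of audit record called for under "A tamper-evident audit trail" above; it also checks the issuer against a trust registry and the credential's assurance scope, which the reusable-KYC section later relies on. The DIDs, scope label and registries are constructed, and the issuer signature is simulated with an HMAC shared secret so the block runs offline; a real issuer signs with an asymmetric key.

```python
import hashlib
import hmac
import json

# Constructed sample registries (hypothetical DIDs, not real identifiers).
# The issuer "key" is a shared secret so the example runs offline; real
# issuers sign with an asymmetric key resolved from their DID document.
ISSUER_KEYS = {"did:example:issuer-bank": b"constructed-issuer-secret"}
TRUST_REGISTRY = {"did:example:issuer-bank"}   # issuers this verifier accepts
REVOKED = set()                                # credential ids withdrawn
REQUIRED_SCOPE = "KYC Level 2"                 # assurance this RP requires


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer_did, holder_did, scope, template, issued):
    """Issue a KYC credential bound to a hash of the enrolled biometric."""
    payload = {"id": "urn:example:cred-1", "issuer": issuer_did,
               "holder": holder_did, "scope": scope, "issued": issued,
               "biometric_binding": hashlib.sha256(template).hexdigest()}
    sig = hmac.new(ISSUER_KEYS[issuer_did], _canonical(payload), "sha256")
    return {"payload": payload, "signature": sig.hexdigest()}


def verify_presentation(cred, live_template, liveness_passed, now_iso):
    """Check issuer trust, signature, scope, revocation, liveness and
    biometric binding, then return the audit record for the event."""
    p, failures = cred["payload"], []
    key = ISSUER_KEYS.get(p["issuer"])
    if p["issuer"] not in TRUST_REGISTRY:
        failures.append("issuer not in trust registry")
    expected = hmac.new(key or b"", _canonical(p), "sha256").hexdigest()
    if key is None or not hmac.compare_digest(expected, cred["signature"]):
        failures.append("issuer signature invalid")
    if p["scope"] != REQUIRED_SCOPE:
        failures.append("assurance level does not meet requirement")
    revoked = p["id"] in REVOKED
    if revoked:
        failures.append("credential revoked")
    if not liveness_passed:
        failures.append("liveness check failed")
    # Exact template comparison stands in for a real biometric match score.
    if hashlib.sha256(live_template).hexdigest() != p["biometric_binding"]:
        failures.append("biometric does not match bound holder")
    return {"issuer_did": p["issuer"], "holder_did": p["holder"],
            "issued": p["issued"], "scope": p["scope"],
            "verified_at": now_iso,
            "revocation_status": "revoked" if revoked else "valid",
            "decision": "reject" if failures else "accept",
            "failures": failures}
```

Every failed check is recorded rather than short-circuited, so the audit record shows a compliance reviewer exactly which condition a rejected presentation missed.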

This is the model Truvera is built on. Biometric-bound credentials combine verifiable credential infrastructure with biometric binding, so that passwordless authentication in a financial context carries the full weight of the original KYC process into every subsequent interaction.

FIDO2 with identity-linked credential (medium assurance)

Some implementations combine FIDO2 passkey authentication with a separately maintained identity record linked at registration. When a FIDO2 authentication event occurs, the system looks up the identity record associated with the authenticating device and uses it to assert the user's KYC status.

This approach is stronger than passkeys alone for compliance purposes, because it ties the authentication event to an identity record. Its limitation is that the link is maintained in the relying party's backend rather than cryptographically embedded in the authentication event itself, which means the audit trail depends on the integrity of that backend record rather than on the credential.

Biometric verification at authentication (step-up, not continuous)

Several financial institutions deploy biometric verification (facial recognition with liveness detection) as a step-up mechanism rather than as the primary authentication flow. Standard login uses a passkey or device biometric; high-risk events trigger a liveness-checked facial verification against the enrolled identity.

This addresses the liveness requirement for step-up events but does not produce a continuous link between authentication and KYC evidence for every session. For use cases where full compliance-grade assurance is required at every login (high-value account access, transaction authorization for large amounts), step-up biometric alone is not sufficient.

How Reusable KYC Credentials Reduce Re-Verification Overhead Across a Firm's Product Lines

One of the most operationally significant applications of biometric-bound verifiable credentials in financial services is reusable KYC. When a customer completes KYC for one product (a current account, a brokerage account, a credit card), the verified identity data is packaged into a verifiable credential the customer holds. When the same customer onboards for a second product from the same firm, or from a partner institution, the credential is presented and verified without repeating the full KYC process.

This creates a meaningful operational improvement. KYC duplication within a financial institution is expensive and drives customer friction. KYC duplication across partner institutions is worse: the same individual may complete full KYC three or four times in a year for products that rely on the same identity data. Reusable identity powered by verifiable credentials allows that KYC to be done once and trusted everywhere the credential is accepted.

The compliance implication is important: the reused credential carries the original KYC evidence, including the assurance level at which verification was performed. A verifier accepting a reused credential can confirm that KYC was performed at the required level, by a recognized IDV provider, on a specific date, all from the credential itself, without requesting the underlying documents again.

For IDV providers in the KYC and identity verification space, this is also a revenue opportunity: each time a credential they issued is re-verified by a downstream institution, there is a mechanism to generate revenue through privacy-preserving credential monetization, without the IDV provider learning which specific user or credential was verified.

How Truvera Delivers Compliance-Grade Passwordless Authentication

Dock Labs builds Truvera, a digital identity platform whose biometric-bound credential infrastructure is designed specifically for the compliance requirements that standard passwordless solutions miss.

The flow works as follows. At onboarding, the user completes KYC (document verification and liveness-checked biometric capture), typically via a partner IDV provider such as Daon or Socure. Truvera's credential issuance API issues a verifiable credential to the user that carries their verified identity attributes and biometric binding. The credential is delivered to a digital identity wallet the user controls.

At subsequent authentication, the user presents the credential with a real-time biometric confirmation. The relying party verifies the issuer's signature, the biometric match, and the credential's revocation status. The authentication event is auditable: it is linked to the credential, the issuer, and the KYC assurance level embedded in the credential, not just to a session or a device.

Revocation is immediate and universal. If a customer's KYC status changes (they are flagged under AML review, their identity document expires, or their account is suspended), the credential is revoked in Truvera's registry. The credential is invalid everywhere from the moment of revocation.

For compliance and fraud teams who need to step up authentication at the point of a risk signal, Truvera supports on-demand credential presentation requests, requiring the user to present their biometric-bound credential fresh, with liveness confirmation, before a high-risk action proceeds.

Compliance-Grade Passwordless Is No Longer a Trade-Off

The assumption that compliance-grade authentication and frictionless customer experience are in tension has driven financial services firms to accept poor authentication experiences as the price of regulatory safety. Biometric-bound verifiable credentials dismantle that assumption.

The same mechanism that eliminates passwords and OTPs (a cryptographically verifiable credential tied to the user's biometric) is also the mechanism that satisfies AML and KYC assurance requirements, produces a compliant audit trail, and enables reusable identity across the firm's product lines and partner ecosystem.

If you are a compliance, fraud, or IAM professional at a regulated financial institution evaluating compliance-grade passwordless authentication, the KYC and IDV industry page describes how Dock Labs approaches this for financial services specifically. You can also request a free consultation to discuss what a biometric-bound credential deployment looks like for your institution's compliance requirements.

Frequently Asked Questions About Passwordless Authentication for AML and KYC Compliance

Why do standard passwordless solutions fail for AML and KYC compliance?

Standard passwordless solutions (passkeys, magic links, device biometrics) authenticate that a person possesses a device or a biometric signal. They do not prove that the identity behind the authentication meets a KYC assurance level, carry liveness verification, or produce an audit trail linked to the original KYC evidence. Regulated firms require all three for compliance-grade authentication.

What is a biometric-bound verifiable credential?

A biometric-bound verifiable credential is a cryptographically signed identity credential that is tied to the holder's biometric at issuance. At presentation, the relying party checks both the credential's cryptographic validity and a live biometric match, confirming the credential is genuine and that the rightful holder is physically present. This combines the portability of verifiable credentials with the liveness assurance of biometric authentication.

How does reusable KYC reduce compliance overhead for financial institutions?

When a customer's KYC is packaged as a verifiable credential, subsequent onboarding events for additional products, from the same institution or from partners, can accept the credential instead of repeating full KYC. The credential carries the original KYC evidence, so the verifier can confirm the assurance level was met without requesting documents again. This reduces cost and customer friction while maintaining compliance.

How does credential revocation work in a regulated financial services context?

When a customer's KYC status changes (AML alert, expired identity document, account suspension), the issuing institution revokes the credential in Truvera's registry. All subsequent presentation attempts return a revoked status, regardless of which relying party the user presents to. Revocation is immediate, universal, and requires no coordination with individual systems.

What liveness verification options does Truvera support?

Truvera works with certified biometric identity partners including Daon and Youverse, both of which provide liveness detection meeting the standards required for regulated financial services contexts. Liveness verification can be integrated at the point of credential issuance (KYC) and at re-presentation for step-up authentication.

Can a verifiable KYC credential be accepted across multiple regulated institutions?

Yes, where the institutions have agreed to recognize each other's KYC credentials within a trust framework. Truvera's ecosystem tools support configuring multi-institution trust registries, defining which issuers' KYC credentials are accepted by which verifiers. This is the mechanism that makes cross-institution reusable KYC operationally practical.

How does compliance-grade passwordless authentication affect the customer experience?

Done correctly, it improves it significantly. A customer who completes KYC once and holds a biometric-bound credential can authenticate to any product or partner that accepts the credential with a biometric confirmation: no document re-upload, no SMS OTP, no knowledge-based authentication. Authentication that takes minutes is reduced to seconds. The compliance rigour is in the credential; the experience for the customer is frictionless.
