Skip to main content
View raw markdown

Passkeys confuse everyone. Canadian financial institutions may start pushing users towards them anyways.


Banks and financial institutions in Canada make a lot of money. In the first quarter of 2026, the big 6 hit $19 billion in profit, up from $14 billion the year prior[1]. They have refined their businesses to be well-oiled machines, yet fraud and unauthorized transactions are increasingly a thorn in their sides. Not only do compromised accounts cause bad press when customers don’t end up getting reimbursed for unauthorized transactions, they also consume an immense amount of resources in support tickets. Every case is unique and needs to be handled with care. The support agent needs to determine if the person on the other end of the line genuinely needs help regaining access to their account, or if it is a scammer on the other end of the line trying to start a scam of their own.

Banking and investment fraud is particularly impactful on older Canadians, not because they are more susceptible to being scammed overall (they aren’t) but because they have the most amount saved from a lifetime of work and are thus the biggest targets.

Age Range # of Reports # of Victims % Victimized Dollar Loss Average Dollar Loss per Victimization
19 and under 1,201 1,115 92.8% $1,103,302 $990
20 - 29 5,186 4,275 82.4% $15,291,870 $3,577
30 - 39 6,336 5,048 79.7% $39,442,512 $7,813
40 - 49 5,910 4,546 76.9% $60,336,571 $13,272
50 - 59 5,556 3,997 71.9% $87,926,642 $21,998
60 and above 12,801 8,327 65.0% $179,900,453 $21,604
Not Specified & Unknown 13,830 8,279 59.9% $259,104,569 $31,297

Source: Canadian Anti-Fraud Centre report 2024

Despite the catastrophic consequences fraud has, in some situations it’s not clear what the bank should have done differently. Stories of large scams are tragic, but banks also need to allow individuals the freedom to conduct transactions in their own accounts. If you went to the store to make a large purchase only to have your card declined because your bank was being too cautious, you would also be frustrated.

The problem presented here is nothing new; we have had to deal with the threat of account takeover since the early days of the internet. With finance, the only difference is the magnitude of the consequences. If your gym account gets hacked, maybe you miss your next fitness class. If your bank account gets hacked, maybe you miss your next rent payment. The fact that the gym account and bank account use many of the same authentication techniques (i.e. a username and a password) highlights just how far we have to go. Additionally, many newer financial institutions in Canada are online only; there is no branch down the street to go to, which can make proving your identity difficult outside of that username/password combination.

The curse of being big

For the big 6 banks, the strategy to combat fraud has boiled down to two main pillars: education, and tying everything to their own app. On the social engineering side (i.e. phishing) they are hoping that continuous education will help bring down fraud rates. On the malware side, they are hoping that by controlling the application you use to approve logins and transactions, they can reduce the risk of an infection logging a 6-digit MFA code. Most now provide MFA requests through a push notification which you have to click through, rather than information you could communicate over the phone or internet.

The tech stacks of the big banks are also slow moving, with app changes or website updates taking years. In general, those that have an account with the bigger banks don’t like things to change much—they are picking that business because they want the reputation and stability of an institution that has been around for over a hundred years. However, there has been some innovation on the support side, with most of those institutions now using voice recognition technology to help authenticate clients over the phone. This initiative worked so well because it didn’t require any behavioural changes from the client, it happens silently in the background.

Smaller companies are trying to move the needle on passkeys

Passkeys are a newer method of authentication that uses public/private key cryptography instead of a shared secret like a password. When you setup a passkey, you are setting up a key on that particular device[2]. Since the key resides on the device itself, you as the user only need to prove to the device that you are who you say you are, which on a phone means using biometrics or a pin.

This method helps out with a few challenges outlined above. Since you don’t know the secret, you can’t give it to someone else over the phone. For malware, it makes it more difficult to obtain the passkey beside it resides in secure portions of the operating system, as opposed to being typed in from the keyboard (where a keylogger could grab it). No computer system is 100% immune to being compromised, but passkeys are unquestionably a big step up from passwords.

Given this, it’s not surprising that a few smaller financial companies are beginning to nudge their users towards using them. EQ bank and Wealthsimple have recently released updates to allow for passkey sign-on. The most interesting development, is that Wealthsimple ties the adoption of passkeys to an “Account guarantee” that offers particular additional assurances for unauthorized transactions provided you meet the criteria specified. This is the first time that I have seen such a clear incentive for the adoption of passkeys. To my knowledge, even technology companies like Google do not change their account recovery processes and guarantees depending on whether you have setup passkeys or not.

Financial scams of the future

Assuming that passkeys ultimately get adopted, fraud is still likely to be a continuous challenge. Deepfake videos or photos, in which individuals may be scared into sending money to help a friend or relative in distress, are predicted to rise. In the most aggressive estimate, fraud will have tripled from 2023 levels by 2027.

An image of a line chart produced by Deloitte showing the expected rise in financial fraud due to generative AI

Source: https://www.deloitte.com/us/en/insights/industry/financial-services/deepfake-banking-fraud-risk-on-the-rise.html. Used with permission as per non-commercial informational use. See weblink for full acknowledgements and attributions.

In these cases, there is nothing that the bank could do to stop you that wouldn’t also prevent you from sending money in a real emergency, and passkeys don’t change anything about this fact. The account guarantee that Wealthsimple provides outlines this clearly in what is not covered by the guarantee.

Transactions you authorized, consented to, or contributed to, including scams where you were deceived into approving a transaction.

Conclusions

Unfortunately, technical solutions can only go so far in preventing financial fraud. Passkeys are a step in the right direction, though there is a lot of leg work to be done in helping everyone understand what a passkey is and why they should use it. If younger financial institutions can innovate on the user experience of adding passkeys to an account, then this is a development that can be a win-win for everyone.


  1. https://www.bnnbloomberg.ca/markets/currencies/2026/02/27/big-six-banks-exceed-expectations-hit-19-billion-in-q1-profit/ ↩︎

  2. There may be nuance in the exact implementation with password managers or with Apple IDs, but generally it is one key per device. ↩︎