Published Date: 10/2/2025
Germany’s Federal Office for Information Security (BSI) has taken a significant step towards enhancing digital security by requesting public comments on a draft document that outlines technical considerations for configuring passkey servers. The draft was published on September 30 and seeks input from relevant stakeholders, as announced in a news release by the BSI.
The BSI TR-03188 Passkey Server guidelines are available as a draft in version 0.9. This document was drafted within the scope of FIDO2 and WebAuthn standards, among others. Interested parties have until November 16 to submit their feedback.
The guidelines represent a major step forward by the German government towards joining the passwordless authentication trend. In an introductory statement to the draft, the BSI emphasizes the importance of passkeys in combating cybercrimes such as phishing. However, for passkeys to be effectively used, websites and other online services require passkey servers configured according to certain technical standards.
The draft document details these standards, which, if endorsed, will serve as a digital security blueprint for those operating websites or offering online services and intending to use passkeys as an authentication tool. Apart from recommendations, the document also defines trust levels and provides practical guidance on integrating passkey servers into real-world systems.
BSI President Claudia Plattner highlighted the critical importance of cybersecurity, emphasizing the need to simplify it without compromising robustness. “We must make cybersecurity as simple as possible while at the same time ensuring it is robust. Passkeys are a perfect example of how technical solutions can address technical challenges. They are the future,” she said.
The draft document includes guidelines on different integration options, aiming to make passkeys a common two-factor authentication (2FA) method for enhanced online security in Germany. It defines six threats and attacker models, proposes three security assurance levels, and suggests detailed configuration rules for passkey servers. These recommendations include always verifying user presence and user verification flags, enforcing privacy, allowing users to register multiple credentials per account for backup, optionally disabling password fallback once passkeys are active, and having a strong preference for device-bound passkeys for high assurance.
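As an added illustration of the flag checks listed above (not code from the BSI draft), this Python example parses the fixed header of WebAuthn authenticator data and rejects assertions that lack the user presence or user verification flags. Treating a clear backup-eligibility bit as "device-bound", the `require_device_bound` switch, and the relying party ID `login.example` are assumptions of this example, not the draft's assurance-level definitions.

```python
import hashlib
import struct

# Flag bits in the authenticator data flags byte (WebAuthn specification)
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10


def check_authenticator_data(auth_data: bytes, rp_id: str,
                             require_device_bound: bool = False) -> list[str]:
    """Return a list of policy violations; an empty list means accept.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
    Signature verification is a separate step and is not shown here.
    """
    if len(auth_data) < 37:
        return ["authenticator data shorter than 37 bytes"]
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    problems = []
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not flags & UP:
        problems.append("user presence (UP) flag not set")
    if not flags & UV:
        problems.append("user verification (UV) flag not set")
    if flags & BS and not flags & BE:
        problems.append("backup state set without backup eligibility")
    # Assumption of this example: "device-bound" means the BE bit is clear.
    if require_device_bound and flags & BE:
        problems.append("credential is backup-eligible, not device-bound")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed sample authenticator data for the demo below."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    rp = "login.example"  # constructed relying party ID
    samples = {  # constructed inputs, not captured traffic
        "device-bound, UP+UV": make_auth_data(rp, UP | UV),
        "synced passkey, UP+UV": make_auth_data(rp, UP | UV | BE | BS),
        "presence only": make_auth_data(rp, UP),
        "other RP ID": make_auth_data("other.example", UP | UV),
    }
    for name, data in samples.items():
        result = check_authenticator_data(data, rp, require_device_bound=True)
        print(name, "->", result or "accept")
```
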
There has been a growing preference for passkeys over passwords due to the increasing sophistication of cyber fraud. Major tech companies like Facebook and WhatsApp have already introduced passkeys, and Microsoft has even threatened to delete passwords of account users who have not shifted to passkeys.
Germany’s push towards full passkey adoption will require some work, as a 2024 report showed that only 38 percent of Germans were aware of what a passkey is, according to Techradar. Despite this, the BSI’s draft guidelines are a crucial step in educating the public and enhancing digital security in the country.
Q: What is the purpose of the BSI TR-03188 draft document?
A: The BSI TR-03188 draft document outlines technical considerations for configuring passkey servers, aiming to enhance digital security and combat cybercrimes such as phishing.
Q: When was the draft document published, and what is the deadline for feedback?
A: The draft document was published on September 30, and the deadline for feedback is November 16.
Q: What are passkeys, and why are they important for cybersecurity?
A: Passkeys are a passwordless authentication method that enhances security by eliminating the need for passwords. They are important for cybersecurity as they help prevent cybercrimes like phishing.
Q: Which major tech companies have already adopted passkeys?
A: Major tech companies like Facebook, WhatsApp, and Microsoft have already introduced passkeys or are planning to phase out passwords in favor of passkeys.
Q: What percentage of Germans were aware of passkeys as of 2024?
A: According to a 2024 report, only 38 percent of Germans were aware of what a passkey is.