Consumers hate passwords. Fraudsters love them. There might be no better business case for passkeys, which are a biometric, digital alternative to manually selected and stored passwords. Passkeys have also been at the center of recent product introductions from Visa, Mastercard and other payments and financial services companies. The development and usage of passkeys is arguably one of the most important security stories of the year.
How do they work? The answer to that question has a very simple level and a very complex technological level. To see the simple level, it’s easiest to look at Visa’s May 16 series of announcements featuring an example that combines the physical and digital shopping and security experience. Passkeys will initially be introduced into Click to Pay, a service mainly used outside the U.S., which links a digital credential to the consumer’s device. During a purchase, merchants request a digital credential from Visa, which validates the device details and issues a payment token. For consumers, the process involves clicking the “buy now” button, a quick facial scan, and then their payment cards appear at checkout. They can then choose their preferred payment card.
“We’ve all had times when you try to buy something and it doesn’t go through and you have to call your bank and they tell you there’s something suspicious about the transaction,” Mark Nelsen, senior vice president and global head of consumer payments at Visa, told PYMNTS’ CEO Karen Webster in mid-May. “With Passkeys, if you do the facial scan immediately upfront, you can do that real quick check. That means all these transactions will go through seamlessly and you no longer have to confirm your identity after the fact.”
Not everyone in the banking and payments business has had the immersion in the technology that Nelsen and his team have had. But with the expected explosion in passkey usage it’s important to have more than a casual knowledge of the technology, because these replacements for traditional passwords could redefine how we safeguard sensitive information in an increasingly digital world.
With that in mind, we’ve identified and answered six common questions around the history, usage and use cases of passkeys:
Passkeys offer a user-friendly alternative to traditional passwords. Instead of the user needing to remember and type a password, a passkey uses a pair of cryptographic keys: a public key, stored on the server, and a private key, stored securely on the user’s device. During authentication, the device uses the private key to produce a cryptographic signature, which the server verifies with the public key; the private key itself is never sent, so there is no shared secret for an attacker to steal or guess.
The concept of passkeys is rooted in the development of public key cryptography, which dates back to the 1970s. However, its application in digital payments has gained traction more recently. The adoption of passkeys accelerated with the introduction of the FIDO (Fast Identity Online) Alliance’s standards. The FIDO Alliance is an industry consortium that aims to improve online authentication by developing open, scalable and interoperable authentication standards. FIDO2, a set of specifications released in 2018, enabled passkeys for passwordless authentication, paving the way for their implementation in financial services. Major technology and financial companies have since begun adopting and promoting passkeys to enhance security and user experience.
Passkeys offer several security advantages:
Passkeys are typically generated during account registration or login setup. The user’s device creates a key pair: a private key, which remains on the device, and a public key, which is registered with the service provider. The private key is often kept in secure hardware such as a TPM (Trusted Platform Module) or a secure enclave, so it cannot be extracted or tampered with. Convenience comes from the integration with biometric authentication methods such as fingerprint or facial recognition, which unlock the private key and let users authenticate with a single touch or glance.
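The registration and login flow described in the two passages above, as an added example in Go; this is illustrative code written for this article, not Visa’s, the FIDO Alliance’s or any vendor’s implementation. It assumes a single relying party (“shop.example”) and user (“alice”), both constructed here, and uses ECDSA on P-256 as a stand-in for the FIDO2/WebAuthn protocol details it omits (attestation, authenticator data, signature counters). The `Authenticator` and `RelyingParty` types and every function name are this example’s own. The point it shows beyond the text: the device only signs for the origin it was registered with, and the server accepts each challenge once, which is why a replayed or phished login fails.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key is generated here
// and never leaves; in a real deployment it would sit in a TPM or secure enclave
// and be unlocked by a fingerprint or face scan.
type Authenticator struct {
	rpID string // relying party (origin) this passkey was created for
	priv *ecdsa.PrivateKey
}

// RelyingParty models the service. It stores only public keys plus the
// challenges it has issued but not yet seen answered.
type RelyingParty struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{
		rpID:    rpID,
		pubKeys: map[string]*ecdsa.PublicKey{},
		pending: map[string][]byte{},
	}
}

// Register is the account set-up step: the device creates a key pair and
// hands only the public half to the server.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Authenticator{rpID: rp.rpID, priv: priv}, nil
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedData binds the challenge to the relying-party identifier, so a
// signature produced for one site is meaningless on any other.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the device's half of authentication. rpID stands in for the origin
// the browser reports; a passkey refuses to answer for any other origin,
// which is the property that defeats look-alike phishing sites.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != a.rpID {
		return nil, errors.New("passkey is not registered for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}

// Verify is the server's half: the challenge must be one it issued and not
// yet used, and the signature must check under the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	want, ok := rp.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return false
	}
	delete(rp.pending, user) // one challenge, one use: blocks replay
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.rpID, challenge), sig)
}

func main() {
	rp := NewRelyingParty("shop.example")
	dev, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	challenge, _ := rp.NewChallenge("alice")
	sig, _ := dev.Sign("shop.example", challenge)
	fmt.Println("genuine login verifies:  ", rp.Verify("alice", challenge, sig))
	fmt.Println("replayed signature verifies:", rp.Verify("alice", challenge, sig))
	_, err = dev.Sign("shop-example.evil", challenge)
	fmt.Println("signing for look-alike origin:", err)
}
```

The challenge is consumed inside `Verify` before the signature is checked, so a failed attempt also burns the nonce; a production server would additionally enforce a timeout on pending challenges and check the authenticator’s signature counter.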
The Visa rollout has been the most high-profile example. Passkeys have also been implemented by large tech companies like Apple, Google and Microsoft, which have integrated FIDO2 standards into their platforms. For instance, Apple’s introduction of “Sign in with Apple” uses passkeys to authenticate users without passwords, significantly reducing the risk of phishing and credential theft. Similarly, Google has integrated passkeys into its accounts to enhance security for millions of users.
There are dozens of other successful use cases. One that could point the way in the future comes from the FIDO Alliance. In 2023, Japanese eCommerce giant Mercari, Inc., known for its marketplace services and payment solutions, implemented passkeys to enhance security and user experience. Previously reliant on passwords and SMS one-time passwords (OTPs), Mercari faced persistent real-time phishing attacks and high operational costs due to the extensive use of SMS OTPs. The introduction of passkeys met the stringent security demands of its new Bitcoin trading platform, Mercoin. By eliminating the need for additional authentication steps, passkeys improved not only security but also user satisfaction. The adoption has been successful, with 900,000 accounts registered and a sign-in success rate of 82.5%, significantly higher than the 67.7% achieved with SMS OTPs. Additionally, the average sign-in time dropped from 17 seconds with SMS OTPs to just 4.4 seconds with passkeys, a notable gain in efficiency.