Passkeys can make online payment authentication easier, but it’s complicated

If passkeys are adopted for online payments, the technology’s user base could scale rapidly. But payments are complicated, leading the FIDO Alliance to ask a panel at Authenticate 2024; “can we use passkeys to authenticate users in online card transactions”?

Payments were one of the use cases for passkeys that the conference focused on, with a dedicated track on Wednesday afternoon.

The discussion between Jonathan Grossar of Mastercard, Henna Kapur of Visa and Sean Estrada of Stripe was moderated by FIDO Alliance CEO and ED Andrew Shikiar.

The standards and infrastructure, or “rails” that underlie payment technology predate digital transactions, Estrada pointed out at the beginning of the discussion.

Authentication for payments is different than for account access, Shikiar says, and Grossar explained that the difference in risk introduced by the prospect of financial loss sets the bar higher. That means using passkeys as one of several authentication factors, along with device and card ownership.

Passkeys fit with the Strong Customer Authentication (SCA) requirement of Europe’s PSD2, but only in combination with another factor. If the passkey is based on biometrics, a knowledge or possession factor is needed.

PSD3 is coming, too. Kapur suggests that the new regulation may make the use of passkeys in online payments easier. In India, where Mastercard has introduced passkeys, regulations are different. In Southeast Asia and Africa are more different regulations, and many payments are made with QR codes.

Passkeys could also fit into automative payments in the future, with Kapur explained, with the car’s digital system as an acceptance channel and authentication through voice biometrics. The standards and technologies are still being worked out, however.

Ultimately, Grossar says, if passkeys are going to meet the needs of the global payment industry, the standards need to further evolve.

In the meantime, the answer to the question posed to the panel is “yes.”

Article Topics

Authenticate Conference  |  biometric authentication  |  biometric payments  |  biometrics  |  ecommerce  |  FIDO Alliance  |  passkeys  |  PSD2