Entering the passkey era of identity in payments


By Matt Charpentier, Vice President, Global Head of Authentication, Identity and Tap, Visa

Picture this: every time you make an online payment, behind the scenes is a high-stakes game of chess. One where – whether you know it or not – you’re navigating a landscape fraught with potential threats, from hackers trying to steal your information to sophisticated scams designed to trick you. Each transaction you make is a move on this digital chessboard, where the stakes are your personal and financial security. But this game isn’t just a metaphor – in today’s very real digital age, the cornerstone of secure payments is identity, and as online fraud surges, identity theft poses a significant threat, driving consumers and businesses to seek experiences that deliver trust and security.

Cybercrime looms large in any industry, but especially in payments. U.S. adults lost $10 billion in scams in 2023, a grim milestone as bad actors succeed in bypassing traditional defenses. Some 80 percent of organizations were victims of payment fraud last year, with digital transaction fraud rates seven times higher than card-present rates.

Fortunately, advancements in technology, data, and ecosystem readiness are poised to unlock a wave of change, allowing for safer, more personalized, and seamless payments experiences for consumers and businesses. New digital identity authentication methods based on digital passkey technology will act like a shield against threats and hold the key to customer satisfaction with a more frictionless payment process. Later this year, we’ll start to see big inroads in this area. When deployed at scale, payment passkeys will be poised to enhance the payment experience by making authentication more seamless and more secure.

Moving toward a trusted digital identity

One of the biggest challenges in e-commerce is ensuring that the consumer attempting a transaction is the person they say they are. Historically, it’s been up to merchants and issuers to verify a customer during or after a transaction. If they accept payment, the authorization chain flows across the ecosystem and its varied risk defenses.

The injection of friction that comes with that process is poised to fade. The rise of real-time payment networks (RTP) and open banking frameworks has pushed the concepts of ‘digital identity’ and active authentication to the forefront, where authentication can’t wait until a transaction is taking place or after. With RTP, a verified user moves money in near-real time to a vetted recipient. That concept of ‘known’ identity will spread. Going forward, a known and trusted digital identity will act as a foundation that consumers and merchants can lean on and trust to streamline a purchase transaction.

Interoperable standards such as FIDO2 (Fast Identity Online), EMV and Secure Payment Confirmation, a W3C Candidate Recommendation, play an important role in advancing innovation in this area with passkeys that are more secure than passwords or SMS-based one-time passcodes and simpler for consumers to use.

Passkeys were initially developed to replace passwords, but they are quickly expanding to other use cases, including moving into the payments world. A payment passkey is a next-gen authentication credential stored locally on a consumer device. You can authenticate a payment the way you unlock your phone – with a fingerprint or facial scan providing cryptographic proof of authentication with biometric data that stays on the device. Unlike OTPs (one-time passwords), passkeys are phishing resistant because they use public-key cryptography, ensuring that authentication credentials cannot be intercepted or misused by attackers.
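Why the public-key design resists phishing where a relayed OTP does not, as an added example that is not from the article or from Visa: a simplified WebAuthn-style assertion check in Node.js. The domains, the trimmed authenticator data (RP ID hash only) and all function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Device side: the private key never leaves the authenticator. The signature
// covers the RP ID hash plus the client data the browser recorded.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const authData = sha256(rpId); // simplified: real data also has flags and a counter
  const signature = crypto.sign("sha256",
    Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Server side: only the public key is stored, so a breach leaks no shared secret.
function verifyAssertion(publicKey, expected, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "bad-type";
  if (client.challenge !== expected.challenge) return "stale-or-replayed-challenge";
  if (client.origin !== expected.origin) return "wrong-origin";
  if (!a.authData.equals(sha256(expected.rpId))) return "wrong-rp-id";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature)
    ? "ok" : "bad-signature";
}

function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const fresh = () => crypto.randomBytes(32).toString("base64url");
  const expected = { rpId: "bank.example", origin: "https://bank.example",
                     challenge: fresh() };
  const genuine = signAssertion(privateKey, expected.rpId, expected.origin,
                                expected.challenge);
  // Constructed look-alike page relaying the bank's challenge. A real
  // authenticator has no credential for this RP ID and would not sign at all;
  // signing is modelled here only to make the server-side rejection visible.
  const phished = signAssertion(privateKey, "bank-login.example",
                                "https://bank-login.example", expected.challenge);
  // Swapping in honest-looking client data cannot be done without the private key.
  const tampered = { ...genuine, signature: phished.signature };
  return {
    genuine: verifyAssertion(publicKey, expected, genuine),
    phished: verifyAssertion(publicKey, expected, phished),
    tampered: verifyAssertion(publicKey, expected, tampered),
    replayed: verifyAssertion(publicKey, { ...expected, challenge: fresh() }, genuine),
  };
}
```

An OTP typed into the look-alike page would verify at the bank unchanged; here the only assertion that passes is the one signed for the bank's own origin and current challenge.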

For instance, in Australia, there is a growing effort to move away from relying solely on SMS One-Time Passwords (OTPs) because of their vulnerability to AI-driven fraud. Financial institutions are increasingly adopting advanced authentication methods such as biometric authentication, in-app authentication, or passkeys. This transition aims to better protect consumers against sophisticated scams and fraud, highlighting the necessity of evolving security standards to keep pace with technological advancements.

Connecting the dots between biometrics and payment credentials

In payments, a passkey connects a user’s biometric identity – something they are – to both a device – something they have – and a payment credential such as a device token, and binds them together.

The potential reach is vast. Every smartphone shipped in the last 10 years has had some biometric capabilities built into it. The FIDO Alliance has developed industry standards for using biometrics to authenticate identities online, using public key infrastructure similar to that used in contactless chip cards; FIDO is supported natively on more than 4 billion devices and on all major operating systems and browsers.

Building on passkeys, novel authentication methods like Secure Payment Confirmation (SPC) can help in meeting regulatory requirements while helping to reduce fraud in online transactions. Visa is now piloting SPC, which provides high-level protection against online threats and supports Strong Customer Authentication (SCA) under the EU’s Revised Payment Services Directive (PSD2). It employs a FIDO authentication provided by the issuer and performed by the merchant, prioritizing security while providing users with a familiar checkout flow. Initial pilots show SPC removes friction in the authentication process, reduces abandonment and improves the competitiveness of card-based payments.

As more of our day-to-day activities become digital, proving ‘you are you’ becomes more crucial than ever – and commerce sits at the center. Payment passkeys are the first step to revolutionize the way the world pays. The industry is not just facilitating transactions; it is creating trust and ensuring peace of mind for every party involved.

About the author

Matt Charpentier is Vice President, Global Head of Authentication, Identity and Tap, at Visa.
