Making Sense of the New Security Paradigm
Consumers hate passwords. Fraudsters love them. There might be no better business case for passkeys, which are a biometric, digital alternative to manually selected and stored passwords. Passkeys have also been at the center of recent product introductions from Visa, Mastercard and other payments and financial services companies. The development and usage of passkeys is arguably one of the most important security stories of the year.
How do they work? The answer to that question has a very simple level and a very complex technological level. To see the simple level, it’s easiest to look at Visa’s May 16 series of announcements featuring an example that combines the physical and digital shopping and security experience. Passkeys will initially be introduced into Click to Pay, a service mainly used outside the U.S., which links a digital credential to the consumer’s device. During a purchase, merchants request a digital credential from Visa, which validates the device details and issues a payment token. For consumers, the process involves clicking the “buy now” button, a quick facial scan, and then their payment cards appear at checkout. They can then choose their preferred payment card.
“We’ve all had times when you try to buy something and it doesn’t go through and you have to call your bank and they tell you there’s something suspicious about the transaction,” Mark Nelsen, senior vice president and global head of consumer payments at Visa, told PYMNTS’ CEO Karen Webster in mid-May. “With Passkeys, if you do the facial scan immediately upfront, you can do that real quick check. That means all these transactions will go through seamlessly and you no longer have to confirm your identity after the fact.”
Not everyone in the banking and payments business has had the immersion in the technology that Nelsen and his team have had. But with the expected explosion in passkey usage it’s important to have more than a casual knowledge of the technology, because these replacements for traditional passwords could redefine how we safeguard sensitive information in an increasingly digital world.
With that in mind, we’ve identified and answered six common questions around the history, usage and use cases of passkeys:
How are passkeys different from traditional passwords in digital payments?
Passkeys offer a user-friendly alternative to traditional passwords. Instead of the user needing to remember and input a password, a passkey uses a pair of cryptographic keys: a public key, stored on the server, and a private key, stored securely on the user’s device. During authentication, the device uses the private key to generate a cryptographic signature verified by the public key, ensuring a highly secure and user-friendly authentication process.
How were passkeys developed?
The concept of passkeys is rooted in the development of public key cryptography, which dates back to the 1970s. However, its application in digital payments has gained traction more recently. The adoption of passkeys accelerated with the introduction of the FIDO (Fast Identity Online) Alliance’s standards. The FIDO Alliance is an industry consortium that aims to improve online authentication by developing open, scalable and interoperable authentication standards. FIDO2, a set of specifications released in 2018, enabled passkeys for passwordless authentication, paving the way for their implementation in financial services. Major technology and financial companies have since begun adopting and promoting passkeys to enhance security and user experience.
What are the main security advantages of using passkeys?
Passkeys offer several security advantages:
- Elimination of Phishing Risks: Since passkeys do not involve shared secrets like passwords, they are not vulnerable to phishing attacks.
- Resistance to Credential Theft: Passkeys are stored locally on the user’s device and are never transmitted or stored on the server, making them immune to server-side breaches.
- Strong Cryptographic Assurance: The use of public key cryptography ensures a highly secure authentication process.
- Reduction of Credential Reuse: Each passkey is unique to a specific service, eliminating the risk of credential reuse across different services.
- Enhanced User Privacy: Passkeys provide a more private authentication method, as the private key never leaves the user’s device.
How are passkeys generated and managed to ensure a positive user experience?
Passkeys are typically generated during the account registration or login setup process. The user’s device creates a key pair: a private key, which remains on the device, and a public key, which is registered with the service provider. Passkeys are often integrated into secure hardware elements like TPMs (Trusted Platform Modules) or secure enclaves for ongoing management, ensuring they cannot be extracted or tampered with. User convenience is enhanced through the seamless integration with biometric authentication methods, such as fingerprint or facial recognition, allowing users to authenticate with a single touch or glance.
What are real-world examples or case studies where passkeys have significantly improved the security of digital payment systems?
The Visa example has been the most high-profile example. Passkeys have been implemented by other by large tech companies like Apple, Google and Microsoft, which have integrated FIDO2 standards into their platforms. For instance, Apple’s introduction of “Sign in with Apple” uses passkeys to authenticate users without passwords, significantly reducing the risk of phishing and credential theft. Similarly, Google has integrated passkeys into its accounts to enhance security for millions of users.
There are dozens of other successful use cases. One that could point the way in the future comes from the FIDO alliance. In 2023, Japanese eCommerce giant Mercari, Inc., known for its marketplace services and payment solutions, implemented passkeys to enhance security and user experience. Previously reliant on passwords and SMS one-time passwords (OTPs), Mercari faced persistent real-time phishing attacks and high operational costs due to the extensive use of SMS OTPs. The introduction of passkeys met the stringent security demands of their new Bitcoin trading platform, Mercoin. By eliminating the need for additional authentication steps, passkeys not only improved security but also user satisfaction. The adoption has been successful, with 900,000 accounts registered and a sign-in success rate of 82.5%, significantly higher than the 67.7% achieved with SMS OTPs. Additionally, the average sign-in time dropped from 17 seconds with SMS OTPs to just 4.4 seconds with passkeys, marking a notable enhancement in efficiency.