Passkeys: Secure, Seamless, Passwordless

E-commerce Platforms: Reduce checkout abandonment with one-touch payment authentication. Enable stored payment methods that customers can authorize instantly without memorizing passwords or waiting for OTPs. Increase conversion rates while exceeding PSD2 Strong Customer Authentication requirements.

Payment Service Providers: Deliver seamless authentication for merchants accessing dashboards, processing refunds, and managing settlements. Support multi-user account structures with role-based authentication that's both secure and convenient. Accelerate PSP onboarding with streamlined KYC and authentication enrollment.

Wealth Management & Investment Platforms: Provide secure access to sensitive financial information and high-value transaction capabilities. Enable quick authentication for time-sensitive trading while maintaining audit trails. Balance the need for robust security with the speed required in financial markets.

Digital Wallets: Create frictionless wallet access for frequent micro-transactions while maintaining security for wallet funding and peer-to-peer transfers. Support multiple device types and operating systems with consistent authentication experiences.

Passkey authentication is a passwordless login method based on FIDO2 and WebAuthn standards that uses cryptographic key pairs instead of passwords. When you register a passkey, your device generates two mathematically linked keys: a private key that stays securely on your device (never transmitted or stored on servers), and a public key that's registered with the service.
 

The key differences from passwords:

• No shared secrets: Unlike passwords that are sent to and stored on servers (where they can be stolen in data breaches), passkeys use public key cryptography where the server only holds the public key—which is useless to attackers without the corresponding private key
• Biometric authentication: Users authenticate with fingerprint, facial recognition, or device PIN instead of remembering complex passwords
• Phishing-resistant: Each passkey is cryptographically bound to the specific service's domain, making it mathematically impossible to use on fake phishing sites
• No password reuse: Every passkey is unique to both the user and the service, eliminating credential stuffing attacks

For financial institutions, this means replacing the authentication method responsible for 81% of data breaches with technology that's faster, more secure, and easier for customers to use.

Yes, passkeys provide significantly stronger security than traditional password-based authentication and are specifically designed to meet stringent financial services regulatory requirements.

Security advantages for financial services:

• Phishing immunity: Passkeys cannot be tricked into working on fraudulent sites, even if customers are socially engineered
• Breach resistance: Server-side database breaches yield only public keys, which are cryptographically useless to attackers
• Device-bound security: Private keys are protected by device secure enclaves (TPM, Secure Element) and cannot be extracted even by malware
• Biometric privacy: Biometric data never leaves the device—services receive only cryptographic signatures, never fingerprints or facial scans

Regulatory compliance:

Passkeys inherently satisfy multi-factor authentication requirements:

• Possession factor: The device holding the passkey
• Inherence factor: Biometric authentication (fingerprint, Face ID)
• Knowledge factor: Device PIN (alternative to biometric)

For PSD2 Strong Customer Authentication (SCA), passkeys meet all requirements including dynamic linking when implemented via Secure Payment Confirmation (SPC). For the upcoming PSD3 regulations, passkeys satisfy the phishing-resistant authentication mandate that will be required for high-risk transactions by October 2027.

Major card schemes (Visa, Mastercard) have certified passkey authentication for payment transactions, and regulatory bodies including the European Banking Authority recognize FIDO2-based authentication as meeting enhanced security standards.

Passkeys integrate with EMV 3-D Secure in multiple ways, offering financial institutions flexibility based on their role in the payment ecosystem:

For Card Issuers (via Access Control Server):

When your Access Control Server (ACS) requires step-up authentication during a 3DS transaction, passkeys replace SMS one-time passwords in the challenge flow. Instead of customers waiting 20-45 seconds for an SMS code, they authenticate with biometrics in 3-8 seconds. This can be implemented through:

• Standard WebAuthn integration: Passkey authentication within your ACS challenge page
• Secure Payment Confirmation (SPC): Browser-native authentication dialog displaying transaction details (amount, merchant, payee) with passkey authentication—meeting dynamic linking requirements without redirecting customers

For Merchants (Delegated Authentication):

Large merchants using passkeys for account login can pass FIDO authentication data to issuers via the 3DS request. Issuers recognize this strong authentication as a trust signal

and can approve transactions frictionlessly without additional challenges—improving conversion by 15-25% while maintaining security.

For Payment Service Providers:

PSPs implementing Netcetera's 3DS Server can support both models—processing FIDO data from merchant passkeys for frictionless flows, and integrating with issuers' passkey-enabled ACS for challenge flows.

For Payment Networks:

Visa Payment Passkey and Mastercard Payment Passkey services provide network-level passkey authentication that works across all participating merchants, integrated with their 3DS infrastructure and Click to Pay services.

Netcetera's 3-D Secure solutions (ACS for issuers, 3DS Server for PSPs/acquirers) support passkey integration across all these scenarios, with SPC readiness built into our roadmap.

Modern passkey implementations solve the device loss challenge through secure synchronization and multiple recovery options—making passkeys actually more recoverable than passwords while maintaining security.

Multi-Device Synchronization:

Passkeys created on one device automatically sync to all of a user's devices within the same ecosystem using end-to-end encrypted cloud storage:

• Apple ecosystem: iCloud Keychain syncs passkeys across iPhone, iPad, and Mac
• Google ecosystem: Google Password Manager syncs across Android devices and Chrome browsers
• Microsoft ecosystem: Microsoft Account syncs across Windows devices

Importantly, this synchronization maintains security—passkey material is encrypted on the device before cloud storage, and the cloud provider (Apple, Google, Microsoft) cannot access the private keys even though they host the encrypted data.

What this means for device loss:

If a customer loses their phone, their passkeys remain accessible on their other devices (tablet, computer, etc.). When they get a new phone and sign in to their Apple ID, Google Account, or Microsoft Account, their passkeys sync to the new device automatically.

Recovery Options for Financial Institutions:

For customers who lose all their devices or are setting up a new ecosystem, Netcetera's passkey authentication supports multiple recovery strategies:

1. Secondary passkey enrollment: Customers can register multiple passkeys (e.g., phone + laptop) during initial setup

2. Backup authentication methods: Time-limited fallback to alternative authentication during recovery period

3. Supported account recovery: Enhanced identity verification process (multiple knowledge-based questions, document verification, video identity confirmation) followed by new passkey enrollment

4. Device-based recovery: For mobile banking apps, users can re-register passkeys after reinstalling the app and completing strong identity verification

Better than password recovery:

Traditional password recovery often relies on email or SMS—both vulnerable to interception. Passkey recovery leverages the security of device ecosystems and multi-factor identity verification, providing more secure recovery than password reset flows.

Financial institutions can configure recovery policies based on their risk tolerance, with Netcetera providing flexible implementation options from highly automated (for low-value accounts) to heavily supported (for high-net-worth or corporate accounts).