In this EMV® Insights post, Sami Tikkala, Chair of the EMVCo Digital Identity and Payments Task Force, explains how passkeys can help to support more seamless and secure online payment experiences.
What is a passkey?
A passkey is a consumer-facing term for a Fast Identity Online (FIDO) authentication credential. Passkeys allow a user to authenticate themselves on a device with the same process that they use to unlock it, such as a biometric, a PIN or a pattern.
Passkeys are FIDO cryptographic credentials that are tied to a user’s account. They can be bound to a particular device (known as device-bound passkeys), or may be synced across a user’s different devices. More information about passkeys is available on the FIDO Alliance website.
Can passkeys be used in payments?
Yes. The main use case for passkeys is as a phishing-resistant replacement for passwords as the first (primary) factor for account authentication. However, passkeys can also be used across other use cases where trust and convenience are integral – including online payments.
What are the benefits for passkeys in payments?
Passkeys offer an improvement in both user experience and security over passwords and one-time passcodes (OTPs) delivered by SMS or email. Initial research undertaken by EMVCo shows that consumers also recognise the security benefits and convenience of using passkeys for payments.
Which EMV Technologies currently support the use of passkeys?
EMV Secure Remote Commerce (SRC) and EMV 3-D Secure (3DS) support passkeys. At a high level, the use of passkeys in EMV SRC supports cardholder identification, while the use of passkeys in EMV 3DS supports cardholder authentication.
How does EMV SRC support passkeys?
EMVCo has been exploring how passkeys can be leveraged within the EMV SRC ecosystem to simplify the customer journey.
New additions within the EMV SRC API/SDK Specifications Version 1.5 – which have now been published – will enable consumers to create a passkey to access the enrolled cards linked to their Click to Pay profile (known as card listing). EMVCo is investigating how passkeys could remove the need for the consumer to enter an OTP each time they want to select their payment cards.
How does EMV 3DS support passkeys?
Before exploring how EMV 3DS supports passkeys, it is important to understand the two primary 3DS flows – the Frictionless Flow and the Challenge Flow. The Frictionless Flow enables issuers to accept transactions without a step-up authentication. However, if a transaction is deemed high-risk by the issuer or needs confirmation by the cardholder, the Challenge Flow is triggered. This requires the cardholder to provide additional information directly to the issuer for the transaction to take place.
The Challenge Flow is flexible enough to support various authentication methods to suit different preferences and industry requirements, including FIDO-based WebAuthn and Secure Payment Confirmation (SPC). SPC is a candidate recommendation of the World Wide Web Consortium (W3C) that is built on WebAuthn and leverages the security and usability benefits of passkeys to support streamlined authentication. Because the passkey signature in SPC is bound to the transaction details the cardholder was shown, it can also help to better determine the legitimacy of a transaction and reduce the risk of fraud across both issuer-initiated and merchant-initiated transactions.
How is EMVCo advancing the use of passkeys within EMV 3DS?
To improve the consumer experience when SPC is used, EMVCo and its Associates have provided feedback to W3C to enhance the SPC user interface (UI). Looking ahead, EMVCo is exploring UI improvements for passkey authentication in recurring and non-payment transactions.
EMVCo is also working with FIDO Alliance to address device binding and attestation requirements, which are needed to support local regulation. This follows the release of EMVCo’s white paper on the use of FIDO Data in 3DS messages.
Who is EMVCo collaborating with on passkeys?
Industry collaboration is integral to EMVCo’s ongoing work to explore and enhance the use of passkeys in payments. Key initiatives include a liaison agreement with the FIDO Alliance – which has now been established for almost 10 years – to support the development of specifications and initiatives that improve security and payment experiences around the world.
EMVCo, FIDO Alliance and W3C also established the Web Payments Security Interest Group (WPSIG) in 2019 to enhance the security and interoperability of web payments to support seamless e-commerce checkout experiences. Identifying new functionality, use-cases and user experiences for EMVCo, FIDO and W3C technologies is a priority for the group, including updates to SPC to promote streamlined strong customer authentication and understanding how passkeys can combine with other technologies.
In addition, EMVCo has convened a dedicated Digital Identity and Payments Task Force to investigate further areas for collaboration across EMV Technologies. Looking ahead, and as the use of passkeys and other digital identity initiatives in payments advances, EMVCo is committed to ongoing engagement with EMVCo Associates, Subscribers and industry partners.