Consumers hate passwords. Fraudsters love passwords. There's no better business case for Passkey, a biometric digital alternative to manually selected and stored passwords, and it's been at the center of several recent product launches. visa, master Card and Other payments and financial services companies. The development and use of passkeys is perhaps one of the most important security news stories of the year.
How does it work? The answer to that question can be very simple or very complex technical. The easiest way to see the simple level is to look at a series of announcements from Visa on May 16th, which featured examples of combining physical and digital shopping and security experiences. Passkey will first be deployed to Click to Pay, a service used primarily outside the US that links a digital credential to a consumer's device. At the time of purchase, the merchant requests the digital credential from Visa, which then validates the device details and issues a payment token. For the consumer, the process involves:[今すぐ購入]With the click of a button and a quick scan of your face, your payment cards will be displayed at checkout, after which you can choose your preferred payment card.
“We've all had the experience of trying to buy something and it not working out, then calling the bank and being told there's something fishy about the transaction.” Mark NelsenSenior Vice President and Global Head of Consumer Payments visa“With Passkeys, you can scan your face up front and verify it really quickly, so all of these transactions happen seamlessly and you don't have to verify your identity after the fact,” PYMNTS CEO Karen Webster said in mid-May.
Not everyone in banking and payments is as immersed in technology as Nelsen and his team, but with the expected explosion of passkeys, how to use It's important to have more than just a little bit of knowledge technology, That's because these alternatives to traditional passwords have the potential to redefine how we protect sensitive information in an increasingly digital world.
With that in mind, we've identified and answered six frequently asked questions. The surrounding area History, Usage and Examples of using a passkey:
How is a passkey for digital payments different from a traditional password?
A Passkey is a user-friendly alternative to traditional passwords. Rather than requiring users to remember and enter passwords, a Passkey uses two cryptographic keys: a public key stored on a server and a private key stored securely on the user's device. During authentication, the device uses the private key to generate a cryptographic signature that is verified by the public key, ensuring a highly secure and user-friendly authentication process.
How was the Passkey developed?
The concept of a passkey has its roots in the development of public key cryptography, which dates back to the 1970s. However, its application to digital payments has only recently gained traction. The adoption of passkeys has FIDO (Fast Online Identity) Alliance Standards. The FIDO Alliance is an industry consortium that aims to improve online authentication by developing open, scalable, and interoperable authentication standards. FIDO2, a set of specifications released in 2018, enabled Passkey for passwordless authentication, paving the way for its implementation in financial services. Since then, leading technology and financial companies have begun to adopt and promote Passkey for enhanced security and user experience.
What is the main security advantage of using a passkey?
A passkey has several security benefits:
- Eliminates phishing risks: Because passkeys don't contain a shared secret like passwords, they are not vulnerable to phishing attacks.
- Resistant to credential theft: Passkeys are stored locally on the user's device and are never sent or stored on the server, making them immune to server-side compromises.
- Strong encryption guarantee: The use of public key cryptography ensures a highly secure authentication process.
- Reduced credential reuse: Each passkey is unique to a particular service, eliminating the risk of credential reuse across different services.
- Enhanced user privacy: Passkey provides a more private method of authentication because the private key never leaves the user's device.
How are passkeys generated and managed to ensure a good user experience?
A passkey is typically generated during the account registration or login setup process. The user's device creates a key pair: a private key that remains on the device and a public key that is registered with the service provider. The passkey is often integrated into a secure hardware element, such as: TPM (Trusted Platform Module) Or you can create a secure enclave for ongoing management, ensuring no extraction or tampering is possible.Seamless integration with biometric authentication methods such as fingerprint or facial recognition provides greater user convenience, allowing users to authenticate with a single touch or glance.
What are some real-world examples or case studies where passkeys have significantly improved the security of digital payment systems?
The Visa example is the most famous one. other Big Technology Apple, Google and MicrosoftCompanies are integrating FIDO2 standards into their platforms. For example, Apple introduced “Sign in with Apple” which uses a passkey to authenticate users without a password, greatly reducing the risk of phishing and credential theft. Similarly, Google is integrating passkey into their accounts, enhancing security for millions of users.
There are many other successful examples. One that may point the way to the future is the FIDO Alliance. In 2023, Japanese e-commerce giant Mercari Inc. Mercari, known for its marketplace services and payment solutions, introduced Passkey to enhance security and user experience. Previously, the company relied on passwords and SMS one-time passwords (OTPs), but faced relentless real-time phishing attacks and high operational costs due to the widespread use of SMS OTPs. The introduction of Passkey enabled the company to meet the stringent security requirements of Mercoin, a new bitcoin trading platform. By eliminating the need for additional authentication steps, Passkey improved not only security but also user satisfaction. The introduction was successful, with 900,000 accounts registered and a sign-in success rate of 82.5%, significantly higher than the 67.7% achieved with SMS. OTPAdditionally, the average sign-in time dropped from 17 seconds using SMS OTP to 4.4 seconds using passkey, demonstrating significant efficiency gains.
