
What is a passkey? Here’s everything you need to know

August 29, 2024 | By Maggie Sieger

It’s no secret we’re suffering from password fatigue. Every website and app we touch seems to demand a password with eight digits and a slew of special characters. That explains why nearly 80% of people reuse the same password at least once.

Longer, more complicated passwords are supposed to maintain security. Yet 2023 was the worst year ever for data breaches, impacting 353 million Americans. That is, until this year, when more than a billion people had their data stolen in just the first six months of 2024, according to one survey.

Enter the passkey — a digital credential for logging into websites or apps. Unlike passwords, passkeys do all the remembering for you by eliminating the need to input your password or a one-time passcode, and requiring only the same biometrics you already use to unlock your phone to authenticate yourself.

passkey
/ˈpas-ˌkē/ • noun

1. a key that provides special access (as to a secure area)

2. an authentication method that uses biometrics (such as fingerprint or facial recognition) to identify and grant access to an authorized user

 

Passkeys are safer and more secure than passwords. If you haven’t been asked to set up a passkey yet, you soon will be.

What are passkeys?

Passkeys are a fast and secure authentication method that replaces passwords with biometric authentication, like facial recognition or a fingerprint, or a swipe pattern (a three-by-three grid of dots) or PIN, across all of a user’s devices, creating a passwordless login.

A group of tech companies, including Mastercard, banded together more than a decade ago to develop the FIDO (Fast Identity Online) Alliance to address the inherent weaknesses of traditional passwords and eventually transition to passkeys. In addition to being easier and faster for users, these password alternatives help fight fraud by making data more difficult to hack or phish.

How do passkeys work?

Passkeys work using algorithms to encrypt data so users can verify their identity quickly and securely. When users first sign into an account, their device creates a pair of keys: a public key that is shared with the website to validate the passkey, and a private key that stays on the user's device and unlocks the passkey to access the account.

And it can work across devices from the same operating system: If you set up a passkey for an app or website on your phone, it can work if you log in from your laptop or tablet.

In October 2023, Google announced that passkeys would be its default login method for all users globally. Other large consumer companies, like CVS Health, Intuit and Nintendo, also have introduced passkeys as a password alternative. The state of Michigan already has started implementing passkeys on its website, resulting in 1,300 fewer calls related to password resets in a single month.

Are passkeys safe?

Passkeys are safe because they are linked to the website and the specific account and can only be unlocked by the legitimate user. They cannot be guessed, hacked or keylogged, and users cannot be tricked into entering a passkey on a fraudulent site.

Essentially, passkeys confirm that you are the owner of your device, using your chosen method of authentication, like your fingerprint or facial recognition.
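
The key pair from "How do passkeys work?" and the website binding from "Are passkeys safe?" can be modelled in a short Node.js sketch. This is an added example, not Mastercard's or the FIDO Alliance's code: it leaves out the real WebAuthn message formats, and the class names and the shop.example origins are made up for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Device side (hypothetical class): one key pair per website; private keys stay in this object.
class Authenticator {
  constructor() { this.keys = new Map(); }             // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey;                                   // only the public half is shared
  }
  // Signs the website's challenge together with the origin the browser is actually on.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;                       // no passkey exists for this site
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('base64url') });
    return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// Website side (hypothetical class): stores only the public key.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = nodeCrypto.randomBytes(32); return this.pending; }
  verify(assertion) {
    if (!assertion || !this.pending) return false;
    const expected = this.pending.toString('base64url');
    this.pending = null;                                // each challenge is single use
    const data = JSON.parse(assertion.clientData);
    if (data.origin !== this.origin || data.challenge !== expected) return false;
    return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData), this.publicKey, assertion.signature);
  }
}

function demo() {
  const GOOD = 'https://shop.example', FAKE = 'https://shop-login.example'; // constructed origins
  const device = new Authenticator(), site = new RelyingParty(GOOD);
  site.enroll(device.register(GOOD));
  const genuine = site.verify(device.sign(GOOD, site.newChallenge()));
  // On a look-alike origin the device has no key to use, so nothing valid reaches the real site.
  const phished = site.verify(device.sign(FAKE, site.newChallenge()));
  // A previously accepted response is rejected once the site has issued a fresh challenge.
  const old = device.sign(GOOD, site.newChallenge());
  const first = site.verify(old);
  site.newChallenge();
  const replayed = site.verify(old);
  return { genuine, phished, first, replayed };
}
```

Calling demo() returns true for the genuine and first logins and false for the look-alike origin and the replayed response.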

Are passkeys going to replace passwords?

Passkeys are going to replace passwords. Eventually, logging into most websites or apps will require a passkey. Tech companies like Apple, Amazon and Mastercard already favor passkeys, because they are not only safer, but also easier and faster and offer a significantly improved user experience.

Who uses passkeys?

Passkeys are being used by all the major technology companies. Apple, Amazon, Google and Meta are promoting passkeys. By May 2024, 53% of people surveyed in the U.S. and the U.K. had enabled passkeys on at least one of their accounts, with 22% enabling them on every account they could.

How do I create a passkey?

To create a passkey with a company that supports them, usually you simply log into its website or app, look for the button labeled “create passkey” and follow instructions to enable passwordless login. 

How do I delete a passkey?

To delete a passkey, typically you log in to a website or app and go to the login and/or security section. You then select the passkey, hit delete and then confirm.

Are my biometrics shared when I create a passkey?

Your biometrics are not shared beyond your device when you create a passkey. Your biometric data never leaves your device because your biometrics are managed by the device, not the website or the app that you are trying to access.

Can passkeys be used for payments?

Passkeys can be used for payments. Payment passkeys offer a more secure and easier way for cardholders to authenticate themselves during e-commerce transactions on web or merchant apps. Payment passkeys use the same biometric authentication mechanisms that people are already using on their devices.

The Mastercard Payment Passkey Service enables participating merchants to offer biometric cardholder authentication for online payments with Mastercard passkeys across all guest checkout like Click to Pay, the online checkout service, and card-on-file checkout.

When passkeys and Click to Pay are combined with tokenization, the encryption technique that turns your card number into an alternate number so your data is never shared with a merchant, it creates true one-click checkout — no more forgotten passwords, annoying one-time passcodes or even typing in your card number. In fact, Mastercard recently announced that manual card entry would be eliminated for e-commerce transactions in Europe by 2030, and is rolling out its Mastercard Payment Passkey Service first in India with a number of the nation’s largest payment players.

The service is a game-changer for online checkout. A shopper simply chooses their Mastercard when checking out as a guest or selects a card already secured on file with a merchant. From there, a shopper can use the biometric authentication mechanism features on their device — for example, a fingerprint or face scan. Upon successful authentication, the payment is instantly completed.

Maggie Sieger, Contributor