Passkeys and Passwordless Authentication: A PCI Perspective on the Future of Identity

The beginning of the end of passwords

The humble password has been at the heart of authentication since the early days of the internet. It has also been the root cause of countless breaches. As attackers automate credential stuffing and phishing attacks, reuse stolen credentials and harvest login details through malware, businesses have been left defending an ever-growing attack surface. Meanwhile, users struggle with password fatigue, leading them to choose simple or recycled combinations that are easy to guess.

A new authentication paradigm is emerging. Passkeys are FIDO2-based credentials that live on devices rather than in central databases, promising a future where users tap a trusted device or biometric sensor instead of typing a secret. Adoption is accelerating. Market analysts predict that more than half of workforce authentication transactions and over one fifth of customer logins will be passwordless by 2025. Industry research shows that many organisations are actively transitioning away from passwords, with FIDO2 protocols projected to be used in over a quarter of multifactor authentication transactions within the same timeframe. Recent studies report that passkey authentications have more than doubled in a year, reaching well over a million per month, and more than one billion people have already created at least one passkey.

For merchants that handle payment data, the shift to passkeys is not just a matter of convenience. It is a strategic security decision that can reduce compliance burden, strengthen defence against AI-driven credential attacks and build customer trust. This post explores how passkeys work, why they matter for payment environments and what steps merchants should take to adopt passwordless authentication responsibly.

How passkeys work

Passkeys replace shared secrets with asymmetric cryptography. When a user registers on a site that supports passkeys, their device generates a unique key pair: a public key that is stored by the service and a private key stored securely on the user’s device. Authentication works by proving possession of the private key, typically by unlocking the device with a fingerprint or facial recognition. Because the private key never leaves the device, there is nothing for attackers to steal or reuse. Key characteristics include:

  • Phishing resistant: Passkeys are bound to the origin where they were created. A fake login page cannot trick the authenticator into sending a valid proof because the cryptographic challenge must match the legitimate domain.
  • Unique per service: Each site gets its own key pair, so a breach of one service does not expose credentials for another.
  • Biometric friendly: Modern devices integrate passkeys with platform biometrics. A fingerprint or face scan simply unlocks the key; biometric data never travels to the service.
  • Synced across devices: Major platforms support syncing passkeys between a user’s devices through secure cloud escrow. This enables seamless sign in on a new phone or laptop while keeping the keys tied to the user’s identity.
  • Standards based: Passkeys rely on open standards such as FIDO2 and WebAuthn, ensuring broad interoperability and vendor neutrality.

Why payment providers should care

Payment environments are prime targets for credential theft. Attackers use automated tools to take over customer accounts, reroute funds and harvest card numbers. PCI DSS 4.0.1 already requires multifactor authentication for all non-console administrative access and for any user who can view cardholder data. Passkeys can help meet these requirements while improving usability. Their benefits include:

  • Reduced account takeover risk: Phishing resistant credentials prevent attackers from reusing stolen passwords or one-time codes. Passkey adoption in e-commerce has already led to double digit reductions in account takeover attempts.
  • Lower support costs: Password resets and lockouts burden help desks. Organisations implementing passkeys report shorter login times and higher success rates, which translate to fewer support tickets.
  • Streamlined customer experience: A quick biometric gesture at checkout can decrease cart abandonment and increase conversion. As more large merchants make passkeys the default, customers will come to expect frictionless login.
  • Smaller compliance scope: By authenticating users via strong device bound keys, merchants can reduce the reliance on shared secrets and may scope out certain password storage systems from their PCI assessment. However, they must still protect the key registration and recovery flows and maintain logs.
  • Alignment with zero trust: Passkeys complement zero trust principles by validating both device and user identity. Combined with segmentation and continuous monitoring, they strengthen the entire payment ecosystem.

Adoption trends and industry momentum

The move to passkeys is no longer a theoretical exercise. Real world deployments show rapid growth:

  • E-commerce and fintech pioneers: Major online retailers and payment providers have rolled out passkeys, accounting for nearly half of all passkey authentications. Financial platforms such as cryptocurrency exchanges have seen passkey use grow by several hundred percent.
  • Big tech alignment: Google, Apple and Microsoft have made passkeys the default option for new accounts, resulting in exponential increases in authentications. Their support ensures that consumers can rely on passkeys across devices and ecosystems.
  • Consumer awareness rising: FIDO Alliance research found that more than one billion people have activated at least one passkey and consumer awareness jumped from 39 percent to 57 percent in just two years.
  • Regulatory expectations: Analysts predict that passkeys will be used in over one quarter of multifactor transactions by 2025 and in more than half of workforce logins. As these methods become the norm, regulators and assessors will expect merchants to adopt them or justify why they remain on legacy authentication.

Challenges and considerations

Despite the momentum, moving to passkeys requires careful planning. Some of the challenges include:

  • Legacy integration: Many existing applications do not support WebAuthn natively. Merchants may need to update authentication flows, identity providers and SDKs. A phased rollout, starting with customer facing portals or internal dashboards, can help manage complexity.
  • User education: Customers and employees must understand why passkeys are secure and how to register and manage them. Clear instructions during onboarding, along with accessible recovery options, are essential.
  • Account recovery: Because passkeys are tied to devices, losing a phone or laptop can lock a user out. Provide multiple passkeys stored on separate devices, backup codes or an identity verification process to ensure continuity.
  • Device trust and attestation: Passkeys rely on the integrity of the device’s secure enclave. Organisations should evaluate device attestation and manage risk for devices without hardware protection. When possible, enforce biometric confirmation on trusted devices and establish policies for high risk transactions.
  • Fallback and multifactor: For certain high value actions, or in cases where passkeys are not available, merchants should retain a secondary authentication method. This ensures compliance with multifactor requirements and accommodates users who cannot register a passkey.

Implementing passkeys: a roadmap for merchants

Adopting passwordless authentication should follow a structured approach:

  1. Assess readiness and scope: Identify user groups and systems that handle cardholder data or could benefit from stronger authentication. Document legacy systems that may require upgrades.
  2. Engage stakeholders: Involve compliance, security, development and customer experience teams to align on objectives. Recognise that strong authentication is both a security control and a business enabler.
  3. Select a standards based solution: Choose authentication providers or platforms that support FIDO2/WebAuthn and can integrate with existing identity systems. Ensure they offer device attestation, biometric support and secure syncing.
  4. Pilot and iterate: Start with a pilot group, such as internal administrators or a small segment of customers. Gather feedback on user experience, error rates and recovery flows. Use analytics to measure reductions in password related incidents and changes in login success.
  5. Plan for recovery and support: Develop clear procedures for users who lose access to their devices. Provide support staff with scripts and tools to verify identity without reverting to insecure methods.
  6. Update policies and documentation: Revise access control policies, incident response plans and training materials to reflect passwordless processes. Include passkey enrolment, revocation and auditing procedures in your PCI documentation.
  7. Monitor and improve: Continually monitor authentication logs for anomalies. Use behavioural analytics to detect suspicious activity even when passkeys are used. Stay informed about evolving standards and vulnerabilities.

Aligning with PCI DSS 4.0.1

Passkeys fit naturally into PCI DSS 4.0.1’s emphasis on continuous risk management and strong authentication. When implemented correctly, they help meet requirements for:

  • Requirement 8 (Identification and Authentication): Passkeys can satisfy multifactor authentication by combining something you have (the registered device) with something you are (a biometric) or something you know (the device unlock PIN). Because each key is unique to a service and not reusable, the risk of credential replay is greatly reduced.
  • Requirement 11 (Testing and Monitoring): Logging and monitoring of authentication events remain vital. Merchants must ensure that passkey usage is captured in audit trails and that detection systems can recognise anomalous use, such as attempts from unregistered devices.
  • Requirement 12 (Security Policy): Adoption of passkeys should be reflected in security policies, training programs and incident response procedures. Clear governance is critical as the organisation transitions away from passwords.

Implementing passkeys does not automatically exempt an organisation from other PCI controls. You must still protect cardholder data, maintain segmentation, patch systems and perform regular vulnerability scanning. Passkeys are a powerful tool within a broader security and compliance strategy.

Looking ahead

The rapid rise of passkeys marks a turning point in the way organisations authenticate users and protect sensitive transactions. Attackers are already leveraging generative AI to craft sophisticated phishing lures, automate credential stuffing and bypass weak multifactor methods. Passwordless authentication offers a resilient defence by eliminating shared secrets and anchoring identity to the physical devices and biometrics under a user’s control. As more e-commerce, fintech and enterprise platforms adopt passkeys, consumers will expect a secure, frictionless experience everywhere they shop, bank or subscribe.

For payment providers and merchants, now is the time to explore passwordless authentication. By piloting passkeys, planning for recovery and integrating them into your broader security architecture, you can reduce risk, improve customer experience and stay ahead of evolving compliance requirements. The future of identity is arriving quickly, and those who embrace it will be better positioned to defend against the next generation of cyber threats.
