For decades, passwords have been our digital shield. However, in an era of instant payments and hyper-connectivity, this method has become the weakest link in security. The solution is here, and it’s called Passkey.
At Evertec, we analyze this trend that promises to transform authentication in the financial ecosystem.
1. What is a Passkey and how does it work?
A Passkey is a cryptographic digital credential that allows users to log in to websites and apps without typing a password.
Passkeys implement the FIDO (Fast IDentity Online) standard, backed by tech giants like Apple, Google, and Microsoft. Their goal: to replace password-based authentication with something more secure and user-friendly.
The key mechanism: asymmetric cryptography
Unlike passwords (which are stored and can be leaked), a Passkey uses a pair of cryptographic keys:
- Public key: Stored by the website or service (e.g., your bank portal or a fintech). This key is public: it is safe to store and cannot be used on its own to log in.
- Private key: Stored securely on the user’s device (phone, tablet, or PC) and protected by the device’s screen unlock (fingerprint, Face ID, or PIN). It is never shared with the server.
When logging in, the service sends a challenge to the device. The device signs it with the private key, and the server verifies the signature with the public key. No password ever travels across the network!
2. Why Passkeys outperform previous systems
Passkeys solve the three major problems of traditional security: usability, fraud, and complexity.
A. Immune to phishing
Phishing—the theft of credentials through fake sites—is the leading cause of security breaches.
- Passwords: Can be entered on any fake site.
- Passkeys: Are cryptographically tied to the website’s domain. If a user tries to use a Passkey on a phishing site (a different URL), it simply won’t work. Phishing becomes ineffective.
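The challenge-response login from section 1 and the site binding described above, as an added example (not Evertec's code and not the WebAuthn wire format): a simplified Node.js model in which the signed data includes the origin the browser is showing. The function names and the `bank.example` / `bank-login.example` origins are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Registration: the device makes a key pair for one site; only the public key leaves it.
function createPasskey(rpOrigin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { rpOrigin, publicKey } };
}

// Server: a fresh random challenge per login attempt, so old signatures cannot be replayed.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device: sign the challenge together with the origin the browser is actually showing.
// (Assumption of this model: the browser, not the page, supplies visitedOrigin. A real
// authenticator would also refuse to offer the passkey on a non-matching site.)
function signAssertion(device, challenge, visitedOrigin) {
  const clientData = JSON.stringify({ challenge, origin: visitedOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: verify the signature first, then the challenge and origin it covers.
function verifyAssertion(serverRecord, expectedChallenge, { clientData, signature }) {
  const data = Buffer.from(clientData);
  if (!crypto.verify('sha256', data, serverRecord.publicKey, signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(clientData);
  if (challenge !== expectedChallenge) return 'stale-challenge';
  if (origin !== serverRecord.rpOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario: bank.example is the real site, bank-login.example a look-alike.
function demo() {
  const { device, serverRecord } = createPasskey('https://bank.example');
  const [c1, c2] = [newChallenge(), newChallenge()];
  const legit = signAssertion(device, c1, 'https://bank.example');
  const phished = signAssertion(device, c2, 'https://bank-login.example');
  const forged = { ...phished, clientData: phished.clientData.replace('bank-login', 'bank') };
  return {
    legit: verifyAssertion(serverRecord, c1, legit),
    replayed: verifyAssertion(serverRecord, c2, legit),
    phished: verifyAssertion(serverRecord, c2, phished),
    forged: verifyAssertion(serverRecord, c2, forged),
  };
}

console.log(demo());
```

A signature produced on the look-alike site carries that site's origin, and rewriting the origin afterwards invalidates the signature, so neither reaches the `ok` path.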
B. Goodbye forgotten and weak passwords
Passkeys eliminate password fatigue:
- Simplification: Nothing to remember—you authenticate with your fingerprint or face.
- Security: Cryptographic keys are far stronger than any combination of letters and numbers a human could create.
C. Built-in Multi-Factor Authentication (MFA)
While traditional MFA adds a second step (like an SMS code), Passkeys combine device possession and identity verification (biometrics) in one seamless step. MFA by design—without user friction.
3. Evertec’s impact on the ecosystem
Mass adoption of Passkeys will not only improve consumer security but also deeply impact payment infrastructure:
- Greater trust in e-commerce: By reducing phishing-related fraud, digital transaction conversion rates will rise.
- Seamless integration: We’re closely monitoring these standards to ensure our issuer and acquirer processing platforms are ready for Passkey authentication—keeping onboarding and transactions smooth and secure.
- Simplification for fintechs: Partners working with us will adopt this technology faster, delivering a world-class user experience.
Conclusion
Passkeys aren’t just an improvement—they’re a paradigm shift driven by the industry. Replacing passwords with asymmetric cryptography and biometrics is a decisive step toward a truly secure, frictionless payment ecosystem.
