Security
2026/04/28

Digital security enters a new passwordless era

The evolution of digital security in financial services is driven by passwordless models. Technologies such as passkeys, biometrics and device-based authentication reduce fraud risks, strengthen digital identity and enhance user...
Fabio Noronha

Information Security Director at Evertec Brazil

Passkeys are a passwordless authentication method based on cryptographic keys that enhances digital security. They eliminate credential theft risks, reduce fraud and improve user experience in digital payments and financial services by verifying identity directly on the user’s device.

For decades, passwords have been the primary protection mechanism in the digital environment. They have been present in virtually every aspect of our online lives, from email access to shopping, from banking apps to service platforms. However, the rise of fraud, data breaches, and social engineering techniques has called into question the true effectiveness of this model.

In 2025, researchers from the cybersecurity website Cybernews identified more than 19 billion exposed username and password combinations across approximately 30 major data sets accessible on the internet, aggregating information leaked from multiple incidents worldwide. The analysis also indicates that around 94% of these passwords were reused or duplicated across multiple services, while only 6% were unique combinations, a scenario that significantly amplifies the impact of each breach.

These figures highlight how the traditional password-based model has become one of the main risk vectors in the digital environment. Even with investments in defense mechanisms, credentials remain the primary target in phishing and social engineering attacks. In the payments sector, this vulnerability becomes even more critical.

Within the financial system, password weaknesses combine technological challenges with risks that directly affect asset security and user trust.

Brazil recorded 10.8 million fraud attempts by September 2025, according to Serasa Experian’s Fraud Attempt Indicator, with projections exceeding 14 million cases by year-end. Banks and financial institutions are targeted in 6 out of 10 card fraud attempts. This equates to one incident every 2.2 seconds, figures that reveal both the scale and the increasing sophistication of criminal activities.

In response, the sector has sought to mitigate risks through multiple layers of protection, such as multi-factor authentication, biometrics, and behavioral monitoring. Tokenization, for example, has represented a significant advancement by replacing sensitive information, such as the card BIN, with temporary codes that have no value outside their specific context, thereby reducing the impact of data breaches on transactions.

However, while these solutions strengthen data and payment security, many still rely on passwords as the initial authentication step. It is precisely at this stage that the structural vulnerability lies. The growing complexity of credentials, with requirements for long combinations, special characters, and frequent updates, has increased user friction but has not eliminated risk.

As payments become more integrated, instant, and invisible within the consumer journey, driven by Open Finance, digital wallets, and embedded finance, reliance on passwords becomes a barrier to both security and user experience. It is in this context that passkeys emerge.

Passkeys are based on a cryptographic model that replaces passwords with a system of digital keys. When a user registers for a service, two keys are generated: a public key, stored on the company’s servers, and a private key, securely stored on the user’s device.

This private key is never shared and can only be used after local authentication, such as facial recognition, fingerprint scanning, or another device-based security mechanism. This means that even in the event of a system breach, there are no passwords to steal. Without access to the device, an attacker cannot impersonate the user.
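The key-pair flow described above, as an added example in Node.js that is not code from the author or from Evertec. It is a simplified model rather than the WebAuthn message format, and the `Server` and `Device` classes, the `demo` function and the user name `alice` are hypothetical.

```javascript
const crypto = require('node:crypto');

// Service side: stores only public keys and issues one-time challenges.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // single use: every login needs a fresh challenge
    if (!challenge || !publicKey) return false;
    return crypto.verify('sha256', challenge, publicKey, signature);
  }
}

// User's device: the private key stays inside this object.
class Device {
  #privateKey;
  enroll() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#privateKey = privateKey;
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves the device
  }
  sign(challenge, localCheckPassed) {
    if (!localCheckPassed) throw new Error('local authentication failed');
    return crypto.sign('sha256', challenge, this.#privateKey);
  }
}

function demo() {
  const server = new Server(), device = new Device();
  server.register('alice', device.enroll());
  const sig = device.sign(server.newChallenge('alice'), true);
  const login = server.verify('alice', sig);
  server.newChallenge('alice');
  const replay = server.verify('alice', sig); // captured response, new challenge
  // Someone holding a copy of the server's records has public keys only.
  const attacker = new Device();
  attacker.enroll();
  const forged = server.verify('alice', attacker.sign(server.newChallenge('alice'), true));
  let blocked = false;
  try { device.sign(server.newChallenge('alice'), false); } catch { blocked = true; }
  return { login, replay, forged, blocked, stored: [...server.publicKeys.values()] };
}
```

`demo()` returns the outcome of a genuine login, a replayed response, a signature made with a different key, and a signing attempt without the local check, together with what the server actually stores.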

Users simply confirm their identity on their own device to access services or authorize payments quickly and securely. For the payments industry, the adoption of passkeys represents a redefinition of the trust model.

With stronger authentication, risks such as account takeover, unauthorized transactions, and social engineering attacks are significantly reduced. At the same time, eliminating passwords lowers friction, enhances user experience, and contributes to higher conversion rates.

Moreover, more advanced authentication models strengthen fraud prevention strategies and help institutions meet increasingly stringent regulatory requirements. In an environment shaped by instant payments, Open Finance, and embedded financial services, digital identity becomes one of the system’s most valuable assets. And it is not possible to build the next generation of the industry on an authentication model designed decades ago.
