For decades, passwords have been our digital shield. However, in an era of instant payments and hyper-connectivity, this method has become the weakest link in security: passwords are reused, guessed, leaked in breaches, and typed into fake sites. The solution is here, and it’s called Passkey.
At Evertec, we analyze this trend that promises to transform authentication in the financial ecosystem.
1. What is a Passkey and how does it work?
A Passkey is a cryptographic digital credential that allows users to log in to websites and apps without typing a password.
Passkeys are the consumer-facing implementation of the FIDO2 standards (the W3C WebAuthn API together with the FIDO Alliance’s CTAP protocol), backed by tech giants like Apple, Google, and Microsoft. Their goal: to replace password-based authentication with something more secure and user-friendly.
The key mechanism: asymmetric cryptography
Unlike passwords (which are stored and can be leaked), a Passkey uses a pair of cryptographic keys:
- Public key: Stored by the website or service (e.g., your bank portal or a fintech). This key is public by design: it can only verify signatures, so an attacker who steals a database of public keys cannot use them to log in.
- Private key: Stored on the user’s device (phone, tablet, or PC) and unlocked by the device’s user verification: a fingerprint, Face ID, or the device PIN. It is never shared with the server. Synced passkeys are backed up end-to-end encrypted through the platform’s credential manager (for example iCloud Keychain or Google Password Manager) so the user can recover them on a new device, but even then the service only ever holds the public key.
When logging in, the service sends a fresh, random challenge to the device. The browser adds the site’s origin, the device signs challenge and origin with the private key, and the server verifies the signature with the stored public key. Nothing reusable travels across the network: there is no password to intercept, the private key never leaves the device, and a captured response is worthless because the next login uses a different challenge.
2. Why Passkeys outperform previous systems
Passkeys address the three major weaknesses of traditional logins: phishing, password fatigue, and cumbersome multi-factor authentication.
A. Advanced protection against Phishing
Phishing, the theft of credentials through fake sites, is one of the most common ways accounts are taken over.
- Passwords: They are vulnerable to multiple risks: they can be stolen, guessed, or entered on fake sites, among other methods. That’s why it’s essential to strengthen their security with practices such as multi-factor authentication and password managers.
- Passkeys: They are cryptographically bound to the domain of the service they were created for (the relying party ID). The browser only offers a passkey to that domain and includes the actual page origin in the signed data, so on a look-alike phishing domain the user is never prompted, and even a forged prompt would produce a signature the real service rejects. Phishing for a passkey therefore yields nothing the attacker can use.
B. Goodbye forgotten and weak passwords
Passkeys eliminate password fatigue:
- Simplification: Nothing to remember—you authenticate with your fingerprint or face.
- Security: Each passkey is a random 256-bit key pair, far stronger than any combination of letters and numbers a human could create and remember, and it is unique to each service, so one breached site does not expose any other account.
C. Built-in Multi-Factor Authentication (MFA)
While traditional MFA usually requires a second step such as a code sent via SMS, which can be intercepted (SIM swapping) or phished in real time through social engineering, a Passkey combines possession of the device (something you have) with the unlock step, a fingerprint, face, or PIN (something you are or know), in a single automatic action. The signed response also tells the service whether that unlock actually happened, so the service can insist on it for sensitive operations such as approving a payment. It’s native MFA, without user friction and with stronger protection against attacks.
3. Evertec’s impact on the ecosystem
Mass adoption of Passkeys will not only improve consumer security but also deeply impact payment infrastructure:
- Greater trust in e-commerce: By reducing phishing-related fraud, digital transaction conversion rates will rise.
- Seamless integration: We’re closely monitoring these standards to ensure our issuer and acquirer processing platforms are ready for Passkey authentication—keeping onboarding and transactions smooth and secure.
- Simplification for fintechs: Partners working with us will adopt this technology faster, delivering a world-class user experience.
Conclusion
Passkeys aren’t just an improvement—they’re a paradigm shift driven by the industry. Replacing passwords with asymmetric cryptography and biometrics is a decisive step toward a truly secure, frictionless payment ecosystem.
