What Is a Passkey? How does it work?

10 min read Jun 2025

The Password Problem

Passkeys represent a fundamental shift in how users authenticate: combining cryptographic security with seamless user experience. Designed for a world where users juggle hundreds of digital identities across personal and professional contexts, passkeys eliminate the need to remember, manage, or replicate sensitive login credentials. By binding authentication to the user's device and leveraging biometrics or PINs, they offer strong, phishing-resistant login flows that are both intuitive and secure. In an environment increasingly threatened by data breaches and account takeovers, passkeys offer a future-ready solution—delivering speed and security without friction.

What Is a Passkey?

A passkey represents a significant evolution in digital authentication, built on the standards developed by the FIDO Alliance to improve security by minimizing the reliance on passwords. Instead of entering a password, users authenticate through a familiar action on their device, such as a biometric scan (fingerprint or face) or a local PIN. This simple act verifies the user's identity and securely authorizes the login without transmitting any secrets that can be stolen or reused.

What Is the FIDO Alliance?

The FIDO (Fast Identity Online) Alliance is a global consortium of technology companies, financial institutions, and government agencies working together to create open and interoperable standards for passwordless authentication. Founded in 2012, its primary mission is to solve the world's password problem by developing specifications that are more secure, private, and easier to use.

Key members include major tech leaders like Google, Apple, Microsoft, Amazon, and Meta. By collaborating, these companies ensure that the authentication methods they develop work seamlessly across different platforms, browsers, and devices, preventing vendor lock-in and promoting widespread adoption.

The FIDO Alliance is the creator of the core technology that makes passkeys possible. The relationship can be broken down into these key points:

  1. They Created the Blueprint: Passkeys are built directly upon the FIDO2 standards, which consist of the WebAuthn standard and the Client to Authenticator Protocol (CTAP).
  2. Enabling Interoperability: The FIDO Alliance's work ensures that a passkey you create on an iPhone can be used to log into a service on a Windows PC or an Android tablet. This cross-platform compatibility is a central goal of the FIDO standards.
  3. Driving Adoption: By bringing together the biggest names in technology, the FIDO Alliance drives the global shift away from passwords. When companies like Google and Apple simultaneously adopt a FIDO-based technology like passkeys, it becomes a viable, mainstream alternative for millions of users and developers overnight.

How Do Passkeys Work?

Passkeys replace passwords with a cryptographic key pair: a private key stored by your password manager on your device and a public key stored by the service trying to verify your identity. To log in, the user simply authenticates with their device's biometrics or PIN. This unlocks the private key, which signs a fresh challenge issued by the service; the service verifies that signature with the public key it holds, proving the user's identity without any secret ever leaving the device.

Crucially, passkeys are bound to a domain, meaning a key created for one website will not work on another. The private key is never transmitted and cannot be used on a fraudulent site, making passkeys resistant to phishing. For the user, the entire process is as quick and intuitive as unlocking their phone.

[Figure: Passkey Registration]
[Figure: Passkey Log In]

Key Terms

  • Relying Party
    The relying party is the website or app's server that registers your public key and later verifies your signed login challenges instead of checking a password.
  • FIDO authenticator (the OS component that implements biometric or PIN verification)
    The FIDO Authenticator is the secure component of your device (phone, computer) that creates and stores your private keys. When the user verifies their identity using a fingerprint, face, or PIN, the authenticator is granted permission to sign using the appropriate private key.
  • FIDO client
    The FIDO Client is the software that acts as the middleman, and it's almost always your web browser (like Chrome, Safari, Firefox) or a component of your mobile app. Its job is to:
      • Receive the login request from the website (Relying Party).
      • Communicate with the FIDO Authenticator on your device to get the cryptographic proof.
      • Send that proof back to the website to complete the login.
  • CTAP protocol
    CTAP (Client to Authenticator Protocol) is the specific language or set of rules that the FIDO Client (your browser) uses to communicate with the FIDO Authenticator (the secure vault on your device). It's the internal command system that lets your browser ask your device's secure hardware to perform actions like "create a new passkey" or "sign this login challenge."

Why Do Passkeys Matter for Payments Today?

Over the past decade, regulators across the world have taken a firm stance on customer authentication. In the West, the EU led the way with PSD2 and its Strong Customer Authentication (SCA) mandate, requiring multi-factor verification for most digital payments. In the East, India’s RBI enforced two-factor authentication for all card payments and has been proactive in securing digital infrastructure across UPI and internet banking. Similarly, countries across Southeast Asia, such as Singapore and Indonesia, are tightening authentication norms in response to rising fraud.

While digital adoption has surged globally, phishing, SIM swaps, and social engineering attacks have grown in parallel—exposing the vulnerabilities of legacy systems like OTPs and passwords. This combination of regulatory pressure and real-world threats has pushed both the East and the West to rethink their authentication models.

While the West and the East have now converged on the advantages of passkeys for authentication, their approaches have been distinct. Especially in the last ten years, the motivation to adopt passkeys in the West has come from a legacy of friction, whereas in the East it has been the need to reduce fraud.

Over the past decade, the West, especially in the early days of e-commerce, leaned towards minimizing friction to encourage online spending. The prevailing logic was that a seamless checkout process would lead to higher conversion rates. This risk-based approach meant that most transactions would go through without any additional security checks, with sophisticated algorithms in the background assessing the fraud risk of each transaction. Only when a transaction was flagged as high-risk would the user be prompted for additional verification.

In the East, India's digital growth was driven by mobile-first onboarding and the ubiquity of the SMS OTP. The launch of UPI in 2016 brought millions online, with OTPs powering everything from account creation to high-value payments. However, this convenience soon made OTPs a prime target for phishing, vishing, and SIM-swap attacks.

Banks, e-commerce sites, and regulators realised that protecting users was a critical task, so the need for a replacement that was just as convenient but safe became extremely apparent.

As both regions converge towards a more secure authentication framework, passkeys provide a superior security model (an un-shareable key) with an even better user experience (a biometric scan) than the OTP.

Passkeys offer a unifying solution, combining security and usability. They maintain user involvement through biometrics or device unlocks, preserving trust, while eliminating the friction of OTPs, passwords, or PINs. Across both the low-trust, low-friction West and the high-trust, high-friction East, passkeys provide a secure, universal authentication factor ready for broad adoption.

How Does Juspay Help?

In partnership with Mastercard and Visa, Juspay has introduced authentication using Passkeys, streamlining the checkout experience by letting consumers complete a payment with the same biometrics they use to unlock their devices. Consumers can use Passkeys to make one-click payments without requiring a password or PIN.

A one-click payment option significantly reduces cart abandonment caused by inefficient payment processes, where users must wait for OTPs to complete a payment. Instead, a password-less payment experience allows for quick transactions that are streamlined and secure, eliminating friction at checkout and saving businesses substantial revenue.

Juspay combines passkeys with tokenization, enabling businesses and consumers to make secure transactions that are not only convenient but aligned with the future of fraud-resilient passwordless payments.