Mastercard Payment Passkey Service

Mastercard Payment Passkeys & the underlying Token Authentication Service enhance payment security with passwordless login, offering a seamless, secure UX.

Vincent Delitz

Created: April 20, 2024

Updated: April 30, 2025


1. Introduction: Mastercard Passkeys

In recent years, the finance sector has seen a surge in interest in enhancing security and user experience with innovative authentication methods. Passkeys are now emerging as a compelling and increasingly preferred solution across banks (e.g. Revolut), fintechs (e.g. Finom), and payment providers (e.g. PayPal).

Our last blog posts extensively covered the implications of this technology shift, particularly in the context of PSD2 / Strong Customer Authentication (SCA):

Integrate passkeys as Payment Provider via 3rd party SDK.


As we continue to analyze the world of secure authentication, Mastercard has introduced a new service for passkeys: Mastercard Payment Passkeys. This service, also referred to by its technical framework name, Mastercard Token Authentication Service (TAS), represents a strategic move to replace outdated authentication methods with a secure, seamless and user-friendly approach leveraging biometrics (e.g. Face ID, Touch ID). The service aims to streamline the online checkout process, marrying security with convenience for millions of shoppers globally. The dual naming itself appears strategic. Payment Passkeys clearly communicates the user benefit of simplified, biometric login to consumers and merchants, while Token Authentication Service resonates with the technical implementation details relevant to developers and partners integrating the system.

This blog post analyzes Mastercard's approach, exploring the technology, user experience, benefits, and industry implications of Payment Passkeys.

2. The Rise of Passkeys in Financial Services

The integration of passkeys into the financial services sector is a shift towards more secure and user-friendly authentication.

2.1 Consumers hate Passwords

The driving force behind this shift is consumer expectations. As Mastercard has revealed in previous statements, consumers hate passwords:

  • 7 out of 10 consumers feel overwhelmed by the number of passwords they need to manage
  • More than 80% of confirmed data breaches were due to passwords.

Besides, Mastercard acknowledged that any shared secret, including OTPs, is becoming a target for cyber criminals. That’s why Mastercard wants to replace the password with person-based factors. Passkeys, by leveraging device biometrics (e.g. Face ID, Touch ID), address this need effectively.

2.2 Passwords are a Security Risk

Furthermore, passkeys eliminate traditional security pain points associated with passwords, such as phishing risks. By replacing passwords with cryptographic keys that are simple to use but difficult to exploit, passkeys offer a compelling solution for financial institutions aiming to both enhance security and streamline user interactions.

2.3 Regulatory Requirements for Payment Passkeys

Passkeys' security model aligns with the stringent requirements of financial regulations like Strong Customer Authentication (SCA) under PSD2. SCA mandates multi-factor authentication for most electronic payments and account access, requiring validation using at least two independent elements from three categories:

  • Knowledge (something the user knows)
  • Possession (something the user possesses)
  • Inherence (something the user is)

Passkeys naturally fulfill these requirements: the secure private key stored on the device represents the 'Possession' factor, while the biometric used to unlock it represents the 'Inherence' factor. If a device PIN is used, it can satisfy the 'Knowledge' factor. However, there is an ongoing discussion in the industry about whether synced passkeys need to provide some additional assurance regarding device binding.

Furthermore, payment regulations often require dynamic linking, ensuring that the authentication process cryptographically binds the specific transaction amount and payee to the user's approval. Passkey implementations, particularly when integrated with protocols like EMV 3DS or using extensions like Secure Payment Confirmation (SPC), are designed to incorporate these transaction details into the cryptographic signature, fulfilling this critical requirement.

If you are interested in technical details for passkeys in payment, e.g. how to make use of iframes as a payment provider, please read this article on passkeys and iframes.

3. Mastercard's Path to Passkeys

Mastercard's introduction of Payment Passkeys is not an isolated event but the culmination of a long-term strategic commitment to advancing payment security and embracing passwordless authentication standards.

3.1 Mastercard as Early Member of the FIDO Alliance

Mastercard is one of the early members of the FIDO Alliance, the driving force behind passkeys & WebAuthn, which it joined in 2012.

3.2 Mastercard Biometric Authentication Service

In the past, Mastercard has already launched the Mastercard Biometric Authentication Service, which was a first step in the passkey direction. This service was already designed to adhere to FIDO standards.

3.3 Mastercard & Secure Payment Confirmation (SPC)

In September 2023, Mastercard provided an update on passkeys and Secure Payment Confirmation (SPC). In that update, Mastercard shared its view on potential standard passkey vs. SPC passkey processes. The mockups were already quite detailed (as you’ll see below).

3.4 Mastercard Payment Passkey Service Launch in India in August 2024

In August 2024, Mastercard launched its Payment Passkey Service in India, a market characterized by high digital payment volume and significant mobile adoption. This initial launch likely served as a large-scale testbed for scalability and effectiveness, particularly in an environment where OTP-based fraud is a known concern.

3.5 Expansion to APAC, Latin America & MEA Region

Following the India launch, Mastercard expanded the service to other key regions, including Asia Pacific (initially Singapore), Latin America (starting with Brazil) and the Middle East and Africa (MEA), beginning with the United Arab Emirates. This region-by-region approach allows Mastercard to tailor its implementation and partnerships to local market dynamics and regulatory landscapes.

A critical element of this strategy is the emphasis on partnerships. In each launch region, Mastercard has collaborated closely with key local players, including payment aggregators, online merchants and leading banks:

  • Payment Aggregators:
    • India: Juspay, Razorpay or PayU
    • Latin America: Yuno
    • MEA: noon Payments, Tap Payments
  • Online merchants:
    • India: bigbasket
    • Latin America: Sympla
  • Leading banks:
    • India: Axis Bank
    • Singapore: DBS or UOB

These partnerships are essential for integrating the Payment Passkey service into existing payment ecosystems, dealing with local regulations and reaching a broad consumer base. This demonstrates a flexible, collaborative model rather than a top-down, one-size-fits-all approach.

4. How Mastercard Payment Passkeys work: Technology Deep Dive

Mastercard Payment Passkeys are enabled by the Mastercard Token Authentication Service (TAS). TAS is the underlying infrastructure that allows merchants and digital wallets to offer consumers the ability to authenticate their online transactions using biometrics linked to their Mastercard passkey, replacing traditional passwords or OTPs. This service doesn't operate in isolation. It's deeply integrated with other core Mastercard technologies, particularly tokenization and potentially the EMV 3DS framework, all while adhering to global standards.

4.1 Integration with Mastercard's Tokenization Service

An essential aspect of the service is its integration with Mastercard's Tokenization Service, often referred to as MDES (Mastercard Digital Enablement Service). Tokenization is a critical security measure that replaces the consumer's actual 16-digit Primary Account Number (PAN) with a unique digital identifier or "token". This token is specific to a particular device, merchant or transaction context. When a transaction occurs, only the token is transmitted, meaning the merchant never needs to store or handle the real PAN, significantly reducing the risk associated with data breaches. Mastercard Payment Passkeys then serve as the mechanism to authenticate the legitimate user's intent to use this tokenized credential for a specific transaction.

4.2 Biometric Data is never shared with Mastercard or Merchants

The authentication itself leverages the passkey stored on the user's device, unlocked via device biometrics (fingerprint, face scan) or the device PIN/passcode. It is essential to understand that the biometric data used for unlocking the passkey remains securely on the user's device and is never shared with Mastercard, the merchant, or any other third party. The passkey mechanism simply confirms successful local authentication (e.g. Face ID, Touch ID) before allowing the cryptographic signature process to proceed.

4.3 Mastercard Payment Passkeys & EMV 3DS

While specific implementation details vary, Payment Passkeys likely operate within or alongside the EMV 3-D Secure (3DS) framework, the industry standard for securing card-not-present (CNP) transactions. EMV 3DS facilitates the exchange of rich transaction data between the merchant and the card issuer, allowing the issuer to perform risk assessments. If the transaction is deemed high-risk, the issuer can "challenge" the user to perform additional authentication (SCA). Mastercard Payment Passkeys provide a secure and potentially much smoother method for fulfilling this SCA challenge compared to traditional methods like OTPs. Mastercard's related services, like Identity Check Express and Delegated Authentication for Merchants, explicitly leverage FIDO / WebAuthn capabilities within the EMV 3DS flow, allowing merchants (with issuer permission) to perform authentication on the issuer's behalf using these modern methods.

The synergy between passkeys and tokenization creates a multi-layered security architecture. Passkeys secure the user authentication step, preventing unauthorized individuals from initiating transactions. Tokenization protects the underlying payment credential, minimizing the value of any data potentially exposed in breaches. This combined approach addresses fraud from multiple angles, making the entire transaction process significantly more resilient. Furthermore, integrating passkey authentication into the established EMV 3DS infrastructure is a pragmatic approach that facilitates adoption. It allows issuers and acquirers to enhance security and user experience by leveraging their existing investments in 3DS technology, rather than requiring the deployment of entirely separate authentication systems.

EMV 3DS (3-Domain Secure) with issuer authentication is a security protocol designed to enhance the security of online card payments. It involves an additional step where the card issuer (e.g. Mastercard, Visa, American Express) verifies the cardholder's identity, often through methods such as a password, biometric scan, or an OTP sent to their mobile phone. This process helps reduce fraud and increases transaction security, ensuring that the actual cardholder is authorizing the purchase.

5. Streamlining Checkout: User Experience with Mastercard Passkeys

A primary goal of Mastercard Payment Passkeys is to revolutionize the online checkout experience, making it faster, simpler and more secure by eliminating the friction associated with passwords and OTPs. The user journey encompasses both the initial creation of the passkey and its subsequent use for authenticating payments.

5.1 Example: Passkey Creation During Checkout

Users can be prompted to create a Mastercard Payment Passkey at several points in their interaction with Mastercard services. Common scenarios include:

  • During Checkout: Often, the option to create a passkey is presented after a user has successfully completed a traditional authentication step for a transaction, such as an EMV 3DS challenge involving an OTP or another method. This contextual onboarding leverages the user's immediate experience with potentially higher-friction methods to highlight the benefit of a smoother future checkout.
  • Within Issuer Applications: Banks issuing Mastercards can integrate the passkey creation flow directly into their mobile banking apps, allowing users to proactively link a passkey to their card.
  • During Card Addition: The option might also be presented when a user adds their Mastercard to a digital wallet or saves it as a Card-on-File (CoF) with a merchant or service like Click to Pay.

Let’s briefly analyze the passkey creation example during the checkout.

After clicking on the “Pay” button, the user is redirected from the sample shop (https://decorshop.com) to a web page hosted by Mastercard (https://verify.mastercard.com). This site is part of the EMV 3DS authentication process.

After this process is completed successfully, the user has the option to create a passkey. Note that this passkey will be created for the Relying Party ID of Mastercard (e.g. verify.mastercard.com or mastercard.com). So, the passkey is not registered with the merchant that the user wants to pay. This allows the same passkey to be used across any merchant that uses Mastercard’s Payment Passkey service and not only at this particular merchant.
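What the RP ID scoping above and the SCA factor mapping from section 2.3 look like on the verifying side, as an added example that is not Mastercard's code: it parses the fixed 37-byte header of WebAuthn authenticator data and checks the RP ID hash together with the UP, UV, BE and BS flags. The `require_device_bound` policy switch, the function names and the sample bytes are assumptions made for illustration (`mastercard.com` and `decorshop.com` are the article's example names), and signature verification is left to a WebAuthn library.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or device PIN)
FLAG_BE = 0x08  # backup eligible (credential may be synced)
FLAG_BS = 0x10  # backup state (credential is currently backed up)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def evaluate_assertion(raw: bytes, expected_rp_id: str,
                       require_device_bound: bool = False) -> list:
    """Return the names of failed checks; an empty list means the header is acceptable."""
    ad = parse_auth_data(raw)
    failed = []
    # The passkey is scoped to the payment network's RP ID, not to the merchant's domain.
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        failed.append("rp_id_hash")
    if not ad.has(FLAG_UP):
        failed.append("user_present")
    # Without UV only possession is demonstrated; UV adds the biometric or PIN factor.
    if not ad.has(FLAG_UV):
        failed.append("user_verified")
    # WebAuthn: BS must not be set when BE is clear.
    if ad.has(FLAG_BS) and not ad.has(FLAG_BE):
        failed.append("backup_flags")
    # Hypothetical policy switch for deployments that accept only device-bound keys.
    if require_device_bound and ad.has(FLAG_BE):
        failed.append("synced_credential")
    return failed


def build_sample(rp_id: str, flags: int, sign_count: int = 7) -> bytes:
    """Constructed sample authenticator data (no real device involved)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    synced = build_sample("mastercard.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(evaluate_assertion(synced, "mastercard.com"))
    print(evaluate_assertion(synced, "mastercard.com", require_device_bound=True))
    # A credential scoped to the merchant's domain, presented without user verification.
    print(evaluate_assertion(build_sample("decorshop.com", FLAG_UP), "mastercard.com"))
```
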

Mastercard Passkeys Registration during Checkout Taken from https://www.w3.org/2023/Talks/mc-passkeys-20230911.pdf

After deciding to create a passkey, the local authentication (here an Android smartphone that stored the passkey in Google Password Manager) is conducted. After finishing the passkey creation, the user is redirected back from Mastercard’s website to the shop.

Mastercard Passkeys Registration Complete after Authentication Taken from https://www.w3.org/2023/Talks/mc-passkeys-20230911.pdf

5.2 Example: Passkey Login During Checkout

Once a user has a Mastercard Payment Passkey associated with their card credential, the checkout process at participating merchants becomes significantly streamlined:

  1. Card Selection: The user initiates checkout and selects their Mastercard. This could be a card stored securely via Mastercard's Click to Pay service, saved directly with the merchant (Secure Card on File - SCOF) or even entered during a guest checkout flow.
  2. Authentication Prompt: Instead of being asked for a password, CVV or OTP, the user is prompted to authenticate using their Mastercard Payment Passkey. The exact flow can vary:
    • Standard Passkey Flow: The user might experience a brief, seamless redirection to a Mastercard-controlled domain (e.g. verify.mastercard.com). Here, the standard WebAuthn prompt appears, asking the user to confirm the transaction using their device's biometric sensor or PIN. Upon successful local authentication, they are redirected back to the merchant site to complete the purchase. This flow occurs within a first-party context, where the user authenticates directly with Mastercard.
    • Secure Payment Confirmation (SPC) Flow (Potential): An alternative, potentially more seamless flow involves SPC. In this scenario, the user remains on the merchant's website. A browser-native pop-up appears, displaying key transaction details (merchant name, amount, partial card info) and prompting for passkey authentication directly. This eliminates redirection entirely and provides strong dynamic linking by embedding transaction details in the authentication request. Please note that SPC passkeys are still in a concept phase and it’s not decided if they will ever reach general availability (mainly due to Apple not giving it a go). This flow would operate in a third-party context, where the merchant invokes authentication for the Mastercard passkey, likely using credentials shared via EMV 3DS.

Mastercard Passkeys Authentication During Checkout Taken from https://www.w3.org/2023/Talks/mc-passkeys-20230911.pdf
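Dynamic linking as described in section 2.3 and in the SPC flow above, as an added example (not Mastercard's code and not taken from the SPC specification): the server derives the WebAuthn challenge from the transaction and then compares the signed client data with the transaction it is about to authorise. The challenge derivation, function names and sample values are assumptions for illustration; the `payment` member names follow the W3C Secure Payment Confirmation draft, and verifying the signature itself is left to a WebAuthn library.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def transaction_challenge(nonce: bytes, amount: str, currency: str, payee_origin: str) -> str:
    """Challenge committing to the transaction (assumed scheme: SHA-256 of nonce + canonical JSON)."""
    canonical = json.dumps({"amount": amount, "currency": currency, "payee": payee_origin},
                           sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(nonce + canonical).digest())


def check_client_data(client_data_json: bytes, *, nonce: bytes, amount: str, currency: str,
                      payee_origin: str, rp_origin: str, rp_id: str) -> list:
    """Compare signed client data with the transaction being authorised; return failed checks."""
    cd = json.loads(client_data_json)
    failed = []
    expected = transaction_challenge(nonce, amount, currency, payee_origin)
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), expected.encode()):
        failed.append("challenge")
    if cd.get("type") == "webauthn.get":
        # Standard flow: the user was redirected to the relying party's own origin.
        if cd.get("origin") != rp_origin:
            failed.append("origin")
    elif cd.get("type") == "payment.get":
        # SPC flow: the browser records the details it displayed to the user.
        pay = cd.get("payment") or {}
        total = pay.get("total") or {}
        if pay.get("rpId") != rp_id:
            failed.append("payment.rpId")
        if pay.get("payeeOrigin") != payee_origin:
            failed.append("payment.payeeOrigin")
        if (total.get("value"), total.get("currency")) != (amount, currency):
            failed.append("payment.total")
    else:
        failed.append("type")
    return failed


def sample_client_data(ctype: str, challenge: str, origin: str, payment=None) -> bytes:
    """Constructed clientDataJSON; a real one is produced by the browser."""
    cd = {"type": ctype, "challenge": challenge, "origin": origin, "crossOrigin": False}
    if payment is not None:
        cd["payment"] = payment
    return json.dumps(cd).encode()


# Constructed transaction using the article's sample shop; a real nonce is random per transaction.
TXN = dict(nonce=b"\x01" * 16, amount="49.90", currency="EUR",
           payee_origin="https://decorshop.com",
           rp_origin="https://verify.mastercard.com", rp_id="mastercard.com")


def demo() -> dict:
    signed = transaction_challenge(TXN["nonce"], "49.90", "EUR", TXN["payee_origin"])
    standard = sample_client_data("webauthn.get", signed, TXN["rp_origin"])
    spc = sample_client_data("payment.get", signed, TXN["payee_origin"], {
        "rpId": "mastercard.com", "topOrigin": TXN["payee_origin"],
        "payeeOrigin": TXN["payee_origin"], "total": {"value": "49.90", "currency": "EUR"}})
    tampered = dict(TXN, amount="4990.00")  # authorisation request altered after signing
    return {"standard": check_client_data(standard, **TXN),
            "spc": check_client_data(spc, **TXN),
            "standard_tampered": check_client_data(standard, **tampered),
            "spc_tampered": check_client_data(spc, **tampered)}


if __name__ == "__main__":
    for name, failed in demo().items():
        print(name, failed or "ok")
```
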

5.3 Integration with Click to Pay

The synergy between Mastercard Payment Passkeys and Click to Pay is particularly noteworthy. Click to Pay provides a standardized, secure way for consumers to store their tokenized card details for easier online checkout across participating merchants. Payment Passkeys serve as the modern, biometric authentication layer for accessing and using these stored Click to Pay credentials. This combination is key to achieving a true "one-click" checkout experience, eliminating both manual card entry and password/OTP challenges. The global-first launch of an integrated Click to Pay with Payment Passkey service by Mastercard and Tap Payments underscores this strategic direction. This leverages the existing Click to Pay infrastructure and merchant network, providing a powerful scaling mechanism for Payment Passkey adoption.

The table below summarizes the key characteristics of potential authentication flows:

| Feature | Standard Passkey Flow | SPC Passkey Flow |
| --- | --- | --- |
| User Location | Brief redirect to Mastercard domain | Stays on Merchant domain |
| Authentication Context | First-Party (User authenticates with MC) | Third-Party (Merchant invokes auth for MC) |
| User Experience | Seamless redirect, WebAuthn prompt | No redirect, Browser pop-up with details |
| Dynamic Linking | Achieved via EMV 3DS data exchange | Built into SPC prompt/signature |
| Current Status | Widely applicable via WebAuthn | Potentially limited/evolving browser support |

6. Benefits of Mastercard Passkeys for Merchants and Consumers

For merchants, adopting Mastercard's Payment Passkey Service / Token Authentication Service means:

  • Reduced Fraud and Chargebacks: This is arguably the most significant benefit. By tying authentication directly to the user's unique biometrics or device PIN via phishing-resistant passkeys, the risk of unauthorized transactions plummets. The underlying use of tokenization further protects card data. This stronger authentication can also lead to liability shifts for certain types of fraud, similar to the benefits seen with EMV 3DS adoption. Case studies, such as the one involving noon Payments, explicitly report decreased fraud incidence after implementing Payment Passkeys and Click to Pay.
  • Increased Approval and Conversion Rates: Checkout friction is a major cause of cart abandonment. Eliminating the need for password recall or OTP entry smooths the payment flow, leading to higher completion rates. Furthermore, the strong authentication signal provided by passkeys gives issuing banks greater confidence to approve transactions, reducing the likelihood of costly false declines. Higher approval rates directly translate to increased sales and revenue. Partners like Yuno have noted that passkeys drive higher conversion rates.
  • Improved Customer Experience and Brand Image: Offering a cutting-edge, secure and effortless checkout process enhances customer satisfaction and builds trust in the merchant's brand. Providing a demonstrably safer way to pay can be a competitive differentiator.

For consumers, this service enables:

  • Seamless and Faster Checkout: The most immediate benefit is the removal of hassle. Users no longer need to remember complex passwords or wait for and manually enter OTPs. Authentication happens quickly using the same familiar biometrics (e.g. Face ID, Touch ID) used to unlock their phone. The "enroll once, use everywhere" nature across participating merchants adds significant convenience.
  • Enhanced Security and Peace of Mind: Payment Passkeys offer fundamentally stronger security than passwords or OTPs. They are resistant to phishing and many forms of online fraud. Knowing that transactions are protected by biometrics provides consumers with greater confidence and peace of mind when shopping online.
  • Privacy Protection: As biometric data remains on the device and tokenization protects the actual card number, less sensitive information is transmitted during the transaction.

The following table summarizes the value proposition for each stakeholder group:

| Benefit Category | Merchant Advantage | Consumer Advantage |
| --- | --- | --- |
| Security | Reduced Fraud & Chargebacks, Lower Risk, Potential Liability Shift | Phishing-Resistant MFA, Biometric Security, Peace of Mind |
| Efficiency | Higher Approval/Conversion Rates, Faster Checkout, Less Cart Abandonment | Faster & Seamless Checkout, No Passwords/OTPs |
| Convenience | Simplified Integration (via TAS/Click to Pay) | Single Enrollment, Use Across Merchants, Familiar Device Unlock |
| Cost | Reduced Fraud Losses, Potentially Lower Operational Costs (e.g., fewer support calls for password resets/fraud) | (Indirect benefit via security, time saved, potentially fewer issues related to fraud or failed authentications) |

7. Implications for Merchants and Developers

For merchants and developers looking to leverage the benefits of Mastercard Payment Passkeys, integration occurs through the Mastercard Token Authentication Service (TAS). TAS is designed to work in conjunction with Mastercard's existing tokenization and checkout solutions, primarily Click to Pay and Secure Card on File (SCOF). Essentially, TAS provides the advanced biometric authentication layer for transactions using credentials already tokenized and stored via these services.

This approach of integrating passkey authentication into established services like Click to Pay and SCOF aims to minimize disruption for merchants. Rather than requiring a completely new integration pathway, businesses already utilizing these Mastercard solutions may find adding passkey support to be a more streamlined process, leveraging their existing infrastructure.

Mastercard provides resources for integration through the Mastercard Developers portal (developer.mastercard.com). These resources include SDKs and APIs designed to facilitate the implementation of TAS functionalities. While detailed technical specifications require accessing the portal, documentation snippets reveal specific use cases and API calls related to passkey management within the payment context, such as "Create Passkey after ID&V" (Identity & Verification), "Create Passkey after Transaction Authentication," and "Use Passkey for Transaction Authentication". The existence of these defined functions suggests a structured and mature integration framework is available for developers.

An official video explaining the concept is also available:

Merchants and developers interested in implementing Mastercard Payment Passkeys should consult the Mastercard Developers portal for detailed documentation, SDKs, APIs, and specific integration guides relevant to their chosen platform (e.g., Click to Pay, SCOF) and technical environment.

8. The Future of Payment Authentication: Mastercard, Visa & American Express

Mastercard's launch of its Payment Passkey Service is a significant development, marking a clear commitment by a major payment network to move beyond passwords and OTPs towards more secure and user-friendly biometric authentication. This aligns with Mastercard's broader vision for the future of e-commerce, which includes phasing out manual card entry entirely by 2030 in regions like Europe, relying instead on tokenization and seamless authentication methods like passkeys.

Mastercard is not alone in this endeavor. Visa has launched its own, similarly named Visa Payment Passkey Service. Like Mastercard's offering, Visa's service is built on FIDO standards, utilizes device biometrics, aims to replace passwords/OTPs, integrates with tokenization and Click to Pay, and emphasizes the dual benefits of enhanced security (fraud reduction) and improved user experience. Visa highlights potential fraud rate reductions of up to 50% compared to SMS OTPs and notes broad OS and browser support for FIDO. One potential distinction mentioned in Visa's materials is the concept of "Visa-managed authentication support" or a "federated model," where Visa handles the core FIDO authentication complexity, potentially simplifying integration for merchants and issuers. The parallel strategies and even similar naming conventions adopted by the two largest card networks strongly suggest an industry-wide convergence around FIDO passkeys as the future standard for authenticating online payments. This coordinated push benefits the entire ecosystem by promoting interoperability and reducing fragmentation.

American Express is also actively incorporating modern authentication technologies. While they haven't launched a distinct "Payment Passkey Service" brand like Visa and Mastercard (as of May 2025), they have integrated FIDO/WebAuthn-based biometric capabilities (facial and fingerprint recognition) directly into their existing SafeKey platform. SafeKey itself is built upon the EMV 3-D Secure standard. American Express, also a FIDO Alliance board member, is thus leveraging the same core passwordless technology but embedding it within their established security framework. This might reflect a different branding strategy, leveraging the recognition of SafeKey, or potentially architectural differences stemming from their network model. Nonetheless, the direction is consistent: leveraging on-device biometrics and FIDO standards for stronger, smoother online authentication.

9. Conclusion

The introduction of the Mastercard Payment Passkey Service represents a watershed moment in the evolution of online payment security and UX. By embracing FIDO passkey standards and integrating them tightly with tokenization and existing checkout solutions like Click to Pay, Mastercard is addressing the critical shortcomings of traditional password and OTP-based authentication.

This initiative offers substantial benefits across the payments ecosystem. For merchants, it promises a significant reduction in fraud losses and chargebacks, coupled with higher transaction approval rates and improved conversion due to a frictionless checkout process. For consumers, it delivers a faster, more convenient and demonstrably more secure way to pay online, leveraging familiar device biometrics while eliminating the need to manage passwords or handle OTPs.

The technological underpinnings, combining phishing-resistant authentication with the data minimization of tokenization, all within the framework of established EMVCo standards, create a strong, layered defense against fraud. Mastercard's strategic, partnership-driven global rollout further signals the significance and long-term commitment behind this technology.

As Visa follows a parallel path with its own Payment Passkey Service and American Express integrates similar biometric capabilities into SafeKey, the direction is clear: passkeys are rapidly becoming the new standard for securing digital payments.
