Payments Passkeys Cases: Mastercard & Pix (Authenticate '25)

At Authenticate 2025, Mastercard and Brazil’s Pix showed how passkeys speed checkout, lift approvals and cut CNP fraud. See KPIs and rollout lessons.

Vincent Delitz

Created: October 30, 2025

Updated: November 1, 2025

1. Introduction: Payment Passkey Case Studies at Authenticate 2025

Every year, the Authenticate Conference gathers the world’s leading minds in digital identity and authentication. Organized by the FIDO Alliance, it serves as the central meeting point for security professionals, product leaders, and identity architects shaping the post-password era.

At Authenticate 2025, one theme stood out: Payments are becoming the next frontier for passkeys. What began as a technology for logging into apps and accounts is now transforming how people pay - whether in e-commerce checkouts, mobile wallets, or real-time transfer systems. The payment industry, long shaped by complex compliance requirements and entrenched legacy infrastructure, is now embracing passkeys to make authentication both phishing-resistant and frictionless.

This shift is not only about security. Card networks, banks, and regulators increasingly see passkeys as the key to faster approvals, fewer abandoned carts, and reduced fraud losses. From global players like Mastercard driving tokenized, biometric checkouts to Brazil’s Pix network making passkey-based authentication a national standard, the payments landscape is entering a new phase of identity-driven trust.

This post is part of Corbado’s Authenticate 2025 recap series and focuses on how leading payment systems are deploying passkeys at scale. In the sections below, we will answer the following questions:

  • How does Mastercard plan to eliminate passwords and manual card entry by 2030 through passkeys in payments?
  • How did Pix evolve from QR codes to biometric, device-bound verification to protect millions of users against phishing and SIM-swap attacks?

2. Mastercard reimagines Online Checkout in E-commerce with Passkeys

Mastercard's vision for the future of online payments is to match the security and speed that consumers already enjoy in physical commerce. Their bold goal is to eliminate manual card entry and passwords globally by 2030, replacing them with fast, secure methods like smiles and fingerprints.

2.1 Challenges in E-commerce that Mastercard wants to solve with Passkeys

Before outlining the solution, Mastercard highlighted the major pain points plaguing online checkout:

  • Card-Not-Present (CNP) Fraud: This is estimated to cost US$15 billion. The majority of fraudulent transactions are either not authenticated or not authenticated correctly, leaving the system vulnerable.
  • Cart Abandonment: A staggering 27% of all shopping carts are abandoned, primarily due to friction from complex or slow checkout processes.
  • False Declines: Banks sometimes decline a legitimate transaction. This is a significant problem because over 40% of consumers are less likely to retry a purchase if it's declined the first time, resulting in lost sales.

2.2 The Passkey Solution Mastercard opts for

Mastercard’s solutions are anchored on major industry standards from EMVCo, the FIDO Alliance, and W3C. Their core security principles aim to resolve the challenges above:

  • Tokenization: This replaces the consumer's actual card number with an alternate, unique number (a token) that is tied to a specific domain (such as a merchant). This is key because:
  • Secure and Seamless Authentication: Authentication methods like an Issuer app or biometrics (fingerprint, face scan) are used to ensure the legitimate card owner is performing the transaction, thereby avoiding account takeover.
  • Enhanced Data Sharing: Utilizing dynamic and contextual data (details about the cardholder, the device, and the specific transaction) allows for much better risk decisioning by banks.

Passkeys, built on the FIDO standard, are Mastercard’s solution for a fast and secure checkout experience due to three key advantages:

  • Speed: Passkeys are nine times faster than using a One-Time Passcode (OTP) because there's no waiting for a code to be delivered via text or email.
  • Security: Using biometric authentication results in 2.5 times less fraud compared to traditional OTPs.
  • Security and Scale: Public perception aligns with the facts: 90% of users believe biometrics are both more secure and more convenient than traditional passwords.

2.3 Current Challenges Mastercard has already solved with Passkeys

Mastercard has been rolling out Payment Passkeys since 2024 to deliver a seamless Multi-Factor Authentication (MFA) experience.

  • Multi-Use: A single Payment Passkey on a device can be used for various scenarios, including:
    • Card on File (where your card details are saved)
    • Guest Checkout
    • Agentic Commerce (transactions initiated by AI/devices)
    • Click to Pay access
  • Security Model: It uses MFA with passkey and device-bound credentials (meaning the passkey is tied to a specific device). If a new device is used, a new identity verification process is required.
  • Transaction Flow: The authentication results and risk data are sent to the card issuer with every transaction to aid in approval decisions.
  • Goal: Mastercard already reached the goal for its Payment Passkeys to be enabled at over 1,000 merchants in 2025.

3. Mastercard embraces synced Passkeys in the financial Sector for Payments

Apart from e-commerce, Mastercard also communicated a clear stance on passkeys in payments: the company considers adopting passkeys in payment systems critical, driven by stringent global regulations that hold card issuers (banks) explicitly liable for security failures.

3.1 Regulatory and Issuer Principles

To comply with global rules, a secure payment authentication system must be built upon three core principles according to Mastercard:

  • Transparency in the Critical Path: The payment system must provide a transparent trust path for every authentication. This means clearly documenting how a credential was created, transmitted, and validated across all systems involved.
  • Solve Integrity by Design: Security must be demonstrably built in, not merely assumed. Every system participating in the payment process must prove it is secure by design.
  • Accountability Through Evidence: Every participant in the trust path must produce verifiable proofs, such as digital attestations and certifications, to establish end-to-end assurance.

The company's approach is shaped by regulatory mandates that assign security liability to the issuer:

| Regulator | Liability Mandate |
| --- | --- |
| RBI (India) | The issuer must ensure the robustness and integrity of the authentication mechanism and must compensate the customer in full for losses arising from non-compliant transactions. |
| PSD/PSR (EU) | The payment service provider (issuer) must immediately refund unauthorized payments, unless the user was fraudulent or grossly negligent. |
| MAS (Singapore) | Financial institutions must assume liability for losses from unauthorized transactions unless the user acted negligently or fraudulently. |

3.2 Mastercard's Principles for synced Payment Passkeys and the Role of certified Hardware

To make passkeys suitable for payments, implementations should follow three practical principles that align with FIDO / WebAuthn and current “payment passkey” deployments:

  • Keys are created and bound to the authenticator: The private key for a passkey is generated on the user’s authenticator (platform device or security key) and does not leave it. Platform authenticators typically store keys in hardware‑backed keystores (e.g. Secure Enclave/TEE) or a certified security key.
  • Sync is user‑mediated and end‑to‑end encrypted: When users opt into synced passkeys, copies of the credential are backed up and synchronized with end-to-end encryption (E2EE) by the passkey provider (e.g. iCloud Keychain, Google Password Manager). A new device must be approved before it can decrypt the backup. The provider cannot read the key material.
  • Rely on appropriate certification for each component: Use FIDO‑Certified authenticators/servers for passkeys and continue using PCI/FIPS‑validated HSMs where they already protect payment system secrets (e.g. PIN keys, tokenization systems, or escrow services).

The payment industry already uses certified hardware (PCI PTS HSM, FIPS‑validated HSMs) to protect PINs and other sensitive payment keys. Those controls remain relevant on the server side (e.g., MDES/tokenization, 3‑DS servers, escrow), while passkey private keys remain authenticator‑resident.

3.2.1 Payment passkey creation

This process ensures the passkey’s private key is created on and bound to the user’s authenticator:

  1. The relying party (e.g., Mastercard payment passkey flow via the issuer or Checkout/Click to Pay) invokes WebAuthn registration on the user’s device.
  2. The authenticator (platform or security key) generates a new key pair and returns the public key plus optional attestation to the relying party. The private key stays on the device.
  3. If the user opts into synced passkeys, the passkey copy is encrypted on‑device and backed up via the passkey provider for use on their other devices.

3.2.2 How synced passkeys roam between devices

When a user adds a new device:

  1. The user authorizes the new device to join their passkey provider’s E2EE sync (e.g., iCloud Keychain, Google Password Manager).
  2. The provider delivers the encrypted passkey material to the new device, which can decrypt it only after local user verification (biometric/PIN) and account approval.
  3. No party other than the user’s devices can access the private key in clear. Providers cannot decrypt backed‑up passkeys.
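
As an added illustration (not Mastercard's or Corbado's code), a relying party can read the WebAuthn authenticator data flags to tell a device-bound passkey from a synced one and to enforce user verification. The RP ID `pay.example`, the function names and the sample bytes are assumptions constructed for this example; signature and challenge verification are out of scope here.

```python
import hashlib
import struct

# WebAuthn authenticator data flag bits (byte 32 of authenticatorData).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric/PIN)
FLAG_BE = 0x08  # backup eligible: the credential may be synced
FLAG_BS = 0x10  # backup state: the credential is currently backed up


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_payment_policy(auth_data: bytes, rp_id: str, require_device_bound: bool) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rp_id_mismatch")
    if not parsed["user_present"]:
        problems.append("user_not_present")
    if not parsed["user_verified"]:
        problems.append("user_not_verified")
    if parsed["backed_up"] and not parsed["backup_eligible"]:
        problems.append("invalid_backup_flags")  # BS set without BE is invalid
    if require_device_bound and parsed["backup_eligible"]:
        problems.append("synced_credential_not_allowed")
    return problems


def build_sample(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample header for demonstration; not captured traffic."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    synced = build_sample("pay.example", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 5)
    print(check_payment_policy(synced, "pay.example", require_device_bound=True))
```

A deployment that requires a fresh identity verification on each new device would set `require_device_bound=True`; one that accepts synced passkeys would instead record the backup flags as a risk signal for the issuer.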

4. Passkeys in Payments: Pix’s biometric Evolution in Brazil

Brazil’s instant payments network, Pix, has become a global benchmark for open, fast, and inclusive digital payments. In just four years since its 2020 launch by the Central Bank of Brazil, Pix has evolved from QR-based transfers to a biometric, device-bound authentication layer powered by passkeys - a shift now shaping the next phase of Brazil’s payment ecosystem.

4.1 Scale and Impact of Passkeys for Pix

  • Pix is now the default way to pay in Brazil, handling real-time transfers between individuals, merchants, and institutions.
  • For individuals, transfers remain free; for merchants, acceptance costs are minimal, supporting national financial inclusion goals.
  • Pix is on track to surpass cards in total e-commerce volume by 2025, signaling a complete payment-method transformation.

This success creates both opportunity and responsibility. As volumes exploded, so did phishing and SIM-swap attacks targeting OTP-based authentication, pushing the ecosystem toward phishing-resistant, passkey-based verification.

4.2 How Pix is modernizing Authentication

At the security layer, Pix is adopting device-bound keys combined with local biometrics, removing shared secrets from every transaction.

Users register once and then assert locally on each payment, eliminating the recurring password or OTP step that attackers often exploit.

This approach builds directly on FIDO standards, with passkey support spanning Android, iOS, and desktop browsers.

Credential managers now provide the reliability Pix needed to scale: autofill, sync, and recovery are all handled natively, enabling a consistent user experience across devices and form factors.

4.3 Regulatory and Ecosystem Momentum

On the policy side, regulations now formally support in-app Pix payments (JSR), mandating participation by leading banks, and reinforcing government backing for a unified, frictionless authentication layer.

The central bank’s clear stance ensures ecosystem-wide demand for passkey adoption—not as an optional security add-on, but as the standard baseline for financial authentication.

5. Key Takeaways on Passkeys in Payments from Authenticate 2025

5.1 Checkout Conversion and Cart Abandonment Outcomes

Across the payment ecosystem, checkout friction remains one of the most expensive problems to solve. Manual card entry and OTP challenges consistently rank among the top reasons for cart abandonment, with up to one in four users dropping off before completing a transaction. Passkeys directly address this by reducing authentication to a single biometric gesture, eliminating form fields and waiting times. Early data shared at Authenticate 2025 showed that merchants implementing passkey-based authentication experienced both higher completion rates and shorter time-to-approve windows, proving that security and conversion no longer need to be trade-offs.

5.2 Deployment Scope across Payment Contexts

While initial deployments focused on e-commerce checkout, 2025 marked the expansion of passkeys across the entire payment journey. Card-on-file scenarios, guest checkouts, in-app payments and even emerging agent-initiated commerce now rely on the same underlying passkey credentials. This consistency allows users to authenticate seamlessly across multiple contexts without additional setup, while issuers and payment service providers (PSPs) benefit from unified telemetry and reduced integration complexity. The success of Mastercard’s multi-use Payment Passkeys and Pix’s in-app biometric authentication demonstrates that passkeys can serve as a universal payment credential rather than a channel-specific feature.

5.3 Operational KPIs and Monitoring

As payment providers scale passkey authentication, success is increasingly measured through operational and risk metrics rather than adoption alone. Key indicators include approval rate uplift, reduced false declines, lower fraud losses per 1,000 transactions, and decreased average handling time in support. Passkeys generate richer authentication signals (such as device attestation and biometric proof) that improve risk decisioning and authorization outcomes. By systematically tracking these metrics, issuers and acquirers can quantify the ROI of phishing-resistant MFA, validate regulatory compliance, and continuously optimize the end-to-end payment experience.

6. Conclusion

Authenticate 2025 made one thing clear: Passkeys are becoming the foundation of how payments will work in the coming decade. From Mastercard’s push to make biometric checkout the default by 2030, to Pix’s nationwide rollout of device-bound credentials, the payments industry is moving decisively toward a model where security and convenience reinforce each other.