Passkeys Reshape Payments: Mastercard and Pix Insights at Authenticate 2025

At Authenticate 2025, Mastercard and Brazil’s Pix showed how passkeys speed checkout, lift approvals and cut CNP fraud. See KPIs and rollout lessons.

Vincent Delitz

Created: October 30, 2025

Updated: October 30, 2025


1. Introduction: Payment Passkey Case Studies at Authenticate 2025

Every year, the Authenticate Conference gathers the world’s leading minds in digital identity and authentication. Organized by the FIDO Alliance, it serves as the central meeting point for security professionals, product leaders, and identity architects shaping the post-password era.

At Authenticate 2025, one theme stood out: Payments are becoming the next frontier for passkeys. What began as a technology for logging into apps and accounts is now transforming how people pay—whether in e-commerce checkouts, mobile wallets, or real-time transfer systems. The payment industry, long shaped by complex compliance requirements and entrenched legacy infrastructure, is now embracing passkeys to make authentication both phishing-resistant and frictionless.

This shift is not only about security. Card networks, banks, and regulators increasingly see passkeys as the key to faster approvals, fewer abandoned carts, and reduced fraud losses. From global players like Mastercard driving tokenized, biometric checkouts to Brazil’s Pix network making passkey-based authentication a national standard, the payments landscape is entering a new phase of identity-driven trust.

This post is part of Corbado’s Authenticate 2025 recap series and focuses on how leading payment systems are deploying passkeys at scale. In the sections below, we will answer the following questions:

  • How does Mastercard plan to eliminate passwords and manual card entry by 2030 through passkeys in payments?
  • How did Pix evolve from QR codes to biometric, device-bound verification to protect millions of users against phishing and SIM-swap attacks?

2. Mastercard Reimagines Online Checkout in E-commerce With Passkeys

Mastercard's vision for the future of online payments is to match the security and speed that consumers already enjoy in physical commerce. Their bold goal is to eliminate manual card entry and passwords globally by 2030, replacing them with fast, secure methods like smiles and fingerprints.

2.1 Challenges in E-commerce That Mastercard Wants to Solve With Passkeys

Before outlining the solution, Mastercard highlighted the major pain points plaguing online checkout:

  • Card-Not-Present (CNP) Fraud: This is estimated to cost US$15 billion. The majority of fraudulent transactions are either not authenticated or not authenticated correctly, leaving the system vulnerable.
  • Cart Abandonment: A staggering 27% of all shopping carts are abandoned, primarily due to friction from complex or slow checkout processes.
  • False Declines: Banks sometimes decline a legitimate transaction. This is a significant problem because over 40% of consumers are less likely to retry a purchase if it's declined the first time, resulting in lost sales.

2.2 The Passkey Solution Mastercard Opts For

Mastercard’s solutions are anchored on major industry standards from EMVCo, the FIDO Alliance, and W3C. Their core security principles aim to resolve the challenges above:

  • Tokenization: This replaces the consumer's actual card number with an alternate, unique number (a token) that is tied to a specific domain (such as a merchant). This is key because:

  • Secure and Seamless Authentication: Authentication methods like an Issuer app or biometrics (fingerprint, face scan) are used to ensure the legitimate card owner is performing the transaction, thereby avoiding account takeover.

  • Enhanced Data Sharing: Utilizing dynamic and contextual data (details about the cardholder, the device, and the specific transaction) allows for much better risk decisioning by banks.

Passkeys, built on the FIDO standard, are Mastercard’s solution for a fast and secure checkout experience due to three key advantages:

  • Speed: Passkeys are nine times faster than using a One-Time Passcode (OTP) because there's no waiting for a code to be delivered via text or email.
  • Security: Using biometric authentication results in 2.5 times less fraud compared to traditional OTPs.
  • Security and Scale: Public perception aligns with the facts: 90% of users believe biometrics are both more secure and more convenient than traditional passwords.

2.3 Current Challenges Mastercard Has Already Solved With Passkeys

Mastercard has been rolling out Payment Passkeys since 2024 to deliver a seamless Multi-Factor Authentication (MFA) experience.

  • Multi-Use: A single Payment Passkey on a device can be used for various scenarios, including:
    • Card on File (where your card details are saved)
    • Guest Checkout
    • Agentic Commerce (transactions initiated by AI/devices)
    • Click to Pay access
  • Security Model: It uses MFA with passkey and device-bound credentials (meaning the passkey is tied to a specific device). If a new device is used, a new identity verification process is required.
  • Transaction Flow: The authentication results and risk data are sent to the card issuer with every transaction to aid in approval decisions.
  • Goal: Mastercard already reached the goal for its Payment Passkeys to be enabled at over 1,000 merchants in 2025.

3. Mastercard Embraces Synced Passkeys in the Financial Sector for Payments

Apart from e-commerce, Mastercard also communicated a clear stance on passkeys in payments: the company considers adopting passkeys in payment systems critical, driven by stringent global regulations that hold card issuers (banks) explicitly liable for security failures.

3.1 Regulatory and Issuer Principles

To comply with global rules, a secure payment authentication system must be built upon three core principles according to Mastercard:

  • Transparency in the Critical Path: The payment system must provide a transparent trust path for every authentication. This means clearly documenting how a credential was created, transmitted, and validated across all systems involved.
  • Solve Integrity by Design: Security must be demonstrably built in, not merely assumed. Every system participating in the payment process must prove it is secure by design.
  • Accountability Through Evidence: Every participant in the trust path must produce verifiable proofs, such as digital attestations and certifications, to establish end-to-end assurance.

The company's approach is shaped by regulatory mandates that assign security liability to the issuer:

| Regulator | Liability Mandate |
| --- | --- |
| RBI (India) | The issuer must ensure the robustness and integrity of the authentication mechanism and must compensate the customer in full for losses arising from non-compliant transactions. |
| PSD/PSR (EU) | The payment service provider (issuer) must immediately refund unauthorized payments, unless the user was fraudulent or grossly negligent. |
| MAS (Singapore) | Financial institutions must assume liability for losses from unauthorized transactions unless the user acted negligently or fraudulently. |

3.2 Mastercard's Principles for Synced Payment Passkeys and the Role of Certified Hardware

To achieve the necessary security for payment use cases, synced passkeys must adhere to three strict principles:

  • Keys must be generated in hardware: Hardware generation ensures verifiable custody and security by design.
  • Syncing must be intentional and end-to-end encrypted: Synchronization to a new device should require explicit user choice. The new device must provide a wrapping key to securely transfer the private key.
  • Certified ecosystem over trust-based: Every entity in the passkey chain must operate under independent certification and provide auditable evidence of compliance, moving away from a simple trust model.

The payment industry already uses certified hardware to manage sensitive data like customer PINs, utilizing Hardware Security Modules (HSMs), which are:

  • Tamper-resistant and access-controlled devices that enforce key isolation.
  • Governed by a certified ecosystem under mandates like FIPS 140-2/3 and PCI HSM certifications.

The goal is to integrate the proven security of certified hardware into the passkey process:

3.2.1 Proposed Solution: Creation of the Key in Hardware

This process ensures the private key is generated and protected within a backend HSM and is never exposed in cleartext:

  1. The Passkey Provider Application requests the Backend HSM to create the key.
  2. The user’s device (Authenticator) sends its certificate for wrapping to the Passkey Provider.
  3. The Backend HSM generates the key securely inside its module.
  4. The Backend HSM uses the certificate to export the wrapped key to the Passkey Provider Cloud.
  5. The Passkey Provider Cloud sends the wrapped key to the device to import the key, where it is securely unwrapped and stored.

3.2.2 Proposed Solution: Syncing of Passkeys Between Devices

This flow makes synchronization both intentional and verifiable via a secure channel:

  1. Device 1 generates a QR code with a signature, verifying that the key holder authorized the sync request.
  2. Device 2 scans the QR code and sends its certificate for wrapping.
  3. Device 2 sends a Sync Passkey request to the Passkey Provider Cloud.
  4. The Passkey Provider Cloud uses the Backend HSM to verify the signature from Device 1, confirming the request’s legitimacy.
  5. Upon verification, the Backend HSM retrieves the key and exports the wrapped key using the certificate from Device 2.
  6. The wrapped key is sent to the Authenticator on Device 2 to import the key, securely completing the sync.
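
The sync flow above, together with the wrapped export it shares with the creation flow in 3.2.1, as an added Go example; this is not Mastercard's or Corbado's code. It assumes a P-256 passkey, RSA-OAEP as the wrapping scheme, a bare RSA public key standing in for the device certificate, an in-memory stand-in for the HSM, and that Device 1's signature covers a digest of Device 2's wrapping key; the names `HSM`, `SyncRequest`, `Sync` and `Import` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type HSM struct{ passkey *ecdsa.PrivateKey } // simulated HSM: key leaves only wrapped
var curve, rng = elliptic.P256(), rand.Reader // passkey curve (assumed), randomness

// SyncRequest is the digest Device 1 signs; it binds the request to Device 2's key.
func SyncRequest(dev2 *rsa.PublicKey) []byte {
	d := sha256.Sum256(x509.MarshalPKCS1PublicKey(dev2))
	return d[:]
}

// Sync (3.2.2, steps 4-5) wraps the key for Device 2 only if Device 1 authorized it.
func (h *HSM) Sync(sig []byte, dev2 *rsa.PublicKey) ([]byte, error) {
	if !ecdsa.VerifyASN1(&h.passkey.PublicKey, SyncRequest(dev2), sig) {
		return nil, fmt.Errorf("sync request not signed by the key holder")
	}
	der, err := x509.MarshalECPrivateKey(h.passkey)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rng, dev2, der, nil)
}

// Import (step 6) is the authenticator on the receiving device unwrapping the key.
func Import(dev *rsa.PrivateKey, wrapped []byte) (*ecdsa.PrivateKey, error) {
	der, err := rsa.DecryptOAEP(sha256.New(), rng, dev, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

func main() {
	key, _ := ecdsa.GenerateKey(curve, rng) // generated inside the HSM (3.2.1)
	dev2, _ := rsa.GenerateKey(rng, 2048)   // Device 2's wrapping key pair
	sig, _ := ecdsa.SignASN1(rng, key, SyncRequest(&dev2.PublicKey)) // Device 1 approves
	wrapped, err := (&HSM{key}).Sync(sig, &dev2.PublicKey)
	got, _ := Import(dev2, wrapped)
	fmt.Println(err == nil && got.Equal(key))
}
```

Because the signed digest covers Device 2's wrapping key, the same signature presented with a different device key is rejected, and a wrapped blob delivered to the wrong device cannot be unwrapped.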

4. Passkeys in Payments: Pix’s Biometric Evolution in Brazil

Brazil’s instant payments network, Pix, has become a global benchmark for open, fast, and inclusive digital payments. In just four years since its 2020 launch by the Central Bank of Brazil, Pix has evolved from QR-based transfers to a biometric, device-bound authentication layer powered by passkeys—a shift now shaping the next phase of Brazil’s payment ecosystem.

4.1 Scale and Impact of Passkeys for Pix

  • Pix is now the default way to pay in Brazil, handling real-time transfers between individuals, merchants, and institutions.
  • For individuals, transfers remain free; for merchants, acceptance costs are minimal, supporting national financial inclusion goals.
  • Pix is on track to surpass cards in total e-commerce volume by 2025, signaling a complete payment-method transformation.

This success creates both opportunity and responsibility. As volumes exploded, so did phishing and SIM-swap attacks targeting OTP-based authentication, pushing the ecosystem toward phishing-resistant, passkey-based verification.

4.2 How Pix Is Modernizing Authentication

At the security layer, Pix is adopting device-bound keys combined with local biometrics, removing shared secrets from every transaction.

Users register once and then assert locally on each payment, eliminating the recurring password or OTP step that attackers often exploit.

This approach builds directly on FIDO standards, with cross-platform passkey support spanning Android, iOS, and desktop browsers.

Credential managers now provide the reliability Pix needed to scale: autofill, sync, and recovery are all handled natively, enabling a consistent user experience across devices and form factors.

4.3 Regulatory and Ecosystem Momentum

On the policy side, regulations now formally support in-app Pix payments (JSR), mandating participation by leading banks, and reinforcing government backing for a unified, frictionless authentication layer.

The central bank’s clear stance ensures ecosystem-wide demand for passkey adoption—not as an optional security add-on, but as the standard baseline for financial authentication.


5. Key Takeaways on Passkeys in Payments From Authenticate 2025

5.1 Checkout Conversion and Cart Abandonment Outcomes

Across the payment ecosystem, checkout friction remains one of the most expensive problems to solve. Manual card entry and OTP challenges consistently rank among the top reasons for cart abandonment, with up to one in four users dropping off before completing a transaction. Passkeys directly address this by reducing authentication to a single biometric gesture, eliminating form fields and waiting times. Early data shared at Authenticate 2025 showed that merchants implementing passkey-based authentication experienced both higher completion rates and shorter time-to-approve windows, proving that security and conversion no longer need to be trade-offs.

5.2 Deployment Scope Across Payment Contexts

While initial deployments focused on e-commerce checkout, 2025 marked the expansion of passkeys across the entire payment journey. Card-on-file scenarios, guest checkouts, in-app payments, and even emerging agent-initiated commerce now rely on the same underlying passkey credentials. This consistency allows users to authenticate seamlessly across multiple contexts without additional setup, while issuers and payment service providers (PSPs) benefit from unified telemetry and reduced integration complexity. The success of Mastercard’s multi-use Payment Passkeys and Pix’s in-app biometric authentication demonstrates that passkeys can serve as a universal payment credential rather than a channel-specific feature.

5.3 Operational KPIs and Monitoring

As payment providers scale passkey authentication, success is increasingly measured through operational and risk metrics rather than adoption alone. Key indicators include approval rate uplift, reduced false declines, lower fraud losses per 1,000 transactions, and decreased average handling time in support. Passkeys generate richer authentication signals (such as device attestation and biometric proof) that improve risk decisioning and authorization outcomes. By systematically tracking these metrics, issuers and acquirers can quantify the ROI of phishing-resistant MFA, validate regulatory compliance, and continuously optimize the end-to-end payment experience.


6. Conclusion

Authenticate 2025 made one thing clear: Passkeys are becoming the foundation of how payments will work in the coming decade. From Mastercard’s push to make biometric checkout the default by 2030, to Pix’s nationwide rollout of device-bound credentials, the payments industry is moving decisively toward a model where security and convenience reinforce each other.
