---
url: 'https://www.corbado.com/blog/payment-passkeys-case-studies-authenticate-2025'
title: 'Payments Passkeys Cases: Mastercard & Pix (Authenticate ''25)'
description: 'At Authenticate 2025, Mastercard and Brazil’s Pix showed how passkeys speed checkout, lift approvals and cut CNP fraud. See KPIs and rollout lessons.'
lang: 'en'
author: 'Vincent Delitz'
date: '2025-10-30T10:05:04.784Z'
lastModified: '2026-03-27T07:01:52.104Z'
keywords: 'passkeys in payments Authenticate 2025, Pix passkeys, passkeys CNP fraud, Pix biometric authentication Brazil'
category: 'Authentication'
---

# Payments Passkeys Cases: Mastercard & Pix (Authenticate '25)

## Key Facts

- Mastercard and Pix demonstrated at **Authenticate 2025** that passkeys reduce CNP fraud,
  lift approvals and cut checkout friction, with Mastercard targeting full password
  elimination by 2030.
- **Card-Not-Present (CNP) fraud** costs an estimated USD 15 billion annually; biometric
  passkeys deliver 2.5 times less fraud than OTPs across online transactions.
- **Payment Passkeys** authenticate nine times faster than OTPs, directly addressing the
  27% cart abandonment rate caused by slow or complex checkout processes.
- Brazil's **Pix network** shifted from QR codes to device-bound biometric passkeys after
  phishing and SIM-swap attacks exploited OTP authentication at national scale.
- Mastercard's **Payment Passkeys rollout** reached over 1,000 merchants in 2025,
  supporting card-on-file, guest checkout, agentic commerce and Click to Pay under a
  single credential.

## 1. Introduction: Payment Passkey Case Studies at Authenticate 2025

Every year, the Authenticate Conference gathers the world’s leading minds in
[digital identity](https://www.corbado.com/blog/digital-identity-guide) and authentication. Organized by the
[FIDO Alliance](https://www.corbado.com/glossary/fido-alliance), it serves as the central meeting point for
security professionals, product leaders, and identity architects shaping the post-password
era.

At Authenticate 2025, one theme stood out: **Payments are becoming the next frontier for
passkeys**. What began as a technology for logging into apps and accounts is now
transforming how people pay - whether in [e-commerce](https://www.corbado.com/passkeys-for-e-commerce) checkouts,
mobile [wallets](https://www.corbado.com/blog/digital-wallet-assurance), or real-time transfer systems. The
[payment](https://www.corbado.com/passkeys-for-payment) industry, long shaped by complex compliance requirements
and entrenched legacy infrastructure, is now embracing passkeys to make authentication
both **phishing-resistant and frictionless**.

This shift is not only about security. Card networks, banks, and regulators increasingly
see passkeys as the key to faster approvals, fewer abandoned carts, and reduced fraud
losses. From global players like [Mastercard](https://www.corbado.com/blog/mastercard-passkeys) driving
tokenized, biometric checkouts to Brazil’s Pix network making passkey-based authentication
a national standard, the [payments](https://www.corbado.com/passkeys-for-payment) landscape is entering a new
phase of **identity-driven trust**.

This post is part of Corbado’s Authenticate 2025 recap series and focuses on how leading
[payment](https://www.corbado.com/passkeys-for-payment) systems are deploying
[passkeys at scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview). In the sections
below, we will answer the following questions:

- How does [Mastercard](https://www.corbado.com/blog/mastercard-passkeys) plan to
  [eliminate passwords](https://www.corbado.com/faq/boost-passkey-enrollment-reduce-password-otp) and manual
  card entry by 2030 through passkeys in [payments](https://www.corbado.com/passkeys-for-payment)?
- How did Pix evolve from QR codes to biometric, device-bound verification to protect
  millions of users against [phishing](https://www.corbado.com/glossary/phishing) and SIM-swap attacks?

## 2. Mastercard reimagines Online Checkout in E-commerce with Passkeys

![mastercard-logo.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/mastercard_logo_5b724ef154.png)

[Mastercard's](https://www.corbado.com/blog/mastercard-passkeys) vision for the **future of online payments** is
to match the security and speed that consumers already enjoy in physical commerce. Their
bold goal is to eliminate manual card entry and passwords globally by **2030**, replacing
them with fast, secure methods like **smiles and fingerprints**.

### 2.1 Challenges in E-commerce that Mastercard wants to solve with Passkeys

Before outlining the solution, [Mastercard](https://www.corbado.com/blog/mastercard-passkeys) highlighted the
major pain points plaguing online checkout:

- **Card-Not-Present (CNP) Fraud:** This is estimated to cost **US$15 billion**. The
  majority of fraudulent transactions are either not authenticated or not authenticated
  correctly, leaving the system vulnerable.
- **Cart Abandonment:** A staggering **27%** of all shopping carts are abandoned,
  primarily due to **friction** from complex or slow checkout processes.
- **False Declines:** Banks sometimes decline a legitimate transaction. This is a
  significant problem because **over 40%** of consumers are less likely to retry a
  purchase if it's declined the first time, resulting in lost sales.

### 2.2 The Passkey Solution Mastercard opts for

Mastercard’s solutions are anchored on major industry standards from **EMVCo, the FIDO
Alliance, and W3C**. Their core security principles aim to resolve the challenges above:

- **Tokenization:** This replaces the consumer's actual card number with an alternate,
  unique number (a **token**) that is tied to a specific domain (such as a
  [merchant](https://www.corbado.com/glossary/merchant)). This is key because:
- **Secure and Seamless Authentication:** Authentication methods like an **Issuer app** or
  **biometrics** (fingerprint, face scan) are used to ensure the legitimate card owner is
  performing the transaction, thereby avoiding **account takeover**.
- **Enhanced Data Sharing:** Utilizing **dynamic and contextual data** (details about the
  cardholder, the device, and the specific transaction) allows for much better **risk
  decisioning** by banks.

Passkeys, built on the FIDO standard, are Mastercard’s solution for a fast and secure
checkout experience due to three key advantages:

- **Speed:** Passkeys are **nine times faster** than using a One-Time Passcode (OTP)
  because there's no waiting for a code to be delivered via text or email.
- **Security:** Using [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication)
  results in **2.5 times less fraud** compared to traditional OTPs.
- **Security and Scale:** Public perception aligns with the facts: **90%** of users
  believe biometrics are both **more secure and more convenient** than traditional
  passwords.

### 2.3 Current Challenges Mastercard has already solved with Passkeys

Mastercard has been rolling out **Payment Passkeys** since 2024 to deliver a seamless
**Multi-Factor Authentication (MFA)** experience.

- **Multi-Use:** A single [Payment](https://www.corbado.com/passkeys-for-payment) Passkey on a device can be used
  for various scenarios, including:
    - **Card on File** (where your card details are saved)
    - **Guest Checkout**
    - **Agentic Commerce** (transactions initiated by AI/devices)
    - **Click to Pay** access
- **Security Model:** It uses MFA with passkey and **device-bound credentials** (meaning
  the passkey is tied to a specific device). If a new device is used, a new
  [identity verification](https://www.corbado.com/blog/digital-identity-guide) process is required.
- **Transaction Flow:** The **authentication results and risk data** are sent to the card
  [issuer](https://www.corbado.com/glossary/issuer) with every transaction to aid in approval decisions.
- **Goal:** Mastercard already reached the goal for its
  [Payment Passkeys](https://www.corbado.com/faq/payment-passkeys) to be enabled at **over 1,000 merchants in
  2025**.

## 3. Mastercard embraces synced Passkeys in the financial Sector for Payments

Apart from [e-commerce](https://www.corbado.com/passkeys-for-e-commerce), Mastercard also communicated a clear
stance on passkeys in [payments](https://www.corbado.com/passkeys-for-payment): the company considers adopting
passkeys in payment systems critical, driven by **stringent global regulations** that
hold card **issuers** (banks) explicitly liable for security failures.

### 3.1 Regulatory and Issuer Principles

To comply with global rules, a secure payment authentication system must be built upon
three core principles according to Mastercard:

- **Transparency in the Critical Path:** The payment system must provide a **transparent
  trust path** for every authentication. This means clearly documenting how a credential
  was created, transmitted, and validated across all systems involved.
- **Solve Integrity by Design:** Security must be **demonstrably built in**, not merely
  assumed. Every system participating in the payment process must prove it is **secure by
  design**.
- **Accountability Through Evidence:** Every participant in the trust path must produce
  **verifiable proofs**, such as digital [attestations](https://www.corbado.com/glossary/attestation) and
  certifications, to establish **end-to-end assurance**.

The company's approach is shaped by regulatory mandates that assign security liability to
the [issuer](https://www.corbado.com/glossary/issuer):

| **Regulator**       | **Liability Mandate**                                                                                                                                                                    |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **RBI (India)**     | The issuer must ensure the **robustness and integrity** of the authentication mechanism and must **compensate the customer in full** for losses arising from non-compliant transactions. |
| **PSD/PSR (EU)**    | The payment service provider (issuer) must **immediately refund** unauthorized payments, unless the user was fraudulent or grossly negligent.                                            |
| **MAS (Singapore)** | Financial institutions must **assume liability** for losses from unauthorized transactions unless the user acted negligently or fraudulently.                                            |

### 3.2 Mastercard's Principles for synced Payment Passkeys and the Role of certified Hardware

To make passkeys suitable for payments, implementations should follow three practical
principles that align with FIDO / WebAuthn and current “payment passkey” deployments:

- **Keys are created and bound to the authenticator**: The private key for a passkey is
  generated on the user’s [authenticator](https://www.corbado.com/glossary/authenticator) (platform device or
  [security key](https://www.corbado.com/glossary/security-key)) and does not leave it. Platform
  [authenticators](https://www.corbado.com/glossary/authenticator) typically store keys in hardware‑backed
  keystores (e.g. [Secure Enclave](https://www.corbado.com/glossary/secure-enclave)/TEE) or a certified
  [security key](https://www.corbado.com/glossary/security-key).
- **Sync is user‑mediated and end‑to‑end encrypted**: When users opt into synced passkeys,
  copies of the credential are backed up and synchronized with end‑to‑end encryption (E2EE) by the
  [passkey provider](https://www.corbado.com/blog/passkey-providers) (e.g.
  [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain),
  [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)). A new device must
  be approved before it can decrypt the backup. The provider cannot read the key material.
- **Rely on appropriate certification for each component**: Use FIDO‑Certified
  [authenticators](https://www.corbado.com/glossary/authenticator)/servers for passkeys and continue using
  [PCI](https://www.corbado.com/blog/pci-dss-4-0-authentication-passkeys)/FIPS‑validated HSMs where they already
  protect payment system secrets (e.g. PIN keys, tokenization systems, or escrow
  services).

The payment industry already uses certified hardware (PCI PTS HSM, FIPS‑validated HSMs) to
protect PINs and other sensitive payment keys. Those controls remain relevant on the
server side (e.g., MDES/tokenization, 3‑DS servers, escrow), while passkey private keys
remain [authenticator](https://www.corbado.com/glossary/authenticator)‑resident.

#### 3.2.1 Payment passkey creation

This process ensures the passkey’s private key is created on and bound to the user’s
[authenticator](https://www.corbado.com/glossary/authenticator):

1. The [relying party](https://www.corbado.com/glossary/relying-party) (e.g., Mastercard payment passkey flow via
   the [issuer](https://www.corbado.com/glossary/issuer) or Checkout/Click to Pay) invokes WebAuthn registration
   on the user’s device.
2. The authenticator (platform or [security key](https://www.corbado.com/glossary/security-key)) generates a new
   key pair and returns the public key plus optional [attestation](https://www.corbado.com/glossary/attestation)
   to the [relying party](https://www.corbado.com/glossary/relying-party). The private key stays on the device.
3. If the user opts into synced passkeys, a copy of the passkey is encrypted on‑device and
   backed up via the [passkey provider](https://www.corbado.com/blog/passkey-providers) for use on their other
   devices.

#### 3.2.2 How synced passkeys roam between devices

When a user adds a new device:

1. The user authorizes the new device to join their
   [passkey provider](https://www.corbado.com/blog/passkey-providers)’s E2EE sync (e.g.,
   [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain),
   [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)).
2. The provider delivers the encrypted passkey material to the new device, which can
   decrypt it only after local [user verification](https://www.corbado.com/blog/webauthn-user-verification)
   (biometric/PIN) and account approval.
3. No party other than the user’s devices can access the private key in the clear. Providers
   cannot decrypt backed‑up passkeys.
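
The creation and sync flows in 3.2.1 and 3.2.2 surface to the relying party as two bits in the WebAuthn authenticator data: backup eligibility (BE) and backup state (BS). The following is an added example, not Mastercard's code or material from the talk; it parses those bytes and applies a hypothetical `requireDeviceBound` policy. The RP ID `pay.example`, the function names and the sample bytes are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Flag bits in byte 32 of WebAuthn authenticator data.
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40 };

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  const bits = authData[32];
  const flags = Object.fromEntries(
    Object.entries(FLAG).map(([name, mask]) => [name, (bits & mask) !== 0]));
  const parsed = { rpIdHash: authData.subarray(0, 32), flags, signCount: authData.readUInt32BE(33) };
  if (flags.AT) {
    // Attested credential data: AAGUID (16) | credentialIdLength (2) | credentialId | COSE key
    if (authData.length < 55) throw new Error('truncated attested credential data');
    const idLength = authData.readUInt16BE(53);
    if (authData.length < 55 + idLength) throw new Error('truncated credential id');
    parsed.aaguid = authData.subarray(37, 53).toString('hex');
    parsed.credentialId = authData.subarray(55, 55 + idLength);
  }
  return parsed;
}

// Hypothetical relying-party policy: requireDeviceBound rejects any credential
// the authenticator marks as backup eligible (one that may be synced).
function evaluateRegistration(authData, expectedRpId, { requireDeviceBound = false } = {}) {
  const { rpIdHash, flags } = parseAuthenticatorData(authData);
  const reject = (reason) => ({ ok: false, reason });
  const expectedHash = createHash('sha256').update(expectedRpId).digest();
  if (!rpIdHash.equals(expectedHash)) return reject('rp_id_mismatch');
  if (!flags.UP) return reject('user_not_present');
  if (!flags.UV) return reject('user_not_verified');
  if (!flags.AT) return reject('no_attested_credential');
  if (flags.BS && !flags.BE) return reject('invalid_backup_flags'); // BS requires BE
  if (requireDeviceBound && flags.BE) return reject('backup_eligible_credential');
  const kind = !flags.BE ? 'device-bound' : flags.BS ? 'synced' : 'sync-eligible';
  return { ok: true, kind };
}

// Constructed sample input: authenticator data with an all-zero AAGUID and a
// made-up credential id; the trailing COSE public key is omitted for brevity.
function buildSampleAuthData(rpId, flagBits) {
  const credentialId = Buffer.from('constructed-credential-id');
  const fixed = Buffer.alloc(23); // flags (1) | signCount (4) | AAGUID (16) | idLength (2)
  fixed[0] = flagBits;
  fixed.writeUInt16BE(credentialId.length, 21);
  return Buffer.concat([createHash('sha256').update(rpId).digest(), fixed, credentialId]);
}

const BASE = FLAG.UP | FLAG.UV | FLAG.AT;
console.log(evaluateRegistration(buildSampleAuthData('pay.example', BASE),
  'pay.example', { requireDeviceBound: true }));
console.log(evaluateRegistration(buildSampleAuthData('pay.example', BASE | FLAG.BE | FLAG.BS),
  'pay.example', { requireDeviceBound: true }));
```

A relying party that accepts synced passkeys would store `kind` with the credential and feed it into risk decisioning instead of rejecting outright.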

## 4. Passkeys in Payments: Pix’s biometric Evolution in Brazil

![Pix-logo.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/Pix_logo_68c1afd918.png)

Brazil’s instant payments network, **Pix**, has become a global benchmark for open, fast,
and inclusive digital payments. In just four years since its 2020 launch by the **Central
Bank of Brazil**, Pix has evolved from QR-based transfers to a **biometric, device-bound
authentication layer** powered by passkeys - a shift now shaping the next phase of
Brazil’s payment ecosystem.

### 4.1 Scale and Impact of Passkeys for Pix

- Pix is now the **default way to pay in Brazil**, handling real-time transfers between
  individuals, [merchants](https://www.corbado.com/glossary/merchant), and institutions.
- For individuals, transfers remain **free**; for [merchants](https://www.corbado.com/glossary/merchant),
  **acceptance costs are minimal**, supporting national financial inclusion goals.
- Pix is **on track to surpass cards in total e-commerce volume by 2025**, signaling a
  complete payment-method transformation.

This success creates both opportunity and responsibility. As volumes exploded, so did
**phishing and SIM-swap attacks** targeting OTP-based authentication, pushing the
ecosystem toward **phishing-resistant, passkey-based verification**.

### 4.2 How Pix is modernizing Authentication

At the security layer, Pix is adopting **device-bound keys combined with local
biometrics**, removing shared secrets from every transaction.

Users **register once** and then **assert locally on each payment**, eliminating the
recurring password or OTP step that attackers often [exploit](https://www.corbado.com/glossary/exploit).

This approach builds directly on **FIDO standards**, with **passkey support** spanning
[Android](https://www.corbado.com/blog/how-to-enable-passkeys-android), [iOS](https://www.corbado.com/blog/webauthn-errors), and desktop
browsers.

Credential managers now provide the reliability Pix needed to scale: **autofill, sync, and
recovery** are all handled natively, enabling a consistent user experience across devices
and form factors.
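
What "register once, assert locally" means on the server side, as an added example (not Pix's or any bank's code): the relying party keeps only a public key and verifies a signature over the authenticator data and the hash of the client data, so an assertion bound to another origin or to an old challenge is rejected. The simulated authenticator, the origin `https://pay.example` and all function names are assumptions made for the demonstration.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for the user's authenticator. A real one signs the same
// bytes, authenticatorData || SHA-256(clientDataJSON), after a local biometric check.
function simulateAssertion(privateKey, { rpId, origin, challenge, signCount }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authData = Buffer.alloc(37);
  sha256(rpId).copy(authData, 0);
  authData[32] = 0x05; // UP | UV: user present and verified
  authData.writeUInt32BE(signCount, 33);
  const signature = crypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Relying-party check. `stored` holds only what was saved at registration:
// the public key and the last signature counter. No shared secret exists.
function verifyAssertion(assertion, stored, expected) {
  let client;
  try { client = JSON.parse(assertion.clientDataJSON.toString('utf8')); }
  catch { return 'malformed_client_data'; }
  if (client.type !== 'webauthn.get') return 'wrong_type';
  const challenge = Buffer.from(String(client.challenge), 'base64url');
  if (challenge.length !== expected.challenge.length ||
      !crypto.timingSafeEqual(challenge, expected.challenge)) return 'challenge_mismatch';
  if (client.origin !== expected.origin) return 'origin_mismatch';
  const { authData } = assertion;
  if (authData.length < 37) return 'malformed_authenticator_data';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rp_id_mismatch';
  if ((authData[32] & 0x05) !== 0x05) return 'user_not_verified';
  const signedBytes = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  if (!crypto.verify('sha256', signedBytes, stored.publicKey, assertion.signature)) {
    return 'bad_signature';
  }
  const signCount = authData.readUInt32BE(33);
  // Counters only carry meaning when non-zero (synced passkeys commonly report 0).
  if ((signCount || stored.signCount) && signCount <= stored.signCount) return 'counter_regression';
  return 'ok';
}

// Constructed scenario: one registered key, then a genuine payment, an assertion
// made on a look-alike origin, a replay against a fresh challenge, and tampering.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const stored = { publicKey, signCount: 0 };
  const rp = { rpId: 'pay.example', origin: 'https://pay.example' };
  const challenge = crypto.randomBytes(32);
  const genuine = simulateAssertion(privateKey, { ...rp, challenge, signCount: 1 });
  const lookalike = simulateAssertion(privateKey,
    { rpId: rp.rpId, origin: 'https://pay-example.invalid', challenge, signCount: 2 });
  const tampered = { ...genuine, authData: Buffer.from(genuine.authData) };
  tampered.authData.writeUInt32BE(9, 33); // counter altered after signing
  return {
    genuine: verifyAssertion(genuine, stored, { ...rp, challenge }),
    lookalike: verifyAssertion(lookalike, stored, { ...rp, challenge }),
    replayed: verifyAssertion(genuine, stored, { ...rp, challenge: crypto.randomBytes(32) }),
    tampered: verifyAssertion(tampered, stored, { ...rp, challenge }),
  };
}

console.log(demo());
```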

### 4.3 Regulatory and Ecosystem Momentum

On the policy side, **regulations now formally support in-app Pix payments (JSR)**,
mandating **participation by leading banks**, and reinforcing
[government](https://www.corbado.com/passkeys-for-public-sector) backing for a unified, frictionless
authentication layer.

The central bank’s clear stance ensures **ecosystem-wide demand for passkey adoption**—not
as an optional security add-on, but as the standard baseline for financial authentication.

## 5. Key Takeaways on Passkeys in Payments from Authenticate 2025

### 5.1 Checkout Conversion and Cart Abandonment Outcomes

Across the payment ecosystem, checkout friction remains one of the most expensive problems
to solve. Manual card entry and OTP challenges consistently rank among the top reasons for
[cart abandonment](https://www.corbado.com/blog/ecommerce-authentication), with up to one in four users dropping
off before completing a transaction. Passkeys directly address this by reducing
authentication to a single biometric gesture, eliminating form fields and waiting times.
Early data shared at Authenticate 2025 showed that [merchants](https://www.corbado.com/glossary/merchant)
implementing passkey-based authentication experienced both higher completion rates and
shorter time-to-approve windows, proving that security and conversion no longer need to be
trade-offs.

### 5.2 Deployment Scope across Payment Contexts

While initial deployments focused on [e-commerce](https://www.corbado.com/passkeys-for-e-commerce) checkout, 2025
marked the expansion of passkeys across the entire payment journey. Card-on-file
scenarios, guest checkouts, in-app payments and even emerging agent-initiated commerce now
rely on the same underlying passkey credentials. This consistency allows users to
authenticate seamlessly across multiple contexts without additional setup, while
[issuers](https://www.corbado.com/glossary/issuer) and payment service providers (PSPs) benefit from unified
telemetry and reduced integration complexity. The success of Mastercard’s multi-use
[Payment Passkeys](https://www.corbado.com/faq/payment-passkeys) and Pix’s in-app
[biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) demonstrates that
passkeys can serve as a universal payment credential rather than a channel-specific
feature.

### 5.3 Operational KPIs and Monitoring

As payment providers scale passkey authentication, success is increasingly measured
through operational and risk metrics rather than adoption alone. Key indicators include
approval rate uplift, reduced false declines, lower fraud losses per 1,000 transactions,
and decreased average handling time in support. Passkeys generate richer authentication
signals (such as device [attestation](https://www.corbado.com/glossary/attestation) and biometric proof) that
improve risk decisioning and authorization outcomes. By systematically tracking these
metrics, [issuers](https://www.corbado.com/glossary/issuer) and [acquirers](https://www.corbado.com/glossary/acquirer) can quantify the
ROI of [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA, validate
[regulatory compliance](https://www.corbado.com/blog/cybersecurity-frameworks), and continuously optimize the
end-to-end payment experience.

## 6. Conclusion

Authenticate 2025 made one thing clear: Passkeys are becoming the foundation of how
payments will work in the coming decade. From Mastercard’s push to make
[biometric checkout](https://www.corbado.com/blog/ecommerce-authentication) the default by 2030, to Pix’s
nationwide rollout of device-bound credentials, the payments industry is moving decisively
toward a model where **security and convenience reinforce each other**.

## Frequently Asked Questions

### How do Mastercard Payment Passkeys reduce cart abandonment at checkout?

Mastercard Payment Passkeys authenticate nine times faster than OTPs by eliminating code
delivery wait times. Combined with biometric verification, they produce 2.5 times less
fraud than OTPs, improving issuer approval rates. Together these factors directly address
the 27% cart abandonment rate caused by slow or complex checkout processes.

### How did Pix migrate from OTP to biometric passkey authentication in Brazil?

Pix, launched by Brazil's Central Bank in 2020, originally relied on QR codes but faced
rising phishing and SIM-swap attacks targeting OTP authentication. The network adopted
FIDO-based device-bound keys with local biometrics, requiring users to register once and
verify locally per payment. Brazilian regulations now mandate bank participation, making
passkey authentication the national baseline rather than an optional add-on.

### Which global regulators hold payment issuers liable for authentication failures?

Three major frameworks assign liability directly to issuers. India's RBI requires full
customer compensation for losses from non-compliant transactions. The EU's PSD/PSR
mandates immediate refund of unauthorized payments. Singapore's MAS requires financial
institutions to assume liability for unauthorized transaction losses unless the user acted
negligently or fraudulently.

### What is Mastercard's timeline and current progress for eliminating passwords from payments?

Mastercard targets elimination of manual card entry and passwords globally by 2030,
replacing them with biometrics such as fingerprints and facial scans. The company already
enabled Payment Passkeys at over 1,000 merchants in 2025. Surveys show 90% of users
consider biometrics both more secure and more convenient than traditional passwords.

### What operational KPIs should payment issuers track when deploying passkey authentication?

Key metrics include approval rate uplift, reduced false declines, lower fraud losses per
1,000 transactions and decreased support handling time. Passkeys generate richer
authentication signals such as device attestation and biometric proof that improve risk
decisioning. Tracking these metrics enables issuers and acquirers to quantify ROI and
validate regulatory compliance.
