Payment Passkey Landscape: 4 Core Integration Models

The global payments landscape is at a critical inflection point. For decades, the industry has grappled with the inherent tension between security and user convenience, a challenge most acutely felt in the digital, Card-Not-Present (CNP) environment. The rise of sophisticated fraud has necessitated stronger authentication measures, while consumer expectations demand increasingly frictionless checkout experiences. This report provides a comprehensive analysis of this evolving ecosystem, with a specific focus on identifying the strategic integration points for passkey technology. It is designed to serve as a definitive guide for technology providers, payment service providers, financial institutions, and merchants seeking to navigate the transition to a passwordless future.

The payments landscape is undergoing a fundamental shift, driven by the need for stronger security like Strong Customer Authentication (SCA) and the commercial demand for frictionless user experiences. Phishing-resistant passkeys have emerged as the key technology to resolve this tension. Our analysis shows that the industry is converging around four distinct architectural models for passkey integration, each representing a competing vision for the future of payment authentication:

1. The Issuer-Centric Model (e.g. via SPC): While technically elegant, this model is hampered by a critical lack of browser support, most notably from Apple, making it an impractical solution for the near future.
2. The Merchant-Centric Model (Delegated Authentication): This powerful model allows large merchants to leverage their direct customer relationships, moving authentication upstream to create a seamless checkout, but it comes with significant liability and requires direct issuer trust.
3. The Network-Centric Model (Click to Pay): A major strategic play by card networks like Visa and Mastercard to own the guest checkout experience by offering a portable, network-level passkey for consumers.
4. The PSP-Centric Model (Wallets): A dominant model where large Payment Service Providers like PayPal use passkeys to secure and streamline the experience within their vast, established wallet ecosystems.

Each model presents a different answer to the core strategic question: "Who will become the primary Relying Party for payments?". This report dissects these competing architectures, mapping them to the ecosystem's players to provide a clear roadmap for navigating the future of payment authentication.

To understand where and how passkeys can be integrated, it is first essential to establish a clear and detailed map of the payment ecosystem's players and their distinct roles. The flow of a single online transaction involves a complex interplay between multiple entities, each performing a specific function in the movement of data and funds.

At the heart of every transaction are five fundamental participants who form the foundation of the payment value chain.

1. Customer / Cardholder:

   • Description: The individual or organization initiating a purchase. The cardholder obtains a payment card (credit or debit) from an issuing bank and is responsible for repaying any charges incurred.
   • Goal: Fast, simple, and secure checkout experience.
   • Examples: Any individual with a bank account and / or a payment card.

2. Merchant:

   • Description: The business selling goods or services and accepting electronic payments. To do so, the merchant must have the necessary infrastructure, typically provided by an acquiring bank or a payment service provider (PSP), to accept and process card payments.
   • Goal: Maximize sales conversion by minimizing checkout friction while mitigating fraud.
   • Examples: An e-commerce website, a retail store, a subscription service.

3. Issuing Bank (Issuer):

   • Descrption: The cardholder's bank or financial institution. The issuer provides the payment card to the customer, underwrites the associated credit risk, and is ultimately responsible for approving or declining a transaction based on the cardholder's account status and a risk assessment.
   • Goal: Receive the authorization request and send back a response code through the card networks.
   • Examples: Bank of America, Chase, Barclays.

4. Acquiring Bank (Acquirer):

   • Description: The merchant's bank, also known as a merchant bank. The acquirer maintains the merchant's account and facilitates the processing of card transactions on the merchant's behalf.
   • Goal: Receive payment details from the merchant, routes them through the card network to the issuer, and, upon approval, settles the funds into the merchant's account.
   • Examples: Wells Fargo Merchant Services, Worldpay (from FIS).

5. Card Networks (Schemes):

   • Description: The technological backbone connecting all other participants. Companies like Visa, Mastercard, American Express, and Discover operate these vast networks. They do not issue cards or open merchant accounts but provide the critical infrastructure, rules, and standards that govern transactions.
   • Goal: Facilitate the routing of authorization requests and the clearing and settlement of funds between issuers and acquirers.
   • Examples: Visa, Mastercard, American Express.

Between the core participants lies a complex and often overlapping ecosystem of technology and service providers. Understanding the distinctions between these intermediaries is crucial, as they are often the primary integration points for new technologies like passkeys. The lines between these roles have blurred significantly in recent years, as modern providers seek to offer more comprehensive, "all-in-one" solutions.

1. Payment Gateway:

   • Description: A payment gateway is the technology that acts as the secure digital portal for a transaction. Its primary role is to capture the customer's sensitive payment details from the merchant's website or point-of-sale (POS) system, encrypt them, and securely transmit them to the payment processor or acquiring bank. It is the "front door" of the transaction, responsible for the secure transmission of data but not the movement of funds itself.
   • Goal: To provide merchants with a secure and reliable way to accept online payments.
   • Examples: Authorize.net (a Visa solution), Braintree, Stripe Payment Gateway.

2. Payment Processor:

   • Description: A payment processor is the entity that executes the transaction messages between the various parties. After receiving the secure data from the payment gateway, the processor communicates with the card network and, by extension, the issuing and acquiring banks to facilitate the authorization and settlement of the transaction. One can think of the processor as the operational engine handling the technical communication required for the payment to occur, while the gateway is the secure channel for that communication.
   • Goal: To reliably and efficiently execute payment messages, manage transaction settlement, and handle dispute resolution between issuing and acquiring banks.
   • Examples: First Data (now Fiserv), TSYS, Worldpay.

3. Payment Service Provider (PSP):

   • Description: A Payment Service Provider is a company that offers merchants a comprehensive, bundled solution for accepting electronic payments. A modern PSP typically combines the functions of a payment gateway and a payment processor, and often provides the merchant account as well, all under a single contract. This "all-in-one" model greatly simplifies the process for merchants, who no longer need to establish separate relationships with a gateway provider and an acquiring bank. In some contexts, PSPs that aggregate various payment methods for merchants are also referred to as Payment Aggregators.
   • Goal: To offer merchants a one-stop-shop for all their payment needs, abstracting away complexity and simplifying payment acceptance.
   • Examples: Stripe, Adyen, PayPal, Mollie.

This consolidation of roles has profound implications. While academically distinct, in practice, a merchant's single point of contact is often a PSP that abstracts away the complexity of the underlying gateway, processor, and acquirer relationships. However, the capabilities of these PSPs can vary dramatically. A PSP that is merely a reseller of another company's gateway services has vastly different technical capabilities and strategic interests than a full-stack PSP with its own processing infrastructure and acquiring licenses. This distinction is important when evaluating integration opportunities for advanced authentication methods.

Furthermore, a deeper analysis of the payment flow reveals a foundational concept that clarifies the strategic motivations behind new authentication technologies: the role of the Relying Party (RP). In the context of FIDO authentication and passkeys, the Relying Party is the entity that is ultimately responsible for verifying a user's identity. In a standard payment transaction, the issuer bears the financial risk of fraud and is therefore the default Relying Party; it is their decision to approve or decline the payment.

The emerging architectural models for passkey integration can be best understood as a strategic negotiation over who acts as the Relying Party. In the Secure Payment Confirmation (SPC) model, the issuer remains the RP but allows the merchant to invoke the authentication ceremony. In Delegated Authentication (DA), the issuer explicitly delegates the RP function to the merchant or their PSP. And in the network-centric model, Visa and Mastercard position themselves as a federated Relying Party for guest checkout transactions. Therefore, the central question for any payment provider considering passkey integration becomes:

The answer points directly to the integration opportunity, the key decision-maker, and the underlying strategic objective.

To provide a clear visual representation of these relationships, a flowchart illustrating the payment lifecycle is essential. Such a diagram would depict two distinct but interconnected paths:

1. The Data Flow (Authorization): This path traces the journey of the authorization request. It begins with the customer submitting payment details on the merchant's site, flowing through the payment gateway to the processor/acquirer, then across the card network to the issuer for a risk decision, and finally, the approval or decline response travels all the way back to the merchant and customer. This entire process occurs in a matter of seconds.

2. The Value Flow (Settlement): This path illustrates the movement of money, which occurs after authorization. It shows the batched transactions being cleared, with funds flowing from the issuer, through the network, to the acquirer (minus interchange fees), and finally being deposited into the merchant's account, a process that typically takes a few business days.(Payment processing: How payment processing works | Stripe)

This visualization allows any participant in the ecosystem to immediately locate their position and understand their direct and indirect relationships with all other parties, setting the stage for a detailed analysis of where authentication interventions can occur.

While the payment ecosystem contains players of all sizes, the market for processing and acquiring is concentrated around several large players who vary by region. Global giants often compete with strong national and regional champions. The following table provides a snapshot of key players across different geographies.

Every online purchase triggers a complex, high-speed sequence of events that can be broken down into two main phases: authorization and settlement. Layered on top of this process is a critical security protocol known as 3-D Secure, which is central to understanding the modern challenges of online payment authentication.

The lifecycle of a single CNP transaction involves a near-instantaneous data exchange followed by a slower transfer of funds.

Authorization is the process of verifying that the cardholder has sufficient funds or credit to complete the purchase and that the transaction is legitimate. This phase occurs in seconds and follows a precise, multi-step path (Payment processing: How payment processing works | Stripe):

1. Transaction Initiation: The customer selects their items, proceeds to checkout, and enters their payment card details (card number, expiration date, CVV) into the merchant's online payment form.

2. Secure Transmission: The merchant's website securely passes this information to its payment gateway. The gateway encrypts the data to protect it during transit.

3. Routing to Processor/Acquirer: The gateway forwards the encrypted transaction details to the payment processor and/or the merchant's acquiring bank.

4. Network Communication: The acquirer sends the authorization request to the appropriate card network (e.g., Visa, Mastercard).

5. Issuer Verification: The card network routes the request to the cardholder's issuing bank. The issuer's systems perform a series of checks: verifying the card's validity, checking the available balance or credit limit, and running the transaction through its fraud detection engines.

6. Authorization Response: Based on these checks, the issuer approves or declines the transaction. This decision, in the form of a response code, is sent back along the same path: from the issuer to the card network, to the acquirer, to the processor/gateway, and finally to the merchant's website.

7. Completion: If approved, the merchant completes the sale and informs the customer. If declined, the merchant asks the customer for an alternative payment method.

Settlement is the process of actually moving the money from the issuer to the merchant. Unlike authorization, this is not instantaneous and typically occurs in batches.(Payment processing: How payment processing works | Stripe)

1. Batching: At the end of the business day, the merchant sends a batch file of all its approved authorizations to its acquirer.
2. Clearing: The acquirer submits the batch to the card network for clearing. The network sorts the transactions and forwards them to the respective issuing banks.
3. Funds Transfer: The issuing banks transfer the funds for the approved transactions to the acquiring bank, minus interchange fees, which are fees the acquirer pays to the issuer for each transaction.
4. Merchant Deposit: The acquirer then deposits the funds into the merchant's account, minus its own processing fees. This entire settlement process usually takes 1-3 business days.

Layered on top of every CNP transaction is a critical security protocol known as 3-D Secure (3DS). Managed by EMVCo, its purpose is to let the issuer authenticate the cardholder, reducing fraud and shifting liability for chargebacks from the merchant to the issuer.

Modern 3DS (also called 3DS2) works by exchanging a rich set of data between the merchant and the issuer's Access Control Server (ACS). This data allows the ACS to perform a risk assessment, leading to two outcomes:

• Frictionless Flow: If the transaction is deemed low-risk, it's approved silently in the background with no user interaction. This is the goal for most transactions.
• Challenge Flow: If the transaction is high-risk or mandated by regulations like PSD2, the user is actively challenged to prove their identity, typically with an OTP or a banking app notification.

This "challenge" is a major point of friction and a key battleground for conversion rates. The industry's goal is to maximize frictionless flows while making challenges as seamless as possible. It is this high-friction challenge that passkeys are perfectly positioned to solve, turning a potential point of failure into a secure and seamless step.

The advent of passkeys, based on the FIDO Alliance's phishing-resistant WebAuthn standard, is catalyzing a fundamental redesign of payment authentication. This is happening alongside a powerful industry trend: merchants are already adopting passkeys for standard user authentication (sign-up and login) to combat account takeover fraud and improve the user experience. This existing investment creates a natural foundation upon which payment-specific passkey models can be built.

In this model, the issuing bank remains in control of the authentication, and the passkey is cryptographically bound to the issuer's domain (e.g., bank.com). While a simple redirect to the bank's website is possible, it creates a poor user experience.

Who owns the passkey? In the Issuer-Centric model, the Issuer is the Relying Party (RP).

Adoption Flywheel & Network Effects: The reusability of an issuer's passkey creates a powerful flywheel. Once a user creates a passkey for their bank, that single passkey can be used to seamlessly approve challenged transactions at any merchant that uses the 3DS protocol. This enhances the value of the issuer's card for both consumers (better UX) and merchants (higher conversion).

The industry-designed solution for this is Secure Payment Confirmation (SPC), a web standard that allows a merchant to call the bank's passkey directly on the checkout page, avoiding a redirect. This process also uses dynamic linking to bind the authentication to the transaction details, which is crucial for SCA.

The Strategic Flaw: Despite its technical elegance, SPC is not a viable strategy today. It requires browser support that does not exist in Apple's Safari. Without Safari, SPC cannot be a universal solution, making it impractical for any large-scale implementation.

Delegated Authentication represents a more radical departure from the traditional model. Enabled by 3DS version 2.2 and supported by specific card scheme programs, DA is a framework where an issuer can formally delegate the responsibility of performing SCA to a trusted third party, most commonly a large merchant, PSP, or digital wallet provider.

Who owns the passkey? In this model, the Merchant or their PSP is the Relying Party (RP). The passkey is created for the merchant's domain (e.g., amazon.com) and is used for account login.

To qualify for DA, the initial authentication performed by the merchant must be fully compliant with SCA requirements. According to the European Banking Authority's guidelines on Strong Customer Authentication, this is not just a simple login; it must have the same strength as an authentication the issuer would perform itself. Passkeys, with their strong cryptographic properties, are an ideal technology to meet this high bar. However, a crucial point of regulatory uncertainty remains regarding synced passkeys. While device-bound passkeys clearly meet the "possession" element of SCA, regulators like the EBA have not yet issued a definitive opinion on whether synced passkeys, which are portable across a user's cloud account, meet the stringent requirement of being uniquely linked to a single device. This is a key consideration for any DA strategy in Europe.

In this model, the authentication event moves upstream in the customer journey. Instead of occurring at the end of the checkout process as a 3DS challenge, it happens at the beginning, when the customer logs into their account on the merchant's website or app. If the merchant uses a passkey for login, they can pass evidence of this successful, SCA-compliant authentication to the issuer within the 3DS data exchange. The issuer, having pre-established a trusted relationship with that merchant, can then use this information to grant an exemption and bypass its own challenge flow entirely. This can result in a truly seamless, one-click biometric checkout for logged-in users.

Adoption Flywheel & Network Effects: The flywheel here is driven by the merchant's direct customer relationship. As merchants adopt passkeys for login to reduce account takeover fraud and improve UX, they build a base of passkey-enabled users. This creates a natural pathway to leveraging these passkeys for DA in payments, unlocking a superior checkout experience. The network effect is strongest for PSPs who can act as the RP for multiple merchants, potentially allowing a single passkey to be used across a network of stores, creating a powerful incentive for other merchants to join that PSP's ecosystem.

Card networks are actively fostering this model through dedicated programs. Visa's Guide Authentication framework, for example, is designed to be used with DA to empower merchants to perform SCA on behalf of the issuer. Similarly, Mastercard's Identity Check Express program enables merchants to authenticate the consumer within the merchant's own flow. This model reflects the strategic vision of large merchants and PSPs:

However, this power comes with responsibility. Under European regulations, DA is treated as "outsourcing," meaning the merchant or PSP assumes the liability for fraudulent transactions and must adhere to stringent compliance and risk management requirements.

This model is a major strategic initiative driven by the card networks (Visa, Mastercard) to own and standardize the guest checkout experience. They have built their own FIDO-based passkey services, such as the Visa Payment Passkey Service, on top of the Click to Pay framework.

Who owns the passkey? In the Network-Centric model, the Card Network is the Relying Party. The passkey is created for the network's domain (e.g., visa.com).

Adoption Flywheel & Network Effects: This model possesses the most powerful network effect. A single passkey created for a card network is instantly reusable across every merchant that supports Click to Pay, creating immense value for the consumer and driving a classic two-sided market flywheel.

This model is centered around large Payment Service Providers (PSPs) that operate their own consumer-facing wallets, such as PayPal or Stripe (with Link). In this approach, the PSP is the Relying Party, and they own the entire authentication and payment flow.

Who owns the passkey? In the PSP-Centric model, the PSP is the Relying Party (RP). The passkey is created for the PSP's domain (e.g., paypal.com) and secures the user's account within that PSP's ecosystem.

Adoption Flywheel & Network Effects: This model also has an extremely strong network effect. A passkey created for a major PSP's wallet is reusable at every merchant that accepts that PSP, creating a powerful incentive for users and merchants to join the PSP's ecosystem.

A common and critical question is whether a passkey created for one model can be reused in another. For example, can a passkey a user creates for their bank to use with SPC be used to log in to a merchant's website in a DA flow? The answer is no, and it highlights the central role of the Relying Party (RP).

A passkey is fundamentally a cryptographic credential linking a user to a specific RP. The public key is registered on the RP's servers, and the private key remains on the user's device. Authentication is the act of proving possession of that private key to that specific RP.

• In the Issuer-Centric (SPC) model, the RP is the Issuer (e.g., chase.com). The passkey is registered with the bank.
• In the Merchant-Centric (DA) model, the RP is the Merchant or their PSP (e.g., amazon.com or stripe.com). The passkey is registered with the merchant for login.
• In the Network-Centric model, the RP is the Card Network (e.g., visa.com). The passkey is registered with the network for Click to Pay.
• In the PSP-Centric model, the RP is the Payment Service Provider (e.g., paypal.com). The passkey is registered with the PSP's wallet or service.

Because the passkey is cryptographically bound to the RP's domain, a passkey registered with chase.com cannot be validated by amazon.com. They are distinct digital identities from a technical standpoint. A user will need to create a separate passkey for each Relying Party they interact with.

The "reusability" and "portability" that make passkeys powerful come from two areas:

1. Passkey Syncing: Services like iCloud Keychain and Google Password Manager sync passkeys across a user's devices. So, a passkey created for chase.com on a phone is automatically available on the user's laptop, but it is still only for chase.com.
2. Federation: This is the model used by Click to Pay. A merchant can trust the Network (e.g., Visa) to authenticate the user. The user authenticates to Visa (the RP), and Visa then signals to the merchant that the user is legitimate. This is analogous to "Sign in with Google," where a website trusts Google to handle the login. The passkey isn't being reused by the merchant; the authentication event is.

Therefore, the four models are not just different technical paths but competing identity strategies. Each one proposes a different entity to be the primary Relying Party for payment authentication, and users will likely end up with passkeys for their issuers, favorite merchants, PSP wallets, and card networks.

While these models offer powerful new ways to authenticate, they also introduce a critical operational challenge that is often overlooked: passkey restoration and account recovery. Synced passkeys, managed by platforms like iCloud Keychain and Google Password Manager, mitigate the issue of a single lost device. However, they do not solve the problem of a user losing all their devices or switching between ecosystems (e.g., from iOS to Android). In these scenarios, a secure and user-friendly process for the user to prove their identity through other means and register a passkey on a new device is a non-negotiable prerequisite for any large-scale deployment. As Mastercard's own documentation notes, a user switching devices will need to create a new passkey, a process that may require identity validation by their bank.(Mastercard® payment passkeys – Frequently asked questions) This highlights that a complete passkey solution must encompass not only the authentication ceremony itself but also the entire lifecycle of passkey management, including robust recovery flows.

The four architectural models - Issuer-Centric (SPC), Merchant-Centric (DA), Network-Centric (Click to Pay), and PSP-Centric - translate into distinct integration opportunities for different players in the payment ecosystem. Each approach presents a unique set of trade-offs between user experience, implementation complexity, liability, and control. This section provides a pragmatic analysis of these integration points to guide strategic decision-making.

• Opportunity: The primary opportunity for issuers and the Access Control Server (ACS) vendors that serve them is to enhance the 3DS "challenge flow" by replacing legacy methods like OTPs and passwords with Secure Payment Confirmation (SPC).
• Target Prospect: This integration is aimed at ACS providers (e.g., Netcetera, CA Technologies/Arcot), technology vendors serving the issuer space, and large issuing banks that operate their own in-house ACS platforms.
• Provider's Role: A passkey-as-a-service provider like Corbado would offer an embeddable FIDO server or software module that is fully compliant with the SPC specification. This module would be integrated into the core ACS platform, allowing the ACS to trigger an SPC flow when its risk engine determines a challenge is necessary.
• Pros:
  • High Security & Regulatory Compliance: SPC's use of cryptographic dynamic linking provides strong, auditable proof of user consent for specific transaction details, directly addressing key requirements of regulations like PSD2 SCA.
  • Improved User Experience over OTPs: Authenticating with a quick biometric scan is significantly faster and less prone to error than manually entering a code received via SMS, which can lead to a measurable increase in challenge conversion rates.
  • Clear Liability Model: This model fits seamlessly within the existing 3DS framework. When a transaction is successfully authenticated via SPC, the liability for fraudulent chargebacks shifts from the merchant to the issuer, just as it does with other 3DS challenge methods.
• Cons:
  • Still a "Challenge" Flow: While SPC improves the challenge experience, it does not eliminate it. The user is still interrupted at checkout with an authentication step. This experience, though better, is inherently more frictional than a completely passive "frictionless" flow or a successful Delegated Authentication flow.
  • Dependent on Issuer Risk Logic: The adoption and frequency of SPC use are entirely dependent on the issuer's ACS and its RBA engine. The ACS still decides if and when to trigger a challenge.
  • Ecosystem Readiness Lag: Widespread use requires the ecosystem to adopt EMV 3DS version 2.3 or higher, and for user browsers to support the SPC Web API. As discussed, lack of universal support, especially on mobile platforms like iOS, is a significant inhibitor.

• Opportunity: To implement Delegated Authentication (DA), allowing the merchant or their PSP to perform SCA at the point of customer login, thereby creating a completely seamless checkout experience for returning, authenticated users.
• Target Prospect: This is most relevant for large e-commerce merchants, full-stack PSPs (like Stripe or Adyen), and digital wallet providers who have a direct relationship with the consumer and have already invested in a secure account and login system.
• Provider's Role: A passkey provider would supply the core passkey authentication solution for the merchant's login flow. Crucially, the solution must also provide the necessary data outputs and cryptographic proofs that can be packaged into the 3DS authentication request to signal to the issuer that a compliant SCA has already occurred.
• Pros:
  • Optimal User Experience: This model offers the most frictionless payment flow possible for authenticated users. It moves the authentication step to a natural and familiar part of the user journey (account login) and can eliminate the 3DS challenge entirely, enabling a true one-click checkout.
  • Highest Conversion Potential: By removing the final point of friction at checkout, DA has the potential to deliver the most significant uplift in payment conversion rates. A Stripe pilot with Wise cardholders reported a 7% conversion uplift for transactions using their DA solution.
  • Strengthens Merchant-Customer Relationship: The entire authentication and checkout experience remains within the merchant's branded environment, reinforcing their direct relationship with the customer.
• Cons:
  • Complex Commercials and Liability: DA is not a simple technical switch. It requires explicit, often bilateral, agreements between issuers and the merchants/PSPs they choose to trust. Furthermore, the party performing the delegated authentication assumes the liability for fraud, and the arrangement is subject to stringent regulatory oversight as a form of "outsourcing," which carries a significant compliance burden.
  • Dependent on Issuer Trust: The entire model hinges on an issuer's willingness to trust the merchant's authentication process. This trust will likely be extended only to the largest, most secure, and most strategic partners initially.
  • Fragmented Adoption: Unlike a universal standard, DA will be adopted on a per-issuer, per-merchant basis, leading to a fragmented landscape where the experience is not consistent for all cardholders at all merchants.

• Opportunity: To enable the network-branded passkey experience for the massive volume of guest checkout transactions.
• Target Prospect: Payment Gateways and PSPs who want to offer a modern, standardized guest checkout solution to their base of merchant clients.
• Provider's Role: The provider can act as a crucial integration partner. Given that Visa and Mastercard have developed separate, proprietary passkey services, a passkey provider can offer a unified SDK or an "orchestration layer" that abstracts away the complexities of integrating with each network's distinct APIs, providing a single, simplified point of integration for the PSP.
• Pros:
  • Standardized Guest Checkout Solution: Click to Pay with passkeys solves a major industry pain point: the high-friction, high-abandonment guest checkout. It offers a consistent, recognizable, and trusted experience.
• Network-Driven Adoption: Visa and Mastercard are putting their full weight behind this initiative, which will drive rapid adoption from issuers, merchants, and consumers. PSPs will face competitive pressure to support it.
• Simplified Liability and Security Burden: The card network, acting as the federated Relying Party, shoulders the primary burden of building and securing the FIDO authentication infrastructure, simplifying the security and liability posture for the merchant.
• Cons:
  • Loss of Control and Branding: The primary drawback is that the merchant and their PSP cede control over the checkout user experience to the card network. The checkout becomes a "Visa checkout" or a "Mastercard checkout," featuring their branding and user interface.
  • Potential for Disintermediation: By becoming the central identity provider for e-commerce, the networks could weaken the direct data and branding relationship between the merchant and the customer over time.
  • "Black Box" Implementation: The internal workings of the network's FIDO server, risk engines, and authentication logic are opaque to the merchant and PSP. They are integrating with a service whose rules and user experience they do not control.

The transition to passkey-based payment authentication is not a theoretical exercise; it is being actively driven by the industry's largest players. Their strategies, pilot programs, and public statements provide a clear view of the competitive dynamics and the likely trajectory of adoption.

• PayPal: As a founding member of the FIDO Alliance and a digital-native payment provider, PayPal has been one of the most aggressive early adopters of passkeys. They began a phased global rollout in late 2022, starting in the U.S. and expanding to Europe and other regions. Their implementation is a case study in best practices, leveraging features like Conditional UI to create a one-tap login experience that automatically prompts for a passkey when the user interacts with the login field. PayPal has reported significant early success, including increased login success rates and a substantial reduction in account takeover (ATO) fraud. Their strategy also includes actively advocating for regulatory evolution in Europe, pushing for an outcome-based approach to SCA that recognizes the inherent security of synced passkeys.

• Visa: Visa's strategy is centered on its Visa Payment Passkey Service, a comprehensive platform built on its own FIDO server infrastructure. This service is designed as a federated model, where Visa handles the complexity of authentication on behalf of its issuing partners. The primary vehicle for this service is Click to Pay, positioning Visa to own the guest checkout experience. Visa's messaging extends beyond simple payments, framing their passkey service as a foundational element of a broader digital identity solution that can be used across the commerce ecosystem. They are actively piloting the technology, including SPC, and report that biometric authentication can cut fraud rates by 50% compared to SMS OTPs.

• Mastercard: Mastercard has mirrored Visa's strategic focus on a network-level service, launching its own Payment Passkey Service built upon its existing Token Authentication Service (TAS). Their go-to-market strategy has been characterized by a series of high-profile global pilots. In August 2024, they announced a major pilot in India, partnering with the country's largest payment aggregators (Juspay, Razorpay, PayU), a major online merchant (bigbasket), and a leading bank (Axis Bank). This was followed by launches in other key markets, including Latin America with partners Sympla and Yuno and the UAE with Tap Payments. This approach reveals a clear strategy: partner with ecosystem aggregators (PSPs, gateways) to achieve scale quickly. Mastercard has made a bold public commitment to phase out manual card entry in Europe by 2030, moving entirely to tokenized, passkey-authenticated transactions.

The strategies of these pioneers reveal a critical dynamic. The guest checkout experience, historically a fragmented and high-friction area, has become the strategic beachhead for the card networks. By creating a superior, passkey-enabled solution for guest users via Click to Pay, the networks can establish a direct identity relationship with consumers. Once a consumer creates a network-level passkey during one guest checkout, that identity becomes portable to every other merchant supporting Click to Pay. This allows the networks to effectively "acquire" user identities and offer a seamless experience across the web, a powerful move to capture the central role of identity provider for digital commerce.

The concerted efforts of these major players, combined with broader technological and regulatory trends, point toward an accelerated and inevitable shift in payment authentication.

• The Inevitable Demise of OTPs: The industry-wide push for passkeys signals the beginning of the end for SMS-based one-time passcodes as a primary authentication method. OTPs are increasingly viewed as a liability due to both their high-friction user experience and their growing vulnerability to attacks like SIM swapping and sophisticated phishing campaigns. As passkeys become more widespread, the reliance on OTPs will be relegated to a fallback or recovery mechanism, rather than a primary challenge method.

• Regulatory Tailwinds: While current regulations like PSD2 created the initial mandate for SCA, their rigid, category-based definitions have created some uncertainty around new technologies like synced passkeys. Upcoming regulatory updates, such as PSD3 in Europe, are expected to adopt a more technology-neutral, outcome-focused approach. This will likely favor authentication methods that are demonstrably phishing-resistant, providing a clearer regulatory pathway for the broad adoption of passkeys as a compliant SCA method.

• The Rise of Federated Payment Identity: The strategic moves by Visa and Mastercard are about more than just securing payments; they are about establishing a new paradigm for digital identity. By building federated passkey services, they are positioning themselves as the central, trusted identity providers for the entire digital commerce ecosystem. This can be seen as a direct strategic response to the powerful identity platforms controlled by Big Tech (e.g., Apple ID, Google Account). The future of online payments is inextricably linked to this larger battle over who will own and manage consumer identity on the web.

While the core payment transaction is the primary focus, passkey technology is poised to eliminate friction and enhance security across a wide range of adjacent financial services. Many processes that still rely on passwords or clumsy OTPs are ideal candidates for a passkey upgrade.

• Digital Wallet Provisioning: The process of adding a credit or debit card to a digital wallet like Apple Pay or Google Pay often requires a verification step, such as an SMS OTP sent by the issuer. This is a point of friction that can be replaced by a passkey flow.
• Open Banking & Account Linking: The foundation of open banking is allowing third-party applications (like budgeting apps or other fintech services) to access a user's bank account data. This requires the user to authenticate with their bank, a process that is often cumbersome. Passkeys offer a much smoother and more secure way to grant this consent, replacing awkward redirects and manual password entry with a simple biometric authentication.
• Securing Card-on-File (CoF) Tokens: Beyond just securing the login for an account with a saved card, passkeys can be used to secure the initial act of saving the card. A challenge at the moment a user adds their card provides strong evidence that the legitimate cardholder is present, reducing fraud from stolen credit card numbers being used to create CoF profiles for later misuse.
• BNPL and Instant Lending: Buy Now, Pay Later services and other forms of instant credit involve both an initial onboarding and per-transaction risk assessments. Passkeys are already used by pioneers like Klarna to replace passwords for login. They can also be used as a step-up authentication method for high-value purchases or when a user applies for a new line of credit, providing a stronger, lower-friction signal of user intent than traditional methods.

The rise of stablecoins (like USDC or EURC) presents a new, blockchain-based payment rail. However, a major barrier to mainstream adoption has been the poor user experience and security of crypto wallets. Traditionally, these wallets are secured by a "seed phrase" (a list of 12-24 words) that the user must write down and protect. This is incredibly user-unfriendly and makes account recovery a nightmare.

Passkeys are set to completely transform this experience. The industry is moving toward a model where the private key that controls the on-chain assets is secured by the device's passkey.

• Eliminating Seed Phrases: Instead of writing down a seed phrase, a user's wallet is created and secured by their device's built-in security. To authorize a transaction, such as sending stablecoins to a merchant, the user simply authenticates with Face ID or a fingerprint scan. This makes a crypto payment feel as seamless and secure as using Apple Pay.
• Enabling Account Recovery: By using wallet architectures like "smart accounts" (or "account abstraction"), recovery mechanisms can be built in. A user could designate trusted friends, family, or institutions as "guardians" who can help them recover their account if they lose all their devices, a vast improvement over the all-or-nothing nature of seed phrases.

This evolution could significantly reduce the friction and risk associated with using stablecoins for payments, potentially making them a more viable and mainstream alternative to traditional payment rails.

The analysis of the payment landscape and the emerging passkey integration models reveals several distinct and actionable opportunities. For a passkey-first authentication company like Corbado, the goal is to empower every player in the ecosystem to achieve their strategic goals by providing the foundational technology needed to navigate this transition.

• The Goal: To modernize the 3DS challenge flow, replacing high-friction OTPs to increase conversion rates, enhance security, and meet PSD2/PSD3 compliance head-on.
• How Corbado Helps: We provide an embeddable passkey authentication module designed for straightforward integration into existing Access Control Server (ACS) platforms. We help ACS vendors offer a best-in-class, low-friction challenge experience that benefits their entire network of banks and merchants.

• The Goal: To own the end-to-end customer journey and deliver the ultimate checkout experience through Delegated Authentication (DA), eliminating the 3DS challenge for logged-in users.
• How Corbado Helps: Corbado delivers a comprehensive DA enablement solution. This includes not only a best-in-class passkey login system but also the tools and APIs to generate the cryptographic proofs required by issuers to grant DA exemptions. We act as a technology partner, enabling merchants and PSPs to maximize conversion and strengthen their brand.

• The Goal: To effortlessly offer the latest network-mandated features like Click to Pay and keep platforms competitive without costly, duplicative development efforts.
• How Corbado Helps: Corbado offers a "Passkey Orchestration" layer. We help with the integration of services of both Visa and Mastercard and also provide ways how merchants can simultaneously offer their own passkey solution to offer a modern guest checkout.

• The Goal: To secure the entire wallet ecosystem, creating a seamless and secure login and payment experience that is portable across the PSP's entire merchant network.
• How Corbado Helps: We provide the core passkey infrastructure that allows large PSPs and wallet providers to become the central Relying Party for their users. By integrating our solution, they can replace passwords for their wallet logins (e.g., for PayPal, Stripe Link, or Klarna). This not only secures the account against takeover but also streamlines the payment authorization into a one-click biometric step, creating a powerful, branded authentication experience that locks in users and attracts merchants.

This analysis highlights a critical success factor for any passkey-based strategy: user adoption. A solution that can demonstrably increase passkey creation and usage from a baseline of ~10% to over 50% addresses the primary challenge facing the rollout of these new authentication models. Based on the ecosystem and the strategic goals of its players, the following organizations and sectors are prime candidates for such a solution.

• Core Problem: High friction in the 3DS challenge flow leads to abandoned carts and lost revenue for merchants, making an issuer's card less competitive.
• How Adoption Helps: A higher adoption of passkeys directly translates into more successful, low-friction challenges. This improves conversion rates, enhances security, and makes the issuer's payment credentials more valuable to both merchants and consumers.
• Prime Candidates: Major issuing banks (Bank of America, Chase, Barclays), and the ACS providers who supply their 3DS technology (Netcetera, CA Technologies).

• Core Problem: The desire to own the customer journey and eliminate checkout friction is often blocked by the need for a 3DS challenge.
• How Adoption Helps: The entire Delegated Authentication (DA) model is predicated on the merchant being able to strongly authenticate the user at login. High passkey adoption is not just an enhancement but a prerequisite for a successful DA strategy. Enabling DA for a majority of users is a powerful competitive differentiator.
• Prime Candidates: Global e-commerce leaders (Amazon, Walmart), digital subscription services (Netflix, Spotify), and the full-stack PSPs that serve them (Stripe, Adyen, Checkout.com).

• Core Problem: The success of strategic, network-level identity services like Click to Pay is directly dependent on widespread consumer enrollment.
• How Adoption Helps: An easy and appealing passkey creation experience is essential for the growth of these federated identity networks. The networks could embed an adoption-focused solution into the SDKs they provide to merchants and PSPs, accelerating the rollout and uptake of their proprietary passkey services.
• Prime Candidates: Visa (for its Visa Payment Passkey Service) and Mastercard (for its Token Authentication Service).

• Core Problem: The value of the wallet (e.g., PayPal, Stripe Link) is directly tied to the number of active, engaged users. Friction at login or checkout weakens the ecosystem.
• How Adoption Helps: Driving mass adoption of passkeys for the wallet's own domain (paypal.com, etc.) is a core strategic goal. It reduces fraud, improves the user experience, and strengthens the network effect, making the wallet more attractive to both consumers and merchants.
• Prime Candidates: Global PSPs with wallet offerings (PayPal, Stripe Link, Klarna), and large regional players (Mercado Pago, Block).

• Core Problem: National payment schemes face pressure to modernize their infrastructure and provide digital identity solutions to remain competitive against global technology companies.
• How Adoption Helps: These networks must ensure their new digital payment and identity services see widespread use. For a player like Australian Payments Plus (AP+), driving adoption for services like PayTo (for real-time payments) and ConnectID (for digital identity) is a core strategic objective. A solution that boosts passkey enrollment is a direct enabler of this strategy.
• Prime Candidates: Australian Payments Plus (AP+) and other national payment infrastructure bodies.

The large technology companies operate sophisticated digital wallets that play a unique and powerful role in the payments ecosystem. They sit at the intersection of the user's device, their platform identity, and the traditional payment rails, giving them a distinct position and strategy regarding passkey adoption.

Apple Pay and Google Pay are best understood as a technology and authentication layer that sits on top of the existing payment card infrastructure. They do not issue cards or process transactions themselves but instead securely store and transmit tokenized versions of a user's existing payment cards.

• Position in the Ecosystem: They act as a secure "container" for a user's cards. When a user pays online, instead of entering their card details, they select Apple Pay or Google Pay. The wallet then passes a secure, single-use token to the merchant's payment gateway. The transaction still flows through the acquirer, network, and issuer as normal.
• How They Leverage Passkeys: They authenticate the user with face or fingerprint scan to the wallet, authorizing it to release the payment token. This is a powerful, low-friction authentication event, but it is distinct from the 3DS/SCA authentication that the card issuer is responsible for. An issuer can still technically trigger a 3DS challenge on a transaction initiated via Apple Pay, although the strong device-level authentication makes this less likely.
• Opportunities & How They Benefit from Adoption:
  • Streamlining Wallet Provisioning: The process of adding a card to a wallet often requires an OTP from the issuer. This is a key point of friction. Apple and Google could work with issuers to replace this with an in-app passkey flow, using a passkey to verify the user instantly. An adoption solution for their issuer partners would make their wallets easier to load and use.
  • Becoming a Delegated Authority: Their ultimate strategic goal is to leverage their powerful platform authentication to become the definitive, trusted authenticator for payments. If issuers formally recognize the Apple Pay or Google Pay authentication as meeting SCA requirements, they could become Delegated Authorities, eliminating the 3DS challenge entirely. High adoption of their own platform passkeys is critical to making this a compelling proposition for issuers.

Amazon Pay and Meta Pay operate more like a traditional merchant with a very large Card-on-File (CoF) wallet that can be used on third-party sites and within their own ecosystems (e.g., for social commerce on Instagram).

• Position in the Ecosystem: They are a classic example of the Merchant-Centric model. Users store their payment cards directly in their Amazon or Meta account. When they use Amazon Pay or Meta Pay to check out, they are authenticating to their main account, and that platform processes the payment on their behalf.
• How They Leverage Passkeys: Their primary use of passkeys is to secure the user's main account login (e.g., the passkey for Amazon.com). By moving their vast user bases from passwords to passkeys for account login, they dramatically reduce the risk of account takeover fraud and protect the valuable stored payment credentials.
• Opportunities & How They Benefit from Adoption: Their benefit is direct and immediate. A solution that drives passkey adoption for their core user accounts:
  1. Reduces Fraud: Massively decreases the attack surface for account takeover, a major source of financial loss and customer dissatisfaction.
  2. Reduces Friction: Creates a seamless and secure login and checkout experience, which is proven to increase conversion rates. For these players, a solution that boosts passkey adoption is a direct investment in the security and performance of their core commerce business. They are therefore prime candidates for such a solution.

The payment industry is at the dawn of a new era of authentication. The long-standing compromise between security and convenience is finally being resolved by the maturation and adoption of passkey technology. The analysis presented in this report demonstrates that this is not a monolithic shift but a complex transition with multiple competing visions for the future. Issuers seek to enhance the existing 3DS framework with SPC; large merchants and PSPs aim to seize control of the experience through Delegated Authentication or by building their own wallet ecosystems; and the card networks are creating a new, federated identity layer with Click to Pay. Each model is vying to become the new standard for user trust and convenience.