November 5, 2025
In the never-ending arms race against cybercrime, passwords are increasingly showing their limitations as a protective shield. Compromised credentials are the entry point in a third of hacks, and as criminal tactics evolve — and AI ramps up the risk of complex attacks — the good guys need stronger armor.
Enter passkeys — the next-generation defense that replaces passwords with secure sign-in credentials unlocked with your device’s biometric information or PIN. They make it much easier and safer to prove it’s really you when you’re signing into an online account, or, with payment passkeys, paying for something. Developed by the FIDO Alliance, an international industry standards association with more than 250 members, payment passkeys are rapidly gaining traction across major platforms and devices, helping to insulate accounts and transactions against ever more sophisticated phishing and social engineering schemes.
Now FIDO is forging another layer of fraud protection. Working with Mastercard, tech giants and international governments, it aims to standardize the fragmented rules governing verifiable credentials. This will pave the way for a dramatic scale-up in the use of passkeys, allowing people to store driver’s licenses, passports and documents in secure cloud-based wallets. Verifiable credentials are also making it more secure and reliable for the ecosystem to participate in emerging payment experiences like AI-powered shopping.
The Mastercard Newsroom recently sat down with Andrew Shikiar, FIDO’s chief executive, to learn how the group is helping bolster protection in a rapidly changing digital world.
Shikiar: Passwords can be stolen; they can be guessed. They’re susceptible to human error. With passkeys, you have a virtual lock and key — the lock sits on the server, and the private key is only held by you. And that must match precisely. So the whole idea of remote attacks with a hacker pretending to be you and logging in is simply not possible — essentially eliminating this attack vector.
Shikiar: Envision a future where all the assets and credentials in your physical wallet, and everything else that's not going to fit into your wallet, are now on your device or in the cloud, based on your verifiable identity. This can include payment credentials, your driver's license, your passport — or other attributes such as education history or loyalty programs. This digital approach is more secure, more private and a better user experience than the way we share our identity information today — which often involves giving third parties more information about you than they likely need. For example, think about how many hotels have taken a photocopy of your passport or driver’s license, when all they really need to do is validate that you are the person attached to the reservation.
A lot of these developments are being driven by government and regulators who are pushing to move towards mobile identity. By working with partners in the industry, we aim to create some commonality around foundational technology, certification and user flows for verifiable credentials.
Shikiar: Mastercard has been a key contributor in extending the benefit of passkeys to more use cases. The Payments Working Group is aiming to bring trust, security and interoperability to digital transactions. What we've done for sign-in with passkeys, the working group can now focus on doing for digital transactions and payments.
Shikiar: We should be able to make payments for e-commerce even faster, even easier and even more secure. Oftentimes, you have to use a one-time password to authorize payments. SMS more and more is being perceived as risky by consumers due to the growth of “smishing,” or SMS scams. Getting away from that sort of user experience into something that's both easier and more secure is going to be a big win. I see us extending all these capabilities beyond just digital remote payments and into brick-and-mortar environments. Biometric payment cards might have a higher level of assurance for higher transactions. Biometric payment terminals will be interesting as well.
Shikiar: Agentic commerce itself is a great opportunity to provide convenience and efficiency to e-commerce. But it's new, very dynamic and moving very quickly. It's important to take a step back to ensure that a proper privacy-preserving and secure foundation for agentic commerce is put into place. Once the genie is out of the bottle, it's incumbent on the industry to make sure that agentic commerce flows are secure and have a positive user experience.
Agentic commerce needs to be conducted with the same ease and security as passkeys are today. So that's our collective North Star.
Shikiar: Social engineering threats generated by AI are the biggest threat today — credential phishing and things like that. AI is in the middle of everything we're doing, for better or for worse. The FIDO Alliance wants to make sure that all these agentic-driven activities are safe, secure and as beneficial as possible. If we work together to ensure there's trust in transactions, payments and identity, the big win for payment networks — and for everyone — is making our connection to the economy safe and easy for all consumers.