Mastercard Passkeys: Token Authentication Service

1. Introduction: Mastercard Passkeys
2. The Rise of Passkeys in Financial Services
3. Mastercard’s Path to Passkeys

    3.1 Example: Passkey Creation During Checkout

    3.2 Example: Passkey Login During Checkout

4. Mastercard’s Token Authentication Service
5. The Benefits of Mastercard Passkeys
6. Implications for Merchants and Developers
7. Conclusion

In recent years, the finance sector has seen a surge in interest towards enhancing security and user experience with innovative authentication methods. Passkeys are now emerging as a very compelling and more and more preferred solution across banks (e.g. Revolut, fintechs (e.g. Finom), and payment providers (e.g. PayPal).

Our last blog posts extensively covered the implications of this technology shift, particularly in the context of Strong Customer Authentication (SCA) (see part 1, part 2, part 3 and part 4 of our series) required by PSD2, including the crucial role of dynamic linking.

As we continue to analyze the world of secure authentication, Mastercard has taken a significant leap by introducing a new service for passkeys - Mastercard Token Authentication Service. This pioneering initiative allows shoppers to create a passkey that streamlines the authentication process during payments, marrying convenience with robust security. This blog post explores Mastercard's innovative approach to passkeys and what it means for the future of payment security.

The integration of passkeys into the financial services sector is a shift towards more secure and user-friendly authentication. The driving force behind are consumer expectations. As Mastercard has revealed in previous statements, consumers hate passwords (7 out of 10 feel overwhelmed by the number of passwords they need to manage). Moreover, more than 80% of confirmed data breaches were due to passwords. Besides, Mastercard acknowledged that any shared secret, including OTPs, is becoming a target for cyber criminals. That’s why Mastercard wants to replace the password with the person-based factors. Passkeys, by leveraging biometric and device-based authentication, address this need effectively.

Furthermore, passkeys eliminate traditional pain points associated with passwords, such as phishing risks. By replacing passwords with cryptographic keys that are simple to use but difficult to exploit, passkeys offer a compelling solution for financial institutions aiming to both enhance security and streamline user interactions.

Historically, the Payment Services Directive 2 (PSD2) in the European Union has mandated Strong Customer Authentication (SCA) to enhance the security of electronic payments. This regulation requires that payment transactions are authenticated using at least two factors from two authentication categories: something the user knows, has, or is. Passkeys fit neatly within this framework, particularly under the criteria of 'something the user is' (fingerprint / face being scanned with e.g. Face ID, Touch ID or Windows Hello) and 'something the user has' (private key securely stored in the device’s secure enclave, TEE or TPM).

Mastercard is one of the early members of the FIDO alliance, the driving force behind passkeys & WebAuthn, where they joined already in 2012.

In the past, Mastercard has already launched the Mastercard Biometric Authentication Service, which was a first step into the passkey direction. This service was already designed on adhering to FIDO standards.

In September 2023, Mastercard provided an update on passkeys and Secure Payment Confirmation (SPC). In there, Mastercard shared their view on standard passkey vs SPC passkey potential processes. The mockups were already on a detailed level (as you’ll see below).

Let’s briefly analyze the passkey creation example during the checkout. Note that Mastercard mentions that the passkey does not necessarily need to be created during the checkout process but can also be during card addition or within an issuer application (e.g. in a native iOS / Android app).

After clicking on the “Pay” button, the user is redirected from the sample shop (https://decorshop.com) to web page hosted by Mastercard (https://verify.mastercard). This site is part of the EMV 3DS with issuer authentication process.

After this process is completed successfully, the user has the option to create a passkey. Note that this passkey will be created for the Relying Party ID of Mastercard (e.g. verify.mastercard.com or mastercard.com). So, the passkey is not registered with the merchant where the user wants to transfer the money to. This allows to use this passkey across different sites that use Mastercard’s service and not only at this particular merchant.

Taken from https://www.w3.org/2023/Talks/mc-passkeys-20230911.pdf

After deciding to create a passkey, the local authentication (here an Android smartphone that stored the passkey in Google Password Manager) is conducted. After finishing the passkey creation, the user is redirected back form Mastercard’s website to the shop.

Taken from https://www.w3.org/2023/Talks/mc-passkeys-20230911.pdf

Now that we have seen how a passkey can be created after an EMV 3DS issuer authentication, let’s have a brief look at the process of using the passkey for authentication in checkout processes. Note, that we assume that there is a passkey at Mastercard already created before. When the user clicks on the “Pay” button, there are be two options depending on the standard passkey flow or an SPC passkey flow (this depends on the implementation by the merchant):

1. Standard Passkey Flow: The user is redirected to https://verify.mastercard.com where they can use the passkey in the regular WebAuthn authentication way. After successful authentication, the user directed back to the merchant’s shop. We are here in a first-party payment context, as we’re using a passkey, that was registered at Mastercard, at a domain of Mastercard.
2. SPC Passkey Flow: The user stays on the merchant’s domain (no redirect) and a the SPC popup appears, where payment information is displayed and the user conducts the authentication. After successfully authenticating, the user sees the success manage directly. We are here in a third-party payment context, as we’re using a passkey registered at Mastercard at a domain of the merchant. Please note that SPC passkeys are still in a concept phase and it’s decided if they will every reach general availability (mainly due to Apple not giving it a go).

Taken from https://www.w3.org/2023/Talks/mc-passkeys-20230911.pdf

Mastercard's launch of the Mastercard Token Authentication Service is a significant advancement for passkeys in the space of payment, as Mastercard is the first of the three big credit card issuers to offer a dedicated passkey service. With the Mastercard Token Authentication Service, traditional password-based authentication can be fully replaced. The integration with the Token Authentication Service ensures that once a user has created a passkey at Mastercard, this passkey can be used to authenticate transactions across any participating merchant's site without the need to create new passkeys each time the users visits a new merchant site.

For merchants, adopting Mastercard's Token Authentication Service means

• Reduced risks of fraud and chargebacks, as the authentication process is tied directly to the user's biometric data.
• Minimized friction at checkout, leading to a smoother transaction process, higher approval rates and higher conversion rates.

For shoppers, this service enables:

• Seamless checkout process (across different devices and different merchants’ shops)
• Enhanced security with phishing-resistant MFA, which will further improve the defense against all sort of credit card scams and phishing.

We will write a more detailed technical analysis on how to integrate the Mastercard Token Authentication Service into existing system once Mastercard publishes more information. To stay up-to-date, subscribe to our Passkeys Substack or join our Passkey Community on Slack to not miss this update.

Until then, we recommend to take a look at the official video by Mastercard that explains the concept in more detail.

The adoption of passkeys in the payment provider landscape by Mastercard's Token Authentication Service is a huge milestone for the entire industry. This innovative approach not only enhances transaction security through biometric authentication but also offers a seamless and frictionless user experience, thereby addressing two of the most critical aspects in the payment industry today.

For merchants, the integration of Mastercard passkeys means a significant reduction in fraud and chargebacks, while for consumers, it promises a more secure and streamlined checkout process. Developers and product managers are encouraged to explore the integration of this technology to stay at the cutting edge of payment security and user experience.

One of the open questions after Mastercard’s passkey move is: what are Visa and American Express planning in regards to passkeys and catching up with Mastercard (both of which are also board level members of the FIDO alliance)?

At Corbado, we are committed to providing the tools and expertise needed to integrate these advanced solutions effortlessly. As we continue to explore the evolving world of passkeys and their applications, stay tuned for more insights and detailed analyses on how these technologies are shaping the future of digital interactions.