A merchant’s returning customer attempts to complete a $1,800 luxury purchase on a mobile device, mistypes a password twice, triggers a reset email and leaves before the link arrives.
A reused password harvested in an unrelated breach enables a criminal to access a stored wallet and drain loyalty points.
Call them the twin engines of commerce’s breaking point: authentication failure and credential-based fraud.
Conversion Pressure Meets Fraud Fatigue
PYMNTS reporting has noted that credential stuffing and phishing continue to exploit password reuse, creating operational and reputational damage for merchants and financial institutions.
High-income shoppers, who often maintain multiple digital accounts across retail, travel and financial services platforms, are especially sensitive to login friction. They are also attractive fraud targets because of higher balances and transaction values. The combination of elevated cart values and persistent credential-based attacks sharpens the business case for stronger, lower-friction authentication.
This is the context in which attention around passkeys is accelerating.
Signals From Platforms
Passkeys are passwordless login credentials based on public-key cryptography that are stored on a user’s device and unlocked locally with biometrics or a PIN, eliminating shared passwords and reducing exposure to phishing and credential theft.
PayPal and Stripe grabbed their fair share of attention this week amid rumored dealmaking, but no matter what the outcome of any corporate action, their own efforts in moving beyond the password have been notable. PayPal has expanded support for passkey-based login for consumer accounts in the United States and additional markets, positioning the feature as a way to reduce phishing risk while simplifying sign-in.
Stripe has published developer guidance encouraging merchants to implement passkeys through WebAuthn standards to improve login resilience and speed. Both companies sit at critical junctions of online checkout and wallet activity. When large platforms integrate a security model into widely used login flows, adoption may follow.
PYMNTS coverage of wallet competition has emphasized that conversion rates and security posture increasingly are valued by consumers, as evidenced by our continuing “How the World Does Digital” series.
If passkeys demonstrably reduce login friction and phishing exposure within major wallet ecosystems, merchants may view implementation as part of their near-term roadmaps.
Where Adoption Stands
Passkeys are built on standards developed by FIDO Alliance, which has promoted phishing-resistant authentication based on public-key cryptography. Major operating systems and browsers now support passkeys, enabling credentials to be stored on a device and unlocked locally through biometrics or a device PIN.
Financial institutions are testing passwordless authentication in limited deployments, often layering it alongside existing multifactor controls rather than replacing them outright.
Adoption remains uneven. Some merchants have integrated passkeys into account login flows. Others continue to rely on passwords and SMS one-time passcodes, citing integration costs, customer education hurdles and account recovery complexity.
From a regulatory standpoint, passkeys present both opportunity and scrutiny. Because biometric data typically remains on the user’s device rather than being stored centrally, the model may reduce exposure under state biometric privacy laws. However, institutions must still satisfy supervisory expectations around strong authentication and fraud mitigation.
Pain Points Addressed, Challenges Ahead
The commercial appeal is concrete. Passkeys eliminate password reuse, diminish phishing effectiveness and remove reliance on SMS codes that are vulnerable to SIM-swap fraud. They can shorten login time and reduce password reset support costs.
Enrollment requires consumer awareness and trust. Cross-device synchronization is improving but depends on platform ecosystems. Account recovery processes must be designed carefully to prevent lockouts without reintroducing weak fallback mechanisms.
In the meantime, merchants face measurable abandonment tied to authentication. Financial institutions face ongoing credential-based fraud. The trajectory of adoption will hinge on evidence that passkeys produce lower account takeover rates and improved conversion metrics within major wallet and checkout environments.





