Get ready to smile: as credit card issuers tap AI, cryptocurrency, and new security technologies to reshape the online shopping experience, your next credit card will verify your identity not with one-time passwords (OTPs), but by using ‘passkeys’ based on your face or fingerprint.

Passkeys will rapidly become ubiquitous after Mastercard – which issues 21 per cent of the world’s credit cards – recently announced plans to automatically enrol newly issued Australian cards in its Mastercard Payment Passkeys (MPP) and Mastercard Click to Pay (CTP) programs.

Its goal is to enable one-click checkouts for online shopping – allowing you to complete a purchase online without having to enter any personal details, then verifying your payment details with the merchant to complete the transaction without requiring any additional inputs.

Current online shopping requires an average of eight data points and 105 keystrokes to complete, the company said while noting that CTP can complete the same task with as few as four keystrokes and just one point of data entry – using your phone to scan your face.

“The future of payments in Australia is all about empowering people with complete control over their payments,” said Mastercard Australasia division president Richard Wormald.

“By transforming the banking app into the ultimate control tower for your payments, we’re not just enhancing convenience; we’re building and maintaining the chain of trust that cardholders establish when they open a bank account… making every transaction secure and seamless.”

The new online approach – which modernises conventional bank credit cards with a user experience already provided by the likes of Apple Pay and Google Pay – is part of a five-year plan that will see Mastercard and partner banks rolling out a range of “cutting-edge payment technology”.

That includes plans for numberless credit cards; unique, one-time virtual cards that bolster security with numbers that can’t be stolen and sold by data-hungry criminals; enabling a single digital card for multiple payment types; and real-time payment settlements for merchants.

But what is a passkey, anyway?

Mastercard’s move reflects an industry-wide shift away from passwords to passkeys, which featured heavily in commemorations of today being World Password Day – the tech industry’s annual reminder that your current password habits are probably terrible.

“In the age of generative AI, traditional password tricks such as substituting ‘a’ with ‘@’ or adding an exclamation mark at the end don’t offer enough protection,” Keeper Security APAC sales senior vice president Takanori Nishiyama said.

Criminals have graduated from trying to guess your password, with AI-based password cracking tools helping them guess your “clever” passwords more easily than ever, he added, warning that today’s tools “can guess common patterns and character swaps in a matter of seconds.”

With armies of malicious bots swarming the internet on a daily basis – and cybercriminals sharing and exploiting stolen passwords in their billions – passkeys, which mainstreamed with Apple’s 2022 iPhone launch and have since become widely adopted, promise a completely passwordless future.

Put simply, a passkey is a unique digital ‘token’ – defined by the FIDO2 authentication standard and its core WebAuthn component – that integrates information about you and your device, and is stored on that device in a secure way and then transmitted to a service when requested.

The passkey includes your biometric signature – a code generated by the device’s built-in face or fingerprint scanner – as well as technical details about your device and account, and other identifying information that prevents it being used by cybercriminals.

Tokens are tied to specific devices or applications, can be revoked if necessary, and can be set to expire after a certain period for temporary access – which is why, despite challenges, Mastercard, rival Visa and others openly refer to passkeys and tokenisation as the future of e-commerce.
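As an added illustration, not part of the original article and not Mastercard's code: a sketch of the checks a service runs on a WebAuthn sign-in response, showing how the response is bound to one site, one login attempt and a local face or fingerprint check. The domain names and sample bytes are constructed, and the signature check over the response, which needs a cryptography library and the stored public key, is left out.

```python
import base64, hashlib, json, struct

RP_ID = "shop.example"            # assumed relying-party ID (constructed)
ORIGIN = "https://shop.example"   # assumed expected web origin (constructed)

def b64url(data):
    """WebAuthn encodes the challenge as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, auth_data, expected_challenge, stored_count):
    """Return the list of failed binding checks; an empty list means all hold.
    Not shown: verifying the signature over auth_data + SHA-256(client_data_json)."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("type")
    if client.get("challenge") != b64url(expected_challenge):
        problems.append("challenge")          # stale or replayed response
    if client.get("origin") != ORIGIN:
        problems.append("origin")             # produced on another site
    if len(auth_data) < 37:
        return problems + ["authData too short"]
    # authenticatorData layout: 32-byte rpIdHash, 1 flag byte, 4-byte counter
    rp_id_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash")           # credential scoped to another site
    if not flags & 0x01:
        problems.append("user not present")
    if not flags & 0x04:
        problems.append("user not verified")  # no biometric or PIN check on device
    if (stored_count or count) and count <= stored_count:
        problems.append("signCount")          # possible cloned authenticator
    return problems

def make_sample(origin, rp_id, challenge, flags=0x05, count=7):
    """Build a constructed response pair for the checks above."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
    return client, auth

if __name__ == "__main__":
    ch = b"constructed-challenge-0001"
    print(check_assertion(*make_sample(ORIGIN, RP_ID, ch), ch, 6))
    lookalike = make_sample("https://shop-example.test", "shop-example.test", ch)
    print(check_assertion(*lookalike, ch, 6))
```

The service only ever sees the "user verified" flag bit in this response; the checks fail independently, so a response relayed from a look-alike site is rejected on both its origin and its rpIdHash.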

“Passwords are no longer fit for purpose,” Thales Australia strategic clients director for data security Erick Reyes said, adding that “passkeys are harder to crack, automatically generated and can be safely stored on devices.”

“They make it easier for the consumer, eliminating the need to create long, complex passwords or phrases… [and] enable greater privacy by granting authentication without handing over sensitive information – reducing the risk of data breaches.”

Soon, AI will do the shopping for you

Australia’s credit card-focused digital payments ecosystem has previously been slammed as archaic – but with the government now all-in on digital and issuers now doubling down on passkeys to facilitate secure digital payments, expect big changes as other technologies are added to the mix.

Visa, for its part, has just partnered with Stripe subsidiary Bridge to allow customers to pay for purchases using ‘stablecoins’ – a controversial type of cryptocurrency whose value is pegged to specific real-world currencies or assets, and about which the RBA is still sceptical.

Also announced at Visa’s Global Product Drop was Visa Intelligent Commerce, an AI-based service – backed by OpenAI, Anthropic, Microsoft, IBM, Perplexity and others – that will integrate tokenised payment credentials with AI-based personal shopping driven by your payment history.

If you’ve been researching that new pair of headphones, for example, the AI agent will notice when there’s a sale on and offer to buy them for you, automatically.

If you’ve been listening to a lot of Katy Perry recently, the AI agent will keep an eye out for her next local concert and automatically secure you the best tickets.

You’ll be able to set spending limits and conditions for the agents, with Visa promising that “commerce signals” will be shared in real time with the company – helping the card issuer control transactions and manage any disputes that might arise.

“Soon people will have AI agents browse, select, purchase and manage on their behalf,” Visa chief product and strategy officer Jack Forestell said, noting that “these agents will need to be trusted with payments, not only by users, but by banks and sellers as well.”