Passkeys Gain Traction with Ecommerce Shoppers

Passkeys allow users to log in to their accounts without passwords. Ecommerce businesses were first in line when the FIDO Alliance introduced passkeys in 2022. The trade association, whose name stands for Fast IDentity Online, launched in 2012 with a mission to reduce the world’s reliance on passwords.

Andrew Shikiar, executive director of FIDO, said the past two years have been momentous for members and ecommerce businesses. “You want to attract customers to your site and protect them from account takeover, credential stuffing, and phishing attacks,” he said. “That’s why PayPal, eBay, Amazon, Walmart, Best Buy, and other ecommerce companies were the earliest adopters of passkey payments.”

Shikiar noted that passkey awareness has risen from 39% in 2022 to 57% in 2024, according to a FIDO survey of 10,000 consumers in the U.S., U.K., France, Germany, Australia, Singapore, Japan, South Korea, India, and China.

Dual Protection

Passkeys protect sign-ins and payments, Shikiar explained, adding, “How do I know that it’s really my customer or a legitimate guest who is signing in or making the purchase and not a fraudster? I want my customers to sign into my site as easily and securely as possible.”

Passkeys are built on public key cryptography. When a shopper registers a passkey, the device generates a pair of keys: a public key, which the merchant stores and which anyone may see, and a private key, which stays with the user on the device (a phone, computer, or security key) or in the user’s passkey sync. At sign-in the merchant’s server sends a random challenge; the device signs it with the private key, and the server verifies the signature with the stored public key. The private key is never transmitted, the merchant holds no shared secret that could be stolen and replayed, and the signature is bound to the web address the browser is actually on, so a signature produced on a look-alike phishing site fails on the real one. Hence a fraudster must have access to the user’s unlocked device to sign in to her accounts, not merely a leaked password.
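To make the challenge-response concrete, here is an added Go example (not code from FIDO, from the merchants named on this page, or from any vendor) that models both sides of a WebAuthn-style passkey sign-in: a device that generates a P-256 key pair and signs the server’s challenge, and a merchant server that checks the origin, the RP ID hash and the signature counter before verifying the signature against the stored public key. The RP ID shop.example and the origin https://shop.example are hypothetical; real deployments use a WebAuthn library and CBOR-encoded registration data, which this sketch omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Authenticator stands in for the shopper's device; the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

// RelyingParty is the merchant's server; it holds only the public key and the last counter.
type RelyingParty struct {
	RPID, Origin string // hypothetical values: "shop.example", "https://shop.example"
	pub          *ecdsa.PublicKey
	counter      uint32
}

// clientData is what the browser signs over; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the device's answer to one sign-in challenge.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Register creates a P-256 (ES256) key pair bound to the RP ID and hands over the public key.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{priv: priv, rpID: rp.RPID}, nil
}

// NewChallenge is the fresh random nonce the server issues for each sign-in attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; a failed read here would mean no sign-in at all
	return c
}

// Sign builds authenticator data (rpIdHash || flags || counter) and signs
// SHA-256(authData || SHA-256(clientDataJSON)), the same bytes a real RP verifies.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) (*Assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get",
		base64.RawURLEncoding.EncodeToString(challenge), browserOrigin}) // cannot fail for plain strings
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x05) // flags: user present (0x01) | user verified (0x04)
	authData = append(authData, byte(a.counter>>24), byte(a.counter>>16), byte(a.counter>>8), byte(a.counter))
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cd, sig}, nil
}

// Verify is the server-side ceremony: challenge, origin, RP ID and counter are checked
// before the signature, and the counter is stored only after everything passes.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("wrong ceremony type or stale challenge (replay?)")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was made on another site (phishing?)")
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	ctr := binary.BigEndian.Uint32(as.AuthData[33:37])
	if ctr <= rp.counter {
		return errors.New("signature counter did not increase (replay or cloned key?)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("signature does not verify against the stored public key")
	}
	rp.counter = ctr
	return nil
}
```

The origin check is what defeats phishing: a look-alike site can relay the merchant’s real challenge to the victim’s browser, but the browser writes its own origin into clientDataJSON, so the signature covers the wrong origin and Verify rejects it. The counter check catches replays and can expose a cloned authenticator; in production the challenge should also be tied to the session and discarded after one use.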

Shikiar stated that sign-in success rates were a hot topic at FIDO’s October 2024 Authenticate conference in California, where Amazon reported a 15% increase in sign-in success. Even a 5% increase is significant for merchants, and higher success rates typically come with sign-ins that are faster than passwords and legacy two-factor authentication.

Passkey Readiness

Emily Baxter, a security consultant at RPY Innovations, a payments consultancy, advised merchants to consider internal and external factors when evaluating passkeys. “Merchant readiness could be viewed from two perspectives: the readiness of users and passkey providers,” she said. Essential questions for merchants include how they utilize passwords today, what integrations and vendors are required to enable passkeys, and how customers will experience the change.

As always, ensure your security team is engaged in assessing your organizational readiness, Baxter added, noting that the best solutions are driven by a clear “why,” which she called the North Star of implementation.

“Your North Star may be a reputation as a safe and trusted merchant or providing an excellent user experience (especially increasing cart abandonment or addressing user frustrations), meeting provider requirements, or it could be something else entirely,” she said.

Baxter pointed out that passwords, despite their shortcomings, can be used anywhere, on any device, and at any time. Merchants must assess the passkey’s potential impact on the user experience by considering:

  • Do shoppers typically sign in from their own devices or from, perhaps, public computers?
  • Will user adoption of passkeys be voluntary or mandated?
  • Will initial implementation require a dual password and passkey solution?
  • What customer and employee training and education is necessary?

In addition to referencing FIDO’s Passkey Central, an education portal, Baxter advised merchants to consider how passkeys fit into an overall cybersecurity strategy.

She added that passkeys can be provisioned and stored in different ways. A merchant could implement passkeys directly or through a third-party provider. A user’s private key could live in the phone’s built-in credential store (on an iPhone, iCloud Keychain) or in a third-party password manager. And vendors can handle any or all of the setup, with varying prices, scalability, and implementation support.

FIDO Certified Vendors

Shikiar agreed, stating that FIDO’s ecosystem has hundreds of certified solution providers that can help ecommerce and other companies implement passkeys quickly.

“We don’t dictate how to develop passkeys or promote vendor-specific solutions,” Shikiar added. “We advise companies to go into vendor discussions with their eyes wide open. Become informed before meeting with a vendor. While these are all FIDO-certified vendors, speaking the same language, having a strategy and clear objectives will help a vendor be more responsive to you and your passkey rollout.”

Charts: Global Cybersecurity Trends Q4 2024

PwC’s new “2025 Global Digital Trust Insights” survey gathered responses from 4,042 business and tech executives across 77 countries. The goal was to identify the challenges organizations encounter toward achieving cyber resilience.

Survey respondents are most concerned about the threats they are least prepared to handle. The top four cyber risks include cloud-related attacks, hack-and-leak incidents, third-party breaches, and attacks on connected devices.

According to the survey, security executives feel significantly less assured than CEOs about their organization’s ability to meet compliance requirements.

In addition, businesses are increasingly recognizing cybersecurity as a crucial factor for gaining a competitive edge. The data show that 57% of executives point to customer trust, and 49% highlight brand integrity and loyalty as key areas where cybersecurity has a strong influence.

Moreover, the survey results reveal that many organizations miss opportunities by not integrating their security executives into critical projects. Less than half of CEOs report that their security officers are meaningfully involved in strategic planning for cyber investments, board-level reporting, and overseeing technology rollouts.

Combat AI-powered Fraud with AI, Experts Say

Fraudulent payments are 40% more likely to occur in ecommerce than physical stores, according to LexisNexis Risk Solutions’ “True Cost of Fraud Study: Ecommerce and Retail Report.” Published March 27, 2024, the 14th annual study found digital wallets, payment apps, buy-now-pay-later plans, and cryptocurrencies account for one-fifth of all payment fraud.

Based on a survey of 346 risk and fraud executives in the U.S. (272) and Canada (74), the study revealed a 60% increase in attacks in 2023 compared to the previous year, led by fraudulent chargebacks and identity theft. Researchers advised that AI technologies are the best defense against these attacks.

“Advanced real-time transaction verification solutions using artificial intelligence and machine learning are especially crucial as they work in the background to help prevent fraudulent transactions with minimal impact on customers,” researchers wrote, emphasizing that these advanced technologies are the best defense against widescale, automated attempts.

High Cost, High Volume

Researchers noted that fraud is expensive. Fees, fines, and the cost of replacing products mean every sale lost to fraud costs approximately three times its original value. These costs will only multiply, they added, as fraudsters continue to exploit weaknesses in back-office and payment processing systems.

The report identified the top three attack schemes for all merchants (online and in-store): synthetic identity fraud, payment card fraud, and malicious bot attacks. Researchers also found that card-not-present fraud (25%) outranked all other forms of payment fraud, including counterfeit cards (22%), stolen or lost cards (20%), card ID theft (17%), and fake or doctored card fraud (17%).

Researchers found that the current threat environment makes it especially challenging to separate fraudsters from legitimate customers, especially in digital transactions. Survey respondents cited the use of mobile channels (47%), the rise of synthetic identities (47%), and limited or no real-time transaction tracking tools (46%) as the top three challenges of digital consumer verification.

Frictionless Tools

While 69% of survey respondents have implemented fraud prevention tools in digital channels, most found it difficult to deflect fraudsters without inconveniencing legitimate customers, particularly at the point of purchase. Researchers offered the following recommendations for creating a secure but frictionless experience:

Employ advanced, multi-tiered solutions. Use automated solutions, such as transaction scoring, to eliminate friction among low-risk shoppers. Transaction scoring creates a risk score to approve or deny a transaction and eliminate unnecessary steps in customer verification. When integrated with AI, biometrics, and other behavior-based authentication methods, these fraud prevention tools continuously evaluate customer identity and transaction risk while facilitating internal and external data sharing and collaboration.

Appoint a fraud management administrator. Assign an administrator to take ownership of a company’s fraud management, with responsibility for configuring, monitoring, maintaining, and continuously updating the system. This designated administrator will safeguard the customer journey, from account openings and checkouts to logins, an approach that protects all stakeholders — employees, customers, service providers — from card payment fraud and adjacent threats.

Risk-based, data-driven approach. Prioritize fraud mitigation to thrive in the ecommerce ecosystem. Leverage emerging technologies whenever possible to build a robust posture against fraud and reduce fraud losses, which can elevate conversions and trust.

Human, AI Oversight

As LexisNexis Risk Solutions noted, the growth of ecommerce has created more opportunities for criminals, many of which take surprisingly little effort to exploit. A significant share of breaches in 2023 involved human error, according to Verizon’s “Data Breach Investigations Report,” published May 1, 2024.

Chris Novak, senior director of cybersecurity consulting at Verizon Business, observed that 68% of data breaches in 2023 resulted from people making innocent mistakes or falling victim to social engineering attacks. “The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training,” he said in a statement.

The Verizon Business data-breach team advised taking a multilayered approach to fraud prevention. “We (and many others) have said it before: Multifactor authentication goes a long way toward mitigating these types of attacks. For that matter, so does not letting your kids use your corporate computer to find ways of making free [gaming] V-Bucks,” they wrote. “As with anything else security-related, the most effective controls are typically the ones that leverage the human element along with technical resources.”

LexisNexis Risk Solutions proposed more than personal attributes — name, address, date of birth — to identify customers in the digital world. Merchants must also assess device risk, transaction risk, and online and mobile behaviors. AI-powered tools can do all of this and more, researchers stated, calling the approach the “new norm in fraud management.”
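As an added example (not from the LexisNexis report or from any tool it names), the Go program below sketches the tiered transaction scoring recommended under “Employ advanced, multi-tiered solutions” together with the device, transaction and behavioral signals listed in the paragraph above: it computes a risk score with reason codes, counts per-card velocity from recent history, and maps the score to approve, step-up or manual review so that low-risk shoppers see no friction. The Order fields, weights and thresholds are illustrative assumptions; a production system would fit them to the merchant’s own chargeback data.

```go
package main

import "fmt"

// Order is a constructed view of the signals a scorer sees at checkout.
// Times are Unix seconds so the velocity window needs no clock.
type Order struct {
	ID, CardToken                          string // card token, never the PAN
	AmountUSD                              float64
	BillingCountry, ShipCountry, IPCountry string
	DeviceKnown                            bool // device seen on this account before
	AccountAgeDays                         int
	PlacedAtUnix                           int64
}

// Decision is the tier a score maps to; only the first is frictionless.
type Decision string

const (
	Approve Decision = "approve" // no extra steps for the shopper
	StepUp  Decision = "step-up" // e.g. a passkey or 3-D Secure challenge
	Review  Decision = "review"  // hold for the fraud administrator
)

// Scorer remembers recent orders so it can count per-card velocity.
type Scorer struct{ history []Order }

// Score returns a 0-100 risk score plus the reason codes behind it.
// The weights are illustrative assumptions, not values from any vendor's model.
func (s *Scorer) Score(o Order) (int, []string) {
	score, reasons := 0, []string{}
	add := func(pts int, why string) {
		score += pts
		reasons = append(reasons, why)
	}
	if o.ShipCountry != o.BillingCountry {
		add(25, "ship-to country differs from billing country")
	}
	if o.IPCountry != o.BillingCountry {
		add(20, "IP geolocation differs from billing country")
	}
	if !o.DeviceKnown {
		add(15, "unrecognized device")
	}
	if o.AccountAgeDays < 1 {
		add(10, "account created today")
	}
	if o.AmountUSD >= 500 {
		add(15, "high order value")
	}
	prior := 0 // earlier orders on the same card token within the last hour
	for _, h := range s.history {
		if d := o.PlacedAtUnix - h.PlacedAtUnix; h.CardToken == o.CardToken && d >= 0 && d <= 3600 {
			prior++
		}
	}
	if prior >= 2 {
		add(30, fmt.Sprintf("card used %d times in the last hour", prior+1))
	}
	if score > 100 {
		score = 100
	}
	s.history = append(s.history, o)
	return score, reasons
}

// Decide maps a score to a tier. The thresholds are assumptions; a merchant
// would tune them against the chargeback rate observed in each tier.
func Decide(score int) Decision {
	switch {
	case score < 30:
		return Approve
	case score < 60:
		return StepUp
	default:
		return Review
	}
}
```

Reason codes are kept alongside the score on purpose: a decision the fraud administrator cannot explain cannot be tuned, and the same codes are the evidence a merchant later needs when a disputed order goes to a chargeback response.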

Disputifier Founder on Winning Chargebacks

Mark Wagner believes the best chargeback recovery systems are automated and data-driven. He founded Disputifier, an Austin, Texas-based chargeback software company, on that premise in 2021.

He told me, “We’ve developed an intuitive system over the years. It combines data from the transaction with our testing and identifies an appropriate response.”

He and I recently discussed the state of ecommerce chargebacks and how merchants can recover false claims. The audio of our entire conversation is embedded below. The transcript is edited for length and clarity.

Eric Bandholz: Tell us what you do.

Mark Wagner: I run a software company called Disputifier. We’re an automated chargeback recovery agency. We see over 60% of chargebacks being fraud. These are not impossible to win. It’s more about separating the valid credit cards. Say a crook bought someone’s credit card info on the dark web. That’s a very different situation than a customer trying to get free stuff.

We help with duplicate chargebacks [where a cardholder wins a chargeback, then loses it, then refiles it], which are hard to prevent but easy to win. Duplicates are our highest win rate — around 90%. We attach screenshots of the checkout page and the purchase process for duplicate responses. We submit all the evidence to the card issuer after testing. We have a ton of data identifying the exact way to format a response, which can have a huge impact.

We present the evidence via PDFs. So, instead of using the Shopify Payments’ response, we built our own from scratch. We can highlight specific areas and make it almost like a lawsuit with different sections. We try to format it differently from Shopify.

Bandholz: Do real people at the issuing banks read the documents?

Wagner: Yes, the banks will print your chargeback response and throw it on someone’s desk. That person will manually flip through it and decide whether to side with the merchant when he or she has already agreed with the cardholder. So the formatting and images matter. We keep text to a minimum — two to three sentences. Folks are visual. It’s all in the format, the graphics, the images, and how it’s presented.

We’re software-based, meaning we programmatically ingest data from Shopify and other sources and then add those into our automated response. We manually review our responses to ensure they’re up to par and if we have any custom evidence, but typically over 90% of responses are unchanged from what our system generates.

Bandholz: Can’t you just use Shopify’s fraud analysis?

Wagner: Shopify’s fraud analysis is too basic and not always helpful. It might have 10 data points without explaining the reason for flagging a chargeback as low or high risk. For instance, Shopify might mark a chargeback as low risk even if the order was placed outside of North America and shipped to California. It doesn’t make sense. Conversely, many are flagged as high risk with no serious indicators. If you’re refunding those, then you’re losing money. We’ve run tests. Roughly 7% of Shopify’s medium-risk orders (and 35% of high-risk) turn into a chargeback. So the vast majority are legit buyers.

Bandholz: How much effort should merchants put into fighting chargebacks?

Wagner: It depends on your size, business model, and average order value. It becomes a necessary but labor-intensive process if we’re talking about higher average order values — hundreds to thousands of dollars. If your AOV is lower, you should not spend time on it.

When I ran ecommerce brands, we had an employee who would try to determine if an order was fraudulent. She’d call everyone in the office and say, “Guys, look at this.” End of the day, we still had a ton of chargebacks. It’s an imperfect process that is better not done by humans.

Bandholz: What’s Disputifier’s approach?

Wagner: We’ve developed an intuitive system over the years. It combines data from the transaction with our testing and identifies an appropriate response. It merges the two. It’s a customized response for every order but matches the template. That format has worked for us. It then goes through a manual review and gets submitted on a merchant’s behalf.

We make money by taking a percentage of orders we win.

When Shopify brands come to us, they’re winning around 25%. Our win rate is a bit over 50%, depending on the processor. Alternate payment methods seem to have a fair dispute process, whereas credit card issuers can be unpredictable.

Merchants should always require customers to agree to terms and conditions, including the refund policy, during the checkout. Customers cannot complete their order unless they click the box to agree. Sellers can then reference it if a customer falsely claims a refund. It significantly helps the win rate.

Again, this is for high AOV. I wouldn’t do it on low AOV. Plus, for very high orders — $5,000 or more — merchants should make an actual contract with the customer. This will help with a win, too. Never take a chance with a big purchase.

Merchants should test and determine what that winning response looks like. It’s tough for brands to figure out the entire chargeback process on their own. It’s murky. Every bank has slightly different rules.

Bandholz: Where can folks get your software?

Wagner: Our site is Disputifier.com. Follow me on Twitter at @themarkwagner or on Instagram and LinkedIn.