Following the introduction of passkeys for customer logins on Apple devices and Google Android services in the United States, PayPal has expanded the technology to Australia.
Passkeys allow users to log in without entering a password. Instead, the user is verified with cryptographic key pairs and digital credentials, such as fingerprint or facial recognition.
Passwords are no longer considered fit for purpose because people reuse the same, easy-to-remember logins for multiple apps and websites.
Passkey technology was developed by the FIDO Alliance and the World Wide Web Consortium and was designed to protect against phishing, “credential stuffing” and other remote attacks.
Because passkeys are linked to the app or website they were created for, users cannot be tricked into using their passkey to sign in to a fraudulent app or website. Passkeys are also encrypted, so that not even Apple or Google can read them.
They are more convenient than passwords because users do not have to create them, remember them or update them.
However, commentators have pointed out that the technology is new and not yet widely supported. Also, if the user’s device is lost or stolen, anyone who can unlock the device may be able to use the passkeys.
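The link between a passkey and its website, described above, is visible in the WebAuthn sign-in response: the browser records the origin of the page and the authenticator includes a SHA-256 hash of the site's relying party ID, and the site checks both. The Python below is an added example, not code from PayPal or the FIDO Alliance, showing those checks on a constructed response. The domain names, challenge value and function names are assumptions made for illustration, and verification of the passkey's signature is a separate step that is not shown.

```python
import base64
import hashlib
import json

RP_ID = "pay.example"                    # hypothetical relying party ID
EXPECTED_ORIGIN = "https://pay.example"  # hypothetical legitimate origin


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the two byte strings returned at sign-in."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags = bytes([0x05])                # user present (0x01) | user verified (0x04)
    sign_count = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return client_data, auth_data


def check_binding(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(challenge):   # blocks replay of old responses
        failures.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:        # page the browser was really on
        failures.append("origin")
    if len(auth_data) < 37:                        # 32-byte hash + flags + counter
        return failures + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")                # site the passkey was used for
    if not auth_data[32] & 0x01:
        failures.append("user presence")
    return failures


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = make_assertion("https://pay-example.test", "pay-example.test", challenge)
    print("genuine site:  ", check_binding(*genuine, challenge))
    print("look-alike site:", check_binding(*lookalike, challenge))
```

A response produced on the look-alike domain fails both the origin and the relying party ID checks, so it cannot be forwarded to the real site and accepted.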
The financial services industry is keen to offer consumers more secure access to their services in the face of the growing risk of cybercrime, but there are still issues to resolve.
In a recent paper on tokenisation (another secure online access technology), the Reserve Bank said such services play an important role in improving security, but merchants and payment service providers continue to retain sensitive consumer details, which undermines the security benefits of tokenisation.
The RBA also said there may be a requirement to introduce some standardisation into the use of these technologies to ensure they work efficiently.