Visa has unveiled new digital products and services based on biometrics and passkeys, as it aims to address rapid changes in AI and digital identity technology. WhatsApp has expanded its passkey availability for all users. And the FIDO Alliance welcomes a new board member, while researchers question how airtight its security protocol really is.

Visa says passkeys among innovations transforming digital commerce

In a release, Jack Forestell, Visa’s chief product and strategy officer, says the digital payments industry is at a pivotal point, and that Visa has responded with “the next generation of truly digital-native payment card experiences,” which will “bring consumers into a more customized, convenient and secure future.”

Forbes predicts that 20 percent of payments in 2024 will be made online. At its annual Payments Forum in San Francisco, Visa showcased all the ways in which it is aiming to change secure payments, from a new flexible credential to the expansion of passkeys to its Click to Pay system.

The Visa Payment Passkey Service employs biometrics and cryptography to confirm a customer’s identity and authorizes online payments with a scan of face or fingerprint biometrics. Visa says the service, which is built to the latest FIDO standards, is intended as a defense against increased fraud. Its first deployment will integrate Visa Payment Passkey Service into its Click to Pay system.

Forestell says passkeys can replace passwords or one-time codes, enabling more streamlined, secure transactions.“There is a global desire to find commonality, interoperability and simplicity for online payments. Our passkeys, designed specifically for payments, represent a massive paradigm shift in our industry because it confirms identity without interrupting the checkout experience.”

Other digital payments products showcased at the forum include the Visa Flexible Credential, which will allow card users to access multiple accounts through a single card by toggling between options such as debit, credit and rewards points. The system is already live in Asia and will be launching with Affirm in the U.S. this summer.

As well, Visa has expanded its already wildly successful tap to pay program, which had reached 65 percent penetration globally by the end of 2023. Its Tap to Confirm feature simplifies identity authentication for online shopping, while Tap to Add Card increases security when adding a card into a wallet or app.

Bank-based payments, AI-based fraud monitoring of account-to-account payments, and a generative AI data token system for personalized shopping assistance in real-time. The new products and services will begin to roll out later this year.

WhatsApp expands passkeys on iOS

India Today reports that WhatsApp has made passkeys an option for all users, following a phased rollout on Android and iOS, the latter of which had lagged behind. The latest WhatsApp for iOS 24.9.78 update, now available on the App Store, has passkeys enabled. Verification and authentication can be conducted via including facial recognition, biometrics, or a PIN stored on Apple’s passkey manager. “Upon setting up a passkey, it will be securely stored in the iCloud Keychain, enabling users to access WhatsApp using their device passcode or biometric authentication instead of the conventional 6-digit code,” says the article.

Exposed session cookies could be FIDO2 Achilles’ heel

Recalling a cartoon in which someone tries to plug a leak, only to have another spring, an article in Dark Reading argues that the march to implement passkeys may be blinding some businesses to potential vulnerabilities.

“Many organizations that have implemented passwordless authentication via the FIDO2 standard may be undermining some of the security benefits of the approach by not properly securing the sessions that take place after authentication happens,” writes Jai Vijayan. He cites new analysis from Silverfort showing how man-in-the-middle (MITM) attacks can be used to try and steal session cookies and transact as a legitimately authenticated user.

Researchers are “concerned that organizations will have a false sense of security that they are completely protected from a MITM attack if they use FIDO2,” arguing that “Most applications do not protect the session tokens created after authentication is successful,” leaving them exposed to fraudsters. Dor Segal, a security analyst with Silverfort, says the firm “tested Yubico, EntraID, and Ping and in every case, we saw that FIDO2 did a great job securing the authentication, and the SSO provider. However, it did not prevent an attacker from stealing the session tokens, leaving the Web application vulnerable.”

In other FIDO news, a release says Arm, the semiconductor design company, has joined the alliance’s board of directors. “As FIDO Alliance membership now exceeds 100 participants, Arm is moving from sponsor to board membership, taking on an important leadership role within the FIDO ecosystem,” says Michael Barrett, president of the FIDO Alliance.

Article Topics

biometrics  |  FIDO Alliance  |  FIDO2  |  passkeys  |  passwordless authentication  |  Visa