
Solving the Convenience and Security Equation

by Mathilde Bonneau, Government Relations

PayPal has remained at the forefront of the digital payment revolution for more than 25 years by creating innovative experiences that empower over 400 million consumers and merchants to move money easily and securely.

Safety is a cornerstone of our global operations, and we are committed to protecting our users across the approximately 200 markets that we serve. In this piece, we detail the latest developments in authentication security and share recommendations for policymakers to enable increased safety in the digital economy.
 

Passwords: An Ancient Solution

Passwords can be traced back to ancient Rome where ‘watchwords’ were used by the Roman military to sustain trust within communities. Today, passwords are ubiquitous online, with a typical customer requiring a vast number of passwords to access their frequently used websites and apps.

This poses a number of challenges. Creating, remembering, and managing hundreds of unique passwords is extremely complex. In addition, passwords can be easy for criminals to guess or steal, and many passwords are no longer a secret following several large-scale data breaches.

Criminals now actively trade passwords in bulk online and deploy credential stuffing attacks, taking advantage of users who reuse passwords across multiple accounts to gain unauthorized access to their other accounts. 87% of breaches now involve stolen, weak, or default passwords.

Multi-factor authentication (MFA) is frequently proposed as a way to mitigate these problems. However, there are multiple approaches to MFA, and some are weaker than others. Criminals have established ways to circumvent and compromise traditional MFA, e.g. by compromising one-time passcodes through techniques such as SIM swapping.
 

Towards A Modern Solution

At PayPal, we believe customers must be able to leverage the most secure technologies for authentication. This is not always a password or a one-time code.

An optimal authentication experience must remove cognitive pressure from users, must be less prone to phishing and other attack vectors, and must be secure and convenient.

The transition from completing payments with physical coins in ancient Rome to digital payments today mirrors our current crossroads with authentication. We must now move towards a modern solution: one that embraces the technologies of our era for superior security and usability.

That’s where Passkeys come in.
 

Introducing Passkeys

Passkeys let users sign in to apps and websites with the same seamless, familiar action they use to unlock their device, such as biometrics (fingerprint, face scan). This modern MFA solution is based on an industry standard created by the FIDO Alliance and the World Wide Web Consortium.

Passkeys are designed to replace traditional passwords: they are resistant to phishing and do not need to be remembered for each of the user’s websites or mobile apps, making them significantly more secure and user-friendly. Behind the scenes, technology based on cryptographic key pairs that are never exposed to the user handles the authentication between the user’s device and the app or website.

Signing in with a saved Passkey on Android 15

 

But does it work?

Rakan Khalid, Senior Director, Identity Product at PayPal, and FIDO Alliance board member, shares:

“PayPal was a founding member of the FIDO Alliance. We have been deploying Passkeys to users, first in the US and now increasingly around the world. We plan to accelerate the availability of Passkeys across PayPal in 2025 based on the significant security and convenience gains we continue to observe. For example, we see a 10%+ increase in login success rate with Passkeys compared with traditional password methods. Moreover, Account Takeover (ATO) rates for transactions where a Passkey is used for authentication are 70% less compared to password-based authentication.”
 

Making Passkeys more ubiquitous

User adoption will be key to making the technology a success.

Passkeys are gaining traction with support from major tech companies. They are being integrated into browsers, operating systems, and other services, paving the way for broader adoption and a potential shift away from traditional passwords. Industry should take a customer-first approach to Passkey deployment, to ensure that the experience is intuitive to use across websites, mobile apps, browsers and devices.

Government agencies now increasingly recognize Passkeys too. In the US, NIST has cited the phishing resistance of Passkeys in new guidance, as have the Dutch and UK national cybersecurity centers, and in Australia, citizens can access government services using Passkeys.

Passkeys represent an excellent step forward. Still, more needs to be done to increase the security of the digital economy.
 

Recommendations For Policymakers

Payment providers must be able to deploy the best authentication solutions possible: ones that are the most secure and most convenient. Regulation must therefore be innovation friendly and future-proof, to enable Passkeys today, as well as the innovations of the future.

To deliver this outcome to customers, and to increase the security of the digital economy as a whole, PayPal encourages policymakers to:

  1. Promote legislative and regulatory standards that are risk- and outcomes-based. Regulation should focus on the outcomes that are sought within an established accountability and transparency framework, leaving the how to the industry to develop and innovate. Overall outcomes (i.e., fraud reduction, convenient customer experiences, consumer trust, competitiveness, and innovation) should be considered, with a view to deliver the optimal outcome for the end-user.
  2. Design technology neutral legislation and regulation. Prescriptive technological guidelines tend to bring the level of security and customer experience down to the lowest common denominator. Payment providers with advanced authentication solutions that are more convenient and secure may not be able to deploy them optimally and instead must scale back to subpar approaches. 
  3. Recognize that increased user friction is not correlated with increased security. Security can be delivered together with convenience to reduce the cognitive pressure on users e.g. via new innovative authentication methods like Passkeys that are capable of utilizing a combination of factors (inherence/knowledge and possession).
     

Detailed Recommendations

In the EU, we welcome the European Commission’s proposal in the draft Payment Services Regulation (PSR) to make the Strong Customer Authentication (SCA) framework more flexible. This will improve the industry’s ability to bring secure, innovative, and accessible solutions to EU consumers.

  • To ensure an outcomes-based approach, we recommend that the PSR mandates the EBA to review the technical standards in a way that removes prescriptive guidelines and that the objectives of fraud reduction and accessible customer experiences are considered equally.
  • To promote a risk-based approach, we recommend that policymakers clarify that the outcome of transaction monitoring determines the application of SCA. An approach truly based on risk would incrementally add controls when transaction monitoring analysis considers the transaction as higher risk.
  • To improve the accessibility, security and convenience of SCA solutions, the rules should encourage SCA methodologies that can be performed on the same device on which the customer is transacting (e.g., only a laptop), without the need for a second device such as a smartphone or tablet. Technologies like Passkeys or behavioral biometrics permit this without compromising security.

In the UK, PayPal welcomes the National Payments Vision released in November 2024, which introduces three core principles of innovation, competition, and security to guide future governmental and regulatory activity on payments.

  • In the area of authentication, we especially welcome the announcement to repeal restrictive SCA rules, with aspects of the existing technical standards instead incorporated into the FCA's rules and guidelines.
  • We are committed to supporting the UK’s ambitions for the payments sector to deliver world-leading payments and economic growth. We look forward to contributing to these objectives through our support of the Vision Engagement Group.