FIDO Passkeys in 3-D Secure: A Powerful Step Forward, but No Silver Bullet

Passkeys and the broader FIDO ecosystem are poised to transform how card-not-present payments are authenticated. EMV 3-D Secure (3DS) was built to enable issuers to verify cardholders during e-commerce transactions, but in practice it has often relied on brittle mechanisms such as passwords, SMS one-time passcodes (OTPs), or clunky app redirects. FIDO-based passkeys offer a way to modernize that challenge step with phishing-resistant, cryptographic authentication while remaining within the EMV 3DS framework.

For financial institutions (FIs) and card issuers, this is an attractive proposition: stronger fraud controls, improved regulatory alignment, and reduced customer friction. However, passkeys are not a universal solution, nor are they always optimal when deployed directly within live 3DS challenge windows. To achieve banking-grade results, issuers must understand where FIDO excels, where it faces challenges in 3DS environments, and how it should be combined with existing fraud and risk-management capabilities.

Why are passkeys important for 3DS authentication?

3DS plays a critical role in protecting online card payments, but many traditional challenge flows still rely on authentication methods that are vulnerable to phishing, credential theft, SIM-swap attacks, and social engineering. Passkeys and FIDO-based authentication offer a phishing-resistant, low-friction alternative that improves both security and customer experience.

How does FIDO authentication work for card issuers?

Passkeys are built on FIDO2/WebAuthn standards, which replace shared secrets such as passwords and OTPs with asymmetric cryptographic key pairs stored in secure device hardware. The issuer or merchant stores only a public key, while the private key never leaves the consumer’s device. Consumers unlock the private key using familiar actions such as Face ID, fingerprint recognition, or a device PIN.

What are the benefits of FIDO passkeys for 3DS authentication?

The strengths of FIDO align naturally with the objectives of 3DS:

• Passkeys are highly resistant to phishing and credential replay attacks.
• Passkeys can satisfy Strong Customer Authentication (SCA) requirements while reducing customer friction.
• FIDO-based authentication aligns with EMVCo’s long-term direction for browser-based payments.

How does FIDO work within EMV 3DS?

Both issuer-side challenges and merchant-delegated authentication are explicitly supported in industry guidance and technical specifications, each with its own trade-offs. The goal is to integrate FIDO’s strong authentication capabilities into the EMV 3DS ecosystem rather than replace it.

When implemented successfully, passkeys can make the 3DS challenge process both stronger and more seamless.

What are the limitations of FIDO passkeys for live 3DS interactions?

Despite these advantages, passkeys are not a perfect fit for every live 3DS challenge scenario. Several practical issues emerge when moving from concept to production deployment.

• 3DS challenges often appear in iframes, pop-ups, or webviews that can feel visually disconnected from the merchant experience. Cardholders may encounter a small branded window requesting biometric authentication or device unlock with limited context. If the transition from “Confirm Purchase” to a biometric prompt is not clear and intuitive, customers may hesitate or abandon the transaction.
• Device and platform diversity is amplified at checkout. In issuer-controlled applications and websites, supported platforms can be managed and optimized. In a live 3DS challenge, however, customers may be using a borrowed device, an outdated browser, a corporate laptop, or a merchant application running within a constrained webview.
• 3DS is inherently transaction-centric, whereas passkeys are identity-centric by design. WebAuthn authenticates the user to a relying party, while 3DS must confirm that the user has approved a specific payment transaction.
• Consumer-grade credential synchronization and recovery mechanisms introduce assurance challenges. Many passkeys are synchronized through platform cloud accounts, which greatly improves usability. However, it also shifts some aspects of credential lifecycle management and recovery into environments that are not directly controlled by the issuer or merchant.

None of these challenges are insurmountable, but they demonstrate that passkeys deliver the best outcomes when implemented alongside deep expertise in 3DS, fraud management, and user experience design.

Why is risk-based authentication still so important?

Even with an ideal passkey deployment, 3DS cannot reduce fraud prevention to a simple question of whether authentication succeeded. Strong authentication is a necessary but insufficient condition for securing card-not-present transactions.

Fraud patterns such as synthetic identities, mule accounts, and socially engineered purchases can still succeed despite strong authentication. Malware and remote-access tools may also operate behind otherwise legitimate passkey flows. In these situations, the passkey has performed exactly as intended by verifying that the individual interacting with the device is the registered user. The issue is that the authenticated user may not be acting in their own best interests.

A modern 3DS strategy must therefore remain risk-based. Passkeys should be treated as a powerful positive signal within a broader decisioning framework that incorporates device intelligence, behavioral biometrics, network risk signals, historical spending patterns, merchant risk assessments, and transaction-specific analytics.

A transaction that is FIDO-authenticated on a trusted device, demonstrates familiar behavior, and involves a typical purchase amount may safely proceed with minimal friction. Conversely, a transaction that is FIDO-authenticated but exhibits highly anomalous behavior, unfamiliar device characteristics, or suspicious payment patterns should still be challenged further or blocked entirely.

In other words, passkeys strengthen the answer to the question, “Who is this?” However, issuers must continue asking, “Is this activity safe?” for every transaction.

How do issuers build banking-grade FIDO for 3DS?

For issuers, banking-grade FIDO within a 3DS environment is less about different cryptography and more about effective placement, orchestration, and lifecycle management.

A pragmatic approach includes:

• Using passkeys extensively within issuer-controlled environments such as online banking portals and mobile applications, where user experience and platform constraints can be carefully managed.
• Reusing those strong authentications within a 3DS context by passing FIDO-derived signals into the issuer’s Access Control Server (ACS) and risk engines, thereby reducing the need for additional challenges when recent strong authentication already exists.
• Introducing passkey challenges directly into 3DS flows only where platforms and integrations are well understood, such as thoroughly tested browser-based or app-to-app experiences, while always presenting clear transaction context.
• Maintaining robust fallback authentication methods that continue to meet compliance, security, and fraud-control requirements when passkeys are unavailable.

What is the role of fraud intelligence in secure FIDO passkey deployments?

Critically, FIDO data should be integrated into existing fraud-management ecosystems rather than treated as a standalone capability. Passkey events should feed into fraud-management platforms, behavioral biometric engines, device-fingerprinting systems, and case-management tools.

Combining these signals enables issuers to maintain low challenge rates, make more accurate risk decisions, and prioritize alerts when suspicious activity occurs despite strong authentication.

Conclusion: The path to FIDO authentication for issuers

When implemented appropriately and supported by risk-based decisioning and established fraud-management capabilities, FIDO passkeys can significantly reduce phishing risk and authentication friction. However, they are not a standalone solution.

Banking-grade security emerges when FIDO is integrated as one component of a layered, intelligence-driven 3DS strategy—not when it is treated as a standalone solution capable of eliminating fraud on its own.

‍