# Passkeys
source: https://developer.mastercard.com/ob-accept-payments/documentation/features/return-user-experience/passkeys/index.md

Note: This feature is currently in preview mode, so the documentation, including screenshots, will change during the pilot and release phases.

## 1. Introduction {#1-introduction}

Open Finance payments already give merchants a seamless way to accept payments directly from consumer bank accounts. A passkey-based cross-merchant return user experience speeds up Open Finance payments by securely pre-filling the consumer's bank and account details during payment initiation, reducing two SCAs to one for banks that enforce double authentication and removing bank or account selection for those that do not.

After a consumer's first successful payment, a secure, passkey-protected profile is created using their email address and phone number and enriched with the consumer's selected bank account. This allows returning consumers to authenticate quickly using a passkey, or a one-time passcode as a fallback, before reusing their saved account details with any merchant using Mastercard Open Finance services.

As a result, consumers benefit from a consistently streamlined, secure experience, with no need to reselect their bank and bank account on subsequent payments. For integrators and merchants, using this feature requires minimal to no additional engineering effort.

### How it works {#how-it-works}

**1. First-time payment and setup**   

The consumer completes their first Open Finance payment using the standard flow. After a successful payment, they are invited to enable Passkeys. If they accept, they will be informed about the profile setup and passkey creation process.

**2. Profile and passkey creation**   

The consumer verifies their mobile number with a one-time passcode and then creates their Mastercard payment passkey. Once set up, they are redirected back to the merchant's website. Their profile now contains their verified contact details and the bank account used for the completed payment.

**3. Returning user experience**   

For future payments, Mastercard recognises the consumer's profile and triggers the passkey prompt. The consumer authenticates with device biometrics such as facial recognition or fingerprint, or with a device PIN, and their previously selected account is automatically pre-filled. They are then redirected to their bank to authorise the payment. Banks needing double SCA will skip the first login. During the payment authorisation step, account selection is either skipped entirely or the account is preselected for the consumer, further optimising the payment steps. After a successful payment, the consumer is redirected back to the merchant.

**4. Fallback when Passkey is not available**   

If the consumer's profile is recognised but a passkey cannot be used because of an unforeseen scenario, Mastercard sends a one-time passcode for authentication to the registered email or phone. After verifying, the consumer can pay using their saved account and is prompted to set up a passkey for future use.

**5. Changing accounts later**   

If the consumer would like to pay with a different account in future, they can always select a new bank, complete a normal Open Finance payment and save the new bank account used for that payment to their current profile. The new bank account will then be available for pre-filling the next time they return to any merchant using Mastercard Open Finance services.

### User flows {#user-flows}

The Figma files below demonstrate typical end-to-end flows for a first-time user, a return user, and a user using the one-time passcode fallback option.

* **First-time user**
* **Return user**
* **One-time passcode recovery**

The following Figma board shows the complete user flows for each path: first-time use, return user, return user using one-time passcode, and adding a new bank account.

### Enabling passkeys {#enabling-passkeys}

To enable Passkeys, PSPs and merchants must complete the following steps:

* Contact your Customer Delivery representative with a list of merchants for whom you would like the Passkeys-based return user experience to be enabled.
* Ensure that a consumer's email address or mobile number is passed in the API request.

Note: Passing both an email address and a mobile number is recommended, as this accelerates enrolment by removing the need for manual data entry by the end consumer. If neither an email address nor a mobile number is provided, the API will not trigger Passkeys.

### Opting out of passkeys {#opting-out-of-passkeys}

If you do not want passkeys to be enabled in specific scenarios:

* For a specific merchant: Do not enable Passkeys for that merchant, or contact Customer Support to have it disabled.
* For a specific payment: Do not pass the consumer's email address or mobile number in the API request.

Note: It is the merchant's responsibility to determine how consumer consent is obtained before sending an email address or mobile number to the Mastercard Open Finance Services API to enable this feature.
