Physical Cards Hold the Keys to a Passwordless Future

Payment methods, authentication, Adam Lowe, CompoSecure, Arculus

It’s a problem that has dogged chief information and security officers at companies big and small: You have to fight fraud at all costs, and just as importantly, you need to make sure the payments experience goes off with minimal friction.

It’s a tension that has not escaped the attention of Adam Lowe, chief product and innovation officer at metal premium card issuer CompoSecure, whose digital security platform Arculus streamlines digital authentication processes and secures digital assets.

The password has proven to be sticky — and effective — across the decades. But FinTechs, merchants and banks, Lowe told PYMNTS in a recent interview, need new levels of trust and authentication — and the physical card itself can become a vehicle for a hands-free conduit to seamless commerce.

The company’s “tap to authenticate” passkeys mean that the cards themselves become a way to authenticate users. In doing so, said Lowe, there’s the ability to take a payment form factor that’s in millions of consumers’ pockets, while tying in digital features that keep people safe and secure as they go about their everyday financial lives.

At a high level, he said, passkey technology exists, essentially, as a digital key that unlocks an event — where the holder signs a digital message from which a “public” key can be extracted, proves the holder has possession of that key … and with that possession, there’s certainty that someone is who they say they are.

Lowe added that passkeys are often housed in a connected device — a mobile device, most visibly — that would be considered “hot — which means it’s connected to the Internet.” Those keys, he said are often synced to the cloud.

Building It Into the Hardware

Hardware-bound passkeys still function in the ways that cloud-based keys do, but are “burnt” into hardware that’s offline, said Lowe. Built into the cards issued by CompoSecure and underpinned by Arculus, he said, “it lives securely in my pocket — instead of being synced to the cloud, where it could potentially be hacked.”

With hardware-based passkeys in the mix, he said, preventing account takeover will be part of a “massively better customer experience, with reduced fraud — and provisioning new devices will keep the ecosystem secure.”

The broader stage’s set for the adoption of passkeys, he said, as the tech giants such as Apple, Microsoft and Meta have been throwing their support behind passkeys as a means to access accounts. Governments have joined on, too.

Burning those passkeys into the cards, he said, has been an initiative governed by a startup principle that identifies a need and sets out to address that need.

At the moment, he said, financial services firms’ executives are relatively less aware of passkeys built into physical cards. But the cards themselves address the pain points inherent in striking a balance between friction, authentication and the customer experience. CFOs and other executives, he said, are keenly aware of account takeovers and fraud — and they know something needs to be done, but need to enlist the aid of Lowe’s company to get the balance right.

Lowe said, too, that the cards are part of a larger ecosystem.

“I can be working on my laptop or desktop and either push to the mobile or I can scan a QR code … no matter what interface you’re on, we can still have it work seamlessly with the card,” he said.

With “one tap” and secure transactions, he said, there’s also zero trust architecture.

“So this is the best of both worlds,” he said, adding that with that combination of security and seamlessness, sales conversations often involve a broad array of stakeholders, from business owners, bankers and chief information security officers.

“You’re talking to the fraud teams and the chief experience officers,” he said, “so you need to touch on engagement [with consumers] too.”

One visible use case: tapping to pay for, or even win Beyonce tickets, or cutting down on time spent with call centers by tapping a card into an automated system that proves the customer’s identity cryptographically — cutting down on banks’ operating costs.

“There’s been a huge ROI, he said, “that shows a CFO how the platform can benefit them.”

As he told PYMNTS, echoing chef Alton Brown, “you should never have something in the kitchen that does only one thing — and the card in your pocket should not do just one thing, either. It should be your payment card, your hardware authenticator. And if you’re into Web3, it should be your hardware wallet as well.”