How Do Passkeys Work?

At Affirm, we prioritize our customers' financial safety on our platform, and we’re always working to enhance user experience and security. That’s why we’ve decided to implement Passkeys as one of our authentication mechanisms.

When customers log into Affirm today, they’re prompted to enter a 6-digit authentication code, also known as a one-time password. This is sent via text message (SMS) to ensure that they’re the owner of the device. While this approach offers numerous security benefits, it is dependent on a physical device and the ability to receive SMS messages—both of which can be stolen or accessed illegally.

Passkeys address these risks, enabling users to log into Affirm from their device with a more convenient and secure validation method. Here’s how they work:

  • A passkey refers to your device-specific secret. When you create a passkey, your device generates a cryptographic pair of keys—one private, one public. The private key is stored on your device, while the public key is registered with Affirm.
  • When you log in with a passkey, Affirm sends a challenge to your device, which responds with a unique signature tied to the private key. You’ll then be prompted to use the associated PIN or biometric input (like a fingerprint or face scan) to authorize the authentication process.
  • From there, Affirm verifies the signature by using the previously registered public key and any information collected during the device registration.
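
The three steps above, written out as an added example (not Affirm's code) that follows the WebAuthn layout passkeys use, where the device signs its authenticator data plus a hash of the client data. `RP_ID`, `ORIGIN` and all function names are assumptions for illustration, and the sign counter is left at zero.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'example.test';            // assumed relying-party ID
const ORIGIN = 'https://example.test';   // assumed origin the server expects
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Registration: the device creates the key pair; the server keeps only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Device side: userVerified models the outcome of the PIN or biometric prompt.
function deviceSign(device, challenge, origin, userVerified = true) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flags = 0x01 | (userVerified ? 0x04 : 0);  // user-present bit, user-verified bit
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Server side: every check must pass before the signature counts as a login.
function serverVerify(server, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== ORIGIN) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rp-id';
  if ((a.authData[32] & 0x04) === 0) return 'user-not-verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, server.publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenarios: one valid login and four responses the server must reject.
function demo() {
  const { device, server } = register();
  const c1 = crypto.randomBytes(32), c2 = crypto.randomBytes(32);
  const good = deviceSign(device, c1, ORIGIN);
  return {
    login: serverVerify(server, c1, good),
    replay: serverVerify(server, c2, good),  // old response against a fresh challenge
    wrongOrigin: serverVerify(server, c1, deviceSign(device, c1, 'https://other.test')),
    noUserCheck: serverVerify(server, c1, deviceSign(device, c1, ORIGIN, false)),
    otherKey: serverVerify(register().server, c1, good),  // public key of a different passkey
  };
}
```

Because the challenge and origin sit inside the signed data, a captured response cannot be reused for a later login or accepted from a different site.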

Once the authentication logic is performed and you’re confirmed as the owner of the device, you’ll find it much easier (and more secure) to use Affirm. We hope you enjoy the added peace of mind that passkeys provide and wish you safe browsing!