
Leading payment networks are pushing for password-free checkout everywhere by 2030. Why?
Passwords are hard for users to remember, introducing painful checkout friction that costs merchants $18 billion annually. They’re also not the most secure option — e-commerce fraud is growing, reaching a record high of $10.2 billion in estimated annual losses in 2024. With the projected rise of agentic commerce, this problem will likely worsen because agents buying on behalf of users can be easily jailbroken and manipulated.
Delivering a seamless password-free checkout experience that’s secure for customers, payment networks, and merchants hinges on one critical ability: accurately identifying returning users.
In this article, we’ll dive into the benefits of password-free checkout and the strengths and limitations of password alternatives. Then, we’ll look at how to offer a seamless checkout experience for trusted users by invisibly recognizing returning users.
The benefits of password-free checkout
We’ve all been there: Just as you’re ready to check out, you’re asked for a password for an account created months or years ago. Faced with this friction, 42% of customers abandon their cart when they can’t remember their password. It’s easy to see why passwords are a pain to remember — the average person manages 255 passwords across their personal and professional lives, leaving 70% of consumers feeling overwhelmed with password management. As a result, merchants lose customers due to cart abandonment, which also reduces transaction volume for payment networks.
Beyond user frustration and conversion loss, there are also security risks. Passwords are easily compromised and regularly exposed, as seen in a recent report that revealed how 16 billion credentials have been leaked over the years. Attackers use these compromised credentials to breach other systems, creating a massive vulnerability in the ecosystem. In fact, 80% of data breaches are attributed to leaked passwords.
These security vulnerabilities also contribute to higher rates of e-commerce fraud. Fraud is seven times higher for purchases made online compared to in-store, resulting in $10.2 billion in losses for merchants and card issuers (not to mention additional operational costs incurred by payment networks to support fraud investigations). Additionally, higher levels of fraud can erode customer trust in card issuers and payment networks, potentially damaging brand reputation and reducing card usage.
A password-free checkout flow can help merchants and payment networks overcome these challenges. If done right, it’s a win-win across the ecosystem:
- Customers have an easier way to check out while still protecting their identity and data.
- Merchants convert more sales by reducing friction without increasing the risk of fraud or data breaches.
- Payment processors and networks see higher transaction volumes, build brand trust, and reduce fraud risk and disputed payments.
Alternatives to traditional passwords: Challenges and limitations
Payment networks have developed new technologies to overcome the limitations of traditional password-based authentication, such as:
- One-time password (OTP): An OTP requires a user to verify their identity by entering a code sent to their phone number or email. However, OTPs can be intercepted through man-in-the-middle, phishing, and SIM-swapping attacks (which have been increasing).
- Passkeys and biometrics: A passkey uses public-key cryptography to authenticate users securely. On personal devices, a private key is stored locally and unlocked through biometrics (like the user’s face, fingerprint, or voice pattern) or a fallback option such as a PIN. In ideal conditions, users can authenticate themselves using biometrics in under a second. This method is more secure than OTPs but not entirely foolproof; for example, voice phishing is actively on the rise.
While less frustrating than passwords, these alternate approaches still introduce friction. Users have to wait for OTP codes or re-request them if they aren’t received. Biometrics can fail if users are in less-than-ideal conditions, like if they’re in a dimly lit area or if their fingers are wet or dirty. This friction creates a negative user experience, which can hurt conversion: 90% of shoppers say a smooth checkout is a make-or-break requirement for completing the transaction (and coming back).
But while these methods can cause frustration, they can be helpful in higher-risk cases, such as when:
- The user is new or unknown
- You suspect a fraudulent transaction
- You want to introduce friction to provide an extra level of reassurance for trusted users (e.g., when they make a very large purchase)
Identifying returning users invisibly
When a trusted user has already visited your website, you should be able to recognize them and give them a completely seamless checkout experience. Here’s an overview of the most common methods that can be used to identify returning users invisibly:
- Cookies: Cookies are small pieces of data kept in the browser that record information about a user’s previous interactions with a website. While simple to implement and universally supported, they only recognize a returning customer who is using the same browser as before, and users can easily block or delete them. Additionally, cookies raise privacy concerns because they're often used to track users across multiple domains, leading to a global push by governments to enact regulations to protect user data.
- IP address: An IP address is a unique numerical identifier assigned to a device on an internet-connected network, and it can be used to recognize returning users. However, it is a fragile signal. On average, an IP address lasts for 7 months, but it can also change within a week. Additionally, the IP address associated with a user’s device can change depending on their behavior, such as when they switch between Wi-Fi and cellular networks or when they use a VPN.
- Device intelligence: Instead of looking at a single piece of data like an IP address or relying on easily deleted and blocked cookies, device intelligence combines multiple signals from a user’s browser, device, and network to create a unique visitor ID for that specific device. This includes factors such as screen resolution, installed fonts, browser settings, and hardware specifications. Because the underlying attributes don’t change often, the device fingerprint persists for much longer than cookies or IP addresses, making it a reliable solution for invisibly and securely recognizing returning users.
How to use device intelligence to build passwordless checkout experiences
Here’s how you can use device intelligence to provide a passwordless experience for trusted users while also protecting against bad actors:
One-click checkout: After recognizing returning users, you can offer them their previously used card to complete transactions by linking sessions to EMV tokens (i.e., a substitute identifier for a user’s card number) and/or Click to Pay activity (i.e., digital wallet service that enables smooth checkout). These options allow users to simply click one button to securely complete the entire transaction.
Prevent fraud: By linking sessions to device history, payment networks and merchants can stop two types of fraud:
- Card-not-present (CNP) fraud: You can detect CNP fraud by flagging unknown or suspicious devices attempting to complete transactions.
- First-party fraud: When customers falsely claim they didn't make a purchase, you can use the device's history as evidence to dispute these fraudulent chargebacks. If the user’s device has a track record of legitimate purchases, you can present this to payment networks to help win chargeback disputes.
Escalate friction based on threat levels: Use device intelligence signals to identify potentially suspicious activity (e.g., a login attempt from a new device in a new location). Then, you can dynamically adjust the user experience to introduce authentication friction, such as OTP or biometrics verification.
Identify bots and AI agents: Malicious bots now account for 30% of internet traffic, and this problem is expected to worsen with the emergence of agentic commerce, as AI agents are highly vulnerable to hijacking via prompt injection attacks and jailbreaking. If an AI agent has access to a user’s payment information, it can easily become a new vector for payment fraud. To address this issue, companies should use signals like virtual machine detection and residential proxy detection to differentiate between legitimate and malicious AI agents and bots.
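The escalation policy described in the last two items, as an added example (not code from this article or from any vendor's SDK). The `Signals` field names, the constructed `HISTORY` data and the 50,000-cent threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

# All field names and thresholds are assumptions for illustration, not a vendor schema.
@dataclass(frozen=True)
class Signals:
    visitor_id: str          # device identifier from a server-side lookup
    country: str             # geolocated country of the request
    vm_detected: bool        # virtual machine detection
    residential_proxy: bool  # residential proxy detection

# Constructed history: account -> {visitor_id: (last country, completed purchases)}.
# The purchase count is what would back a first-party-fraud dispute.
HISTORY = {"acct-1001": {"vis-aaa111": ("US", 7)}}
LARGE_ORDER_CENTS = 50_000   # assumed step-up threshold for very large purchases

def decide(account, sig, amount_cents, history=HISTORY):
    """Return (action, reasons); action is 'one_click', 'step_up' or 'review'."""
    reasons = []
    seen = history.get(account, {}).get(sig.visitor_id)
    if seen is None:
        reasons.append("unknown_device")
    elif seen[0] != sig.country:
        reasons.append("new_location")
    if sig.vm_detected:
        reasons.append("virtual_machine")
    if sig.residential_proxy:
        reasons.append("residential_proxy")
    if amount_cents >= LARGE_ORDER_CENTS:
        reasons.append("large_order")

    evasive = sig.vm_detected or sig.residential_proxy
    if seen is None and evasive:
        return "review", reasons      # unknown device hiding its origin: hold the order
    if reasons:
        return "step_up", reasons     # ask for OTP or passkey before charging
    return "one_click", reasons       # trusted device, nothing unusual

def record_purchase(account, sig, history=HISTORY):
    """Enrol or update a device only after a completed purchase
    (one that passed step-up, if step-up was required)."""
    devices = history.setdefault(account, {})
    _, count = devices.get(sig.visitor_id, (sig.country, 0))
    devices[sig.visitor_id] = (sig.country, count + 1)
    return devices[sig.visitor_id]
```

Feed `decide` only signals fetched server-side for the session; a visitor ID accepted as a plain field from the browser is client-controlled input and cannot anchor a trust decision.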
Device intelligence powers password-free checkouts
Ultimately, a password-free checkout is about creating a safe, frictionless customer experience that elevates the e-commerce ecosystem. Device intelligence provides a foundation for building seamless and secure checkout experiences by identifying returning users without compromising security, privacy, or accuracy.
A comprehensive device intelligence platform allows you to offer seamless login experiences for trusted devices while flagging fraudulent activity from humans, AI agents, and bots.
Interested in learning how Fingerprint can help enhance a seamless checkout experience? Contact us for a personalized demo.