OneSpan - Securing Digital Identity for the Era of Agentic Commerce

Commerce continues to evolve — from physical storefronts, to ecommerce, and now toward an emerging paradigm where AI agents act, decide, and transact on behalf of users. In this new era, identity becomes the control plane that determines trust, security, and user experience across automated digital interactions.

Rolf Lindemann of OneSpan highlights why digital identity must be verifiable, privacy-preserving, and interoperable to support this transformation — and why the shift represents both an immense opportunity and a growing challenge for businesses worldwide.

From Storefronts to E-commerce: How Scale Rewired Trust

Traditional brick-and-mortar commerce relied on physical presence and direct human interaction. You saw the product, exchanged cash or an EMV-protected card, and walked out with the goods. Trust was local and did not scale through network effects.

Ecommerce rewired the model entirely. Digital platforms built two-sided networks where buyers and sellers fueled each other’s growth. Data-driven recommendations boosted search, relevance, and conversion. But scale also empowered attackers: card-not-present fraud, account takeover (ATO), and refund abuse surged globally.

Industry estimates placed global ecommerce fraud losses at USD 44 billion in 2024, with projections exceeding USD 100 billion by 2029. Many organizations report losing nearly 8% of annual revenue to fraud. Identity became not just a security measure, but a determinant of customer retention — every password reset, delay, or failed login risks an abandoned cart.

Passwordless Authentication: A More Secure and Frictionless Experience

To reduce friction without compromising security, leading ecommerce providers are replacing passwords with phishing-resistant authentication such as passkeys. Companies like Amazon and Costco have already deployed them at scale.

Passkeys — based on FIDO authentication — use a cryptographic challenge-response mechanism tied to a biometric or device gesture. They offer:

• Strong protection against phishing
• A seamless login process
• Lower risk of ATO
• Higher conversion thanks to more logged-in sessions

When implemented correctly, passkeys improve both security and user experience — a crucial step toward preparing for automated, agent-driven interactions.

The Rise of Agentic Commerce

The next wave of digital commerce is defined by AI agents that can:

• Compare products
• Negotiate prices
• Execute payments
• Track delivery
• Delegate tasks to other agents

Today, users remain “in the loop” before finalizing a purchase. Tomorrow, they may only define rules, budgets, and preferences — letting agents act autonomously within those guardrails.

This shift changes where persuasion, trust, and verification occur. Instead of competing on UI, merchants must optimize:

• Machine-readable catalogues
• Authenticated product claims
• Structured metadata for AI consumption

Major ecommerce vendors are already adjusting product data to remain visible to AI-driven search and evaluation systems.

Agentic commerce also raises new identity questions: Businesses must differentiate not only humans from fraudsters, but trusted agents from untrusted or malicious ones.

Sharing passwords with AI agents — or expecting agents to complete CAPTCHAs — is not viable. Instead, companies will need verifiable digital credentials that can be presented by both users and their agents.

Digital Credentials: The Identity Layer for Agentic Commerce

The future requires a generalized version of the FIDO concept: cryptographically secure digital credentials, issued by trusted authorities, that can be shared by humans or AI agents in a privacy-preserving way. These credentials must be:

• Interoperable — usable across platforms and vendors
• Verifiable — anchored in cryptographic trust
• Privacy-preserving — minimizing personal data exposure
• Scalable — functioning at internet scale

This is the identity foundation that will make safe agentic commerce possible.

What Good Looks Like: Steps to Take Now

All players in the commerce ecosystem can begin preparing today.

Merchants

• Publish agent-readable catalogues and enforce clear policy terms.
• Deploy passkeys to reduce friction and prevent ATO.
• Strengthen protection against bot-driven attacks.

AI Agent Providers

• Build transparent trust models for agent behaviour.
• Use modern digital credentials, not stored user passwords.
• Support consumer-controlled guardrails and merchant verification.

Identity & Payments Providers

• Support digital credentials with personhood attributes.
• Implement secure agent delegation APIs.

Authentication Platforms (like OneSpan)

• Provide mechanisms to distinguish humans, trusted agents, and bots.
• Deliver seamless passwordless authentication at scale.

Policymakers

• Back interoperable identity standards.
• Promote privacy-preserving methods to prevent Sybil attacks.
• Ensure safe automation without sacrificing user protection.

Outlook: Scaling Trust Faster Than Fraud

Physical retail proved that trust drives commerce. E-commerce proved that identity-driven scale beats geography. Agentic commerce will prove that verifiable identity and consent for both humans and agents will expand trust faster than fraud can exploit it.

Businesses that align early with open digital identity standards, agent attestation frameworks, and privacy-preserving credentials will lead the next wave of network effects. Others risk negotiating with decisions made by someone else’s agent.