
Amazon Passkeys: Response to Consumer Demand with Poor Implementation

Amazon introduces passkeys, signaling a shift in e-commerce authentication. While the move is great in general, its implementation can be improved.

Author: Vincent

Created: October 16, 2023

Updated: October 28, 2024



Amazon, the e-commerce behemoth, has recently and quietly joined the passkey bandwagon. Recognizing increasing consumer demand for better security and, in particular, more convenience, Amazon is rolling out passkeys widely across most devices and browsers. This underlines Amazon's commitment to responding to consumer demand. The move follows the trend among tech giants, with Apple, Google, and others like TikTok, OnlyFans and Uber leading the passkeys wave, while Amazon joins the party rather late.

Screenshot 1: Amazon Passkey Sign in

We believe that passkeys will make the Internet a safer place. That's why we aim to provide a systematic analysis of the passkey processes of different companies as they move towards a password-free world.

The Upside of Amazon's Passkey Integration

  • Enhanced Security: Passkeys make users' lives safer, mitigating phishing threats and eliminating the hassle of coming up with and remembering passwords.
  • Consumer Education: Given Amazon's vast user base, this rollout is set to familiarize a large segment of non-tech-savvy users with the benefits of passkeys. The ease of use might convince these users to demand passkeys from other online platforms as well.
  • Industry Implications: The ripple effect of Amazon's move can potentially catalyze a widespread shift in the e-commerce and SaaS industry towards quick passkey adoption.

Screenshot 2: Amazon Passkey Overview & FAQ

Why Amazon Messed up its Passkey Implementation

  • Relying Party ID Issues: Depending on the country a user has set, they may be redirected to different Amazon domains, which requires a separate passkey for each country / top-level domain. This is due to the security structure of passkeys: each passkey is registered for one Relying Party ID (e.g. amazon.com or amazon.de). In screenshot 3, you can see that two passkeys were set up for one device (Windows 11 with Chrome).
  • Conditional UI Is Missing: By not implementing Conditional UI (Passkey Autofill), Amazon missed out on a critical feature that could have made passkey use even more seamless for users. The reasons behind this are still unclear, as other companies have already implemented Conditional UI.
  • Inferior Device Management: Current device detection and management for passkeys is clunky, possibly leading to user confusion, especially for those using browsers like Chrome on Mac, where a QR code was shown instead of an explanation that a passkey is not available or simply skipping passkeys (QR codes are still a major struggle for most consumers).
  • No Native App Support: Surprisingly, the native apps, both Amazon's shopping app and Prime Video, lack passkey support (see screenshots 4 and 5 below with the message that no passkey could be created), which could lead to user confusion if a passkey was created on this device via the web application.
  • Redundant Verification Steps: If a user has set up 2-step verification, they still need to go through an additional one-time code verification, which is an unnecessary step, as passkeys are 2FA by default.
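
The Relying Party ID and redundant-verification points above both come down to fields in the WebAuthn authenticator data that a server receives with every passkey login: the SHA-256 hash of the RP ID and the user-verification flag. The following Node.js code is an added example, not Amazon's or Corbado's code; the function names, the sample bytes and the accept / step-up policy are assumptions, and it assumes signature, challenge and origin checks happen elsewhere.

```javascript
const nodeCrypto = require('node:crypto');

const FLAG_UP = 0x01; // bit 0: user present (touch or click)
const FLAG_UV = 0x04; // bit 2: user verified (biometric or device PIN)

const sha256 = (text) => nodeCrypto.createHash('sha256').update(text, 'utf8').digest();

// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Assumed relying-party policy (hypothetical): a user-verified assertion counts as two factors.
function evaluateAssertion(authData, expectedRpId) {
  const parsed = parseAuthenticatorData(authData);
  // A passkey created for amazon.com carries SHA-256("amazon.com") and cannot satisfy amazon.de.
  if (!parsed.rpIdHash.equals(sha256(expectedRpId))) return 'reject-rp-id-mismatch';
  if (!parsed.userPresent) return 'reject-no-user-presence';
  // UV set: possession plus biometric/PIN, so a further one-time code adds nothing.
  return parsed.userVerified ? 'accept' : 'step-up';
}

// Constructed sample data: the fixed-length prefix an authenticator emits for a given RP ID.
function buildSampleAuthData(rpId, flags, signCount) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(signCount, 1);
  return Buffer.concat([sha256(rpId), tail]);
}

const comPasskey = buildSampleAuthData('amazon.com', FLAG_UP | FLAG_UV, 7);
console.log(evaluateAssertion(comPasskey, 'amazon.com'));
console.log(evaluateAssertion(comPasskey, 'amazon.de'));
console.log(evaluateAssertion(buildSampleAuthData('amazon.de', FLAG_UP, 1), 'amazon.de'));
```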

Screenshot 3: Two Passkeys for Two Relying Party IDs on the Same Device (Windows 11 + Chrome 118)

Screenshot 4: Amazon Passkeys on Native Android App

Screenshot 5: Amazon Passkeys on Native iOS App

Looking Forward

Amazon has room for improvement. Prioritizing updates like making native apps passkey-ready, introducing Conditional UI, and refining device management can considerably enhance user experience. Addressing the Relying Party ID issue would also be a step in the right direction, but here industry best practices for multi-national services still need to be defined.

In conclusion, while Amazon's venture into passkey authentication is a significant milestone, it's evident that the journey to perfecting this feature is just beginning. Let's hope that Amazon takes the feedback on board and iterates towards a better passkey implementation soon.
