Analyze best practices for KAYAK passkeys. Tailored for developers and product managers seeking to enhance security and user experience.
Niclas
Created: June 9, 2023
Updated: September 3, 2024
More and more companies from a wide range of industries are stepping into a password-free world and implementing passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience of those companies. This should enable you to incorporate these findings and enhance your product login accordingly. In each article, we focus on a single company. Today, we dive into KAYAK. At KAYAK, passkeys have been available since Q4 2022. According to Matthias Keller, chief scientist and SVP of technology at KAYAK, passkeys had a great start:
In the first three weeks after their introduction, thousands of their users had already set up their passkey logins, with 20% of them having actively opted in via the account settings. Unusually for a login feature, the feedback they received was stunningly positive.
In this section, we present the most important insights we have gained from the analysis of KAYAK passkeys.
Wide range of availability across platforms: KAYAK offers passkeys on a wide range of combinations of platforms, browsers, and mobile apps. If passkeys are available, they can be used for both sign-up and login. This is quite innovative, considering most services that are currently offering passkeys only do so in their login.
Innovative approach to fallback: If passkeys aren't available, KAYAK doesn't fall back to passwords, but continues the authentication process with email magic links. By eliminating passwords entirely and offering only social logins as an additional mode of authentication alongside the default email magic links, KAYAK demonstrates a profound understanding of secure and user-friendly authentication.
Conditional UI functionality: Conditional UI leverages the autofill function passkeys provide. KAYAK automatically prefills passkeys as soon as the user clicks on the username input field. This means that users no longer have to search for their credentials manually (not even usernames!), as they are already stored in the device / browser and are automatically pre-filled.
No synchronization within the Windows platform: Currently, there's no solution to sync passkeys across Windows devices. That's no fault of KAYAK, as the technical implementation by Microsoft is still in progress and will probably be released sooner rather than later. That means a new passkey must be created for each Windows device that you want to link to your KAYAK account.
Occasional unavailabilities of platform-browser combinations: Due to their presumed phased rollout, passkeys aren't yet available on all combinations on which they could be available from a technical perspective (e.g. Chrome on iOS).
No education on passkeys: Due to their cautious approach towards passkey integration, KAYAK doesn't educate the user on the use of passkeys. Except for the account settings and the browser's or device's own instructions, the term passkey isn't visible anywhere. Even in the instructions, there are no links with which users could educate themselves on passkeys.
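The Conditional UI and magic-link fallback behaviour described in the insights above can be sketched with the standard WebAuthn browser API. This is an added example, not KAYAK's code: `fetchOptions`, `verify` and `sendMagicLink` are hypothetical application callbacks, and `env` is a parameter introduced here so the logic can be exercised with a stub outside a browser.

```javascript
// Added example, not KAYAK's code. The field that triggers autofill would be
// <input name="email" autocomplete="username webauthn">.
// fetchOptions, verify and sendMagicLink are hypothetical app callbacks.

// Decide which login flow the current browser can support.
async function chooseLoginFlow(env = globalThis) {
  const pkc = env.PublicKeyCredential;
  const creds = env.navigator && env.navigator.credentials;
  if (!pkc || !creds) return "magic-link"; // no WebAuthn support at all

  // Conditional UI: passkeys appear in the autofill dropdown of the field.
  if (typeof pkc.isConditionalMediationAvailable === "function" &&
      (await pkc.isConditionalMediationAvailable())) {
    return "passkey-autofill";
  }
  // Platform authenticator present, but only the modal prompt is possible.
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function" &&
      (await pkc.isUserVerifyingPlatformAuthenticatorAvailable())) {
    return "passkey-modal";
  }
  return "magic-link";
}

async function signIn({ env = globalThis, fetchOptions, verify, sendMagicLink, signal }) {
  const flow = await chooseLoginFlow(env);
  if (flow === "magic-link") return sendMagicLink("webauthn-unavailable");
  try {
    // Server-issued challenge and rpId; allowCredentials stays empty so the
    // browser can list every discoverable passkey for this site.
    const publicKey = await fetchOptions();
    const request = { publicKey, signal };
    if (flow === "passkey-autofill") request.mediation = "conditional";
    const assertion = await env.navigator.credentials.get(request);
    return await verify(assertion); // the signature is checked on the server
  } catch (err) {
    // NotAllowedError: prompt cancelled or no usable passkey on this device,
    // e.g. a passkey that lives in another ecosystem. No password fallback.
    return sendMagicLink(err.name);
  }
}
```

Passing an `AbortSignal` as `signal` lets the page cancel a pending autofill request when the user picks a social login instead.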
To make the analysis of KAYAK passkeys as comprehensive as possible, we tested the login process with several device-browser-combinations. We have recorded the outcomes in the following use cases. To better understand the use cases, please read through the conceptual definitions of passkeys below before jumping into the use cases.
Single-device passkey vs. multi-device passkey: Passkeys come in two distinct types, which are single-device and multi-device credentials. Single-device passkeys are tied to a specific device, meaning that the passkey can only be used on the device it was generated on. Multi-device passkeys are the true passkeys that can be synced and transferred between devices. This means that users can use any of their devices that support passkeys to authenticate, regardless of whether the credential was created on that specific device. This greatly enhances the usability of passkeys, as users don't need to enrol each device.
Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior to iOS 16.0, no MacBook prior to macOS Ventura, no Android prior to Android 9, no Windows device prior to Windows 10) and on Safari, Chrome and the KAYAK mobile app.
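A relying party can tell the two passkey types apart from the backup-eligibility (BE) and backup-state (BS) flags that WebAuthn Level 3 defines in the authenticator data. The following added example (not from the original article or from KAYAK) parses those flags; the function names and the sample bytes are constructed for illustration.

```javascript
// Added example, not code from the article or from KAYAK.
// Flag bits of the authenticatorData flags byte (WebAuthn Level 3).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// authData: Uint8Array or ArrayBuffer, e.g. response.authenticatorData of an
// assertion. Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) ...
function classifyPasskey(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const backupEligible = (flags & FLAG.BE) !== 0;
  const backedUp = (flags & FLAG.BS) !== 0;
  // BS without BE is not a valid combination; reject rather than guess.
  if (backedUp && !backupEligible) {
    throw new Error("invalid flags: BS set while BE is clear");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    type: backupEligible ? "multi-device" : "single-device",
    backedUp,
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Constructed sample input: zeroed rpIdHash, chosen flags, chosen counter.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const synced = classifyPasskey(sampleAuthData(FLAG.UP | FLAG.UV | FLAG.BE | FLAG.BS, 0));
const deviceBound = classifyPasskey(sampleAuthData(FLAG.UP | FLAG.UV, 7));
console.log(synced.type, synced.backedUp);
console.log(deviceBound.type, deviceBound.signCount);
```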
Passkey type | iPhone (iOS 16.1.) | MacBook (macOS Ventura 13.0) | Android Mi 10 (Android 11) | Samsung Galaxy S21 5G (Android 13) | Windows 11 |
---|---|---|---|---|---|
Multi-device passkey | Use case 1 (Safari) | Use case 2 (Safari) Use case 3 (Mobile app) | Use case 6 (Chrome) | Use case 7 (Chrome) |
Single-device passkey | Use case 4 (Chrome) Use case 5 (Chrome) Use case 9 (Chrome) | N/A | N/A | N/A |
No passkeys | Use case 10 (Chrome) Use case 11 (Chrome) |
Use case | MacBook Safari initial passkey sign-up |
---|---|
Use case number | 1 |
Device | MacBook |
Operating system | macOS Ventura 13.0 |
Browser | Safari |
Platform | Apple |
Type of passkey | Multi-device passkey |
Synced in | Apple iCloud Keychain |
We created the first KAYAK passkey for an account using a MacBook in Safari.
On KAYAK, the creation of a passkey is already possible during signup.
After clicking Continue with email and then entering the email, the user is supposed to click Create your account.
The display is then instantly overlaid with Safari's passkey creation screen.
Three things are interesting about this:
First of all, it's noteworthy that KAYAK offers passkey sign-ups at all, contrary to many other large companies that only offer passkeys in the login process and collect a password at sign-up as fallback. The possible reason could be KAYAK's intention to introduce users to complete passkey authentication, marking a significant shift from the traditional username-password model.
Secondly, it's interesting to observe that KAYAK themselves do not educate the user on the use of passkeys at any point before the browser's built-in feature prompts them and instructs them how to use the feature. A potential reason for this could be a cautious approach towards technological innovation. KAYAK boasts a vast user base that they wouldn't want to risk alienating by abrupt changes. By subtly integrating new technologies like passkeys within the existing ecosystem, they aim to offer a smooth transition, minimizing disruptions or difficulties for their users.
Lastly, the phrase Create your account used in the sign-up process might give an impression that the account is immediately created, even though a passkey still needs to be set up, or a magic link needs to be confirmed. This could be an intentional nudge to encourage users to just proceed with the sign-up process, creating an impression of immediacy despite there being further steps to complete. Such subtle cues play a significant role in improving the overall user experience and increasing sign-up completion rates.
After the passkey is created, the user is already logged in.
Since the passkey was successfully created, it is now also stored in the account. This is now a multi-device passkey, which means that it is available on multiple devices of the same platform. As this passkey was generated on a MacBook in this use case, it becomes accessible on all Apple devices associated with the same iCloud account. This synchronization occurs through the Apple iCloud Keychain, allowing the passkey to be available across multiple Apple devices.
The other modes of sign-up are social logins, which work just as you would expect them to, and email magic links, which are usable in the case in which the user denies the use of passkeys after clicking Create your account.
What's noteworthy about this is that traditional password sign-ups are not an option on KAYAK anymore. This could be attributed to their focus on higher security standards and also user preference. It's plausible that KAYAK has discerned that its users prefer the use of social logins and magic links over conventional passwords. An immediate switch to passkeys might confuse some users, potentially leading to frustration and a decline in user engagement. KAYAK's hybrid strategy can be seen as an intermediate stage on the way to a passkey-only strategy.
Use case | MacBook Safari passkey login |
---|---|
Use case number | 2 |
Device | iPhone |
Operating system | iOS 16.0 |
Browser | Safari |
Platform | Apple |
Type of passkey | Multi-device passkey |
Synced in | Apple iCloud Keychain |
In this case we show what a login with the passkey created on MacBook in use case 1 looks like when logging in via iPhone on Safari.
What is interesting here is that KAYAK puts the social login with Apple in first place and hides the social login with Google in "More sign-in options". When using an Android device, it is the other way around.
After clicking Continue with email, KAYAK recognizes that a passkey has already been created for this account and the user is immediately prompted to retrieve their passkey.
Again, there is no mention of passkeys or biometric authentication.
As all the other passkey login flows look exactly alike, in the rest of our analysis we won't shed more light on the exact procedure of KAYAK's login flows.
Use case | iPhone App passkey login |
---|---|
Use case number | 3 |
Device | iPhone |
Operating system | macOS Ventura 13.0 |
Browser | Chrome |
Platform | Apple |
Type of passkey | Multi-device passkey |
Synced in | Apple iCloud Keychain |
With the same account, we tested the login via the iOS native app, which works the same as the browser login.
After clicking Continue with email and entering the email of the account created above, the user is immediately prompted to enter their passkey.
Use case | MacBook Chrome passkey sign-up |
---|---|
Use case number | 4 |
Device | MacBook |
Operating system | macOS Ventura 13.0 |
Browser | Chrome |
Platform | Apple |
Type of passkey | Single-device passkey |
Synced in | N/A |
Next, we created a passkey for a MacBook in Chrome. Please note that we did not use the account from use cases 1 and 2 for this but created a new account.
The first steps are the same as the ones in use case 1: Clicking Continue with email leads to Create your account which leads to the user being prompted to create a passkey.
The passkey creation looks slightly different but works just the same.
But this time, as we used a MacBook in Chrome, the type of passkey is a single-device passkey which is not synced across Apple devices.
Use case | MacBook Chrome passkey login |
---|---|
Use case number | 5 |
Device | MacBook |
Operating system | macOS Ventura 13.0 |
Browser | Chrome |
Platform | Apple |
Type of passkey | Single-device passkey |
Synced in | N/A |
To demonstrate that the passkey from use case 4 isn't synced among Apple devices, in this case we logged in to the same account on Chrome with another passkey-ready MacBook.
After entering the email address of our KAYAK account, KAYAK recognized that a passkey exists, and we were prompted to use it.
However, because the passkey is not synchronized, selecting Use a phone or tablet will just display a QR code to scan with the device the passkey is stored on. So, we clicked Cancel and continued with email magic link.
Use case | Android Chrome passkey sign-up |
---|---|
Use case number | 6 |
Device | Android Mi 10 |
Operating system | Android 11 RKQ1.200826.002 |
Browser | Chrome |
Platform | Android |
Type of passkey | Multi-device-passkey |
Synced in | Google password manager |
In this case, we used an Android device to sign up a new KAYAK account on Chrome. This process follows the familiar pattern: Continue with email leads to Create your account which leads to the user being prompted to create a passkey.
Typically, on Android devices facial recognition is used to create the passkey. However, for the purpose of testing, we opted to use the phone's pattern lock as an alternative for generating the passkey.
The passkey generated during this step is stored within the Google account that is logged into Chrome. This enables the passkey to be synchronized with the Google Password Manager of that particular Google account, facilitating its retrieval on other devices.
Use case | Android Chrome passkey login |
---|---|
Use case number | 7 |
Device | Android Mi 10 |
Operating system | Android 11 RKQ1.200826.002 |
Browser | Chrome |
Platform | Android |
Type of passkey | Multi-device-passkey |
Synced in | Google password manager |
To test whether the synchronization of the passkey created in use case 6 works between different Android devices, we used a new Android device in this use case. To accomplish this, we pre-logged into Chrome using the Google account associated with the synchronized passkey.
To log in, we followed the same steps as in use case 2. Before we even entered the email address of our KAYAK account, KAYAK recognized that a passkey had already been created for this account. We think this is a great form of Conditional UI!
After selecting the passkey, the user is seamlessly prompted to enter the phone's (the Samsung Galaxy S21's) credentials, which leads to a successful login.
Use case | Windows Chrome passkey login |
---|---|
Use case number | 8 |
Device | HUAWEI MateBook X Pro |
Operating system | Windows 11 Home 22H2 OS build 22621.1635 |
Browser | Chrome |
Platform | Windows |
Type of passkey | Single-device-passkey |
Synced in | N/A |
In this use case we used a Windows device and tried to log in with the KAYAK account that we already used in use cases 6 and 7.
Since we already created a passkey for this account, KAYAK again suggested that we use this passkey to log in.
After clicking on Create your account, we received the Windows Security pop-up below. This is because KAYAK recognizes that a passkey exists for this account and searches for options to retrieve it.
We get prompted for a hardware token / security key.
As we do not have a security key, we clicked Cancel.
Next, we were prompted to use a passkey. Our passkey is only synced within the Android ecosystem and therefore cannot be accessed with a Windows device. In such cases, KAYAK falls back to using an email magic link.
Use case | MacBook Chrome manual passkey creation |
---|---|
Use case number | 9 |
Device | MacBook Air |
Operating system | macOS Ventura 13.0. |
Browser | Chrome |
Platform | Apple |
Type of passkey | Single-device-passkey |
Synced in | N/A |
In this case we explored the manual setup of a passkey for a new KAYAK account in the KAYAK account settings on a MacBook using Chrome. As demonstrated in use case 1, this combination allows for the use of passkeys.
After selecting Account in KAYAK's Your account settings, at the bottom of the Preferences field, we clicked Set up passkey.
This initiates the regular passkey creation process on macOS using Chrome, as known from use case 1.
Use case | iPhone Chrome passkey creation |
---|---|
Use case number | 10 |
Device | iPhone |
Operating system | iOS 16.0 |
Browser | Chrome |
Platform | Apple |
Type of passkey | / |
Synced in | / |
In this case, we used an iPhone to sign up a new KAYAK account on Chrome. This process follows the familiar pattern: Continue with email leads to Create your account.
This time, however, we weren't prompted to create a passkey, but had to use an email magic link. Surprisingly, the combination of iOS and Chrome doesn't support the use of passkeys.
Use case | iPhone Chrome manual passkey creation |
---|---|
Use case number | 11 |
Device | iPhone |
Operating system | iOS 16.0 |
Browser | Chrome |
Platform | Apple |
Type of passkey | / |
Synced in | / |
To contrast case 7, we then tried to set up a passkey for a new KAYAK account in the account settings of an iPhone using Chrome. As shown in use case 8, this combination doesn't allow for the use of passkeys during sign-up.
We used the approach from use case 7: Selecting Account in KAYAK's Your account settings. But this time, at the bottom of the Preferences field, we didn't find a Set up passkey option.
This is interesting as both the browser and device individually support passkeys. Chrome supports passkeys on macOS (among others) and iOS supports passkeys on Safari.
If KAYAK simply did not offer passkeys on iOS and Chrome for sign-ups, this could be explained with their cautious rollout strategy: They wouldn't want to confuse their users with a potentially unknown authentication method right away.
But the fact that they don't even enable the creation of passkeys if a user actively enters the account settings to set one up can't be explained with avoidance of user confusion.
Instead, it appears that KAYAK is choosing a phased rollout of the passkey feature, selectively enabling it across different platforms and devices. This cautious strategy likely aims to monitor user responses and troubleshoot any unforeseen issues in a controlled manner. Another explanation could lie in the assumption that few iOS users utilize Chrome as their preferred browser: KAYAK doesn't prioritize allocating their resources to developing passkeys for a case that is scarcely used.
As one of the leading travel booking companies, KAYAK offers passkeys on both sign-up and login for mobile and desktop. This sets them apart from eBay, Google and Shopify, which also offer passkeys, but only at login.
However, they decided to not offer passkeys even within account settings for some combinations in which it would be possible from a technical perspective (e.g., Chrome on iOS). This suggests a phased rollout.
Further, they opted for a subtle integration approach, avoiding the explicit use of the term "passkeys". By nonchalantly leading to the use of passkeys without prior notice, KAYAK moves their users to just accept passkeys as a new mode of authentication.
Paired with their hybrid strategy with a fallback to email magic links, potential user disruption is minimized.
With the integration of passkeys KAYAK has raised its user experience to a higher level and their nuanced approach to the introduction shows a profound understanding of UX. However, as passkey adoption continues to increase, we can expect that KAYAK's approach will evolve accordingly.