To understand the product management impacts of passkeys and explore additional topics like the role, and relevance of passkeys, we created a free white paper Passkey Bible for Product Managers.

Free Download

Product managers can leverage passkeys to improve usability and increase conversion rates while protecting users' personal information. The main benefits of passkeys for product managers are the following:

Passkeys provide an enhanced user experience by simplifying the login process and offering higher user convenience. Unlike passwords, which can be difficult to remember and should be changed frequently, passkeys replace passwords and can be easily used on any device. This reduces user frustration and encourages adoption, increasing user satisfaction and engagement.

Passkeys increase conversion rates by up to 25% by reducing the number of abandoned logins. When users can easily and quickly authenticate with a passkey, they are more likely to complete the login process and purchase or use a SaaS product. This results in increased revenue opportunities and improved conversion rates for your business.

In addition to boosting customer retention rates by up to 20%, passkeys can also contribute to higher customer satisfaction with login processes by ensuring that users do not get locked out of their accounts due to forgotten passwords. With passkeys, users no longer worry about remembering complex passwords or resetting them whenever they forget. This can create a sense of ease and comfort for customers, making them more likely to return to your website and make repeat purchases. As every product manager knows, existing customers are the easiest way to upsell / cross-sell, and by keeping them happy and satisfied, passkeys contribute to increased sales and revenue opportunities for your business.

Passkeys also improve your bottom line by reducing the costs associated with password-related support issues, such as password resets and account recovery. When users can easily access your service, they are less likely to require support from your business, reducing the need for customer service resources. This will lead to improved efficiency and cost savings for your company, contributing to a stronger bottom line.

With traditional email/password schemes, the user must remember the exact combination of the used identifier and password. Unless these credentials are saved in the browser (which is often discouraged), they must be manually entered each time. In contrast, passkeys automatically store the complete credentials (identifier and passkey), eliminating the need for manual entry. Additionally, many browsers already support Conditional UI, a new feature automatically pre-filling passkeys when users want to sign in (comparable to today's password autofill but more secure). This increases user comfort and reduces the risk of forgotten credentials significantly. According to data gathered throughout the past months, Conditional UI is already supported by 70% of device and browser combinations, with a substantial increase over time.

Passkeys are more secure than passwords as they use public-key cryptography instead of a shared secret to authenticate a user. This makes it impossible for cybercriminals to steal a user's login credentials. Moreover, passkeys are fixed to the specific domain for which the user has created the passkey and can only be used there, which prevents phishing attacks. By implementing passkeys, product managers can provide a more secure login, ensuring compliance with data protection and user privacy regulations. Passkeys also help prevent users from reusing passwords across multiple accounts, increasing security.

Building passkey authentication on your own is a complex and costly endeavour. Depending on the technical and organizational setup of your business, the costs may amount to more than € 100,000. In addition to paying experienced software developers, who are responsible for the technical implementation and testing, a large cost block results from the work of the product managers on several challenging tasks:

UX is much more than just creating a user-friendly interface. In general, device and user preference management, user communication, and customizable design for your corporate identity play a major role. Since passkeys are device-bound, product managers need to focus on device management to ensure flawless use of passkeys across all their users' devices. When it comes to user communication, it is necessary to educate users with predefined and tested user messages.

The open standards on which passkeys are based are poorly documented, making implementation into existing systems and integration into existing user flows challenging in practice. It rather requires coming up with user flows and setting up technical integrations from scratch. If you have users from different platforms (e.g., iOS, Android, Windows) using multiple devices, seamless integration becomes even more complex as passkeys are device-bound. When designing the flow from the beginning of registration or login to successful authentication, countless process steps need to be considered. Each use and edge case needs to be modelled and structured in complex logic trees.

Product managers must ensure that users can easily access their accounts across different devices and platforms while providing clear as well as concise user guidance and instructions at new device login. Another challenging task for product manager is to guarantee seamless integration of their product with various operating systems and devices to enable customers to access it flawlessly. This involves effective platform detection and management to enhance user experience and satisfaction.

Transitioning to fully passwordless options requires a shift in user behaviour. Product managers face the challenge of promoting the use of passkeys among users, as they may not be aware of its benefits or have concerns about security. Despite this, it is important for product managers to provide clear guidance to users on the use of passkeys. To address this challenge, product managers need to educate on the benefits of passkeys and ensure that the passkey creation and usage process is simple and user- friendly. Depending on the rollout strategy (as explained in "Rollout strategies for passkeys"), product managers may need to consider hybrid authentication by combining different methods like passkeys and passwords.

Product managers face challenges in providing recovery services to users who have forgotten or lost their device or password. Implementing self-service password resets requires careful planning. Product managers need to determine the most efficient and secure process for users to reset their passwords. In case users are unable to reset their password, it is important to have fallback options, such as biometric authentication or one-time passcodes. These options should be available to all users regardless of the browser and the device they are using. This ensures that users have a secure and convenient way to access their accounts.

Ensuring backwards compatibility with legacy systems as well as maintaining a seamless user experience across different versions of browsers and operating systems requires product managers to take care of processes that detect passkey readiness, platform authenticators, and Conditional UI readiness. Also, product managers must be aware of users' needs and preferences when making changes to the login process. It is important to maintain familiar login flows for users who are used to traditional authentication methods as changes to the login process can be disruptive and confusing. Therefore, product managers should carefully integrate any changes to the login process to ensure a smooth transition and a positive user experience.

There are different types of passkeys and different evolutionary steps depending on the underlying operating system and platform. Device-bound passkeys need to be differentiated from synced passkeys.

Passkeys have become increasingly popular as a convenient and secure way for users to authenticate. Devices that can create and use passkeys for authentication are referred to as "passkey-ready" (e.g., through facial recognition or fingerprint scan).

Our data has revealed that over 90% of all devices support passkeys , and major companies roll out passkeys in their web and native apps. The broad support and growing adoption of passkeys across platforms, devices, and companies can be seen in the following graphic:

As passkeys are one of latest technologies out there, it is essential for companies, and product managers in particular, to develop a comprehensive understanding about the implementation of passkeys and the associated benefits and risks. We have developed this decision tree to assist companies in determining the most suitable rollout strategy for implementing passkeys. The decision tree is designed to provide a systematic breakdown of three different strategies:

• the passkey-only strategy
• the passkey-first / passwordless strategy
• the hybrid strategy

The passkey-only strategy involves implementing passkeys as the only authentication method. This strategy is only applicable for new products that are mobile, native apps without existing users. Passkey availability on those device types is extremely high. Without these existing users, the need to support other authentication methods drops and no user transition is required.

The passkey-first/passwordless strategy involves password-free authentication through passkeys or other passwordless methods like social logins, one-time passcodes (OTPs), or email magic links. This strategy works for new products that don't have existing users yet. It doesnt matter if the product is a web app, native app, or both. Without existing users and legacy authentication, you directly follow the future-ready, passwordless path.

The hybrid strategy involves offering both passkey and traditional password authentication to users. By providing both options, companies can gradually transition existing users to passkeys over time, while still maintaining a level of familiarity for those who prefer traditional passwords.

If you want to introduce and promote passkeys at sign-up and login, there is currently one proven way in practice serving as a best practice for passkey process flows: the KAYAK way. If you want to introduce and promote passkeys at login only, there are currently three ways in practice serving as a best practice for passkey process flows. These modes differ in terms of how users are introduced to passkeys during the login process: the Shopify way, the Google way, and the eBay, PayPal, and Binance way.

When signing up, new users can create an account in both the web app and the native app for iOS and Android without ever having to set a password anymore. Instead, a passkey is created for passkey-ready devices. If the user refuses this or their device does not support passkeys, then an email magic link is sent to the previously stored email address.

Here, passkeys are not actively promoted during the login process, but instead they are only available in the user's profile settings. There, the user can opt in to create a passkey. Shopify offers passkeys in their web and native app for iOS and Android.

Currently, to initially set up a passkey, the user must go to a dedicated domain: https://g.co/passkeys. The user is then redirected to the familiar Google login screen via this page. This is probably done to start with low risk and find bugs with early adopters (as passkeys flows, especially for cross-device and crossplatform processes, are quite complex to implement). To create a passkey for another device, the user needs to either visit this page or use the "Create passkey" button while logged into the Google account. The fact that users must proactively signal that they want to use passkeys by visiting this page shows that Google is gradually rolling them out to ensure a smooth process for every user. Even though this approach may be less user- friendly at the moment, it helps to gather feedback from early adopter usage and improve it for all nontechnical users who may not be familiar with passkeys as an additional login option. Therefore, all users can still use passwords to log in. If you want to learn more on how Google implemented passkeys, dive into our detailed analysis of Google passkeys.

Here, the user first logs in with the existing credentials (e.g., email and password). Afterwards, a pop-up window or a message is shown to the user, recommending the creation of a passkey, which can then be used instead of the password at the next login. Particular attention should be paid to intuitive user communication that does not overwhelm the user with (technical) terminology but encourages the user to switch to passkeys. The user should nevertheless be given the option of refusing to do so. In this case, it must also be ensured that the subsequent login one is also possible with legacy authentication methods. If you want to learn more on how eBay implemented passkeys, dive into our detailed analysis of eBay passkeys.

Corbado offers a full passkeys-as-a-service package that takes care of all major challenges product managers face when considering offering passkeys as a login method. With Corbado as an experienced passkey authentication provider, you can focus on your core business while we take care of the entire passkey integration process in less than one hour. Start your passkey journey on www.corbado.com now!