Analyze best practices for PayPal passkeys. Tailored for developers and product managers seeking to enhance security and user experience.
Janina
Created: August 31, 2023
Updated: June 3, 2024
We believe that passkeys will make the Internet a safer place. That's why we aim to provide a systematic analysis of the passkey processes of different companies as they move towards a password-free world.
More and more companies from a wide range of industries are stepping into a password-free world and implementing passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience of those companies. This should enable you to incorporate these findings and enhance your product login accordingly. In each article, we focus on a single company. Today, we dive into PayPal. Since October 2022, existing PayPal users in the U.S. have been able to create passkeys for their account and log in with them. Since early 2023, passkeys have been successively rolled out in additional countries as well. With over 400 million users, PayPal is one of the world's leading digital payment platforms, now providing passkeys to make online payments and transfers more secure and user-friendly.
In this section, we present the most important insights we have gained from the analysis of PayPal passkeys.
PayPal passkeys are currently limited to logging into already existing PayPal accounts. There is only one way to set up a passkey for the device in use: users must go to the 'Login and security' tab in their account settings and activate passkeys manually. PayPal first introduced passkeys in the U.S. with A/B testing in October 2022, subsequently rolling them out in various regions. The new login option was initially provided to iPhone, iPad, and Mac users, later reaching other platforms that supported passkeys. By choosing this rollout strategy, PayPal has been able to minimize risks and identify potential bugs through feedback from its early adopters. This staggered introduction ensures a smooth transition, particularly accommodating those unfamiliar with the concept of passkeys as an alternate sign-in method.
PayPal has incorporated the creation and usage of passkeys within its native apps for both Apple and Android devices. This user-friendly feature permits mobile users to directly access their PayPal accounts via the app using passkeys, bypassing the necessity to navigate to the website. PayPal stands out as the first company to synchronize passkeys between the browser and app, granting users the ease of browser login with a synced passkey.
One prominent feature of PayPal's passkey implementation is the immediate integration of Conditional UI. This powerful feature leverages the autofill function that passkeys provide, enhancing user convenience. It automatically suggests and prefills passkeys as soon as the user clicks on the username input field. From the very beginning, PayPal users can experience the time-saving benefits of passkeys without the need for manual search or entry of credentials (not even usernames!), as they are already stored in the device / browser and are automatically pre-filled.
In the 'Login and security' section, where users can view all their saved passkeys, PayPal offers insightful details about each passkey. It indicates the device on which the passkey was generated and its synchronization status. Moreover, a timestamp shows when the passkey was created.
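WebAuthn reports whether a credential can be synced, and whether it currently is, through the backup eligibility (BE) and backup state (BS) flags in the authenticator data. The following is an added example, not PayPal's code and not part of the original article, showing how a relying party could decode those flags into the single-device / multi-device distinction; `describePasskey`, `sampleAuthData` and the label strings are hypothetical, and the page does not say how PayPal derives the status it displays.

```javascript
// Added example (not PayPal's code). Authenticator data starts with a fixed
// header: 32-byte rpIdHash, 1-byte flags, 4-byte big-endian signCount.
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(bytes) {
  const data = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  if (data.length < 37) throw new Error('authenticator data too short');
  const flags = data[32];
  const parsed = {
    rpIdHash: data.slice(0, 32), // must equal SHA-256 of the RP ID (check not shown)
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential may be synced
    backedUp: (flags & FLAG.BS) !== 0,       // credential is synced right now
    signCount: new DataView(data.buffer, data.byteOffset + 33, 4).getUint32(0, false),
  };
  // BS without BE is not a valid combination; reject instead of guessing.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error('invalid flags: backup state set without backup eligibility');
  }
  return parsed;
}

// Hypothetical labels for a settings page like the one described above.
function describePasskey(parsed) {
  if (!parsed.backupEligible) return 'single-device passkey';
  return parsed.backedUp
    ? 'multi-device passkey, synced'
    : 'multi-device passkey, not yet synced';
}

// Constructed sample input: filler rpIdHash, chosen flags, chosen counter.
function sampleAuthData(flags, signCount) {
  const data = new Uint8Array(37).fill(0xab, 0, 32);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, signCount, false);
  return data;
}

console.log(describePasskey(parseAuthenticatorData(sampleAuthData(0x1d, 0))));
console.log(describePasskey(parseAuthenticatorData(sampleAuthData(0x05, 7))));
```

BE is fixed when the credential is created, while BS can change between sign-ins, so a relying party that shows a sync status would re-read it on each assertion.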
PayPal uses the term "passkeys". To assist users who are unfamiliar with passkeys or are looking for more information, PayPal provides detailed explanations that cover passkeys in general, as well as setup, synchronization, and deletion. Besides, any questions that may arise are answered in a FAQ, in order to counteract any possible fears of users at an early stage. This highlights their effort to persuade users about the benefits of passkeys and promote passwordless authentication.
Currently, passkeys cannot be used on all devices or browser-operating system combinations. For example, you can't use passkeys on Windows in general or Chrome on Mac yet. Therefore, users still have to log in with their password every now and then, which decreases the overall user experience.
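The Conditional UI behaviour and the password fallback described above can be sketched on the client as follows. This is an added example, not PayPal's code and not part of the original article; `startPasskeyAutofill`, the `env` and `options` parameters, the result shape and the choice of `userVerification: 'required'` are assumptions made for illustration.

```javascript
// Added example (not PayPal's code). The login form is assumed to contain
//   <input name="username" autocomplete="username webauthn">
// which lets the browser list stored passkeys in the autofill dropdown.

// `env` is the browser global (window); passing it in keeps this testable.
async function startPasskeyAutofill(env, options) {
  const pkc = env.PublicKeyCredential;
  if (!pkc) {
    return { mode: 'password', reason: 'webauthn-unavailable' };
  }
  if (typeof pkc.isConditionalMediationAvailable !== 'function' ||
      !(await pkc.isConditionalMediationAvailable())) {
    return { mode: 'password', reason: 'conditional-ui-unavailable' };
  }
  try {
    const credential = await env.navigator.credentials.get({
      mediation: 'conditional', // no modal; resolves once a passkey is picked
      signal: options.signal,   // AbortController signal to cancel on password submit
      publicKey: {
        challenge: options.challenge, // fresh random bytes from the server (assumed)
        rpId: options.rpId,
        allowCredentials: [],         // discoverable credentials: no username needed
        userVerification: 'required', // biometric or device PIN must be checked
      },
    });
    // The assertion still has to be sent to the server and verified there.
    return { mode: 'passkey', credential };
  } catch (err) {
    // AbortError: the page cancelled; NotAllowedError: dismissed or timed out.
    return { mode: 'password', reason: err.name };
  }
}
```

The empty `allowCredentials` list is what makes the username optional: the authenticator offers whichever discoverable credentials it holds for the relying party ID.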
PayPal has published a comprehensive FAQ that provides a detailed explanation of passkeys and guides users through the setup process. This reflects their recognition of the need to educate users about the technology and functionality behind passkeys, as not everyone may be familiar with them yet.
To register new passkeys for your PayPal account, follow these steps:
1. Click the settings icon (web browser) or profile icon (app) in the top right corner
2. Click on Security (web browser) or Login and security (app)
3. Click on Passkey
Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior to iOS 16.0, no MacBook prior to macOS Ventura, no Windows device prior to Windows 10). We use the same PayPal account for every use case.
Passkey type | iPhone (iOS 17.0) | MacBook (macOS Ventura 13.4.1) | Xiaomi Mi 10 (Android 11) |
---|---|---|---|
Multi-device passkey | Use case 1 (PayPal iOS app) | Use case 2 | Use case 3 (PayPal Android app) |
Single-device passkey | N/A | N/A | N/A |
Use case | iPhone PayPal iOS app passkey creation |
---|---|
Use case number | 1 |
Device | iPhone |
Operating system | iOS 17.0 |
Browser | N/A (iOS app) |
Platform | Apple |
Synced in | Apple iCloud Keychain |
To initially set up the first passkey for our PayPal account, we click on 'Create a Passkey' as previously shown in section 3.
It is noteworthy that at this point the user is again informed about what passkeys are all about. This shows that PayPal wants to educate users who do not yet know passkeys.
After clicking on 'Create a Passkey', PayPal requires the confirmation of our identity through two-factor authentication.
Once this has been successfully verified, a passkey can be created, and the default Apple passkey pop-up appears that prompts us to use Face ID.
Once successfully registered, we receive a notification confirming the successful generation of the passkey.
In the login and security settings we can now view details about the passkey or even remove it again. The properties include information about the device on which the passkey was created and whether it was synchronized, along with a timestamp for creation.
When using the same browser-operating system combination for which a passkey has already been stored, PayPal detects this and does not display the 'Create a Passkey' option. Only after the passkey has been removed from the device can a new one be created.
If we want to log in to the PayPal iOS app, we use the passkey previously created on this device. As soon as we open the app, the default Apple passkey pop-up appears that prompts us to use Face ID to log in. If the username input field is empty, the passkey window will not appear immediately, but due to the enabled conditional UI the stored passkey will be automatically suggested and pre-filled as soon as we click on the field.
After verifying our identity with Face ID, the passkey is successfully retrieved, granting us access to our account.
Use case | MacBook Safari passkey login |
---|---|
Use case number | 2 |
Device | MacBook |
Operating system | macOS Ventura 13.4.1 |
Browser | Safari |
Platform | Apple |
Synced in | Apple iCloud Keychain |
Currently, it is not yet possible to create a passkey on a MacBook - however, we can log in with one that is synced on the Apple Keychain. In this use case, we retrieve the passkey that we registered on our iPhone in use case 1.
As soon as we enter the PayPal page in the browser, we are presented with the familiar Safari passkey pop-up. Here, we selected 'iPhone, iPad or Android device', which includes the iPhone on the keychain that holds the passkey from use case 1.
We scan the QR code with the device our passkey is stored on (in this case from use case 1).
After logging in with the passkey on the iPhone, we still need to confirm our identity with 2FA when we use it for the first time for our MacBook as well, before we are then logged into our PayPal account.
Use case | PayPal Android app passkey creation |
---|---|
Use case number | 3 |
Device | Xiaomi Mi 10 |
Operating system | Android 11 |
Browser | N/A (Android App) |
Platform | Android |
Synced in | Google Password Manager |
In this use case, we generate a passkey on an Android device using the PayPal app and store it in the Google Password Manager. The process for generating the passkey for the Android PayPal app is the same as the one for the iPhone PayPal iOS app, with the only differences being that we create the passkey on Android using Touch ID instead of Face ID and that in this step it is possible to specify the Google account where the created passkey will be stored. Once our fingerprint has been successfully registered, we receive a notification confirming the successful generation of the passkey. The passkey is now displayed in the 'Passkeys' section in the login and security settings.
Unlike the iPhone, the Android phone does not recognize that a passkey already exists on the device and continues to display the 'Create a Passkey' option. If users then try to set up a passkey, PayPal detects this and prevents both the creation of a new passkey and the overwriting of the existing one.
Further, the phone does not recognize if there is already a passkey for another Android phone stored in the Google Password Manager and allows the creation of a second passkey.
If we want to log in to the PayPal Android app, we use the passkey previously created on this device. As soon as we open the app, the default Android passkey pop-up appears that prompts us to use Touch ID to log in. If the username input field is empty, the passkey window will not appear immediately, but due to the enabled conditional UI the stored passkey will be automatically suggested and pre-filled as soon as we click on the field.
After verifying our identity with Face ID, the passkey is successfully retrieved, granting us access to our account.
Adobe's entry into the world of passkeys underscores the industry's shift toward passwordless authentication, enabling greater security without compromising the user experience. Adobe particularly stands out for pushing the transition to passkeys among their current users and, even more important, new users by highlighting the passkey creation option and providing informative user education. They are also constantly adding new features to further improve the user experience. For instance, since the introduction, Conditional UI has been added and more details about the stored passkeys are displayed to the user. This also demonstrates how important Adobe considers the transition to passkeys.