Uber Rolls Out Passkeys To Optimize Logins

Uber recently rolled out passkeys. As one of the leading tech giants, this move is indicative of the company's commitment to staying ahead in the digital curve and following the path of other tech leaders like Nintendo, OnlyFans, GitHub, TikTok or WhatsApp.

Uber's decision to adopt passkeys is not just solely based on technological reasons but also majorly on strategic ones. Here's why:

1. Mobile-First Approach as Perfect Angle for Passkey Rollout: A significant chunk of Uber's user base accesses its services via mobile devices. These devices are primed for the first wave of a seamless integration of passkeys (which is also backed by the passkey-readiness of mobile devices according to our recent analysis), making passkey rollout for Uber a logical step.
2. Reduce Global Operations and SMS OTPs costs: Operating in diverse locations worldwide, Uber heavily relies on SMS OTPs for authentication. By introducing passkeys, Uber can potentially reduce these operational costs, replacing them with more secure and convenient passkeys. A rationale that has been also seen at other major tech players in efforts to reduce costs.
3. Consistent Logins Across Diverse App Ecosystem: Uber isn't just about rides. With apps catering to drivers, passengers, and even food delivery via Uber Eats, the company has a broad spectrum of services. A unified authentication system across these platforms ensures consistency and ease of use for the entire user base.

Uber passkeys FAQ page

Besides the aforementioned strategic aspects, also technological benefits make sense for Ubers passkey rollout, as described in the following:

1. Performance in Varied Network Conditions: Uber's global reach encompasses areas with diverse network conditions. Thats why Uber is dedicated to ensuring a smooth signup and login experience at any place in the world. Delivering SMS OTP or email OTP in areas with bad network coverage is not as smooth and reliable as using passkeys for authentication.

2. Passkeys Align with Ubers Unified Signup and Login (USL) Approach: The USL initiative was crafted to offer a consistent signup and login experience across all Uber apps. Key objectives of this framework include:

• Maximized Client Support: A web-based approach ensures support for any client that can open a web browser.
• Developer Velocity and Maintenance: Rapid changes to flows or screens can be rolled out almost instantly to all clients.
• Enhanced User Experience: USL eliminates the need for users to toggle between login and signup, offering a seamless experience.

Passkeys are just a perfect next development step, as they are backed by all three major device manufacturers (Apple, Google & Microsoft) ensuring maximum client support. Moreover, they can be integrated into the existing web-based login approach and also tremendously improve the login experience for any user.

3. Addressing Past Inconsistencies: USL aims to rectify past discrepancies in the signup and login experiences across different Uber apps, ensuring a seamless user experience. Passkeys as an open standard just go into the same direction.

Uber's belief in passkeys is also underlined by Ramsin Betyousef (Sr. Director of Engineering @ Uber): "At Uber, we ware relentless in our push to create magical experiences without compromising user safety. Passkeys simplify the user experience and promote accessibility, while enhancing the security that comes from reducing the dependency on traditional passwords. Ultimately this is a win-win for Uber and Uber's customers. We've seen great results from launching passkeys across our apps and encourage all users to adopt passkeys."

We took a look at how Uber implemented passkeys technically to help you follow best practices and avoid mistakes.

Uber stands out by making passkeys available on a wide range of devices, browsers, and operating systems. Unlike some companies that have only partially rolled out passkeys (e.g. PayPal), Uber's implementation covers both their regular app and Uber Eats app, with accounts shared between the two. This comprehensive coverage extends to web apps as well, enabling passkey logins on Windows, macOS, iOS, and Android, thereby facilitating cross-device logins.

We observed that synchronization when using Chrome on macOS and iOS as well as the native iOS app is seamless (Safari is not supported / crashed during our tests however - see below)

The Conditional UI in the web app when using Edge and Chrome on Android, Chrome on Windows 11, as well as in the iOS app work smooth, enhances the user experience, making the login process intuitive.

Conditional UI in Windows 11 + Chrome 119

Conditional UI in Native iOS App

Conditional UI in Android 13 and Chrome 119

A critical issue we noticed is the flawed implementation of the WebAuthn server setting for ExcludeCredentials on the native Android and iOS app. This flaw allows the creation of multiple passkeys from the same Android / iOS device, contrary to the intended purpose of preventing repeated passkey creation on a single device.

Multiple passkeys for the same Android device (SM-G991B)

Multiple passkeys for the same iOS device (iPhone XS)

Despite the advantages of Conditional UI in making passkey logins smoother, Uber's native Android app implements this feature in an unusal way, as you cannot choose the passkey from the Conditional UI and instead the last created passkey is always used by default (which results to error - see below). Moreover, you have to click on the passkeys icon next to the mobile number to trigger the process

The absence of Conditional UI on Windows 11 and Edge is also a missed opportunity to streamline the user experience.

Deleting a passkey in the Uber Android / iOS app led to subsequent login failures (even though another passkey for this device existed). The system appeared to attempt using the deleted passkey, requiring an SMS OTP login and the creation of a new passkey for future logins. This issue highlights a significant gap in the app's resilience to changes in passkey settings.

We found that Firefox on Android does not support passkeys, defaulting to SMS OTP instead. Additionally, creating a passkey on Safari and macOS / iOS was not possible, even though the same device worked with Chrome. This inconsistency across browsers can lead to user confusion and diminished trust in the passkey system.

Error message after trying to create a passkey on iOS 17.1 + Safari

Moreover, from reading the browser console logs, we noticed that Uber is one of the first companies we have seen so far that uses GraphQL instead of REST APIs for their passkey implementation.

In conclusion, Uber's move towards passkeys is a testament to its dedication to enhancing user experience, optimizing operational costs, and streamlining developer workflows. However, there is still some work to do for Uber to optimize their passkey experience. For product managers and developers, this is a prime example of how strategic decisions, backed by technical prowess, can drive innovation and growth in the digital age as well as on what to consider when implementing passkeys from a technical point of view.