Finest practices for migrating customers to passkeys with Credential Supervisor

Posted by Niharika Arora (X and LinkedIn) – Senior Developer Relations Engineer and Vinisha Athwani – Technical Author (LinkedIn)

In a world the place digital safety is changing into more and more essential, passwords have change into a infamous weak hyperlink – they’re cumbersome, usually insecure, and a supply of frustration for customers and builders. However there’s excellent news: passkeys are gaining recognition as essentially the most user-friendly, phishing-resistant, and safe authentication mechanism accessible. For Android builders, the Credential Supervisor API helps you information your customers in direction of utilizing passkeys whereas making certain continued assist for conventional sign-in mechanisms, resembling passwords.

On this weblog, we talk about a few of the greatest practices it is best to comply with whereas encouraging customers to transition to passkeys.

Perceive authentication with passkeys

Earlier than diving into the suggestions for encouraging the transition to passkeys, right here’s an summary of the basics of authentication with passkeys:

• Passkeys: These are cryptographic credentials that substitute passwords. Passkeys are related to machine unlocking mechanisms, and are the beneficial technique of authentication for apps and websites.
• Credential Supervisor: A Jetpack API that gives a unified API interface for interacting with several types of authentication, together with passkeys, passwords, and federated sign-in mechanisms like Sign up with Google.

How do passkeys assist your customers?

There are a number of tangible advantages that customers expertise in apps that enable them to make use of passkeys to check in. The highlights of utilizing passkey for customers are as follows:

• Improved sign-in expertise: Customers get the identical UI whether or not they use passwords, passkeys or federated sign-in mechanisms like Sign up with Google.
• Diminished sign-in time: As an alternative of typing out passwords, customers use their telephone unlock mechanisms, resembling biometrics, leading to a easy sign-in expertise.
• Improved safety: Passkeys use public-key cryptography in order that knowledge breaches of service suppliers do not end in a compromise of passkey-protected accounts, and are based mostly on trade normal APIs and protocols to make sure they aren’t topic to phishing assaults. (Learn extra about syncing and safety right here).
• Unified expertise throughout gadgets: With the flexibility to sync passkeys throughout gadgets, customers profit from simplified authentication whatever the machine they’re utilizing.
• No friction on account of forgotten passwords!

Underscoring the improved expertise with passkeys, we heard from a number of outstanding apps. X noticed that login charges improved 2x after including passkeys to their authentication flows. KAYAK, a journey search engine, noticed that the typical time it takes their customers to enroll and check in lowered by 50% after they integrated passkeys into their authentication flows. Zoho, a complete cloud-based software program suite targeted on safety and seamless experiences, achieved 6x quicker logins by adopting passkeys of their OneAuth Android app.

What’s in it for you?

Whenever you migrate your app to make use of passkeys, you’ll be leveraging the Credential Supervisor API which is the beneficial normal for identification and authentication on Android.

Other than passkeys, the Credential Supervisor API helps conventional sign-in mechanisms, simplifying the event and upkeep of your authentication flows!

For all of those sign-in mechanisms, Credential Supervisor presents an built-in bottom-sheet UI, saving you growth efforts whereas providing customers a constant expertise.

When do you have to immediate customers to make use of passkeys?

Now that we’ve established the advantages of passkeys, let’s talk about how it is best to encourage your customers emigrate to passkeys.

The next are an inventory of UX flows in which you’ll promote passkeys:

• Person account registration: Introduce passkey creation prompts at key moments, resembling when your customers create their accounts:

Contextual Prompts throughout account creation
• Sign up: We advocate you encourage customers to immediate passkeys within the second after a consumer indicators in with an OTP, password, or other-sign in mechanisms.

Immediate passkey creation throughout sign-in
• Account restoration: The essential consumer journey (CUJ) for account restoration is one which traditionally presents friction to customers. Prompting customers to undertake passkeys throughout account restoration is a beneficial path. Customers who undertake passkeys expertise a well-known account restoration expertise as throughout sign-in.

Account Restoration move
• Password resets: That is the right second to immediate customers to create a passkey; after the frustration of a password reset, customers are sometimes extra receptive to the comfort and safety passkeys provide.

Create a passkey for quicker sign-in subsequent time

How do you have to encourage the transition to passkeys?

Encouraging customers to transition from passwords to passkeys requires a transparent technique. Just a few beneficial greatest practices are as follows:

• Clear worth proposition: Use easy, user-centric prompts to clarify the advantages of passkeys. Use messaging that highlights the advantages for customers. Emphasize the next advantages:
• Improved safety advantages, resembling security from phishing.
• No must sort out a password.
• Potential to make use of the identical passkey throughout gadgets/platforms.
• A constant authentication expertise.

Passkey immediate with clear worth proposition
• Present a seamless consumer expertise:
• Use the unified UI supplied by Credential Supervisor to point out all accessible sign-in choices, permitting the consumer to decide on their most popular technique with out having to recollect which one they used final.
• Use the official passkey icon to construct consumer familiarity and create a constant expertise.
• Be sure that customers can fall again to their conventional sign-in strategies or a restoration technique, resembling a username and password, if a passkey just isn’t accessible or if they’re utilizing a distinct machine.

• Present customers with readability about credentials inside your app’s Settings UI: Make sure that your customers perceive their authentications choices by displaying useful details about every passkey inside your app’s settings. To be taught extra about including credentials metadata, see the Credential Supervisor documentation.

Passkey Metadata on App’s Settings display

• Educate customers: Complement the messaging to undertake passkeys with in-app academic assets or hyperlinks that specify passkeys intimately.
• Progressive rollout: Think about a phased rollout to introduce passkeys to a subset of your consumer base to assemble suggestions and refine the consumer expertise earlier than a broader launch.

Developer Case Research

Actual-world developer experiences usually spotlight how small design selections—like when and the place to floor a passkey immediate—can considerably affect adoption and consumer belief. To see this in motion, let’s discover how prime apps have strategically surfaced passkey prompts at key moments of their apps to drive stronger adoption :

Uber

To speed up passkeys adoption, Uber is proactively selling passkeys in varied consumer journeys, alongside advertising methods.

Uber has shared : “90+% of passkey enrollments come from selling passkey creation at key moments contained in the app as in comparison with onboarding and authentication CUJs“, underscoring the effectiveness of their proactive technique.

Key learnings and techniques from their implementation:

• Provide passkeys with out disrupting the core consumer expertise: Uber added a brand new account checkup expertise of their account settings to focus on passkey advantages, leading to excessive passkey adoption charges.

Person Account checkup move

• Proactively deliver passkeys to customers: They discovered to not look forward to customers to find passkeys organically as a result of counting on natural adoption would have been slower regardless of noticed advantages like quicker sign-ins and elevated login success charges for passkey customers.
• Use further mediums to advertise passkeys: Uber can also be experimenting to advertise passkeys by electronic mail campaigns or banners on a consumer’s account display to focus on the brand new sign-in technique, making their subsequent sign-in simpler and safer.
• Respect your consumer’s selection: Recognizing that not all customers are prepared for passkeys, Uber carried out backoff logic in essential flows as check in, signup screens and, in some contexts, presents passkeys alongside different acquainted authentication strategies.

Right here’s what Uber has to say:

At Uber, we’ve seen customers who undertake passkeys take pleasure in a quicker, extra seamless, and safer login expertise. To assist extra customers profit from passkeys, we’ve added nudges to create a passkey at key moments within the consumer expertise: account settings, signup, and login. These proactive outreaches have considerably accelerated our passkey adoption. 

Ryan O’Laughlin

Senior Software program Engineer, Uber

Financial Instances

Financial Instances, a part of the Instances Web ecosystem, used a seamless consumer expertise as the first motivation for customers to transition to passkeys.

After introducing focused nudges, Financial Instances noticed ~10% enhancements in passkey creation completion fee inside the preliminary rollout interval.

Key learnings and techniques from their implementation:

• Strategic passkey era prompts: Initially, Financial Instances was aggressively prompting passkey creation in a number of consumer flows, however it was noticed that this method disrupted business-critical journeys resembling subscription purchases or unlocking premium options and was resulting in deserted carts.
• Refined method: Financial Instances made a deliberate resolution to take away passkey era prompts from delicate flows (such because the subscription checkout move) to prioritize fast motion completion.
• Focused prompts: They strategically maintained passkey era in areas the place consumer intent to sign-in or handle authentication is excessive, resembling preliminary sign-up flows, specific check in pages, or account administration sections.
• Constructive final result: This refined deployment resulted in improved passkey era numbers, indicating sturdy consumer adoption, with out compromising consumer expertise in essential enterprise flows.

Passkeys Administration Display screen

Conclusion

Integrating passkeys with Android’s Credential Supervisor is not nearly adopting new know-how; it is about constructing a essentially safer, handy, and pleasant expertise in your customers. By specializing in clever passkey introduction, you are not simply securing accounts–you are constructing belief and future-proofing your utility’s authentication technique.

To supply your customers the perfect, optimized and seamless expertise, comply with the UX tips whereas implementing passkeys authentication with Credential Supervisor. Take a look at the docs right now!