Japanese version of this article is available here.
Intro
Hi, I'm Yamato(@8ma10s) from the Money Forward ID development team.
It has been almost half a year since we released passkey support using Passkey autofill in Money Forward ID. Following the release of Passkey usage report vol.1 in May and Passkey usage report vol.2 in August of this year, we will summarize the passkey registration and usage reports as of November.
Changes made since Vol. 2
As of Vol. 2, the promotion page was only displayed to users who were using Money Forward ME and not to users who were trying to log in to the corporate product. Around the end of August, we started displaying the promotion page to the users of Money Forward Cloud products as well. By doing so, we were expecting the following:
- Simple increase in passkey registrations due to more users becoming eligible for promotion
- Increase in the number of passkeys registered and used from Windows, the primary OS used by users of corporate products.
Passkey Registration Status @ 2023 Nov.
Perhaps due to the fact that several months have passed since the promotion was launched and that the promotion has been expanded, the number of passkey registrations, which was around 56,000 in August, is now approaching 320,000.
The breakdown per OS is as follows
| Percentage of total (last time → this time) | |
|---|---|
| iOS | 65% -> 63% |
| Android | 18% -> 17% |
| macOS | 8% -> 10% |
| Windows | 5% -> 7% |
The slight increase in MacOS and Windows registrations may be due to the launch of passkey promotions for corporate product users.
Passkey Usage @ 2023 Nov.
| Percentage actually used for authentication (last time → this time) | |
|---|---|
| iOS | 15% -> 20% |
| Android | 22% -> 20% |
| macOS | 24% -> 26% |
| Windows | 16% -> 18% |
Compared to the previous survey, there has been an increase in usage. This could be due to the fact that users who registered their passkey in a promotion a few months ago had their login session expired and are now being asked to log in.
For reference, we have also produced usage rates by selecting only "passkeys that have been registered more than one month ago" and "passkeys that have been registered more than two months ago".
| OS | Usage rate of all passkeys | Usage rate of passkeys that have been registered more than 1 month ago | Usage rate of passkeys that have been registered more than 2 months ago |
|---|---|---|---|
| iOS | 20% | 25% | 32% |
| Android | 20% | 28% | 38% |
| macOS | 26% | 34% | 42% |
| Windows | 18% | 24% | 31% |
Thus, the hypothesis that passkeys that have been registered for only a short time are not used yet because they have not had a chance to log in seems to be correct.
Nevertheless, as can be seen from the above data, nearly 60% of passkeys are not used even after several months of registration. This could be because users are not aware that passkeys are available, or because the password manager has displayed options other than passkeys (e.g., passwords) as preferred candidates.
As we mentioned in my previous article, passkey login using Passkey autofill is based on the assumption that the OS or other password manager will encourage the use of passkeys, and that the password manager will actively encourage the use of passkeys. We hope that more password managers would behave this way.
Effectiveness of passkey promotion
As mentioned briefly in the previous article, the flow of the promotion page displayed at user login in Money Forward ID is as follows.
- explain the passkey and offer users the option to "register" or "skip".
- display a browser-native registration modal for users who press "Register". If registration fails, return to the screen in step 1.
As of November, about 50% of users selected "skip" in Step 1 above, unchanged from the previous month, and about 40% of users left in Step 2 as well. As a result, only about 30% of users whose promotional pages are registered successfully register.
Also, while Step 1 is unlikely to be OS-dependent, Step 2 will include OS- and browser-native registration modals, so the success rate is expected to be highly dependent on the UI of those modals. Therefore, we also provided the success rate for Step 2 by major operating systems and browsers.
| OS | Success rate of registration among users who selected "Register". |
|---|---|
| iOS, Safari | 40% |
| Android, Chrome | 64% |
| macOS, Safari | 58% |
| macOS, Chrome | 75% |
| Windows | 55% |
The significantly lower success rate on iOS compared to the others, and the markedly different success rates on Safari and Chrome on macOS, suggest that the UX around iCloud Keychain, which is common to all of these, may be affecting the success rate.
This is just one hypothesis, but in the case of the iPhone, if a user disables iCloud Keychain and tries to register a passkey, they will be sent to the Settings app for Keychain activation. If the user has intentionally disabled it, they will skip the passkey registration without enabling it. Even if Keychain was disabled unintentionally,some users will still skip it because of the hassle of changing the settings.
Unfortunately, it is impossible for us on the WebAuthn RP side to know the detailed reason why navigator.credentials.create fails or to detect users who have disabled the iCloud Keychain, so the above story is just a hypothesis. However, we believe that if it becomes possible to do so through an API or other means, we may be able to conduct a more detailed investigation and take countermeasures.
The low Windows registration success rate may be due to the UX of Windows Hello, or it may be due to the fact that many Windows users are using corporate products in the first place.
Comparison with other means of authentication
In the previous comparison, Passkey was the fourth largest authentication method behind passwords, Google Sign-in, and Sign in with Apple, but as of November, it has overtaken Sign in with Apple to take third place.
| Authentication method | % of total logins |
|---|---|
| password | 83% |
| Google Sign-in | 7% |
| passkey | 5% |
| Sign in with Apple | 3% |
| Others | 2% |
In addition, when limited to logins to products other than Money Forward ME (mainly corporate products), it has superseded Google Sign-in to become the second largest authentication method.
As noted in the section on "Passkey Usage," we have found that usage increases after a few months of registering a passkey. In the coming months, the percentage of users logging in with passkeys will further increase as more users log in with passkeys as their login sessions expire.
Final thoughts
The number of passkey registrations has increased due to promotions and other factors, and passkey has become the primary means of login for Money Forward IDs, but this is not enough to increase passkey usage in the future. Rather than having the service side promote the passkeys at the cost of user experience, if the OS and browser side actively encourage the registration and use of passkeys, we may be closer to a state where users are "using the passkeys before they know it."
Nevertheless, just by looking at the passkey registration and utilization rates for our own services, it is difficult to separate out whether "it's just us," or whether many WebAuthn RPs have passkey registration and usage issues and the WebAuthn API itself needs to be improved. We hope to see such figures from other companies' services that have implemented logins using passkey, so that there will be further discussion in this area.
