Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security
There’s no doubt about it: The password era is ending. Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.
At Microsoft, we block 7,000 attacks on passwords per second—almost double from a year ago. At the same time, we’ve seen adversary-in-the-middle phishing attacks increase by 146% year over year.1 Fortunately, we’ve never had a better solution to these pervasive attacks: passkeys.
Passkeys not only offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN, but they also aren’t susceptible to the same kinds of attacks as passwords. Plus, passkeys eliminate forgotten passwords and one-time codes and reduce support calls.
In this blog, we’ll share how Microsoft approached this unique opportunity to bring passkeys to consumers.
Embracing the opportunity to improve sign-ins
In May 2024, Microsoft announced that you can sign in to your favorite consumer apps and services, such as Xbox, Microsoft 365, or Microsoft Copilot, using a passkey. Since passkeys are still a relatively new technology, as we began this journey, we asked ourselves: How are we going to convince more than a billion people to love passkeys as much as we do?
Somehow, we had to convince an incredibly large and diverse population to permanently change a familiar behavior—and be excited about it.
To make sure we got our passkey experience right, we adopted a simple methodology: Start small, experiment, then scale like crazy. The results have been encouraging:
- Signing in with a passkey is three times faster than using a traditional password and eight times faster than a password and traditional multifactor authentication.
- Users are three times more successful signing in with passkeys than with passwords (98% versus 32%).
- 99% of users who start the passkey registration flow complete it.
Step 1: Start small
Our first step was to build support for passkeys that could work across our apps. In May 2024, we added a simple option to the Microsoft account settings page to enroll a passkey:
We also added a new option to authenticate with a passkey on our sign-in page:
As thousands of people began enrolling and using passkeys every day, we learned a lot. For example, while the term “passkey” was sometimes unfamiliar, the phrase “face, fingerprint, or PIN” was generally well understood, so it was important to connect these two concepts in our user experience (UX).
Step 2: Experiment
With a good foundation in place, we began to experiment. We didn’t want passkeys to be “just another way to sign in.” We wanted them to be “the best way to sign in.”
To do this, we had to figure out when, where, and how to approach users to enroll a passkey. We developed a hypothesis that a passive approach (requiring users to visit their account settings on their own to enroll a passkey) would never yield the results we wanted, so we needed to proactively invite users to enroll a passkey.
When and where to nudge users
The most natural enrollment opportunity is when a user initially creates an account. But when and where would be the best time for existing users to create a passkey? Right after they sign in? During a password reset?
While we were cautious with any changes that might prevent our users from quickly accessing their accounts, we discovered that users were very enthusiastic about the invitation to enroll a passkey—even when they weren’t expecting it. About 25% of users who saw a nudge engaged with it—five times our pre-launch expectations. We also learned that the option to create a passkey where users manage their credentials accounted for fewer than 1% of total enrollments. These results confirmed our hypothesis.
Figure 3. Proactive nudges at key points in the UX proved more effective for getting users to enroll a passkey.
How best to nudge users
As we began to understand where and when to invite users to enroll passkeys, we also explored “how.” We ran multiple user studies and tested every pixel in our nudge screen to answer the question, “What would motivate a user to stop what they’re doing and enroll a passkey?”
First, we wanted to understand which value proposition would resonate most. Surprisingly, an easier sign in didn’t resonate with users as strongly as a faster or more secure sign in. Perhaps less surprising was discovering that security and speed resonated almost equally. Approximately 24% of users shown a message emphasizing security clicked through while approximately 27% of users shown messaging about speed clicked through.
Figure 4. Messaging about “better security” and “faster sign-in” enticed more users to enroll a passkey than “ease of use.”
If a user sees a nudge and chooses to enroll a passkey, great! But, if they see the nudge and decide that now isn’t the right time, we wanted to frame their decision in a positive way. The button text, “Skip for now,” respects that the user isn’t ready to enroll a passkey yet and lets them continue with what they were doing, but it also sets the expectation that we’re going to ask again. We’re implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don’t let them permanently opt out of passkey invitations. We want users to get comfortable with the idea that passkeys will be the new normal.
Figure 5. We don’t let users permanently opt out of passkey invitations, but we keep the messaging friendly.
The exciting results of our experiments are helping us craft the best experience possible for our users, and we’re continuing to evolve. We encourage you to run your own experiments as well. Your products and users are different from ours and you might discover different outcomes. However, if you’re looking for a good place to start, messaging about speed and security is probably a safe bet. We also encourage you to reference the fantastic research that the FIDO Alliance has done, along with the UX guidelines they’ve published.
Step 3: Scale
As our users began to enroll passkeys at scale, our sign-in experience needed to behave more intelligently to encourage passkey use. As we redesigned the experience, we followed these guiding principles:
- Secure: A great sign-in experience should prioritize security without sacrificing usability.
- Low cognitive load: A great sign-in experience should have low cognitive load. People don’t want to stare at a list of sign-in options to try to decide which one to use. They just want in, and we should make that easy for them.
- Evolving: A great sign-in experience should not only prioritize the best available method, but also continuously move users to more secure methods.
With these principles in mind, we came up with a completely reimagined sign-in experience. If the user has a passkey available, it’s always the preferred method. We don’t list all the different ways the user can sign in and ask them to choose one, we just show the passkey sign in user interface (UI) and that’s it. They are safely and quickly signed in.
Figure 6. The sign-in experience defaults to passkey if the user has one available.
If the user doesn’t have a passkey yet, we determine the next best available credential. Once the user successfully authenticates, we immediately invite them to enroll a passkey. If they do, then the next time they sign in, their passkey will be the best available credential and is set as the new default. Our initial launch of this new design saw a 10% drop in password use and a 987% increase in passkey use.
With data to support our design decisions, we’ve started setting defaults and introducing passkeys at a global scale:
- New users are invited to enroll a passkey when they create an account.
- Existing users are invited to enroll passkeys at key pivot points, such as after they sign in or during a password reset.
- Passkeys are set as the default sign-in option for users who have them.
Based on the current adoption rate, we project that hundreds of millions of new users will create and use passkeys over the coming months.
The passwordless journey
While enrolling passkeys is an important step, it’s just the beginning. Even if we get our more than one billion users to enroll and use passkeys, if a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.
In 2022, we made it possible for users to completely remove their password and sign in with alternative methods. Since then, millions of users have deleted their passwords and protected themselves against password-based attacks. Now with passkeys, we can truly replace passwords with something faster, safer, and easier to use. It’s an ambitious vision, but we firmly believe in a phishing-resistant future for all scenarios, including account recovery and bootstrapping.
Learning from our experience
Here are a few suggestions based on our learnings:
- Don’t be shy about inviting users to enroll passkeys. Our experiments show that people love passkeys and are ready for them. If they don’t enroll when you first ask, don’t assume their decision is permanent. Make sure to test a few variations of your designs and copy to determine what’s most effective. We found that messages around sign-in speed and improved security resonate strongly.
- Make it as easy as possible to enroll and use passkeys. People want quick and secure access to their accounts. They don’t want to think about signing in. Set defaults to prioritize the best available method when possible.
- Raise the floor. Passkeys are an important step on the path towards a more secure and seamless authentication future. Start planning ahead now to use only phishing-resistant credentials.
Finally, we believe that passkey adoption is a virtuous cycle, and transitioning the world away from passwords is bigger than any one company. As more relying parties prioritize passkey support, passkeys will first become recognized, then familiar, then expected—everywhere you sign in. As people become increasingly familiar with the usability and security benefits of passkeys, they’ll be more likely to enroll and use them on more sites. Together, we can convince billions and billions of users to enroll passkeys for trillions of accounts! We’re proud to be part of this collective effort and hope you will share learnings as well as you progress in your passkey journey.
Learn more
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
1Microsoft Digital Defense Report 2024.
READ MORE HERE