Learn about Yahoo! JAPAN's approach to improving passkey adoption and user experience.
Yahoo! JAPAN is a part of LY Corporation, one of the largest media companies in Japan, providing services such as search, news, e-commerce, and e-mail. Over 55 million users are logged in to Yahoo! JAPAN services every month.
As they offer e-commerce and other money-related services, account security is the highest priority. To improve security, Yahoo! JAPAN has been shifting their users towards passwordless authentication since 2017. This included introducing SMS authentication, a password deactivation feature, and passkeys. This article covers the results Yahoo! JAPAN has achieved and their approach to improving the user experience and user adoption of passkeys.
Success with passwordless authentication
As a result of moving to passwordless authentication, the percentage of inquiries involving forgotten login IDs or passwords has decreased by 25% compared to the period when the number of such inquiries was at its highest. With the increase in the number of passwordless accounts, the rates of unauthorized access have declined as well.
Yahoo! JAPAN found that passkeys offer an exceptional user experience in both authentication speed and authentication success rate: passkeys have had a higher success rate than SMS authentication and a 2.6 times faster authentication time.
Since their introduction, passkey usage has grown tremendously. Today approximately 11% of all logins on Yahoo! JAPAN use passkeys, and on smartphone devices that number is 18%. This contributed to a significant decrease in costs related to SMS OTP authentication.
- 11% of all logins are with passkeys
- 18% of smartphone logins are with passkeys
- 2.6x faster authentication time
- 25% decrease in user inquiries
Approach to passkey registration on Yahoo! JAPAN
Yahoo! JAPAN offers two opportunities to create a passkey:
- Showing users a passkey registration prompt following a login or sign up.
- Registering a passkey in the passkey management settings.
The first method is designed to engage users who are not particularly interested in passkeys.
The post-login passkey registration prompt page will not always be displayed upon logging in. For the most part, it will only appear under the following conditions:
- The device being used does not have a usable passkey.
- No usable passkey is registered on the server for the device being used and the account is not logging in with a passkey. For example, the UA reported by the device being used is iOS, no passkey has been registered on the server through iOS, and no synchronized passkey has been registered through iOS, iPadOS, or macOS.
- The device being used supports passkeys.
- The passkey registration prompt page is not being displayed at the time.
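The conditions above can be read as a server-side decision function. The following is an added example, not Yahoo! JAPAN's code: the function names, the simplified User-Agent patterns, the credential records with `platform` and `synced` fields, and the `promptSuppressed` flag are assumptions.

```javascript
// Added example, not Yahoo! JAPAN's code. All names and the data model are assumptions.
// Platforms whose synced passkeys are shared with each other (from the iOS example above).
const SYNC_GROUPS = { iOS: 'apple', iPadOS: 'apple', macOS: 'apple', Android: 'android' };

// Simplified UA sniffing for illustration; production code needs a maintained parser.
function platformFromUA(ua) {
  if (/iPhone|iPod/.test(ua)) return 'iOS';
  if (/iPad/.test(ua)) return 'iPadOS';
  if (/Android/.test(ua)) return 'Android';
  if (/Windows NT/.test(ua)) return 'Windows';
  if (/Macintosh/.test(ua)) return 'macOS';
  return 'unknown';
}

// A credential stored on the server counts as usable on this device if it was
// registered through the same platform, or if it is a synced passkey registered
// through a platform in the same sync group.
function hasUsablePasskey(platform, credentials) {
  const group = SYNC_GROUPS[platform];
  return credentials.some((c) =>
    c.platform === platform ||
    (c.synced && group !== undefined && SYNC_GROUPS[c.platform] === group));
}

function shouldShowPasskeyPrompt(ctx) {
  const platform = platformFromUA(ctx.userAgent);
  if (platform === 'unknown') return false;
  if (ctx.loginMethod === 'passkey') return false;   // already logging in with a passkey
  if (!ctx.deviceSupportsPasskeys) return false;     // capability reported by the client
  if (ctx.promptSuppressed) return false;            // prompt must not be shown right now
  return !hasUsablePasskey(platform, ctx.credentials);
}

// Constructed sample input: an iPhone user who logged in by SMS.
const IPHONE_UA = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15';
const WINDOWS_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
function sampleContext(userAgent, credentials, overrides = {}) {
  return { userAgent, loginMethod: 'sms', deviceSupportsPasskeys: true,
           promptSuppressed: false, credentials, ...overrides };
}

// A synced passkey created on macOS already covers the iPhone: no prompt.
console.log(shouldShowPasskeyPrompt(sampleContext(IPHONE_UA, [{ platform: 'macOS', synced: true }])));
// A device-bound passkey on macOS does not: prompt.
console.log(shouldShowPasskeyPrompt(sampleContext(IPHONE_UA, [{ platform: 'macOS', synced: false }])));
```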
The second way to create a passkey is through the "Manage passkeys" screen in the account settings, and it's aimed at users with an interest in passkeys. Users can also learn about the benefits of passkeys via the newsletter and the Yahoo! JAPAN ID information page, and get to the "Manage passkeys" page from there.
Usage ratio of the passkey registration flows
Most users (97%) create a passkey from the passkey registration prompt page, with a breakdown of 91% via login and 6% via sign-up. The "Manage passkeys" page accounts for the remaining 3%.
- 91%: passkey registration prompt page via login
- 6%: passkey registration prompt page via sign-up
- 3%: Manage passkeys screen
These numbers suggest that the most appropriate time to offer users the option to create a passkey is immediately after logging in or signing up, when they are already in the right mindset for dealing with authentication methods.
Testing different passkey registration prompts
The passkey registration prompt is displayed to a large number of users after logging in, but the number of times it can appear to any individual user is limited to avoid annoying users.
Yahoo! JAPAN has conducted A/B tests to improve the click-through rate (CTR) of the registration button on that page, and this section outlines their results.
Initially, the passkey registration prompt page was titled "Log in safely with fingerprint or facial recognition authentication".
In their testing, the label was changed to match the features of the operating system of the device, as below:
- iOS and macOS: "Log in to Yahoo! JAPAN using Face ID or Touch ID"
- Windows: "Log in to Yahoo! JAPAN using Windows Hello"
- Android: "Log in to Yahoo! JAPAN using Biometrics"
The following screenshots from the iOS version of Yahoo! JAPAN show the control group UX (left) and the test group UX (right).
The screenshots have been translated to English for this blog post and show the control group (left) and the test group (right).
The following screenshots from the Windows version of Yahoo! JAPAN show the control group UX (left) and the test group UX (right), followed by the English translation.
They ran A/B tests over 6 days for the "Register" button CTR, with the following results:
OS | Control group → Test group | Difference |
---|---|---|
iOS | 63.56% → 65.85% | +2.29pt (statistically significant difference) |
macOS | 40.38% → 48.40% | +8.02pt (statistically significant difference) |
Windows | 25.60% → 40.95% | +15.35pt (statistically significant difference) |
Android | 52.06% → 51.40% | +0.66pt (no statistically significant difference) |
Naming the features available on each operating system in the page title, such as Face ID and Touch ID on iOS or Windows Hello on Windows, raised the CTR of the registration button.
Changing the label from "fingerprint or facial recognition authentication" to "biometric authentication" on Android did not produce a statistically significant result.
This is in line with the FIDO UX guidelines, which suggest associating passkeys with familiar experiences, and implies that using device-specific function names is more effective in motivating users to set up passwordless authentication, presumably because users are more familiar with them.
For more details on how to communicate passkeys to users, check out Google's user experience guidelines.
Transition from device-bound passkeys to synced passkeys
Device-bound passkeys pose challenges for user experience because they become unusable when users switch to a new device.
Yahoo! JAPAN has supported passkey authentication since 2019, before the introduction of synced passkeys. They started supporting synced passkeys for iOS, iPadOS, and macOS in September 2022, and for Android devices in March 2023.
When Yahoo! JAPAN looked up a group of users who used passkeys on Android both in 2019 and 2022, the ratio of users continuing to use passkeys was 38%. The remaining 62% of users logged in using other authentication methods such as SMS. (Yahoo! JAPAN first supported passkeys on Chrome on Android, so the study is limited to such devices. Additionally, users who stopped logging in to Yahoo! JAPAN during this period have been excluded from the total.)
Passkeys that can be synchronized across multiple devices are a good solution for this challenge. Unlike device-bound passkeys, even when a user gets a new device, passkey authentication continues to be available if they backed up their passkey with the passkey provider.
As of May 2023, among already registered passkey credentials, the registration rate of synced passkeys is at about 8%. Yahoo! JAPAN continues to strive for wider adoption of synced passkeys which will allow continuous passkey authentication and improve the login experience.
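A relying party can tell synced from device-bound passkeys by reading the backup eligibility (BE) and backup state (BS) bits in the WebAuthn authenticator data it receives at registration and login. The following added example, which is not Yahoo! JAPAN's code, parses that header; the function names, the classification labels and the sample bytes are constructed for illustration.

```javascript
// Added example; function names, labels and sample bytes are constructed.
// WebAuthn authenticator data layout: rpIdHash (32) | flags (1) | signCount (4) | ...
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthDataHeader(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential may be synced
    backedUp: (flags & FLAG.BS) !== 0,       // credential is currently backed up
    signCount: view.getUint32(33, false),    // big-endian counter
  };
}

function classifyPasskey(authData) {
  const h = parseAuthDataHeader(authData);
  // BS without BE is not a valid combination: reject it rather than guess.
  if (h.backedUp && !h.backupEligible) {
    throw new Error('invalid flags: BS set without BE');
  }
  if (!h.backupEligible) return 'device-bound';
  return h.backedUp ? 'synced (backed up)' : 'synced-capable (not yet backed up)';
}

// Constructed sample: zeroed rpIdHash, the given flags byte, signCount = 0.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  return bytes;
}

const base = FLAG.UP | FLAG.UV | FLAG.AT; // 0x45
console.log(classifyPasskey(sampleAuthData(base)));
console.log(classifyPasskey(sampleAuthData(base | FLAG.BE)));
console.log(classifyPasskey(sampleAuthData(base | FLAG.BE | FLAG.BS)));
```

Storing the result with each credential record lets the server count synced registrations and decide whether a passkey created on one device is usable on another.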
Conclusion
Yahoo! JAPAN has been steadily working on increasing their passkey user base and will continue to do so. As the results show, passkeys can offer an excellent user experience and business results.
As passkeys continue to evolve, new features will be introduced that further improve the user experience. Yahoo! JAPAN is committed to transitioning their users to passwordless authentication and plans to proactively follow up on new features, providing a cutting-edge authentication system offering both convenience and security.