Amazon Passkeys: Response to Consumer Demand with Poor Implementation
Amazon introduces passkeys, signaling a shift in e-commerce authentication. While the move is great in general, its implementation can be improved.
Corbado is an AWS certified partner, and its Cognito integration has passed the Well-Architected Review Framework (WAFR)
Go to AWSAmazon, the e-commerce behemoth, has recently and silently joined the passkey bandwagon. Recognizing the increasing demand by consumers to enhance security and in particular user convenience, Amazon rolls out passkeys widely across most devices and browsers. This underlines Amazons commitment to bend to consumer demand. This move follows the trend among tech giants, with Apple, Google, and others like TikTok, OnlyFans and Uber leading the passkeys wave, while Amazon rather late joins the party.
Screenshot 1: Amazon Passkey Sign in
Read also our in-depth analysis on e-commerce funnels at Amazon.
- Relying Party ID fragmentation forces Amazon users to register separate passkeys per regional domain (e.g., amazon.com vs. amazon.de), creating a disjointed experience for international shoppers on the same device.
- Conditional UI (Passkey Autofill) is absent from Amazon's implementation, a feature competitors have already adopted, reducing sign-in seamlessness for returning users.
- Native app support is missing: Amazon's shopping app and Prime Video both lack passkey functionality, causing confusion when a passkey created via the web cannot be used in mobile apps.
- Redundant OTP prompts remain for users with 2-step verification enabled, despite passkeys being two-factor authentication by default, adding an unnecessary friction step.
- Amazon's passkey rollout across most devices and browsers mirrors moves by Apple, Google, TikTok and Uber, signaling broader e-commerce industry adoption momentum.
The Upside of Amazons Passkey Integration#
- Enhanced Security: Passkeys make users lives safer, mitigating phishing threats and eliminating the hassle of coming up and remembering passwords.
- Consumer Education: Given Amazon's vast user base, this rollout is set to familiarize a large segment of non-tech-savvy users with the benefits of passkeys. The ease of use might convince these users to demand passkeys from other online platforms as well.
- Industry Implications: The ripple effect of Amazon's move can potentially catalyze a widespread shift in the e-commerce and SaaS industry towards quick passkey adoption.
Screenshot 2: Amazon Passkey Overview & FAQ
Subscribe to our Passkeys Substack for the latest news.
Why Amazon messed up its Passkey Implementation#
- Relying Party ID Issues: Depending on a user's country that he has set, he may be redirected to different Amazon domains, requiring separate passkeys for each country / top-level domain. This is due to the security structure of passkeys, as each passkey needs to be registered for one Relying Party ID (e.g. amazon.com and amazon.de). In screenshot 3, you see that for one device (Windows 11 with Chrome) two passkeys were set up.
- Conditional UI Is Missing: By not implementing Conditional UI (Passkey Autofill), Amazon missed out on a critical feature that could have made passkey use even more seamless for users. The reasons behind are still unclear as other companies have implement Conditional UI already.
- Inferior Device Management: Current device detection and management for passkeys is clunky, possibly leading to user confusion, especially for those using browsers like Chrome on Mac, where a QR code was shown instead of explaining that a passkey is not available or just skipping passkeys (QR codes still being a major struggle for most consumers).
- No Native App Support: Surprisingly, native apps either for Amazon's shopping app or for Prime Video lack passkey support (see screenshot 4 and 5 below with the message that no passkey could be created) which could lead to user confusion if a passkey was created on this device via the web application.
- Redundant Verification Steps: If a user has set up 2-step verification, they still need to go through an additional one-time code verification, which is kind of an unnecessary steps as passkeys are 2FA by default.
Screenshot 3: Two Passkeys for Two Relying Party IDs on the Same Device (Windows 11 + Chrome 118)
Screenshot 4: Amazon Passkeys on Native Android App
Screenshot 5: Amazon Passkeys on Native iOS App
Looking Forward#
Amazon has room for improvement. Prioritizing updates like making native apps passkey-ready, introducing Conditional UI, and refining device management can considerably enhance user experience. Addressing the Relying Party ID issue would also be a step in the right direction but here best practices in the industry for multi-national services still need to be defined.
In conclusion, while Amazon's venture into passkey authentication is a significant milestone, it's evident that the journey to perfecting this feature is just beginning. Lets hope that Amazon takes the feedback on board and iterate a better passkey implementation soon.
About Corbado
Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →
Frequently Asked Questions#
Why does Amazon make me use a different passkey for each country's website?#
Amazon redirects users to regional domains (such as amazon.com or amazon.de) based on their country setting, and each passkey is cryptographically bound to a specific Relying Party ID. Because amazon.com and amazon.de are distinct Relying Party IDs, a separate passkey must be registered for each, meaning a single device can end up storing multiple Amazon passkeys.
What is Conditional UI and why should Amazon add it to its passkey flow?#
Conditional UI, also called Passkey Autofill, surfaces available passkeys directly in the username field so users can authenticate without navigating extra menus. Amazon has not implemented this feature despite other companies already doing so, making its passkey experience less intuitive than the current industry standard.
Can I sign into the Amazon shopping app or Prime Video with a passkey?#
No. As of this analysis, neither Amazon's native shopping app nor Prime Video supports passkey authentication. Users who create a passkey through Amazon's web application may encounter an error or unexpected behaviour when trying to sign in through the mobile apps.
Why am I still asked for a one-time code after signing into Amazon with a passkey?#
Amazon still triggers an OTP prompt for accounts that have 2-step verification enabled, even after a successful passkey authentication. This step is redundant because passkeys inherently satisfy two-factor authentication requirements by combining device possession with biometric or PIN verification.
Share this article
Related Articles
Table of Contents