Analysis of sign-ups and logins with passkeys: Best practices from eBay
This article series aims to provide a systematic overview of the passkey process and user experience for different companies as they move towards a password-free world. While the goal is to improve user-friendly and secure authentication, each company has its own unique way of implementing passkeys.
- Passkey support on eBay since Q4 2022
- Passkeys available in common browsers for mobile and desktop
- Sign-up only possible with password or social login
- Initial login with password (if created at sign-up)
- Pop-up-window for passkey adoption at initial login (opt-in)
- Utilization of the familiar concept of biometric authentication (e.g., fingerprint or Face ID)
- Avoidance of the term “passkeys"
More and more companies from a wide range of industries are stepping into a password-free world and implement passkeys on common platforms and operating systems. Although they all share the same goal of killing user-unfriendly and insecure authentication with passwords once and for all, every company manages the integration of passkeys into their product differently. Through this series of articles, we aim to provide a comprehensive overview of the passkey process and user experience for various companies. Additionally, we will analyze potential patterns, similarities, and disparities among them, enabling you to enhance your product accordingly. In each article, we focus on a single company. Today, we dive into eBay.
- Status of the analysis is April 2023. Passkey features are subject to change by companies on an ongoing basis.
- The analysis was performed using an Apple iPhone 13 Pro (iOS 16.4.1), an Apple MacBook Pro 2021 (Ventura 13.3.1), and an Android Mi 10 (11 RKQ1.200826.002).
Analysis of the sign-up process
At eBay, passkeys are available on in common browsers for mobile and desktop since Q4 2022.
Sign-up on mobile
However, the registration of a new account on both the app and the website is currently only possible by password or social login.
There could be several reasons why the creation of a new account on eBay is only possible with a password or social login, even though they already offer passkeys. Here are some possible explanations:
- Familiarity and ease of use: Passwords and social logins are familiar to most people and are easy to use. Passkeys, on the other hand, are a relatively new technology and may not yet be as well-known or widely adopted. For this reason, eBay may first want to stick with the tried-and-true methods of passwords and social logins in order to not overwhelm them.
- User preference: It’s possible that eBay's figured out that its user simply prefer the use of passwords and social logins. If eBay were to switch to passkeys immediately, it's possible that some users may find the new system confusing or difficult to use, which could lead to frustration and a decline in user engagement.
- Caution with technological innovations: eBay has a vast user base that they do not want to risk alienating. Therefore, they may opt for a more cautious approach when implementing new technologies, such as passkeys, to ensure that their users do not experience any disruptions or difficulties.
In conclusion, while there may be several reasons why eBay has not yet made passkeys the primary authentication method, it is worth noting that eBay is still one of the first major companies to offer passkeys at all. As eBay has nearly 150 million existing users, we anticipate that the widespread adoption of passkeys by eBay will lead to an increase in demand for the technology across other online services as well. As these eBay users begin to recognize the benefits of passkeys, they are likely to expect and request the same authentication method when using other online services.
After clicking on “Create account”, it may happen that the user receives a confirmation email to the specified email address. This confirmation email contains a six-digit numerical, one-time passcode which is called security code at eBay. Sending a numerical code is a common practice among many online companies when registering a new account to verify the user's identity (e.g., confirm the entered email address, prevent automated account creation) and ensure the security of their account (e.g., additional layer of security, prevent unauthorized access).
Once the six digits have been entered correctly within the 15-minute time window in which the code is valid, the user is automatically redirected and prompted to enter further contact details. This step cannot be skipped, as this information is stored in the account and will likely be retrieved automatically in the course of placing an order.
Once this contact information is filled in completely, the user manually presses “Continue” and has thereby successfully created its account. If the user doesn’t receive the security code, the account is automatically created. This is confirmed by a welcome email in the inbox.
Sign-up on desktop
The registration process on the eBay website using a desktop is slightlydifferent. It appears to be more straightforward as there are fewer steps involved. Already after clicking on “Create account”, the registration is successfully completed, and the new user receives a welcome email.
Analysis of the login process
Since eBay offers passkeys in addition to the authentication methods that can be selected during the registration process, we identified that very first login differs from the subsequent ones. This depends on the (passkey) settings that the user can optionally make in the login process. We will highlight these settings in more detail at the point where they occur in the login process.
First, we look at the initial login which is identical on the mobile and desktop.
To access the account, the user must enter the email address with which the account was created. If a password was created for registration, then this will be requested afterwards.
Promotion of passkeys
After the user entered the password and clicked on “Sign in”, the home page of the account is not displayed directly, but instead a user message pops up that looks identical on the mobile and desktop.
It is important to note that this message will only appear if the device the user is logging in with is passkey-ready. This means that eBay analyzes in the background whether this is the case or not. An overview of which platforms and devices can already support passkeys can be found in our passkeys adoption table (updated on an ongoing basis). If you want to gain further insights about your users’ technical passkey readiness, integrate our free passkeys analyzer with only two lines of code.
With this user message, the user is made aware for the first time in the entire authentication process to use passkeys instead of passwords.
However, the term “passkeys” isn’t mentioned at all to neither overwhelm nor confuse users since passkeys as a new technology are still rather unknown. What should look familiar to most users instead is the image that is shown in the center. The image serves as a reference for biometric data (e.g., fingerprint or Face ID), which are used to unlock every modern device nowadays. It is no coincidence that this reference is used, because from the user's point of view, passkeys work the same way as unlocking a mobile or desktop. This is intended to give the user the feeling that this is a well-known and trustworthy technology.
The use of the question below
Tired of passwords?
is a clever way to introduce the concept of passkeys to eBay users who may not be familiar with the technology. By framing the question in this way, eBay highlights the inconvenience and security risks associated with traditional passwords, while also positioning their solution (passkeys) as an alternative that can solve the pain points of passwords. The reason eBay may avoid using the term "passkeys" in this message is that it may not be a widely recognized term among users. This message implies that product managers or other online services that intend to roll out passkeys for their users need to consider how they can effectively introduce the concept to their users. It is important to identify the pain points associated with traditional authentication methods and position passkeys as a convenient and secure alternative. By doing so, product managers can help users become more familiar with the technology and increase adoption rates.
In connection with this very simply phrased question, which is placed just as prominently as the image above it, it can also be discussed whether the user should not simply be encouraged to click on “Turn on” without much thought.
Regardless of which approach ultimately applies, eBay intentionally does not use the term “passkeys”. This also becomes clear when looking at the subtitle of the question.
Depending on your device, you can sign in with your fingerprint, face, or PIN.
By focussing on fingerprint, face, or PIN the offered solution (passkeys) may seem more approachable and less intimidating to users. This phrasing suggests that using biometric data or a PIN to log in is a common and accepted practice, rather than a new and potentially unfamiliar concept. By presenting the feature in this way, eBay may be attempting to reduce user anxiety or scepticism about the feature and increase adoption rates. Product managers or other online services that intend to roll out passkeys for their users may benefit from eBay's approach by using language that is clear and easy to understand. Using jargon or technical terms that users may not be familiar with can make the feature seem more complicated or intimidating than it actually is. This is all part of eBay's strategy to educate its users on the benefits of passkeys. As we described in a previous blog article, the key here is user communication. With simple and understandable wording and terminology, users are more likely to feel appealed and click “Turn on”.
Since the three different choices “Turn on”, “Maybe later”, and “Don’t ask me again” allow eBay users to decide for themselves if they want to use passkeys, this is an opt-in option. If users choose to activate passkeys, the passkey will be created via Face ID on the iPhone and via Touch ID on the MacBook.
This passkey, which is linked to the account, is then automatically stored in the Apple iCloud Keychain.
Compared to Apple devices, Android users also receive a confirmation email that the biometric data has been successfully set up.
As soon as the user logs in a second time and has previously created a passkey, he or she is no longer asked for the password, but can click directly on "Sign in".
This triggers the retrieval of the stored passkey from the Apple iCloud Keychain, which has to be confirmed with Face ID or Touch ID, depending on the Apple device.
If this matching of the biometric data was successful, the user is now logged into the account without ever having to remember a password again.
Comparison of the sign-up and login processes across different platforms and devices
Depending on the platform and device, the sign-up and login process may differ, or passkeys may not be universally supported. If that is the case for the company we are analyzing here, then you’ll find a brief comparison.
The only platform where passkeys are available on eBay is the website. The registration and login process on the website is almost identical between the different devices. The passkeys flow in terms of sequence and user communication also doesn't differ much either on these devices.
Overview of the variations
- iOS vs. Android (mobile):
Login: Android users receive a confirmation email that the biometric data for the use of passkeys has been successfully set up.
- Android (mobile) vs. MacOS (desktop):
Login: Android users receive a confirmation email that the biometric data for the use of passkeys has been successfully set up
eBay is one of the largest companies to have already rolled out passkeys for its users. Since the end of 2022, passkeys have been available on the website for all Apple, Android, and Windows devices on which passkeys are supported. Since most users probably don't know what passkeys are all about yet, they are slowly being introduced to the latest authentication technology. Therefore, the sign-up process still relies on traditional passwords and social logins. Only when logging in for the first time a pop-up window appears, behind which the passkeys are hidden. However, the term "passkeys" is intentionally not used in the wording of the user message, as it is probably still unknown to most users. Instead, the security and convenience problems of passwords are addressed subliminally and the subsequent authentication with known and familiar biometric data is suggested. In summary, it can be said that eBay is currently still taking a cautious approach to the intended adoption of passkeys. However, this may change quickly if adoption among users increases.
Enjoyed this read?
Stay up to date with the latest news, strategies and insights about passkeys sent straight to your inbox!