E-commerce Funnel Analysis: Why Amazon & Shopify win

Authentication Analytics Whitepaper:
Track passkey adoption & impact on revenue.

Get Whitepaper

When you buy something on Amazon, you don't really checkout. You click a button and the item arrives. There is no wall. There is no decision required.

For most other online stores, the checkout involves a series of active choices that create cognitive load: Guest or Account? PayPal or Credit Card? Manually enter details or go through a password reset?

This gap is a fundamental difference in strategy. While many teams focus on incremental improvements to squeeze out small immediate gains, the market leaders are dismantling the funnel as a whole. They understand the one truth that defines modern e-commerce: friction is the enemy.

They lead not only because they are large, but because they try to systematically remove every barrier between "I want this" and "I bought this." They have created a two separate effects: First their conversion rates outperform the market while secondly setting a new standard that makes traditional checkouts feel slow in comparison. The bar has moved. Why? Lets find out.

The structure of an e-commerce transaction has remained remarkably consistent for a decade. Whether you are buying sneakers, booking a flight or reserving a hotel room, the logic is the same. The user arrives, finds a product, adds it to their cart and then faces the funnel's critical test: the checkout.

This process is defined by a lot of factors, but today we'll focus on two invisible walls that stand between interest and purchase:

• Checkout Wall: The moment the user clicks "Begin Checkout" they are forced to make a choice. Do they continue as a guest, use an express provider or log in? This decision points to one of the largest sources of drop-off in the entire funnel.
• Payment Barrier: Even after clearing the first wall, manual entry remains the baseline of friction. Finding a credit card, typing 16 digits, checking the expiry date and entering the CVV is a high-effort task. Every additional second spent here increases the chance of abandonment.

The industry's answer has been to introduce conversion multipliers, payment options like PayPal, Apple Pay and Klarna that capture users who would otherwise leave. But simply adding third-party providers isn't enough in the long run. The real winners understand the psychology behind the three main paths to purchase.

For a first-time buyer, the path of least resistance is almost always guest checkout. Consider the typical scenario: a user searches for winter shoes, clicks an ad and lands on a shop they’ve never heard of. They like the product, but they have no intention of returning. They already have accounts at Amazon, Zalando and a dozen other retailers. They don't want another password. They just want the shoes.

From the merchant's perspective, forcing an account feels logical since they need the email and address anyway. But for the user, that password field represents a mountain of cognitive load. It means creating a secure password (that matches the custom password policy of the shop), typing it twice (probably with copy-past protection), and fearing the inevitable email verification loop. It triggers fatigue of yet another set of credentials, and the suspicion that this account will only serve as a vector for future marketing.

Convenience always wins. Established brands with loyal followings can afford to demand accounts, but for everyone else, the guest checkout is the safety valve. Smart shops understand that you can’t force a relationship on the first date; they focus on reducing friction first and worry about retention later.

Read also our detailed analysis on the guest checkout vs. forced login debate.

Subscribe to our Passkeys Substack for the latest news.

Subscribe

If guest checkout is the side road, express checkout is the highway. Providers like PayPal, Google Pay and Apple Pay have fundamentally changed user behavior by pre-filling the tedious parts of the form. Shipping addresses, payment details and contact info are injected with a single tap. The friction of data entry disappers.

Shopify recognized this shift early and built Shop.app, a neutral express checkout layer that sits on top of thousands of independent stores. It’s a brilliant strategic move: it gives small merchants the power of a network effect without forcing them to sacrifice their brand to a larger marketplace.

The best implementations are device-aware and optimize automatically. An iPhone user sees Apple Pay. An Android user sees Google Pay. This can be optimized further when this option appears on the product page itself, allowing the user to bypass the cart entirely like Amazon's One-Click purchase (which was actually patented by Amazon in the US for 20 years). This direct path to purchase is why express options consistently convert 20-40% better than standard flows. It's not just a button. It's a shortcut through the funnel. If a consumer knows the express checkout method and its convenience, they know they can be done in seconds.

In e-commerce, convenience is synonymous with speed. Every second saved and every decision removed translates directly to a completed sale.

The diagram below illustrates how these three checkout paths compare in terms of friction and conversion impact.

The third path is the most complex: the account. This is where the tension between security and usability is most acute.

The worst experience in e-commerce is the guessing game in the sake of security. A user enters their email and password and the system refuses to say if an account exists or if the password is wrong.

This ambiguity creates a frustrating loop. As companies age, more users forget they ever signed up. Merchants want them to log in to access loyalty perks and order history, but hiding the existence of an account (a practice born from security concerns about "account enumeration") often leads to abandonment. Research from the Baymard Institute shows that strict password rules can lead to up to 19% checkout abandonment, because users struggle to sign in or the password-reset process is too slow.

While banks must hide account existence to prevent targeted phishing, e-commerce operates under different incentives. The leading shops have realized that the conversion benefit of helping a user log in outweighs the theoretical risk.

The real threat today isn't someone guessing if an account exists (enumeration). It's attackers who already have the credentials from other breaches (credential stuffing) or phishing. The defense against this is intelligence. Leading platforms use bot protection (like Cloudflare) and risk-based MFA to block malicious login attempts at scale and preventing account enumeration, while still allowing them to explicitly tell legitimate users: "Welcome back, please log in."

How users log in is also changing. Social login (Google, Apple) is dominant in apps and growing on the web because it removes the friction of registration and in a lot of cases also verifiying the email adress. However, large brands often resist it to avoid dependency on Big Tech.

The default remains email and password, but it's a dying standard. Passwordless methods like OTPs and magic links are gaining ground, though they introduce their own friction since waiting for an email code disrupts the flow. Interestingly, established platforms often see high quick success rates with passwords simply because browser autofill has become so good and established customers have saved their password in the browser for a long period of time. Especially on Apple, extremely high saved password rates are quite common for well-built password implementations that allow saving and autofill.

But the industry is moving toward a new horizon where passwords don't exist at all. For a detailed breakdown of how 50 leading brands implement these methods, see our E-Commerce Authentication Benchmark.

Want to find out how many people use passkeys?

View Adoption Data

For web-first brands, the native app is the holy grail. It represents the ultimate relationship state where friction virtually disappears.

Getting a user to install an app is difficult since you can't interrupt a purchase to ask for a download. But once that app is on the home screen, the game changes. The strategy is simple but powerful: allow browsing without login, but enforce authentication only at the first checkout. Once they log in, they stay logged in. Forever.

Universal links seal the deal. When a user with the app installed clicks a link in an email or ad, they aren't taken to a mobile web page where they might need to log in again. They are deep-linked directly into the app, already authenticated, ready to buy.

The compounding benefit is huge. Personalization becomes immediate. The friction of sign-up and login disappers. And critically, you stop paying to re-acquire the same customer through paid channels. For app users, the Customer Acquisition Cost (CAC) drops closer to zero.

The problem with passwords is that they require memory. The problem with apps is that they require installation. The solution that bridges this gap is biometrics.

Mobile phones have already normalized this. Touch ID and Face ID are the standard for unlocking our lives. Consumers have voted with their thumbs: convenience beats privacy concerns every time. Outside of niche groups, the expectation is set.

Native apps capitalized on this immediately. But the web lagged behind, until now. Passkeys are bringing the "Face ID experience" to the browser. They replace "what you know" (a password) with "who you are" (biometrics), layered on top of the device's own security. According to the FIDO Alliance, 74% of consumers are now aware of passkeys and 69% have enabled at least one.

Critics point out that this locks users into Apple (iCloud) or Google ecosystems. This is true. But look at who is adopting them: Amazon, Stripe and PayPal. These are direct competitors to them, yet they are aggressively rolling out passkeys. See real passkey implementations from 18 major retailers. Why?

Because they know that friction is the enemy.

The underlying technology (WebAuthn) has existed for years, but adoption is driven by conversion, not standards. Amazon and PayPal aren't guessing. They are looking at the data. They see that a user who can log in with a glance is a user who buys.

Biometrics solve two problems at once:

1. No identifier to forget: You don't need to remember which email you used.
2. No password to forget: You are the password.

This creates a "one-click" reality. An enrolled PayPal customer knows that they are only one Face ID check away from a purchase. They will never type a credit card number again. Once a consumer experiences this level of flow, going back to a password feels like using a typewriter. The bar has moved and it’s not going back.

Amazon and Shopify represent two different approaches to winning in e-commerce, yet they share the same obsession with removing friction.

Amazon is the walled Garden. It is the end-game for established e-commerce. Its strategy is built on a hard account wall, you simply cannot buy without being part of the system (=logged in). But inside that wall, frictionless checkout is the norm. Payment methods are stored, addresses are saved and "Buy Now" is a literal One-Click action. Because of their native app distribution, most customers are permanently logged in. They don't need express checkout buttons because the entire Amazon experience is an express checkout.

Shopify is the Enabler. It solves a different problem: enabling independent shops to compete with Amazon's convenience. A merchant starting on Shopify today gets a funnel that is optimized out of the box. Shopify democratizes the tech stack:

• OS-optimized Checkout: Serving Apple Pay to iOS users and Google Pay to Android users automatically. Of cours in addition to Shop.app.
• Network Effects: Through Shop.app and Shop Pay, it recognizes users across thousands of different stores, carrying their credentials with them like a digital passport.
• Future-Proofing: Participating in technical initiatives like Google's FedCM to further reduce authentication friction without the merchant needing to understand the engineering behind it (you probably dont know what FedCM is, surprisingly Google & Shopify are very vocal in the development of the standard and Apple is blocking it).

Independent Challenge

This leaves a critical question: Is there long-term room for retailers who are neither Amazon nor on Shopify?

The answer is yes, but the technical stakes have risen. Large brands running on custom stacks or legacy platforms (e.g. Salesforce, Adobe, Magento) now face a difficult reality. They must build what Amazon and Shopify provide out of the box. They have to engineer their own express lanes, their own passkey integrations and their own identity graphs. The room exists, but only for those willing to treat checkout infrastructure as a core product, not just a utility.

The following diagram contrasts these two winning strategies side by side.

If the benefits of frictionless authentication and native apps are so clear, why isn't everyone adopting them? The answer lies in how we measure success.

E-commerce is a game of inches, measured in conversion rates. But conversion is a complex metric, influenced by everything from brand trust to shipping costs. In the chaos of data, teams often fall into a trap.

Most funnel optimizations are addictive because they provide instant gratification. Add a guest checkout option? See a lift in days. Add PayPal? See results in a week. These are "transaction-adjacent" changes. They happen right before the money changes hands, so their impact is easy to attribute.

Cart abandonment is the classic enemy here. Teams spend millions on email retargeting and exit-intent popups because the ROI is visible on a dashboard immediately.

Structural changes like migrating to passkeys or driving native app adoption are harder to justify in a quarterly review.

Scale is the first hurdle. You need volume to see a statistically significant lift from a new login method. Time is the second. Social login or passkey adoption doesn't happen overnight; it requires months of users slowly enrolling. Budgeting for this involves uncertainty. How many users will actually use this? is a hard question to answer when you haven't built it yet.

This creates Measurement Bias we manage what we can measure, and we ignore what we can't.

Corporations act rationally within their incentives. If a Product Manager is rewarded for this quarter's conversion lift, they will optimize the checkout button color, not the authentication architecture especially if he does not have deep information about how authentication can help improve conversion rate. They will focus on the measurable drop-off at the "Place Order" step or other immediate measurables.

Amazon and Shopify win because they ignore this bias. They optimize for the long game and have dedicated teams providing full observability into what improves conversion rates, even within smaller cohorts large enough to be statistically significant, and they have the tools to prove it. They understand that convenience compounds, and that today's friction is tomorrow's lost customer.

You can't fix what you can't see. We built Corbado as a passkey observability and adoption platform specifically for this purpose. We realized that authentication and e-commerce analytics were speaking different languages. Marketing teams watched Google Analytics; Engineering teams watched server logs. No one was watching the friction in between.

For large B2C enterprises with in-house identity teams, the challenge isn't just implementing passkeys; it's understanding them. You might have a custom IDP or a complex stack, but without granular observability, you are flying blind. You need to know more than just "did they sign up?" You need to know:

• Authentication Success Rates: How does passkey login speed and success actually compare to passwords or social login?
• Drop-off Details: How many users abandoned the biometric prompt? How often does autofill fail?
• Business Impact: What is the revenue difference between a logged-in user and a guest?

This is how Amazon and Shopify operate. They track every mouse movement, every field focus and every hesitation. They treat authentication not as a security gate, but as a conversion step.

The following video demonstrates how Corbado enables this approach: analyzing the login funnel with the same rigor as an e-commerce funnel, zooming in on every authentication decision point.

Corbado brings this level of insight to your existing stack. We don't replace your IDP or your current implementation. We add the observability layer that allows Product Managers to defend long-term projects with hard data, proving that a "technical" change like WebAuthn has a direct line to revenue.

The diagram below visualizes this observability gap between what marketing and engineering teams typically see.

The "Value Tree" is a mental model for understanding how these optimizations compound. It organizes interventions by their distance from the transaction.

These sit right before the purchase. They are easy to measure and A/B test with quick confidence.

• Payment Methods: Adding PayPal or Klarna can lift conversion by 5-15%. According to PayPal, 13% of shoppers abandon carts simply because their preferred payment method isn't available.
• Express Checkout: For the users who choose it, conversion jumps significantly. Shopify reports that Shop Pay increases conversion by up to 50% compared to guest checkout.
• Guest Checkout: Removing it is a conversion disaster. 24% of abandonment is driven directly by forced account creation.

As you can see, there is a myriad of numbers quoted by express-checkout providers and Shopify that naturally underline their own interests. While this doesn't mean they are incorrect, without actual proof or observability into which changes have which effect, it is difficult to steer the shopping strategy effectively.

This is where measurement gets tricky. Effects are mixed between immediate lift and long-term retention. In most high-volume funnels, only ~15% of users are already authenticated. These users pass through checkout with near-zero friction. The remaining ~85% face the login wall, where 35-60% drop off. This is why early authentication matters: at this high-commitment decision point, cognitive load must be minimal.

graph TD
    A[Product] --> B[Cart]
    B --> C{Auth Decision}
    
    C -->|"~15% Already Logged In"| D1[Checkout - No Friction]
    C -->|"~85% Not Logged In"| D2[Login / Signup]
    
    D2 -->|"35-60% Drop-off"| X[Abandoned]
    D2 -->|"40-65% Complete Auth"| D3[Checkout]
    
    D1 --> E[Payment]
    D3 --> E
    E --> F[Success]
    
    style C fill:#3b82f6,color:#fff
    style D2 fill:#f59e0b,color:#000
    style X fill:#ef4444,color:#fff
    style D1 fill:#22c55e,color:#fff

The compounding effect of fixing this "middle funnel" stage is massive. For a typical enterprise:

• A 10% improvement in authentication success doesn't just improve the login rate.

• It flows directly to the bottom line, often resulting in a 3-5% total revenue lift after full optimizations take effect.

• Social Login: Increases registration completion by 10-20%.

• Passkeys: Can cut failed logins in half. If 20 out of 100 users currently give up trying to log in (forgotten password, reset fatigue), passkeys can reduce that to 10. Fewer lost logins means more completed purchases. Requires months to measure as adoption grows, but the compounding effect on repeat buyers is massive.

• Autofill: The hidden benchmark. If you aren't better than browser autofill, you're adding friction.

These have the highest long-term leverage but are the hardest to attribute.

• Native App: Once installed, future CAC goes closer to zero.
• Brand Trust: Unmeasurable directly, but it's the only reason Amazon can force you to log in.
• Stored Payments: The "one-click" end state.

Individual optimizations don't add up. They multiply. Three separate 10% improvements don't give you a 30% lift. They yield a ~33% total improvement. Amazon wins because they have optimized every step. They stack multipliers on top of multipliers. This creates a conversion rate that competitors cannot match by just fixing one part of their funnel. The companies that solve the measurement problem gain a compounding advantage that widens every single year.

The Value Tree shows what to prioritize. The next section provides a concrete checklist for executing on the authentication layer.

Before optimizing authentication, you need to understand where friction exists. Most shops use Google Analytics or similar tools to track funnel drop-offs, but these lack the granularity to diagnose why users abandon at the authentication step. Start by establishing KPIs that split orders by checkout type (Guest, Account, Express), then break the authentication funnel into measurable steps.

The checklist below is designed for high-scale custom shops running on platforms like Salesforce, Adobe, or Magento. Items marked with 📊 require dedicated observability to measure effectiveness and should be instrumented before or during implementation.

These strategic choices have the highest impact on conversion and should be decided before any UX work begins.

The login experience is where most authentication friction lives. Optimize for speed and minimize user input.

This is where security and conversion directly conflict. The solution is layered defense.

Even when moving to passkeys, most shops keep passwords as fallback. If so, follow modern guidance.

Recovery is where funnels leak money. A frustrated user who can't reset their password will abandon.

You do not want universal MFA prompts in checkout. You want targeted step-up based on risk.

Authentication that breaks carts is worse than no authentication.

If you cannot measure it, you cannot optimize it. These are the metrics that matter.

Every decision involves a tradeoff. Here is how to navigate the spectrum for a high-scale shop.

Where a company lands on this spectrum is often driven by culture, location, local laws, and the strength of security and compliance teams. This is not to say compliance is unimportant, but risk appetite differs, and that must be respected. What matters is that the decision is conscious: if you sacrifice conversion for security, know how much you are sacrificing.

Friction is the enemy. Convenience is the key. Amazon, Shopify, and PayPal are winning because they work hard on all aspects: the obvious short-term benefits, but also engaging in long-term strategies that provide conversion rate improvements in the uture, thereby optimizing the choice between "easy" and "secure." They have moved the industry from the classic checkout to one-click checkouts with biometrics and durable logins.

The barriers are falling. We are moving toward a web where the checkout button is the only button you need to press. In a time where agentic checkout is something everybody is talking about, establishing a brand and direct contact with the customer is even more important. The war over who owns the customer account is in full swing.

When optimizing the e-commerce funnel, it is important to look at all components: the short-term and the long-term. While authentication and checkout have not changed for a decade and remained a very static process, going forward there are more options for convenience. As consumers start to learn the new, easier way, convenient authentication (whatever you choose) needs continuous optimization; once consumers get used to this way, legacy logins immediately stain the quality of the brand.

The bar has moved. It's time to catch up.