Passkey Adoption at Authenticate 2025: 6 Case Studies

Every year, the Authenticate Conference brings together the industry leaders in digital identity. Hosted by the FIDO Alliance, the event is the only industry conference dedicated exclusively to passkey authentication and adjacent topics.

In 2025, one message was clearer than ever: most major companies now recognize that passkeys are the best way to authenticate users. From banks and marketplaces to mobility platforms and social apps, organizations have realized that passkeys not only keep users safe but also make strong business sense, by reducing costs from SMS one-time passwords and lowering support requests. The common goal across all these companies is to drive high adoption rates of passkeys, making secure, passwordless sign-ins the default experience for their users.

For those working in security, product leadership or identity, Authenticate offers deep-dive case studies, best-practice sessions, networking opportunities and hands-on masterclasses to help organizations move beyond passwords and build usable, end-to-end secure identity journeys.

This post is part of a broader blog series summarizing the key talks from Authenticate 2025, highlighting how global companies are implementing passkeys at scale and what others can learn from their rollout strategies. In this first article, you will gain insights into the following questions:

• What was the most effective strategy eBay used to drive high rates of passkey adoption on the web?

• What key strategic insight did Uber discover that was essential for achieving mass adoption of passkeys among its user base?

• How did Roblox and TikTok prove that a strong UX focus directly translates into higher adoption and fewer support issues?

As an important e-commerce player eBay also shared insights into their passkey journey and provided facts and figures regarding their adoption of passkeys.

eBay has observed significant success in integrating Passkeys on the web, primarily through an auto-triggered biometric verification prompt.

When users are automatically prompted for biometric verification (like a fingerprint or face scan) to set up a passkey, it leads to a massive 102% increase in the passkey adoption rate. This highlights the power of making the enrollment process simple and immediate.

The majority of new passkeys created on eBay's platform come from the automatic, in-flow experience:

• 75%: Auto-triggered biometric verification prompt. This is the primary driver, where eBay detects a supported device and prompts the user right away to create a Passkey.

• 15%: Passkey upgrade (Silent upgrade post sign-in). This refers to passkeys being created or upgraded in the background after a user successfully signs in, often without a dedicated, prominent prompt.

• 10%: Manual user enrollment post sign-in. This represents users who actively navigate to their account settings to choose to set up a passkey themselves.

These statistics reflect the overall progress and success of the passkey initiative:

• Overall Share of Registrations: Passkeys account for 24% of all new user registrations on the major web browsers, Chrome and Safari, which are among the first to fully support the technology.

• Adoption Rate Increase: There has been a 12% increase in the passkey adoption rate when comparing users on supported browser versions to a baseline group.

To optimize the Passkey experience and manage the system effectively, eBay emphasizes the importance of collecting essential registration metadata, data points about the passkey being created.

This technical information provides context about the passkey and the device used:

• Client Context: Details about the user's browser, operating system, and the environment they are using.

• Transports: How the passkey is stored (e.g., on a security key, or synchronized through a cloud service).

• Authenticator Flags: Indicators about the type of authenticator

• AAGUID (Authenticator Attestation GUID): A unique identifier for the type of the authenticator (e.g., a specific type of Yubikey or a Windows Hello implementation).

• Device Identifier: Information to uniquely recognize the device being used for the Passkey.

• Other Metadata: Additional contextual data to aid in analysis.

Collecting this metadata is crucial for:

• Better Hinting: It allows eBay to provide more helpful and accurate prompts to users during sign-in, making the experience smoother.

• Cloud Sync Visibility: It helps eBay understand if a passkey is synced across multiple devices via a cloud service (like Apple iCloud Keychain or Google Password Manager).

• Lifecycle Management: It aids in managing the passkey over time, such as knowing when a passkey might need to be revoked or re-enrolled.

• Security Insights: Provides valuable data for identifying potential security risks or understanding user behavior related to authentication.

• Improved UX: Ultimately, all the above leads to a more robust, secure, and hassle-free sign-in process for eBay customers.

Uber’s passkey implementation is a great example in prioritizing speed and security to enhance a core business, moving people and delivering goods quickly. They went beyond basic implementation to create a strategy focused on maximizing user enrollment and platform security.

Uber chose to be an early passkey adopter because the benefits directly addressed core operational and security needs:

• Fast, Easy Sign-In: For a company focused on immediacy, minimizing the time a user spends logging in is essential. Passkeys deliver this instantly, contributing to a 5x faster sign-in and 2x higher success rate compared to traditional passwords.

• Improved Security: Preventing account takeovers caused by phishing is vital for enhancing platform safety and building user trust. Passkeys are phishing-resistant by design.

• Reduced SMS Cost: A welcome benefit was the ability to become less reliant on costly SMS for sending one-time codes to legitimate users, allowing the company to reserve that channel for more aggressive defense against serious fraud.

Uber launched passkeys successfully across all platforms: Android, iOS apps, and the web, maintaining a steady daily enrollment rate right from the start.

To move passkeys from a niche feature to a platform-wide standard, Uber focused on three strategic pillars: Usability, Adoption, and Security.

The goal here was to ensure that users who had created a passkey were actually using it.

• The strategy emphasized creating consistent and obvious login entry points to make the process effortless.

• The guiding principle was: "Don't make users think about how passkeys work."

This focused on continuous growth of the user base by making enrollment highly accessible.

Uber strategically chose to bring passkeys to the user in relevant contexts rather than expecting organic discovery. Metrics tracked included daily enrollments and registration success rates.

The final pillar focused on leveraging passkeys to create a more secure ecosystem.

• After a user added a passkey, Uber would take away weak login paths to force better protection.

• This also enabled a strategic shift in risk management: from merely counting factors (like 2FA) to choosing the strongest factors available (the passkey).

Uber discovered that integrating passkey enrollment into the immediate user journey was the most effective strategy for mass adoption.

Uber ran experiments to test if the short-term friction of enrollment would create a long-term net positive experience. They began by targeting users who had just experienced login frustration, such as those who clicked "forgot password," then expanded the prompt.

• The Key Learning: Over 90% of all enrollments came directly from these timely, in-line nudges at the login and signup stages.

• Challenges: Conversion rates for the new enrollment screens varied greatly by device, app, and location, ranging widely from 10% to 50%. This taught them that the success of a new screen is highly sensitive to the user's specific context.

Before aggressively pushing passkeys at login, Uber used Account Settings as a testing ground.

• This location provided a low risk of interrupting the core user experience (ordering a ride) because users were already in an "account maintenance mindset."

• While this context yielded a high conversion rate, it provided a low volume of users.

• The success here gave the team the confidence needed to expand these "upsell" prompts to the higher-volume login and signup flows, ultimately driving mass adoption.

Example Nudge: The Uber Account Checkup feature prompts users with a message like, "You have recommended account actions to improve your Uber experience and enhance your account security. Create a passkey for an easier, faster, and more secure sign in."

For years, companies hesitated to go passwordless because they assumed users wouldn’t “get” passkeys. VicRoads’ rollout shows the opposite: when you meet people where they already are, on devices they unlock constantly with biometrics, adoption follows. The constraint isn’t user cognition. It’s whether your rollout is staged, instrumented and relentlessly UX-driven.

Myth-busting KPIs

• People already authenticate with biometrics ~80 times per day on their phones, so the gesture you need for passkeys is deeply habitual rather than novel.

• In modern markets, device readiness exceeds 95%, meaning the vast majority of your base can use passkeys today without new hardware or apps.

• Non-technical users frequently become the strongest advocates once they try passkeys, because the experience is quicker and less error-prone than password + OTP flows.

1. Integrate passkeys and test for mass adoption: Start by assessing your device, app and MFA landscape so you know exactly who is eligible on day one. Design end-to-end flows that minimize choice and make passkeys the obvious path. Integrate telemetry into your enterprise stack so risk, analytics and support see the same truth; and validate every combination of OS, browser, and authenticator you expect in production.

2. Run a staged pilot with risk-free fallbacks: Roll out by OS (latest first) to capture the cleanest UX and the highest readiness cohorts; keep safe fallbacks available during the pilot to de-risk edge cases; and track creation, usage, and error rates by OS and browser so you can fix issues before widening exposure.

3. Engineer explicitly for adoption, not just availability: A/B-test copy and UI prompts to find language that removes doubt at the decision moment. Encourage users to add extra passkeys when they switch or add devices so you don’t lose coverage and enable identifier-first plus one-tap login so the default path is fast and recognizable.

4. Launch in native apps (iOS and Android) with parity: Mirror the successful web flow inside your apps and re-use existing passkeys so users don’t have to re-enroll. Match passkey prompts to your app’s established patterns to preserve trust and keep each decision anchored to adoption impact rather than theoretical “best practices.”

5. Enforce and mandate once the signals are green: Track passkey-readiness at the user or segment level to know who can be moved. Escalate to stronger prompts when a segment chronically ignores the upgrade, announce a clear timeline for retiring passwords and proactively explain benefits to late adopters to reduce pushback and support load.

Following this staged plan, VicRoads saw adoption and reliability climb as friction was engineered out of the journey and weak paths were gradually deprecated.

• Amount of all logins using passkeys (40–70%) grew with each expansion wave: early cohorts on the latest OS versions hit the upper bound quickly, while legacy browsers settled nearer the lower bound until UI prompt and default-path tweaks closed the gap.

• Mobile activation rate (70–90%) benefited directly from identifier-first and one-tap flows, where native biometrics made enrollment feel like “just unlocking my phone,” pushing iOS/Android cohorts toward the high end.

• Speed (4–6x faster logins) came from removing login + password median sign-ins collapsed to a few seconds, which reduced abandonment.

• Support load (20–30% fewer password/MFA resets) fell as users stopped bouncing between codes, lockouts and recovery emails. Fallbacks remained for true recovery, not as a parallel primary path.

• Scale (+2M passkeys created) accrued through reuse across web and apps plus timely prompts to add an extra passkey on new devices, which preserved coverage during device churn.

• Reliability (~95% fewer errors via Passkey Intelligence)

Roblox faces a unique mix: half of daily users are under 13 (prone to weak, reused passwords) while creator accounts can hold assets worth millions - prime phishing targets. Password resets dominated support, recoveries failed, and churn followed. Roblox’s move was simple but decisive: put passkeys in signup, keep a gentle fallback, then engineer away password habits.

KPIs of Passkeys at Roblox at a glance

• 70% of Customer Support volume was tied to “account ownership”

• 12% of users in the new sign-up flow added a passkey

• 85% of all passkey adds came from sign-up (not later nudges)

• 15% reduction in account takeovers was achieved after adoption of passkeys

• 50% of mobile users had saved passwords (enabling conditional passkey creation)

Rather than teaching a new concept, Roblox preserved the signup rhythm users already know and inserted a native passkey step. Keeping a straightforward fallback prevented drop-offs while impact was measured. That alone yielded a 12% opt-in rate.

As more users switched to passkeys, the platform saw a small but meaningful retention gain and a 15% drop in account takeovers. The mechanism is intuitive: faster, fewer-step sign-ins reduce early friction and recovery failures. Phishing-resistant credentials cut the attack surface that drives “account ownership” tickets.

Old habits still surfaced. Even with an OS passkey dialog at login, 21% of users who had a passkey reached for the password box out of muscle memory. Roblox treated this as a UI/defaults problem, not a user-education problem: make the passkey path visually primary and progressively gate the password path so the safest route is also the easiest.

To sweep the long tail, the team leaned on what users already had. About half of mobile users stored a saved password, so Roblox conditionally created passkeys from saved passwords at trusted, successful logins. This removes the perception of “setup work,” converts in the background (or with one native prompt), and steadily shrinks the population that reverts to passwords.

TikTok treated passkeys as a core product change: start on iOS where readiness is highest, make creation feel native, default sign-in to the safest path, and then evolve toward reversible passwordless accounts. The payoff shows up immediately in speed, reliability, and lower reliance on SMS.

• +90% sign-in success with passkeys

• 20x faster than phone/email login

• 1.9 s median sign-in; ~6× faster than other social logins

• 3% reduction in SMS OTP logins

• 99% of passkey creations driven by a profile-popup upsell (with a secondary entry in Settings)

TikTok’s creation strategy was simple: a profile upsell that triggers the native iOS passkey prompt (plus a “Create passkey” option alongside the password entry in Settings). With a passkey on file, the app auto-starts identifierless passkey sign-in on the login screen turning login into a single biometric gesture.

They then shortened sign-up for eligible iOS 16+ users by placing a passkey-first option before password signup, collapsing the flow from seven steps to four and introducing passwordless accounts. To support scale and device churn, they added a management page to view, add, and delete passkeys. Users can also remove their password after creating a passkey and re-add it later if they choose.

• Q3 2023 - iOS first & workforce enablement. TikTok launched passkey support on iOS for consumers and introduced enterprise SSO with passkeys so employees could authenticate with the same phishing-resistant flow.

• Q1 2024 - Platform coverage. Passkeys rolled out on Android, bringing mobile parity and expanding the eligible base for passkey creation and sign-in.

• Q2 2024 - Passkey-first signup & enterprise pilot. TikTok experimented with passkey-first signup (i.e., creating accounts without setting a password) and ran an Enterprise Webshell passkey auth pilot to bring the same model to internal tools.

• Q1 2025 - Auto-upgrade & internal adoption. On iOS, TikTok enabled password→passkey auto-upgrade, converting existing accounts during trusted logins; internally, ~50% of employees were using passkeys, and a Signal API integration was completed to support the broader authentication stack.

• Q3 2025 - Full lifecycle & web. TikTok shipped passkey management, passwordless account controls (remove/re-add password), and expanded passkey sign-in on web, rounding out cross-platform coverage.

DocuSign framed passkeys as the fastest route to “default secure” sign-ins and then built toward a reversible, recovery-safe passwordless state. The results point to both near-term ROI and a clear endgame.

Key numbers

• 95% of users are open to use passkey login

• 11M+ passkeys/security keys created since launch

• 13k/day new creations; 130k/week active usage

• 99% passkey sign-in success rate.

• 20x faster vs. phone/email logins; 1.9s median sign-in and 6x faster than other social logins.

• 3% reduction in SMS OTP logins (early displacement of phishable fallback).

• 4.76% additional growth potential identified, headroom to lift adoption further from today’s baseline.

How they got there: DocuSign moved users along a maturity curve rather than flipping a switch. They started with passwords & SSO (enterprise SSO, 2FA as table stakes), then introduced security keys & biometrics to harden high-risk cohorts.

With passkeys and cross-device support, login became passwordless for eligible users and the team actively drove creation and usage with product nudges. The target state is True Passwordless: passkey as the default sign-in, recovery paths that don’t regress to phishable factors, and pragmatic additions like magic link for edge cases. This sequencing explains the metrics: creation at scale (11M+), very high reliability (~99%), and meaningful speed wins (1.9s median), all while beginning to taper SMS OTP.

The same approach powered DocuSign’s ID Wallet flows. By registering passkeys directly in the wallet context and making reuse effortless, they see ~11k successful wallet registrations per month and ~15k wallet reuses per month, saving an estimated ~158 hours of user time in the measured period (about 7 days of aggregate time recaptured). Faster, fail-safe reuse compounds the platform effect: fewer recovery tickets, smoother repeat transactions and higher trust in digital identity operations.

The most successful rollouts shared one common pattern: passkey creation was embedded directly into the natural flow of the product. Uber, eBay, and TikTok all saw that when users are prompted to create a passkey during login, signup, or after password recovery, adoption skyrockets. These in-line, context-aware nudges work because they meet users at moments of intent, right when they need to authenticate, rather than expecting them to explore settings or account menus. By treating passkey enrollment as part of the normal journey rather than a separate feature, companies were able to achieve double- or even triple-digit growth in adoption rates within weeks of rollout.

Across every case study, simplicity consistently outperformed explanation. When passkey setup “just happens” through a native biometric prompt or identifier-first flow, users adopt without hesitation. eBay’s auto-triggered biometric prompt doubled adoption; TikTok’s passkey-first signup and single-gesture login cut authentication time to under two seconds. Similarly, VicRoads’ one-tap flows reframed enrollment as a natural action, “just unlocking my phone.” These examples prove that UX, not user education, is the decisive factor for mass adoption.

Organizations that achieved scale didn’t go all-in overnight. VicRoads, TikTok, and DocuSign demonstrated that progressive rollout, introducing passkeys first to the most ready cohorts, builds confidence and reliability over time. Early phases focused on users with compatible OS and browser versions, allowing teams to validate telemetry, measure errors, and fine-tune messaging before broad expansion. Maintaining temporary password or OTP fallbacks also helped prevent user lockouts and reduced support load. Once adoption stabilized, weaker paths gradually phased out. This staged, data-driven approach turned potential rollout risk into predictable success.

In this article, we covered the most important passkey rollout case studies of the Authenticate 2025 in order to understand the industry standards and analyze how the future of passkeys might look like in the upcoming years. We also covered some of the most important questions regarding the topic:

• What was the most effective strategy eBay used to drive high rates of passkey adoption on the web? Automatically prompting users for biometric verification to set up a passkey upon login resulted in a massive 102% increase in the passkey adoption rate.

• What key strategic insight did Uber discover was essential for achieving mass adoption of passkeys among its user base? Over 90% of all passkey enrollments came from timely, in-line nudges integrated directly into the login and signup stages of the user journey.

• How did Roblox and TikTok prove that a strong UX focus directly translates into higher adoption and fewer support issues? When passkeys are built around intuitive UX, like in-flow prompts, identifier-first logins, and native biometric dialogs, adoption rises sharply while support requests and recovery issues decline