Why PayPal's global Passkey Rollout makes sense: September 2023 Update & Insights into Passkey-Readiness

This article is about the analysis of passkey-readiness and how things have changed from 2022 to 2023. Detailed real-life data that has been gathered over the past 12 months is analyzed. Findings regarding the type of passkeys (synced vs. non-synced), specific operating system and browser combinations are discussed, as well as three sample projects.

TL;DR

  • Analysis of three projects using Corbado's Passkeys Analyzer.
  • Data from various industries showing WebAuthn, platform authenticator and Conditional UI adoption.
  • More than 99% of devices now support WebAuthn and the majority is also passkey-ready (platform authenticator support).
  • Almost all mobile devices use synced passkeys, while most desktop devices (especially Windows) still rely on non-synced passkeys (this also explains to a great extent why PayPal has aligned its rollout strategy accordingly).
  • Strong adoption of these new standards, which has accelerated tremendously since 2022, especially for Conditional UI.
  • Passkey support depends a lot on operating system and browser combinations.

Overview

1. Introduction

2. Synced and Non-Synced Passkeys

      2.1 Mobile (iOS, Android)

      2.2 Desktop (macOS, Windows)

      2.3 Detailed Operating System / Browser Combination Analysis

3. Definitions

      3.1 WebAuthn: Revolutionizing Authentication with Passwordless Standards

      3.2 Platform Authenticators: A Key Component in WebAuthn

      3.3 Understanding Conditional UI in Authentication Processes

4. Analysis of WebAuthn, platform authenticator and Conditional UI support

      4.1 Operating Systems and Browsers

      4.2 Projects

5. Conclusion

1. Introduction

This article delves into the web standard WebAuthn, platform authenticators and the role of Conditional UI in enhancing user authentication processes. It provides a comprehensive analysis of different operating system / browser combinations as well as three distinct projects that implemented the free Passkeys Analyzer. The tool offers valuable insights into the device capabilities of website visitors, thereby evaluating the readiness for WebAuthn, platform authenticators and Conditional UI. The article underscores the importance of these advancements in fortifying online security and streamlining authentication processes. It also highlights the significant strides made in technology adoption, with nearly all devices now supporting WebAuthn, paving the way for passkey rollouts.

Before looking into the specific operating system / browser combinations and projects we used for the analysis, here is an overview of the kinds of passkeys that we collected in our developer panel (synced in a cloud account vs. non-synced). This analysis is based on anonymized data from our solution. Differentiation by device, operating system, and browser is based on HTTP user agents. The results follow:

2. Synced and Non-Synced Passkeys

A synced passkey (also called multi-device passkey) is a passkey that is synced across different devices within a platform account (e.g. Apple iCloud Keychain or Google Password Manager) or password manager.

Comparing mobile and desktop devices, the following split is detectable:

2.1 Mobile (iOS, Android):

Mobile Synced vs. Non-Synced Passkeys

2.2 Desktop (macOS, Windows):

Desktop Synced vs. Non-Synced Passkeys

2.3 Detailed Operating System / Browser Combination Analysis:

Combinations with little occurrence are neglected.

Detailed Operating System / Browser Combination Analysis

1. Description: Whether a passkey is synced or non-synced depends on factors such as device, operating system and browser. Some combinations show a very high percentage of synced passkeys (e.g. on mobile devices), while others are rather low. On mobile devices, only the combination of Android / Firefox has not yet employed synced passkeys. On desktop, Windows devices in general have a low synced passkey ratio, and macOS devices have a low synced passkey ratio only with Chrome.

2. Interpretation: Passkeys and the kind of passkeys depend a lot on the user’s technical setup (device, operating system, browser). All aspects need to be taken into account. In general, mobile devices have a very high synced passkey ratio, while desktop devices have a rather low one. Windows has not yet started to roll out synced passkeys (the small percentage of synced passkeys comes from password managers), and Chrome on macOS doesn’t sync passkeys yet either.

3. Implications: If you want to provide the best UX, you should use synced passkeys as often as possible, because recovery mechanisms are far better than with non-synced passkeys. Their high synced passkey ratio therefore makes mobile devices perfect for a first passkey rollout wave. To provide a similar UX for desktop devices, you should start with macOS and Safari, as this is currently the only operating system and browser combination that has strong synced passkey support. Windows has announced that they will make synced passkeys widely available with one of their next major updates, so it’s just a matter of time until a higher percentage is reached here. For macOS and Chrome combinations, too, synced passkey functionality is expected to be available soon.
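
How a relying party can tell the two kinds apart, as an added example that is not from the original article or from Corbado's code: the authenticator data returned with every WebAuthn response carries a backup-eligible (BE) and a backup-state (BS) flag, defined in WebAuthn Level 3. The function names and the sample byte arrays are constructed for illustration, and the article does not state that its own split was computed this way.

```javascript
// Added example. Flag bits of the authenticator data "flags" byte (offset 32),
// as defined in WebAuthn Level 3.
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) {
    throw new RangeError('authenticator data must be at least 37 bytes');
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential is allowed to be synced
    backedUp: (flags & FLAG.BS) !== 0, // credential is currently synced
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical helper that maps the flags to the article's terminology.
function classifyPasskey(authData) {
  const { backupEligible, backedUp } = parseAuthenticatorData(authData);
  // BS without BE is not a valid combination; reject it instead of guessing.
  if (backedUp && !backupEligible) {
    throw new Error('invalid flags: BS set while BE is clear');
  }
  if (!backupEligible) return 'non-synced'; // device-bound credential
  return backedUp ? 'synced' : 'sync-eligible-not-backed-up';
}

// Share of synced passkeys in percent, the figure the charts in this section plot.
function syncedShare(authDataList) {
  if (authDataList.length === 0) return 0;
  const synced = authDataList.filter((a) => classifyPasskey(a) === 'synced').length;
  return Math.round((100 * synced) / authDataList.length);
}

// Constructed sample input: 37-byte authenticator data with an all-zero rpIdHash.
function makeAuthData(flags, signCount = 0) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const SAMPLES = [
  makeAuthData(0x1d), // UP|UV|BE|BS: synced passkey
  makeAuthData(0x1d),
  makeAuthData(0x05, 258), // UP|UV only: device-bound passkey with a counter
  makeAuthData(0x0d), // UP|UV|BE: may sync, but is not backed up right now
];

console.log(SAMPLES.map(classifyPasskey), syncedShare(SAMPLES) + '% synced');
```

Because the flags arrive with every registration and authentication, a server can record them per credential and notice when a passkey that was eligible but not backed up later becomes synced.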

3. Definitions

3.1 WebAuthn: Revolutionizing Authentication with Passwordless Standards

WebAuthn (Web Authentication) is a web standard established by the World Wide Web Consortium (W3C) and the FIDO Alliance for secure, passwordless authentication. It works through an API that enables servers to authenticate users via public key cryptography, instead of traditional passwords.

Authenticators, such as smartphones or hardware security keys, are used to create a pair of cryptographic keys - a private key securely stored on the user's device, and a public key sent to the server. Upon authentication, the server sends a challenge to the device, the authenticator signs it with the private key, and the server verifies the signed challenge using the public key.

This method significantly enhances online security, thwarting phishing, man-in-the-middle, and replay attacks by binding authentication to the original website and keeping the private key on the user's device.

3.2 Platform Authenticators: A Key Component in WebAuthn

Platform authenticators are a type of authenticator in the WebAuthn standard that is built into the user's device and used to securely verify the user's identity. These built-in authenticators can range from biometric verifiers like fingerprint readers or facial recognition systems to device-based PINs. By leveraging WebAuthn, platform authentication allows for a passwordless experience. It works by having the device's authenticator generate cryptographic proof of the user's identity, which is then validated by the server. This proof replaces or augments the need for a traditional password, making the authentication process more secure and user-friendly. The reliance on WebAuthn ensures that this process is universally applicable and interoperable across various platforms and devices.

3.3 Understanding Conditional UI in Authentication Processes

Though not a requirement in the use of passkeys, the implementation of Conditional UI (often also called “passkey autofill”) significantly enhances the user experience during authentication. In systems with Conditional UI, the web client initiates a mediation challenge prior to the authentication process.

This preemptive step enables a dynamic response from the UI, often manifesting as a dropdown menu showcasing the user's stored passkeys. Such a feature is a testament to the adaptability of Conditional UI, as it allows users to conveniently select from their stored passkeys instead of manually entering usernames.

Ultimately, even without being essential to the authentication process, the integration of conditional UIs contributes substantially to a smoother, more user-friendly experience. It streamlines authentication, simplifies user actions, and promotes an overall more efficient interaction with the system, as the user does not even need to remember the username used for a website or app anymore.
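
The three capabilities defined in this section map onto feature probes a page can run in the browser. The following added example (not code from the article or from Corbado's Passkeys Analyzer) probes them and aggregates the results into the kind of shares the next section reports; the `env` parameter, the readiness labels and the sample environments are constructed for illustration.

```javascript
// Added example. `env` is a hypothetical parameter so the probe can be exercised
// outside a browser; on a real page, call detectCapabilities() with no argument.
async function detectCapabilities(env = globalThis) {
  const caps = { webauthn: false, platformAuth: false, conditionalUI: false };
  const pkc = env.PublicKeyCredential;
  if (!pkc) return caps; // no WebAuthn API at all

  caps.webauthn = true;
  caps.platformAuth = await probe(pkc, 'isUserVerifyingPlatformAuthenticatorAvailable');
  caps.conditionalUI = await probe(pkc, 'isConditionalMediationAvailable');
  return caps;
}

// Older browsers lack the newer static methods and a probe may reject;
// both cases count as "not supported" rather than as an error.
async function probe(pkc, method) {
  if (typeof pkc[method] !== 'function') return false;
  try {
    return (await pkc[method]()) === true;
  } catch {
    return false;
  }
}

// Readiness labels (constructed). "Passkey-ready" follows the article's
// definition: WebAuthn plus platform authenticator support.
function classifyReadiness(caps) {
  if (!caps.webauthn) return 'no-webauthn';
  if (!caps.platformAuth) return 'webauthn-only';
  return caps.conditionalUI ? 'passkey-ready-with-conditional-ui' : 'passkey-ready';
}

// Aggregate per-visit capability records into percentage shares.
function summarize(records) {
  const share = (key) =>
    records.length === 0
      ? 0
      : Math.round((100 * records.filter((r) => r[key]).length) / records.length);
  return {
    webauthn: share('webauthn'),
    platformAuth: share('platformAuth'),
    conditionalUI: share('conditionalUI'),
  };
}

// Constructed environments standing in for different kinds of visitors.
const SAMPLE_ENVS = {
  legacy: {}, // browser without the WebAuthn API
  noPlatformAuth: {
    PublicKeyCredential: {
      isUserVerifyingPlatformAuthenticatorAvailable: async () => false,
    },
  },
  noConditionalUI: {
    PublicKeyCredential: {
      isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
    },
  },
  modern: {
    PublicKeyCredential: {
      isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
      isConditionalMediationAvailable: async () => true,
    },
  },
};

Promise.all(Object.values(SAMPLE_ENVS).map(detectCapabilities)).then((records) => {
  console.log(records.map(classifyReadiness), summarize(records));
});
```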

4. Analysis of WebAuthn, platform authenticator and Conditional UI support

Over the past year, we've meticulously monitored and picked some projects from different industries among Corbado customers and also used the Passkeys Analyzer on our own website. These ranged from two-week test phases to month-long live system operations, all drawn from active user visits of the respective websites and web apps. The objective was to evaluate WebAuthn, platform authenticator and Conditional UI support of the devices and browsers in use. Each project underwent a three-step evaluation:

  1. Description: The process started with a clear description of the data visualized in the associated charts, outlining what we observed from the users' devices and browsers.
  2. Interpretation: Next, we interpreted the observed patterns and trends, translating the raw data into meaningful insights.
  3. Implications: Lastly, we determined what these findings meant for passkey-readiness and potential adoption rates. We aimed to understand how effectively the current devices and browsers are ready for passkeys that are employed by online services, and how we might expect adoption to grow based on our findings.

This comprehensive and systematic approach allowed us to gain invaluable insights into passkey-readiness in general.

For our own website, we further broke down the analysis to get more specific data on the passkey-readiness of particular operating system and browser combinations. Therefore, we compared the data of 2022 to the data of 2023:

4.1 Operating Systems and Browsers

4.1.1 Overview

Key-takeaway: The strong growth rate of Conditional UI adoption across all major operating systems proves that new standards by Apple, Google and Microsoft are quickly adopted.

Operating Systems: Overview

Description: The data reflects a strong support of WebAuthn across all four major operating systems. Platform auth is also slightly growing for most operating systems (only Android saw a small decline), while Conditional UI support gained most support across all operating systems.

Interpretation: The observed data makes clear that Conditional UI support has multiplied over the past year, due to its widespread rollout in late 2022. This shows strong and quick support for new technologies that are positioned as the new standard across operating systems. The small growth of WebAuthn and platform auth support can be explained by older devices being steadily replaced by new ones, which improves passkey-readiness over time. The decline of WebAuthn and platform auth for Android smartphones can be explained by more older devices with older Android versions having visited our website than at our inception in 2022.

Implications: The hypothesis that passkeys and Conditional UI quickly become the norm once Apple, Google and Microsoft agree on a new standard is strengthened by the observed data. The strong growth rates for Conditional UI support in particular prove this. On Windows, more platform auth and Conditional UI support is expected once Microsoft rolls out more passkey features in the near future.

For the subsequent detailed analysis of operating systems and browser combinations, we only picked the most prevalent combinations.

4.1.2 Android

Key-takeaway: Android smartphones offer robust platform authentication support. Over the past year, support for Conditional UI has increased fivefold, making Android smartphones the ideal devices for passkey rollouts.

Operating Systems: Android

Description: The data shows a small decline of WebAuthn and platform auth support, while Conditional UI support has increased fivefold.

Interpretation: The decline of WebAuthn and platform auth can be explained by more older devices with older Android versions having visited our website in 2023 than in 2022. The growth in Conditional UI support is caused by the major rollout and browser updates at the end of 2022, which continued in 2023.

Implications: As most modern Android smartphones with Android version 9+ (initial release in 2018) support WebAuthn and platform auth, a huge portion of devices is clearly passkey-ready and makes a brilliant first group for rolling out passkeys. Most devices today, in every price class, come with fingerprint and face scanning capabilities out of the box. Conditional UI support is also expected to keep rising as more and more Android manufacturers upgrade their systems and browsers. Further, platform auth support (due to new devices and updated operating systems) and Conditional UI support (due to updated operating systems and browsers) are expected to increase over the next 12 months.

4.1.3 iOS

Key-takeaway: iOS devices show very strong passkey support, with very high platform auth and Conditional UI support, making them ideal devices for a passkey rollout.

Operating Systems: iOS

Description: Independent of the browser, support for WebAuthn, platform auth and Conditional UI has increased (only WebAuthn support on Safari decreased a little). Conditional UI support was already quite high in 2022 but has now doubled in 2023.

Interpretation: iOS devices were among the first in 2022 to support Conditional UI on Chrome and Safari. That’s why their level was the highest among all operating systems in 2022, and the adoption rate has increased further since. The strong support of platform auth can be explained by the fact that most modern iOS devices come with Face ID or Touch ID (only very old iOS devices shipped without them).

Implications: iOS devices with their strong support of platform auth and Conditional UI are a perfect device group for a widespread rollout of passkeys. Most iOS users are used to working with Face ID and Touch ID, and because passkeys leverage the built-in biometric capabilities, no extensive user education is needed. Moreover, platform auth and Conditional UI support are expected to increase even further over the upcoming 12 months.

4.1.4 macOS

Key-takeaway: Besides 100% WebAuthn support, most macOS devices support both platform auth and Conditional UI. Support for these, especially in Chrome, has increased significantly over the past year.

Operating Systems: macOS

Description: WebAuthn support has increased to 100% across both major browsers on macOS. Moreover, platform auth support on Chrome has increased, and Conditional UI support even more so. On Safari, platform auth has slightly declined, while Conditional UI support has doubled.

Interpretation: Conditional UI support for Chrome on macOS came relatively late in 2022, but its adoption then increased tremendously in 2023, which shows that new standards are quickly adopted among macOS devices. The 100% WebAuthn support rate also shows that macOS is an operating system with strong capabilities. The small decline in platform auth on Safari can be explained by the fact that Apple enforces an activated Keychain for platform auth in the latest iOS version 16. Conditional UI support on Safari and Chrome is expected to increase to even higher levels.

Implications: Together with iOS devices, macOS devices make a perfect combination for a passkey rollout. The synchronization features via Apple iCloud Keychain and Apple’s strategy to enforce passkeys via the Keychain bring a superior user experience. The generally increasing adoption of WebAuthn, platform auth and Conditional UI will continue (especially for the latter two), so that macOS devices will be a great choice for rolling out passkeys to users.

4.1.5 Windows

Operating Systems: Windows

Description: Support for WebAuthn has reached nearly 100% across all major browsers on Windows. Platform authentication is strongest on Edge, with Firefox at around 40% and Chrome at approximately 20%. Support for Conditional UI is quite low, with Firefox nearing 0%. However, over the past year, support has increased three to fourfold for both Chrome and Edge.

Interpretation: The relatively low platform auth adoption rate can be attributed to the numerous Windows devices that haven't yet activated Windows Hello, even if their hardware is compatible. In Windows 11, Microsoft mandates the use of Windows Hello. As a result, it's anticipated that as time progresses, and possibly with an updated version of Windows 10, a greater number of users will embrace Windows Hello. This is especially likely when Microsoft enables passkey synchronization for its Microsoft accounts, prompting many Windows 10 users to willingly activate Windows Hello. Additionally, the Firefox team is in the process of developing Conditional UI support for Windows devices, suggesting that adoption rates could increase substantially in the upcoming 12 months. Furthermore, both Edge and Chrome are expected to enhance their Conditional UI support, bringing them closer to platform authentication standards within the next year.

Implications: Windows devices have historically lagged behind in terms of passkey support, particularly due to their limited platform auth and Conditional UI support when compared to Android, iOS, and macOS. However, Microsoft has announced significant passkey enhancement plans for 2023. Over the next 12 months, Windows devices are expected to show some of the most robust growth rates in platform auth and Conditional UI support. When deploying passkeys, it's prudent to introduce them to compatible Windows devices, while also providing alternatives for Windows-operated devices that are not yet ready for passkeys.

4.2 Projects

Having taken a closer look at the various operating system and browser combinations in relation to their passkey-readiness, we will now examine different projects to observe how the passkey-readiness of distinct user groups evolves:

Project Industry
1 Web Development
2 Hospitality
3 HR Administration

4.2.1 Project 1: Software Development Platform

Industry: Web Development
Target Group: Developers, Product Managers
Area: Germany
Analysis Period: 07/2022 - today

Key-takeaway: Developers and product managers tend to run modern hardware, which is reflected in their passkey and Conditional UI readiness. Conditional UI readiness in particular has increased almost sixfold within one year.

Description: The data reflects an increase in relative terms of devices capable of supporting conditional UI. Furthermore, devices ready for Conditional UI consistently represent more than half of the total since Q1 2023.

Interpretation: The observed data suggests an ongoing shift towards devices capable of rendering Conditional UI. The significant presence of Conditional UI-ready devices indicates an increasing affinity for advanced technological interfaces among the visitors.

Implications: The underlying hypothesis derived from these observations is that software developers and product managers value modern devices, up-to-date browser versions and thus have the required hardware for passkeys. This places them at the vanguard of technological evolution, driving demand for advanced features such as Conditional UI.

4.2.2 Project 2: Hospitality Administration System

Industry: Hospitality
Target Group: Employees, HR Managers
Area: Germany
Analysis Period: 03/2023 - today

Key-takeaway: In mid-2023, devices that support platform authenticators mostly also support Conditional UI.

Description: In the period from May 2023 to August 2023, we've observed a nearly constant share of WebAuthn, platform auth and Conditional UI support. WebAuthn support is strong, while platform auth is supported at around 30% and also slowly increasing. About 25% of all devices in use support Conditional UI, which has slowly increased.

Interpretation: Despite a stable user base and a significant number of visitors, only a quarter of devices can handle Conditional UI. Considering the current date, this represents a relatively low level of platform auth support and Conditional UI readiness compared to other projects.

Implications: The observations underscore a need to promote the adoption and upgrade of devices capable of supporting platform authenticators and Conditional UI, especially given the evolution of technological standards and user expectations for a more dynamic and responsive user experience. The reason behind these low levels is that many users in the observed project work with classical, old-fashioned desktop devices and few with modern or mobile devices. Also, the user base consists merely of business users on Windows machines.

4.2.3 Project 3: HR Tool

Industry: HR Administration
Target Group: Employees, HR Experts
Area: Germany
Analysis Period: 09/2022 - 11/2022

Key-takeaway: Conditional UI support doubled when the rollout for Chromium-based browsers and Safari started in October / November 2022.

Description: Within the three-month timeframe from mid-September to mid-November, the share of Conditional UI—rolled out officially around October 2022—grew from less than 6.2% in September to 12.8% by the end of November.

Interpretation: Despite a slow start following the official rollout, the steady rise in the share of Conditional UI usage shows strong adoption of this new standard in the first two months afterwards.

Implications: The data points towards an encouraging trend of Conditional UI readiness after the rollout began in October 2022. It shows that most browsers update automatically and make use of Conditional UI when possible. This trend underscores the importance of continued efforts to foster user familiarity and comfort with these new standards to further accelerate their adoption.

5. Conclusion

As we survey the landscape from 2022 to 2023, it is evident that nearly all devices now support WebAuthn, while the majority (especially on Android, iOS and macOS) supports platform auth, making these devices passkey-ready. The strong growth of this support, especially of Conditional UI support, illustrates the significant strides made in technology adoption. This rapid acceptance of WebAuthn, platform authenticators and Conditional UI over the past year has been largely driven by the updates to browsers and operating systems by big tech. The adoption of platform authenticators is expected to increase further in the near future, as all modern devices that come out, no matter from which manufacturer, have full platform auth support.

While Conditional UI support isn't as pervasive as WebAuthn or platform auth support yet, a comparison of use cases from 2022 to 2023 reveals accelerated adoption rates, suggesting promising growth potential. We expect that Conditional UI adoption will accelerate within the next 12 months, once more and more browsers and operating systems support it. Though not a necessity for passkeys, Conditional UI significantly enhances the user experience by offering intuitive, user-specific interfaces.

However, the linchpin of this evolution remains the WebAuthn standard, which has achieved staggering adoption rates exceeding 99% across different operating systems and browsers. This widespread embrace testifies to the importance and effectiveness of WebAuthn in fortifying online security and streamlining authentication processes. These trends underline the necessity for businesses and platforms to stay abreast of such advancements to cater to the increasingly sophisticated and security-conscious user base.

To find out the passkey-readiness of your users, you can test Corbado’s free Passkeys Analyzer that can be integrated in <5 mins and analyzes your users’ devices’ passkey-readiness anonymously and GDPR-compliant.
