Introduction
Hello, this is @nov from the Money Forward ID development team.
The season for WWDC has arrived this year.
WWDC 2024 Passkey Upgrade
WWDC 2024 had just one passkey session, shown below:
- Streamline sign-in with passkey upgrades and credential managers – WWDC24 – Videos – Apple Developer
The video is short and does not mention the details of the technology, but it seems to be about a feature called “passkey upgrade,” which allows users to seamlessly register passkeys when they input credentials such as password, TOTP, SMS, and OTP via password managers.
Passkey registration during account registration is likely not compatible with autofill, but if your team is reluctant to introduce passkey into a service, you shall note that using this feature right after login will likely bring in a relatively high CVR for passkey registration.1
However, that is not what I am expecting, so let us finish this topic and examine the usage of passkey in Money Forward ID, which has become customary.
The Current Quarter Year Being Bothered by an iOS 17.4 Bug
iOS 17.4 released in early March 2024 had two bugs related to passkey.
One of them is that the excludeCredentials setting during passkey registration became ignored.
The second bug is that passkey became unavailable in ASWebAuthenticationSession.
Bug regarding excludeCredentials
excludeCredentials is a parameter of WebAuthn JS API to prevent creation of new passkeys during passkey registration when the current terminal is already registered to the current service.
This became inactive in iOS 17.4, which made it possible for a user to register multiple passkeys from a single terminal, which is not what we want.2
If multiple passkeys are registered for a single terminal, the possibility for a user to be confused when selecting a passkey will increase.
In Money Forward ID, the majority of passkey registrations are done from passkey promotion page, and since users already registered are excluded from being redirected to the promotion page, there was no damage even though excludeCredentials was ignored.
Furthermore, this bug has been resolved in iOS 17.5.2
Bug regarding ASWebAuthenticationSession
ASWebAuthenticationSession is sort of an application-internal browser used to log in to iOS Apps, and basically has the same functionality as Safari. From iOS 17.4, autofill started to malfunction inside this ASWebAuthenticationSession.
Since Money Forward ID adopts an implementation thoroughly dependent on passkey autofill, this bug had a large impact on Money Forward ID.
Especially the accounting applications were affected heavily, and their websites can be logged in using a passkey as usual, but the iOS version cannot be. As a result, the number of passkey usage in the iOS version has decreased by half within the last few months.
In iOS 17.5, it became possible to select a passkey if the user explicitly opens password manager from the keyboard, but autofill UX, which is supposed to be working, is not, and the passkey usage in the iOS version of the accounting application is yet to be recovered.
Thus, the current quarter year is the first term in which the usage of passkey has decreased since Money Forward ID has started supporting passkey.
Passkey Registrations in June 2024
Now, let us examine the actual statistics.
As of June 2024, there are approximately 1,150,000 passkeys registered in total.
The penultimate report counts 320,000 passkeys and the last report counts 750,000, so there is no significant change in the increase rate of passkey registrations.
Breakdown within each OS is as follows. There is no big change here either.
| OS | percentage among total (last time → this time) |
|---|---|
| iOS | 62% → 61% |
| Android | 19% → 20% |
| macOS | 9% → 8% |
| Windows | 9% → 10% |
Passkey Usage in June 2024
Let us examine, for each OS, the percentage of passkeys among all registered that were actually used for authentication.
| OS | percent actually used for authentication (last time → this time) |
|---|---|
| iOS | 32% → 41% |
| Android | 29% → 41% |
| macOS | 40% → 47% |
| Windows | 23% → 27% |
As time goes, the usage rate increases accordingly without problems.
Even though passkey autofill started to malfunction in ASWebAuthenticationSession, this only affects iOS native Apps, so the overall number has not been largely affected.
As with the previous time, passkey is still keeping the second position after password, exceeding Google Sign-in.
On the First Anniversary after Starting Passkey Support
One year has passed since Money Forward ID started passkey support in April 2024.
Success of Passkey Autofill
In the past year, websites using passkey have pretty much increased disregarding Money Forward ID, among which some thoroughly rely their implementation on passkey autofill.
FIDO Alliance also published a study report that passkey autofill greatly contributes to usability improvement, and it is anticipated that more websites will adopt passkey autofill than now.
The research explored participants’ success and satisfaction with a dedicated “Sign in with a passkey” link, buttons, and autofill. Our testing indicates that autofill ensured the highest success for people to sign in with a passkey. Autofill makes passkey sign in delightfully fast and efficient. The research indicated when autofill was enabled, participant responses to signing in with a passkey were overwhelmingly positive. The most frequently used adjectives to describe signing in with a passkey with autofill were “simple, fast, efficient, and seamless”. ref.) https://fidoalliance.org/design-guidelines/patterns/sign-in-with-a-passkey/
Transformation of Passkey Promotion Strategy
Meanwhile, passkey promotion, which had been used for login in Money Forward ID, has ended its lifecycle.
One year has passed since the start of the promotion, and the use of passkey promotion during login has been terminated early this month for the following reasons.
- Most users presumably have seen the promotion page in question at least once.
- The CVR of users who are promoted to register a passkey at login has been barely high from the beginning.
- The CVR of B2B users who experienced passkey promotion during registration flow is way higher than that of ordinary login.
Due to the termination of promotion within the login flow, which had been the majority of the flow to the promotion page, we anticipate that the increase of passkey registration will greatly decrease from now on. However, in the long run, we believe that it is beneficial to terminate promotion, which has not been so meaningful.
We are considering of using passkey promotion for Money Forward ID registration,
… hoping that the bug in ASWebAuthenticationSession will be fixed.
Lastly
We have so far publicized a passkey usage report in Money Forward ID every quarter year, but given that the trend has settled, we are considering to update the report non-regularly from now on.
The next time may perhaps be when the contribution of passkey promotion in the registration flow starts to emerge.
Well, then, let us meet next time in volume 6.
— @nov
Footnotes
- Since it is expected that all users will be in a state with “register” selected, the overall CVR when passkey upgrade is used would probably be 40 to 60 percent compared to the CVR of passkey promotion in Money Forward ID as publicized in Passkey Usage Report Volume 3. ↩
- 270553 – WebAuthn excludeCredentials option stopped preventing duplicate passkey registration ↩ ↩2