This article series aims to provide a systematic overview of the passkey process and user experience for different companies as they move towards a password-free world. While the goal is to improve user-friendly and secure authentication, each company has its own unique way of implementing passkeys.
TL;DR
- Availability since Q4 2022
- Initial passkey setup works only via the "Security" section in the Shopify account settings
- Availability of passkeys on all major platforms (iOS, macOS, Windows, Android)
- Availability on both the Shopify website and app
- Passkeys only available at login, not at initial sign-up for an account (yet)
- Sophisticated device detection, device management and passkey-readiness detection logic by Shopify
- Seamless cross-device usage between different platforms
1. Introduction
More and more companies from a wide range of industries are stepping into
a password-free world and implement passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience of those companies. This should enable you to incorporate these findings and enhance your product login accordingly. In each article, we focus on a single company. Today, we dive into Shopify. Passkeys became available for Shopify accounts in Q4 2022. The widespread rollout of Shopify passkeys is a game-changing moment for the e-commerce industry, as one of the largest e-commerce platforms enabled millions of users to use passkeys.
Disclaimer:
- Status of the analysis is May 2023. Passkey features are subject to change by companies on an ongoing basis.
- Please refer to the use cases to find the devices we used for the analysis.
2. Key insights from Shopify analysis
In this section, we present the most important insights we have gained from the analysis of Shopify passkeys.
2.1 Highlights of Shopify passkeys implementation
2.1.1 Hybrid rollout strategy
Currently, Shopify passkeys are only available to log into your Shopify account.To initially set up a passkey for the device used, you must first go to the account settings in your Shopify admin area. The passkey can then be created manually in "Security" section. This is probably done to start with low risk and find bugs with early adopters (as passkeys flows, especially for cross-device and cross-platform processes are quite complex to implement). Before the passkey is actually created, the user must authenticate with their password and confirm the creation once again. The fact that users must proactively signal that they want to use passkeys by visiting the "Security" section shows that Shopify is gradually rolling them out to ensure a smooth process for every user. Even though this approach may be less user-friendly at the moment, it helps to gather feedback from early adopter usage and improve for all non-technical users who may not be familiar with passkeys as an additional login option. Therefore, all users can still use passwords to log in. This suggests that Shopify is using a hybrid passkey rollout strategy. This hybrid strategy is characterized by the fact that passkeys can only be used by existing users for login, and that they are not available for sign-up. In addition, legacy login methods are always retained here. This rollout strategy is to ensure a careful transition to passkeys for existing users.
2.1.2 Smart passkey management
Shopify detects for which devices a passkey has already been created and lists them in the Shopify account. The detection includes the platform (e.g., Android, Apple, and Windows), the location where the passkey is stored (e.g., Apple iCloud Keychain), and the creation timestamp. Although those features don't prevent the user from clicking the "Create a new passkey" button for already registered devices (see section Drawbacks of the current Shopify passkeys implementation) yet the user is given very clear details about his created passkeys here.
2.1.3 Most seamless way of cross-device usage currently possible
Cross-device usage for passkeys refers to the ability to use a single passkey to authenticate across multiple devices. This means that a user can create a passkey on one device and then use the same passkey to authenticate on other devices, even outside the same ecosystem (e.g., Apple), without having to enrol each device separately. Among all the companies examined thus far that have implemented passkeys, Shopify stands out as the first one where the cross-device usage functions the most seamless way currently possible (see use case 6). This is remarkable, as cross-device-usage is one of the biggest challenges in implementing passkeys.
2.1.4 Clear and simple user communication
Shopify uses the term "passkeys". Since users consciously decide to store passkeys for their account by visiting "Security" section in the account settings mentioned above, Shopify probably assumes that these users know what passkeys are (or educates them hereby). One notable aspect we observed is that Shopify got all users covered who may be unfamiliar with passkeys or wish to learn more about them before using them. This is done through comprehensive documentation provided by Shopify. The passkey feature is accompanied by a concise description, conveniently located where users can create their passkey. Additionally, a detailed description is accessible through an additional link, offering users a more in-depth understanding of the passkey functionality. As with Google passkeys and eBay passkeys (check out our analysis on Google and eBay passkeys for more information), the reference is drawn to the underlying concept of biometric authentication here as well, with which the vast majority of users are likely to be familiar. However, general and no platform-specific authentication methods (e.g., Face ID or Windows Hello) are mentioned here.
2.2 Drawbacks of Shopify passkeys implementation
2.2.1 No synchronization within the Windows ecosystem
Currently, Shopify passkeys are only available to log into your Shopify account.To initially set up a passkey for the device used, you must first go to the account settings in your Shopify admin area. The passkey can then be created manually in "Security" section. This is probably done to start with low risk and find bugs with early adopters (as passkeys flows, especially for cross-device and cross-platform processes are quite complex to implement). Before the passkey is actually created, the user must authenticate with their password and confirm the creation once again. The fact that users must proactively signal that they want to use passkeys by visiting the "Security" section shows that Shopify is gradually rolling them out to ensure a smooth process for every user. Even though this approach may be less user-friendly at the moment, it helps to gather feedback from early adopter usage and improve for all non-technical users who may not be familiar with passkeys as an additional login option. Therefore, all users can still use passwords to log in. This suggests that Shopify is using a hybrid passkey rollout strategy. This hybrid strategy is characterized by the fact that passkeys can only be used by existing users for login, and that they are not available for sign-up. In addition, legacy login methods are always retained here. This rollout strategy is to ensure a careful transition to passkeys for existing users.
2.2.2 Disabled Conditional UI functionality
Conditional UI leverages the autofill function passkeys provide. It automatically prefills passkeys as soon as the user clicks on the username input field. This means that users no longer must search for their credentials manually (not even usernames!), as they are already stored in the device / browser and are automatically pre-filled. However, Shopify has not implemented this feature (yet).
2.2.3 Inaccurate passkey detection
Even if a passkey is already stored in the Shopify account for a device, the "Create a new passkey" button remains visible, allowing users to manually start the creation process for a new passkey. This implies that Shopify does not clearly detect that a passkey might have already been created for this device. If you try to recreate a passkey, you will be informed that a passkey has already been generated for this device in a proper manner (no bug) and the new one will not be stored.
3. Analysis of the login process
To make the analysis of Shopify passkeys as comprehensive as possible, we tested the login process with several device-browser-combinations. We have recorded the outcomes in the following use cases. To better understand the use cases, please read through the conceptual definitions of passkeys below before jumping into the use cases.
3.1 Conceptual definitions
3.1.1 Single-device passkey vs. multi-device passkey
Passkeys come in two distinct types which are single-device and multi-device credentials. Single-device passkeys are tied to a specific device, meaning that the passkey can only be used on the device it was generated on. Multi-device passkeys are the "true" passkeys that can be synced and transferred between devices. This means that users can use any of their devices that support passkeys to authenticate, regardless of whether the credential was created on that specific device. This greatly enhances the usability of passkeys, as users don't need to enrol each device.
3.2 Tested cases
Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior to iOS 16.0, no MacBook prior to macOS Ventura, no Android prior to Android 9, no Windows device prior to Windows 10). Also, for testing purposes we used two different Shopify accounts ( livep58236@farebus.com for use cases 1–3 and 10, and yigesot408@favilu.com for uses cases 4–9). This is why you will find different passkey types for identical device-browser combinations in the table below. In addition, we tested the passkey login with an iPhone only in the Shopify app because the login process in different browsers does not differ regardless of the platform and device.
For the detailed analysis, feel free to check out the full-length article on: https://www.corbado.com/blog/passkeys-amazon-cognito#setup-aws-lambda-custom-auth
4. Conclusion
As one of the leading e-commerce companies, Shopify has introduced passkeys for all users across all platforms. Their implementation of passkeys is commendable, emphasizing user education, providing excellent user experience, and addressing the existing limitations of passkeys, such as cross-device processes and the lack of sync options on Windows. In our opinion, Shopify offers one of the best passkey implementations available. However, it is worth noting that the sign-up process has not yet been touched, as users are still required to set a password when creating a new Shopify account.
Top comments (0)