Abstract

Passkeys have emerged as a more secure authentication method than passwords, providing a passwordless alternative resistant to phishing and credential theft attacks. Despite their growing adoption, a systematic study into the user experience of passkeys across various websites has yet to be conducted. Usability heuristics suggest that users transfer their expectations from one product to another, and therefore, inconsistencies in passkey deployments can increase cognitive load, resulting in frustration and possible rejection. To address this knowledge gap, this paper presents a comparative analysis of the external functional consistency of the passkey user experience across 111 websites. Our research reveals that the passkey user experience is generally consistent, but we did find some variation in deployment practices across websites. Top-ranked websites, as well as those in the Information Technology category, offered the most consistent experiences, closely following the FIDO Alliance Design Guidelines, with more variation seen among lower-ranked sites and those in other industries. Although the passkey experience is becoming more standardized, industry-specific factors and organizational resources still influence how passkeys are deployed. We also identified several recurring security, privacy, and usability issues in passkey deployment practices that could hinder their adoption. Our findings suggest improvements to the FIDO Alliance Design Guidelines, providing actionable insights and recommendations to enhance the security, privacy, and usability of passkeys.

Degree

MS

College and Department

Computer Science; Computational, Mathematical, and Physical Sciences

Rights

https://lib.byu.edu/about/copyright/

Date Submitted

2025-12-18

Document Type

Thesis

Keywords

Passkeys, User Experience, Security, Privacy

Language

English
