Indeed Passkeys
Role: Lead Designer
Platform: iOS, Android, Windows, MacOS
Employer: Indeed
Focus: Strategy, research, testing, design
Goal: Leverage cutting-edge technology to provide a simple, safe, and secure authentication experience for Indeed users.
Background
Fraud is a serious problem for Indeed. Account takeovers (ATO) are a major concern on the employer side, and hacking accounts to mine personal information is a serious problem for job seekers. Passwords are the single most common vector used to gain access to an account without permission.
About passkey
Passkey is a joint effort between several leading tech companies - including Microsoft, Google, and Apple - to replace the antiquated password protocol with a more secure alternative.
These companies have entrusted the FIDO Alliance with overseeing the effort to develop passkey technology. FIDO has a well-established track record in the multi-factor authentication (MFA) space and currently supports hardware tokens for FIDO’s Cross-Device Authentication flow, or CTAP.
Passkey by the Numbers
Intensive research conducted both internally at Indeed and externally by the FIDO Alliance and other major players shows the clear value of using passkeys over passwords.
At Indeed:
56% is the sign-in success rate for password users
60% of all account takeovers (ATOs) are caused by the usage and storage of passwords
10,000+ monthly CS calls are related to passwords, the most of any reason at Indeed
The benefits of passkeys:
40% faster than passwords
The most secure and simple according to research conducted by Okta (see below)
2-factor auth in a single step
User feedback on the proposed prototypes was generally positive. Introduction to new sign-in methods was smooth, and users were easily able to access alternative sign-in methods if the first proposal did not match their expectations.
Unfortunately, I am not able to access the raw results of this study so I cannot share them here.
Pitching passkey
The Identity, Trust, and Safety team was convinced of the promise of passkey, but we still needed to convince leadership. So, of course, we built a deck:
The team - PM, engineering manager, and myself as the designer - used this deck to pitch passkeys to our executive leadership team. The pitch was a huge hit and leadership approved the passkey project.
The next step would be a lot of research into the technology, its capabilities, and its limitations. Once we thoroughly understood the tech, we started designing and testing it with our users.
Research, testing, and iteration
Initial testing on the passkey concept was done in conjunction with a researcher and using a combination of existing tools - such as passkey.org - and rapid prototypes. Initial responses to the testing showed promise for the technology and surfaced some concerns that the design would need to address:
Based on feedback from the testing, I quickly iterated on the design. Then we organized a bug bash before releasing the beta version internally for dogfooding and further refinement.
How the passkey design progressed during testing, from wireframe to public release.
Final design
Much of the passkey experience is dictated by the user’s device, but based on testing and user feedback we knew we had a few specific goals:
Inform users about the benefits of passkey
Explain how passkey works and why it’s effective
Address privacy and data storage concerns
Make passkey inviting and seamless for new users
Here is a quick walkthrough of the golden path end-to-end experience as presented to users prior to release.
This prototype is as identical as technically possible to the final shipped experience.
Adding a thorough explanation of what passkey is and how it works - as well as a disclaimer on how a user’s data will be stored - helped address some of the privacy concerns discovered during testing.
The ‘Sign in faster on this device’ heading proved to be the most successful during A/B testing and most users said they value convenience over security (especially at Indeed).
Impact
Passkey was released using a staged rollout starting at 1% of a specified user base. With its initial success, it was quickly scaled to 100% over the course of a week. Initial results are very promising:
Sign-in success: >90%
Passkey enrollment: 82%
Passkey will continue to be released to more users and refined based on feedback and insights provided by data collected during the phased rollout.
The future of passkey
Initial results from the rollout of passkey are very promising, but improvements can always be made. The team will continue to monitor the data collected during passkey enrollment and sign-in and make iterative changes to improve the experience for the user.
Passkey also continues to evolve as a technology. As more and more devices become supported and additional functionality is added, we will continue to develop our approach.
As an example, we have already started to explore how to implement cross-device passkey access for devices that don’t have native biometrics or passkey support - as seen in the screens below.
Cross-device passkey support using a phone camera to scan a QR code on a desktop without biometrics.
Questions?
There’s always more that can be said, and many more screens, flows, and prototypes available. If you’d like more information, please don’t hesitate to contact me or reach out on LinkedIn. I’m always happy to discuss my work!