Rolling out a new login method aimed at optimising costs.
Passwords are a pain to remember. Thankfully, we dodged that hassle entirely. Logging into the app can be done using a one-time password (OTP) via SMS or WhatsApp.
BUT, the SMS and WhatsApp OTP costs add up quickly, and routinely leave us with a fat bill 💰.
To tackle this, we teamed up with engineering and decided to introduce a shiny new login method: Passkeys.
Passkeys are an alternative to traditional passwords that’s gaining traction as the future of secure authentication.
With Passkeys, we could keep the login process seamless for users while significantly cutting down on those bloated OTP costs.
“Passkey” isn’t exactly a household term just yet, and we wanted to dig into how users perceive and interact with it. Here's the process we went with:
1. Quick mocks
2. Test it out quickly (unmoderated)
3. Release
4. Investigate
5. Iterate again
We started by introducing the concept of Passkeys in two areas it would be most contextually relevant:
1. Right after login for returning users (since 65% of them request an OTP after their registration date).
2. During logout, to subtly nudge users into exploring the feature.
We also built a dedicated setup flow in the settings page, giving users another entry point to get started with Passkeys.
On the web app, there was one difference while logging in: users needed to enter their phone number first to use the Passkey feature. This ensured we could securely link the Passkey to their account.
We wanted to see how users would react to the feature at first glance, what they’d understand right away and what they’d pick up once more details were provided.
Our researcher suggested testing two variations of the copy: one using the term “Passkeys” and the other “Biometrics.”
Our hypothesis was that users might resonate more with “Biometrics” since it’s a term they’re likely more familiar with.
While the screenshots shown above are in English, the entire flow was tested in Bahasa Indonesia to ensure it resonated with our target audience.
Users found the term “Biometrics” much clearer than “Passkeys”.
Here’s some of the feedback we heard:
“What’s the difference between Passkey and Password?”
“I rarely hear this word (passkey), it sounds like a key for the screen. Can it be changed to another word that is more understandable?”
About 70% of participants said they’d activate it right away, appreciating the added security benefits.
While 83% found the copy on the setup page easy to understand, only 30% actually found the page. Clearly, there’s room to make it easier to spot.
We couldn’t tackle the discoverability issue right away since it was part of a broader redesign effort. So, we went ahead and rolled out the feature to all eligible users.
Fun fact: Passkey setup is only available on certain iOS and Android OS versions!
These reads led us to two questions:
1. Why didn’t some users set up a Passkey for future logins?
What we found was that many users are just used to logging in with SMS/WhatsApp. Those who are already familiar with passkeys tend to use them, especially for tasks like consultations—where speed is key. But security concerns were a big factor for some as well.
2. For those who did set it up, why weren’t they using it to log in?
Two things stopped users from using passkeys that were already set up:
1. Device capability and errors.
2. The passkey had been activated on a different device, so they had to set one up on the new device as well.
We made tweaks based on the testing insights, focusing on improving setup, ease of use, and security.
One major change was the layout—we made the information more scannable, so users could take it all in at a glance. Simple but effective!
We also revamped the web login modal to better guide users toward using the Passkey login method. With this nudge, we made it more obvious and easier for them to opt for the secure, streamlined login option.
We pushed the web login changes first, mainly because it was the low-hanging fruit for boosting passkey usage (and, let’s be real, resource constraints were a factor too!).