Motivation

Previously Mercari was using passwords and faced with real-time phishing attacks, added SMS OTPs as an authentication method to protect their users. While this improved their security, it did not completely eliminate real-time phishing attacks. Sending a high volume of SMS OTPs was also both expensive and not very user-friendly.

Mercari also had a new service Mercoin, a platform for buying and selling Bitcoin with the user’s available balance in Mercari, which had strong security requirements and passkeys met their needs.

Because passkeys are bound to a website or app’s identity, they’re safe from phishing attacks. The browser and operating system ensure that a passkey can only be used with the website or app that created them. This frees users from being responsible for signing in to the genuine website or app.

Requiring users to use extra authentication methods and perform additional action is an obstacle when what users actually want is to accomplish something else using the app.

Adding passkey authentication removes that additional step of SMS OTP and improves user experience while also providing better protection for users from real-time phishing attacks and reducing the cost associated with SMS OTPs.

Results

900,000 Mercari accounts have registered passkeys and the success rate of signing in with them is 82.5% compared to 67.7% success rate for signing in with SMS OTP.

Signing in with passkeys has also proved to be 3.9 times faster than signing in with SMS OTP–Mercari users on average take 4.4 seconds to sign in with passkeys, while it takes them 17 seconds to do the same with SMS OTP.

The higher the success rate of authentication and the shorter the authentication time, the better the user experience and Mercari has seen great success with implementing passkeys.

Learn more about Mercari’s implementation of passkeys

To learn more about how Mercari solved the challenges of making a phishing resistant environment with passkeys, read their blog on Mercari’s passkey adoption.