Passkeys
Building out a comprehensive Identity Access Management solution for the world's largest online cryptocurrency casino.
Project Overview
With Stake.com's rapid growth reaching over 70,000 daily active users, securing user accounts became an essential priority. Increased cybersecurity breaches globally underscored the urgent need for a more robust authentication protocol. As the sole product designer on this initiative, I collaborated directly with the Head of Product, Head of Security, and engineering teams to pioneer the integration of passkeys, aiming to create a safer, quicker, and frictionless user experience.
Problem Statement
Passwords are inherently insecure as they rely heavily on user-managed secrecy, making them susceptible to breaches and user error. Passkeys offered a more secure, intuitive, and reliable alternative. Our goal was to implement passkeys not just for enhanced security but also for improved login speeds and stronger identity verification in regulated markets.
My Approach
Beginning with stakeholder alignment sessions, we clearly defined project goals, user expectations, and delivery timelines. Research and benchmarking were critical first steps, helping to surface best practices in passkey integration from FIDO and the broader identity management industry.
I identified five core user journeys impacted by passkey implementation:
- Signing in with a passkey
- Creating a new account with a passkey
- Creating a passkey within settings
- Managing existing passkeys
- Account recovery and creating passkeys

Design Process
After extensive research, I developed comprehensive user flow maps illustrating each touchpoint passkeys would affect. These visual flows served as the architectural backbone, highlighting opportunities to transition users seamlessly from traditional passwords to passkeys.
Following stakeholder feedback, I created low-fidelity wireframes detailing each interaction point and shared these with security, engineering, and customer support teams. Collaborative feedback loops ensured that both technical requirements and user needs were addressed.
Key Findings & Insights
Research yielded clear best practices for integrating passkeys effectively:
- Prompt at contextually relevant moments: Encourage passkey creation during sign-up, password reset, or in settings, rather than disrupting regular sign-in.
- Clear, familiar messaging: Employ intuitive UI elements and language (e.g., "Use fingerprint/Face ID") to clarify interactions.
- Choice & accessibility: Allow users to opt out or disable passkeys, adhering strictly to WCAG standards.
- Prominent passkey management: Introduce a dedicated Passkey section within account settings to manage credentials transparently.
- Flexible credential types: Support both device-synced and device-bound passkeys.
- Robust security protocols: Enforce biometric or PIN verification and store only public cryptographic keys.
- Fallback alternatives: Use FIDO-based authenticators rather than vulnerable methods like SMS codes.
- Continuous iteration: Measure adoption and login success rates, iterating progressively toward phasing out passwords.
A critical insight was recognising the need for multi-device authentication support, which led to distinguishing between device-bound and synced passkey managers.
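The two server-side points above, enforcing biometric or PIN verification and telling device-bound from synced passkeys, both come down to reading the flags byte of the WebAuthn authenticator data. The sketch below is an added example, not code from the Stake.com project; the function names and the sample RP ID hash are assumptions made for illustration, and signature verification is left out.

```javascript
// WebAuthn authenticator data: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,   // biometric or PIN was checked
    backupEligible: (flags & FLAG.BE) !== 0, // credential can sync across devices
    backedUp: (flags & FLAG.BS) !== 0,       // credential is currently synced
    signCount: view.getUint32(33, false),
  };
}

function sameBytes(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Returns the accept/reject decision plus the label a passkey settings page could show.
function evaluatePasskey(bytes, expectedRpIdHash) {
  const ad = parseAuthenticatorData(bytes);
  const reasons = [];
  if (!sameBytes(ad.rpIdHash, expectedRpIdHash)) reasons.push("rp_id_mismatch");
  if (!ad.userPresent) reasons.push("user_not_present");
  if (!ad.userVerified) reasons.push("user_verification_missing");
  if (ad.backedUp && !ad.backupEligible) reasons.push("invalid_backup_flags");
  return {
    accepted: reasons.length === 0,
    reasons,
    credentialType: ad.backupEligible ? "synced" : "device-bound",
    backedUp: ad.backedUp,
    signCount: ad.signCount,
  };
}

// Constructed sample input: a placeholder RP ID hash (normally SHA-256 of the RP ID).
const SAMPLE_RP_ID_HASH = new Uint8Array(32).fill(0xab);
function buildSample(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes.set(SAMPLE_RP_ID_HASH, 0);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(evaluatePasskey(buildSample(0x1d, 0), SAMPLE_RP_ID_HASH)); // synced, UV present
console.log(evaluatePasskey(buildSample(0x01, 7), SAMPLE_RP_ID_HASH)); // device-bound, no UV
```

A response with the backed-up flag set but the backup-eligible flag clear is rejected because the WebAuthn specification treats that combination as invalid.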
Challenges & Solutions
One major challenge was addressing user scenarios involving locked-out password managers. Collaborating closely with our customer support and security teams, we established a clearly defined account recovery process.
Another significant challenge was operating as the sole designer. I leveraged industry resources, networked with IAM professionals on LinkedIn, and continually engaged stakeholders, which allowed me to navigate technical complexities confidently. Adopting a phased rollout approach helped mitigate risks and optimise user adoption rates.
Outcomes
The integration successfully resulted in a 12% initial adoption rate for passkeys—a significant achievement indicating strong user acceptance. Recognising the importance of user education, we launched targeted email marketing campaigns focused on critical interaction points, such as password recovery, rather than generic security notifications. This strategic decision notably increased engagement and adoption.
Additionally, passkeys opened productive discussions with regulators about enhanced identity verification practices, laying the groundwork for future regulatory acceptance.
I need to thank the Product, Engineering and Security teams for their guidance in delving into ambiguity! Without them I would not have been able to produce this work.