Mercari, Inc. is a Japanese e-commerce company, offering marketplace services
as well as online and mobile payment solutions. With Mercari users can sell
items on the marketplace, and make purchases in physical stores. In 2023, they
implemented passkeys. This article will explain the motivation behind their
decision and the results they achieved.
Motivation
Previously Mercari was using passwords and faced with real-time phishing
attacks, added SMS OTPs as an authentication method to protect their users.
While this improved their security, it did not completely eliminate real-time
phishing attacks. Sending a high volume of SMS OTPs was also both expensive and
not very user-friendly.
Mercari also had a new service Mercoin, a platform for buying and selling
Bitcoin with the user’s available balance in Mercari, which had strong security
requirements and
passkeys
met their needs.
Because passkeys are bound to a website or app's identity, they're safe from
phishing attacks. The browser and operating system ensure that a passkey can
only be used with the website or app that created them. This frees users from
being responsible for signing in to the genuine website or app.
Requiring users to use extra authentication methods and perform additional
action is an obstacle when what users actually want is to accomplish something
else using the app.
Adding passkey authentication removes that additional step of SMS OTP and
improves user experience while also providing better protection for users from
real-time phishing attacks and reducing the cost associated with SMS OTPs.
Results
900,000 Mercari accounts have registered passkeys and the success rate of
signing in with them is 82.5% compared to 67.7% success rate for signing in
with SMS OTP.
Signing in with passkeys has also proved to be 3.9 times faster than singing in
with SMS OTP?Mercari users on average take 4.4 seconds to sign in with
passkeys, while it takes them 17 seconds to do the same with SMS OTP.
|
Success rate
|
Authentication time
|
SMS OTP
|
67.7%
|
17 s
|
Passkey
|
82.5%
|
4.4 s
|
The higher the success rate of authentication and the shorter the authentication time, the better the user experience and Mercari has seen great success with implementing passkeys.
Learn more about Mercari’s implementation of passkeys
To learn more about how Mercari solved the challenges of making a phishing resistant environment with passkeys, read their blog on
Mercari’s passkey adoption.