Passkeys Security - Early Adoption

Passkeys Security - Early Adoption

Passkeys Security - Early Adoption

Project Type

End-to-end product design, user research

Team

Product Designer and three developers

My Role

Product Designer

Duration

2 Months

Client

SolidWP

Solved a support bottleneck for our agency users while improving login security with the industry's first Passkeys feature.

Results

Industry's first

First to launch passkeys in the WordPress security industry.

x2 success rate

Doubled the login success rate.

27% Reduced tickets

Reduction in login recovery requests from users.

55%

Reduction in login time.

Context

Solid Security's agency users were experiencing infrastructure strain from supporting account recovery efforts as they implemented higher security standards for end users. In addition, our other personas faced similar issues with standard password recovery. The product team decided to pioneer the industry's first Passkey feature to address both user dilemmas.

The Problem

Our key features, like Strong Password Policy, Brute Force Protection, and Ban Users, were great for site security, but they inherently placed the burden of web security on our users and end users.

The Process and What I Owned

The entire product design lifecycle, from roadmap discussions and research through design iterations, validation, DQA, feature launch, and post-launch review. I ran several rounds of research, including user interviews and usability tests. I focused on deep collaboration with my lead developer to understand the novel WebAuthn protocol through several rounds of iteration.

Detailed Background

Our user base, primarily agencies, developers, and power users managing multiple client sites, faced a pervasive, costly security problem: the password itself. Users and their clients were required to use passwords every time they logged in to their WordPress sites, increasing anxiety about potential breaches.

This poor password hygiene generated a corresponding business problem: a spike in brute-force attacks and late-night work sessions for our users, who had to unblock authorized clients locked out by their own forgotten passwords. We recognized that the underlying issue was not a lack of security features, but a critical friction point in the login process. To address this support burden and security exposure, our challenge was to quickly and intuitively integrate Passkeys, a novel security technology, into our plugin ecosystem.

Tools I Used

What Principles Did I Lean On?

Rather than designing in a vacuum, I adopted a "Sponge" approach—absorbing the team's deep technical domain knowledge and combining it with verified user pain points.


  • Lean UX (Build-Measure-Learn): To achieve "first-to-market" status in the WordPress industry, I prioritized speed and iterative learning. We skipped extensive upfront research in favor of rapid prototyping, developer collaboration, and targeted usability testing to validate our hypothesis in real-time.


  • Proactive User Guidance: Because passkeys were a novel technology in 2022, I designed an "educational-first" flow. By including "How" and "Why" UI components and a step-by-step registration guide, we reduced the cognitive hurdle of adopting a passwordless mental model.


  • Mental Model Bridging: To prevent "new technology anxiety," I maintained strict alignment with the existing WordPress login styling. This ensured the transition felt like a natural upgrade to a familiar process rather than a jarring new interface.

Rather than designing in a vacuum, I adopted a "Sponge" approach—absorbing the team's deep technical domain knowledge and combining it with verified user pain points.


  • Lean UX (Build-Measure-Learn): To achieve "first-to-market" status in the WordPress industry, I prioritized speed and iterative learning. We skipped extensive upfront research in favor of rapid prototyping, developer collaboration, and targeted usability testing to validate our hypothesis in real-time.


  • Proactive User Guidance: Because passkeys were a novel technology in 2022, I designed an "educational-first" flow. By including "How" and "Why" UI components and a step-by-step registration guide, we reduced the cognitive hurdle of adopting a passwordless mental model.


  • Mental Model Bridging: To prevent "new technology anxiety," I maintained strict alignment with the existing WordPress login styling. This ensured the transition felt like a natural upgrade to a familiar process rather than a jarring new interface.

Discovery & Research

Our Initial Hypothesis

My initial understanding of the problem mainly focused on login effectiveness. As a Security plugin, we consistently advised users to reset passwords regularly, but we often struggled to get them to follow through with that best practice. When I first discussed the idea of introducing passkeys with my Lead Developer, who was already familiar with the technology and highly supportive of it, and our Project Manager (we did not have a product owner at the time), I presented Passkeys as a solution to the recurring password reset issues our users faced as seen by an initial support ticket review session.

User Research

We decided to skip extensive user research to prioritize speed to market. Our goal was to be the first WP Security plugin to introduce Passkeys. However, we still wanted to validate our assumptions and explore other ways Passkeys could benefit our users and their clients. So, we met with only five current users, discussed login security with our support team, and held additional collaboration sessions with our Lead Developer, who had a strong understanding of the subject.

We decided to skip extensive user research to prioritize speed to market. Our goal was to be the first WP Security plugin to introduce Passkeys. However, we still wanted to validate our assumptions and explore other ways Passkeys could benefit our users and their clients. So, we met with only five current users, discussed login security with our support team, and held additional collaboration sessions with our Lead Developer, who had a strong understanding of the subject.

Key Findings

All the experienced users I met shared a common issue. They also struggled to get their clients to reset passwords regularly, which led to late-night sessions unblocking authorized users solely because of password problems and interactions with our security features like brute force protection and the blocked users list—something we only realized after meeting with users and noticing a similar pattern in support tickets.

All the experienced users I met shared a common issue. They also struggled to get their clients to reset passwords regularly, which led to late-night sessions unblocking authorized users solely because of password problems and interactions with our security features like brute force protection and the blocked users list—something we only realized after meeting with users and noticing a similar pattern in support tickets.

  • We also noticed that users didn’t use the existing two-factor feature to the level we hoped. Only two of five users used the two-factor authentication feature, leading us to assume their clients were not using it either.


  • We measured how long users took to log in to their sites. For users who had their passwords saved to a password manager, they logged in very quickly without delay, but for the users who did not have a password manager, they took on average 25 -30 seconds to log in.


  • Our agency users were experiencing infrastructure strain from supporting account recovery efforts as they implemented higher security standards for end users. This created a strong aversion to improving login security efforts for their users.

The issue now stems more deeply from the security burden on experienced users (agencies, developers, power users) because of their clients' widespread password management failures and a general hesitation to adopt existing multi-factor authentication (2FA). This creates significant, time-consuming support problems for these users and increases the risk for both the client and the site.

The issue now stems more deeply from the security burden on experienced users (agencies, developers, power users) because of their clients' widespread password management failures and a general hesitation to adopt existing multi-factor authentication (2FA). This creates significant, time-consuming support problems for these users and increases the risk for both the client and the site.

Strategy, Ideation, & Prioritization

Defining the Scope & Vision

Vision:

Ideally, we wanted a Passkeys feature that could compete with big companies like Google and others but didn't have a clear idea of what their experiences would look like.

Ideally, we wanted a Passkeys feature that could compete with big companies like Google and others but didn't have a clear idea of what their experiences would look like.

Scope:

We decided to provide extensive user guidance for Passkeys registration in the MVP, since no other competitors had released Passkeys at this stage and the concept would be new to many of our million active install users. We were unsure how much it would resemble offerings from leading companies like Google, but we chose to include a comprehensive amount of guidance on the initial registration process.

We decided to provide extensive user guidance for Passkeys registration in the MVP, since no other competitors had released Passkeys at this stage and the concept would be new to many of our million active install users. We were unsure how much it would resemble offerings from leading companies like Google, but we chose to include a comprehensive amount of guidance on the initial registration process.

Trade-offs & Constraints

Regarding design, we needed to match the existing styling for the WP login screens. This imposed strict design limitations to align with users' mental models when they log in. Not only is this standard practice, but we also wanted to ensure users do not face a significantly new design or unnecessary cognitive effort when interacting with a completely new technology or feature: no logos and minimal new visuals.

Regarding design, we needed to match the existing styling for the WP login screens. This imposed strict design limitations to align with users' mental models when they log in. Not only is this standard practice, but we also wanted to ensure users do not face a significantly new design or unnecessary cognitive effort when interacting with a completely new technology or feature: no logos and minimal new visuals.

User Persona

We aimed to base our designs on our primary user persona, “Cindy.”

User Flow

Before meeting with my Lead developer to discuss what they knew about the new technology and how the experience would look from a technical perspective, I researched everything I could about Passkeys and found only one existing demo from Cisco DUO that greatly helped in understanding how a user would interact with Passkeys.

Before meeting with my Lead developer to discuss what they knew about the new technology and how the experience would look from a technical perspective, I researched everything I could about Passkeys and found only one existing demo from Cisco DUO that greatly helped in understanding how a user would interact with Passkeys.

Before meeting with my Lead developer to discuss what they knew about the new technology and how the experience would look from a technical perspective, I researched everything I could about Passkeys and found only one existing demo from Cisco DUO that greatly helped in understanding how a user would interact with Passkeys.

Once I gained an initial understanding from Cisco’s passkeys demo, I attended several meetings with our Lead Developer to ensure my research aligned with the technical application his team expected. The Cisco demo proved to be very valuable because the flow matched the technical application that my developer anticipated.

Once I gained an initial understanding from Cisco’s passkeys demo, I attended several meetings with our Lead Developer to ensure my research aligned with the technical application his team expected. The Cisco demo proved to be very valuable because the flow matched the technical application that my developer anticipated.

Once I gained an initial understanding from Cisco’s passkeys demo, I attended several meetings with our Lead Developer to ensure my research aligned with the technical application his team expected. The Cisco demo proved to be very valuable because the flow matched the technical application that my developer anticipated.

To ensure I understood each step in the process, both when designing and across the organization, such as for junior developers, I created a user flow chart to clearly show the step-by-step process of registering and using a passkey.

To ensure I understood each step in the process, both when designing and across the organization, such as for junior developers, I created a user flow chart to clearly show the step-by-step process of registering and using a passkey.

To ensure I understood each step in the process, both when designing and across the organization, such as for junior developers, I created a user flow chart to clearly show the step-by-step process of registering and using a passkey.

Design, Testing, & Iteration

Once we had low-fidelity designs, I quickly translated a few screens into high-fidelity designs to enhance collaboration. I reviewed them with my lead developer to ensure they remained aligned with the technical application.

As I discussed earlier, we wanted to guide users through this experience, since it might be one of the first, if not the very first, experiences most of our users have with passkeys. The initial screen in the flow that we eventually improved is represented by the "how" and "why" UI shown below:

Usability Testing

Once we had a complete high-fidelity prototype, I advocated for usability testing because, again, this was uncharted territory for our product and industry. We needed to ensure these designs were intuitive and would facilitate the adoption of this new security technology.

Targeted User Interviews (iThemes Security Users)

30 Testers

52%

Percentage of participants rated the ease of use 9/10

63%

Percentage of participants said the UI was intuitive and 33% said “very intuitive”

90%

Task success rate, with a low click rate.

96%

Percentage of participants said the flow was “as expected”

User Quotes:

User Quotes:

“The design is quite easy to understand”

“I found the language was clear.”

“Very simple and intuitive.”

“Easy to understand, but too much text.”

Design Rationale

The step-by-step guide we pivoted to was designed to introduce users to and guide them through the process, even if the browser interstitial did not guide on its own. We knew users would still be able to see our guiding UI, even when the interstitial was displayed, so the UI would automatically update to show the next numbered step and hopefully offer helpful information if users were unsure of what to do next or were initially confused by a browser pop-up.

After the usability tests, we incorporated some key feedback. We shortened the dense text sections but kept the rest of the design since users connected well with it and rated it as intuitive most of the time. View our specific changes below.

After the usability tests, we incorporated some key feedback. We shortened the dense text sections but kept the rest of the design since users connected well with it and rated it as intuitive most of the time. View our specific changes below.

Tested Designs

Our initial data showed a massive trust and cognitive gap. We hypothesized that heavy educational copy would reassure users, but our research proved the exact opposite.

Shadow interviews and prototype testing revealed that long, jargon-filled paragraphs actually created information overload. Users felt overwhelmed and bogged down by 'support-text toil,' leading to high abandon rates and frequent misclicks during critical biometric prompts.

Outcome & Impact

Using basic telemetry data, we saw a reduction in login times by 55% compared to our initial user interviews and pre-passkeys telemetry observations.

55%

Reduction in login time

We were able to reach our first launch of passkeys in the WordPress security goal.

x2

Doubled login success rate compared to the password model.

27% Ticket Reduction

Reduction in login recovery requests.

Improved login security for our clients. We saw a reduction brute force issues with our users and their customers/clients from our support team.

Reduction in Brute Force-related support tickets.

Lessons Learned

Solving Complex Problems Requires Deep Collaboration

When starting at SolidWP, I was not a cybersecurity expert. Still, through in-depth, ongoing discussions with PMs, developers, and our users, I learned how to translate complex security protocols into a simple, intuitive UI.

Adding More Guiding Copy Does Not Simplify An Experience

Strong UX comes from a combination of factors that go beyond guiding copy. Understanding our users and their comfort with security topics was key to realizing that less copy created a better experience for Passkeys.

Overview

Discovery

ideation

Test

Outcome