
Supporting Passkeys in Shop's Authentication Flows

submitted by
Style Pass
2023-03-25 06:30:01

Whether processing checkouts through Shop Pay or shopping via the Shop app, security is paramount to Shopify—as is providing a frictionless authentication experience. 

Passkeys are a new login credential based on public-key cryptography that replaces username-and-password sign-in. When passkeys began receiving mainstream adoption last year through the FIDO Alliance, the Shop team saw the perfect opportunity to upgrade our authentication mechanism while keeping the ease of use for which our product is known. In December 2022, we started deploying passkeys to Shop's authentication flows on the web and in our native app to replace email and SMS verification.

Currently, Shop Pay customers authenticate with a one-time code that we send to their verified email address or, via SMS, to their verified phone number. Although we protect our users' accounts on our side, the security of a Shop Pay account is then only as good as the security of the email account or phone number tied to it, which varies by provider: whoever controls that mailbox or phone number can receive the code and sign in as the user. Passkeys have proven to be phishing-resistant and generally far more secure than passwords or delivered codes, while keeping the sign-in process convenient.

Passkeys are now supported on Android and in Chrome by the latest version of Google Password Manager, and on iOS devices and in Safari by Apple's iCloud Keychain. This is how it works: when registering with an app or website, the user's authenticator generates a public/private key pair. The private key stays on the device, and the website stores only the public key. At sign-in, the website sends a fresh challenge, the device signs it with the private key, and the website verifies the signature with the stored public key, so the server never holds a secret that could be leaked or phished. As long as the device is safe, the credential is safe, and there is no username/password pair to be stolen in a breach or captured on a lookalike site. On the client side, passkeys can use platform authenticators built into the device (unlocked with biometrics or a device PIN), roaming authenticators that can be connected to any device (hardware security keys such as YubiKeys), or other software methods with strong security guarantees.
