
2025-6-5
Over 10 Million Passkey-Authenticated Users! The Story Behind the Success and the Future of Security Measures
Nowadays, more and more services are becoming digitalized. This is also affecting the way we use money—online banking, credit cards, and electronic payments are slowly becoming the norm. Taking advantage of this trend, phishing scams are also on the rise, with the Financial Services Agency and the National Police Agency sounding the alarm and drawing attention to phishing as an urgent issue.
As a result, there is a growing call for companies to handle user accounts in safer and more secure ways. At Mercari, we have introduced a password-free authentication method called passkey, which allows users to log in using biometric authentication or a PIN.
Passkey authentication is a system based on international standards and was established by the FIDO Alliance, of which Mercari is also a member. Alongside other Japanese and globally-renowned big tech companies, Mercari is a board member of the FIDO Alliance and contributes to discussions aimed at the widespread adoption of passkeys.
Since implementing passkeys for our Mercoin service in March 2023, we have worked on numerous initiatives to encourage users to register for and use passkeys. Our efforts have paid off, with over 10 million users registering passkeys as of March 3, 2025, just two years after the feature was introduced. This was much faster than anticipated, even surprising those who worked on the initiative!
So, how did Mercari encourage users to register for passkeys, and how has the increase in users using passkey authentication changed our services? Further, what role does Mercari play in the FIDO Alliance?
We sat down with product managers (PMs) Keisuke Tanaka (@kei.t) and Kotaro Oi (@koi), marketing specialist Shohei Okamoto (@okamoto), and data analyst Nobuaki Maruoka (@maruoka) to find out the story behind this project and their outlook on what security measures will look like in the future.
People featured in this article
- Keisuke Tanaka
Keisuke joined Mitsui Sumitomo Card in 2007, where he mainly worked on improving the work efficiency of operations that use anti-fraud measures such as RPA fraud detection rules and the implementation of new tech. In 2020, he joined Merpay as a PM where he worked on implementing fraud monitoring measures and 3D-Secure, as well as anti-phishing measures, related to Merpay and Mercari’s existing and new services. Keisuke was recently appointed director of the Customer Service & Trust and Safety Product and Program Management Team for Mercari Group.
- Kotaro Oi
Kotaro joined Yahoo Japan Corporation in 2013. There, he worked on developing login, authentication, and authorization services as a member of an engineering team. He joined Merpay in 2022 as a PM in the IDP and notification services domain.
- Shohei Okamoto
Shohei joined Mercari (Souzoh) in 2021 as a member of the growth team for Mercari Shops. He then transferred to the marketing team for Mercari in 2023. Shohei is currently in charge of user acquisition, the launch of new services, and the growth of new service features.
- Nobuaki Maruoka
Nobuaki joined Merpay in 2021. He is a data analyst and joined the tech sector after working as a software engineer at an audio equipment company. He worked on digital advertising analysis in the gaming sector, as well as UX/UI development and effect verification in the education field, before entering Mercari. Nobuaki currently works on anti-fraud measures for Merpay and oversees analysis work focused on improving the profitability of the credit business among others.
Permanent measures against phishing attacks: The background behind passkey implementation
——Before we get started, could you give us a quick explanation of FIDO and passkeys, as well as the risks involved with using standard passwords?
@kei.t: FIDO stands for “Fast IDentity Online” and refers to new standards for authentication technology that does not rely on passwords. Passkeys were developed based on FIDO technology. Passkeys use biometric authentication, such as a fingerprint or facial recognition, or device screen locks, such as a PIN or a pattern, to allow users to log in safely and easily without using a password.

The problems associated with traditional password authentication include users registering simple passwords because they’re easy to remember or using the same password across multiple accounts, making it easier for the password to be leaked or the account to be hacked. Also, setting different passwords for different services places a burden on the user who has to remember all those different passwords.
With passkeys, users simply log in using a fingerprint or facial recognition, so there’s no need to remember anything. A passkey also verifies the user’s identity, meaning that there is less risk of phishing attacks. One other benefit is that logging in takes less time, improving the user experience.
——Passkeys certainly provide many advantages over passwords in terms of safety and ease of use. Could you tell us how the project to implement passkey authentication at Mercari came about?
@kei.t: At Mercari, we experienced around three phishing attacks in the past. To address these attacks, we implemented measures such as adding SMS OTP (two-factor authentication by sending a one-time password via SMS). However, phishing tactics are evolving, and it’s becoming impossible to completely prevent attacks as they happen.
Historically, a new type of phishing attack tends to appear approximately every 2 to 3 years, so we were all in agreement to implement permanent countermeasures following the phishing incidents in 2022. To do this, we decided to introduce passkeys.
The project was split up into five phases. Phase one was introducing passkey authentication for Mercoin. In phases two and three, we would implement passkeys for authentication processes other than the initial login (within the app and web). Phase four focused on implementing passkeys to log in for all services, and phase five focused on increasing the number of users who had registered a passkey. Our target was 10 million registered users, and we achieved that around two years after starting the project.
——How did you decide on the target of 10 million users, and what was the level of difficulty you assigned to this?
@koi: At the time, Mercari had around 20 million monthly active users (MAU). (Note: This figure is currently around 23 million.) We thought that if half of our users were using a passkey, potential attackers would see Mercari as too difficult to attack, and this would make us less likely to become a target of phishing.
Having said that, 10 million users was just a checkpoint, and we didn’t focus solely on that number. For Merpay in particular, our users are more vulnerable to risk as they use credit and balance services, so we focused on protecting them as a priority.

In terms of difficulty, it was definitely a bold goal. Although, when we set our goal around a year ago, about 2 million users had registered a passkey. We were seeing around 200 to 300 thousand new registrations per month, so we expected to reach 10 million registered users in three years.
But, to prepare for the next anticipated attack in 2025, we needed 8 million new registrations within the remaining year. We had to figure out how to increase our figures to between 600 and 800 thousand users per month, which was challenging.
——That certainly must have been difficult. What helped you achieve your goal?
@koi: I think there were three main factors. The first was that users were becoming more worried about phishing attacks, particularly those who used payment services. Warnings about the risks of reusing passwords were being issued by the police and media, leading to a shared understanding that individuals should take measures themselves.
The second was that we were successful in making users aware of passkeys and understanding their benefits. We didn’t just promote them as technology that makes accounts more secure; we also emphasized that users could log in faster and more easily by using a passkey.
Lastly, internally, it was easy to form teams and cross-team collaboration went smoothly. Many members, including data analyst @maruoka and marketing representative @okamoto, shared our strong sense of urgency regarding phishing attacks and were active collaborators. Thanks to them, we were able to coordinate internally and communicate our messaging to users without a hitch. Right down to the designers who handled the creative side of things, I feel that everyone’s commitment to our “Be a Pro” value became the driving force behind the project.
Outreach, touchpoints, and wording, refined from the user’s perspective
——You mentioned that internal collaboration and the social movement against phishing attacks at the time played a big part, but could you share some specific measures that significantly contributed to the increase in users adopting passkeys?
@kei.t: Making login mandatory was a particularly effective product initiative. We announced that users would have to log in to use the app and advertised passkeys as a way to make logging in safer and easier.
This involved promoting passkeys to users who logged in via SMS, and raising awareness about passkey registration after login for users who had not yet registered. Users who had not yet registered were shown a message stating that registering a passkey would make the app safer and easier to use.
@maruoka: We usually communicated with users via in-app notifications or announcements, but for this project we also sent out emails. We saw a surprising number of users register a passkey via the email notice.
——I think the three key elements in increasing user awareness and understanding are “outreach,” “touchpoints,” and “clear wording.” @okamoto, you were in charge of the communication initiative for this project. Could you tell us how you devised the strategy for each of these elements?
@okamoto: First, for the outreach messages, we came up with various proposals to attract users, such as highlighting the benefits of passkeys as a security measure and saying that using passkeys is the new security standard. Of all the suggestions, we focused on what users might feel is a burden in their daily life, as very few of them had actually been attacked by a phishing scam. Telling users that they no longer had to deal with SMS OTP, which is time-consuming, was the most effective.
Then, we worked on the touchpoints. We used email notifications in addition to in-app announcements and push notifications. Our tactic involved a lot of trial and error based on the “user journey.” For example, we also added a link to passkey registration on the user’s home page to ensure that even those who missed the notifications would see it.

——The UX Team is good at working on the user journey. Did you collaborate with them at all?
@koi: Yes, they gave us advice like that it would be better to add in a landing page (LP) summarizing the features and necessity of passkeys instead of transitioning directly from the notification screen to the passkey settings screen. They also advised us that ensuring the same experience anywhere on the app by using consistent wording and images to promote passkeys would gradually increase users’ interest.
——What kind of things did you try for the third element, “wording?”
@okamoto: We tried to come up with the best expressions depending on where we were sending out the messaging. For example, Mercari sends out a large number of notifications about campaigns, so an in-app notification may be overlooked. We wanted to make this announcement sound more official, so we avoided using special characters like emoji, which are often used for campaign notifications.
Also, there was a lot of information we wanted to convey but not much space to convey it, so we utilized videos that showed the technology in action in addition to text. We didn’t think it was necessary for all users to understand the background and advantages and disadvantages of passkeys from a technical perspective. First, we thought it was important for them to get a sense of how convenient passkeys are, then have them register a passkey to ensure their safety.
——@okamoto, you have worked on a number of different marketing initiatives. Was there anything different about this project?
@okamoto: The marketing initiatives I worked on previously were mainly for projects “on the offense” aimed at increasing gross merchandise value (GMV). This time, the goal of the project was to prevent fraud, that is, act as a defense. It was a fresh experience in a new field for me, and I was conscious of measuring the effect of our strategies quickly.
This project was a brand-new undertaking for the company. Unlike typical marketing initiatives that I’ve worked on, I found it difficult to closely track inflow traffic and conversions, so, for this project, focusing on planning and action was more important than spending time on analysis.
Only creating what is needed—increasing speed through light analysis and evaluation
——Real-time analysis is also important for quick effect verification. Did you implement any particular techniques?
@maruoka: We created a lightweight dashboard that allowed us to track the number of registered users based on each initiative on a daily basis and compare numbers to those of the previous month, which was helpful. As @okamoto just mentioned, the dashboard was designed to avoid overly analyzing numbers and to allow us to gain an approximate understanding of the effect of each initiative and a rough future forecast. We were conscious of ensuring a level of detail that would lead to action. For example, “at this rate, we might fall short by this much, so let’s take the following action.”

▲The actual dashboard (partially modified for publication).
@kei.t: Even though we took a more hands-off approach, the accuracy of the figures ranged from roughly 60% to as high as nearly 90%. Also, being able to compare with the previous month on a daily basis allowed us to capture changes in real time, which was extremely helpful for identifying causes and devising countermeasures.
——For a project that had no precedent at the company and required speed, that sounds like the perfect design. But is it really possible to implement the PDCA cycle effectively with such a low level of analysis?
@maruoka: @okamoto was originally a data analyst, so he knows how to work with data well. With @okamoto on the team, we had someone who could immediately interpret the analysis and link it to effect verification, which meant that even relatively light analysis served us well. Also, it was helpful that the team shared a common understanding of keeping analysis to a certain level and spending more time on planning and action.

@kei.t: One other thing that was special about this project is that we hardly used any budget. If we had a large budget, we would need to discuss where we should invest to minimize the risk of failure, for example. However, for this project, I think that quickly running through the PDCA cycle with a limited budget was the right approach.
——Compared to the projects you have worked on as a data analyst in the past, were there any aspects of this project that stood out to you?
@maruoka: I first joined the project around a year ago, when the number of registered users was about 2 million. Honestly, I was surprised when I heard that the goal was 10 million users. I felt like we would need to implement every possible measure, and even then would only barely reach our goal if results exceeded expectations. Actually, that’s a very Mercari-like approach. (laughs)
However, thinking positively about how we could achieve our goal and steadily repeating the PDCA cycle ultimately led to tangible results. That taught me that it’s really important to believe in the goal and try, even if the task seems impossible.
Also, it was my first time being a major participant in a long-term project spanning over a year. Being able to work on a project while approaching each task with the long term in mind was personally a big learning experience for me. Even for the dashboard mentioned earlier, despite only including simplified points of analysis, it was designed with the intention of making something that will be impactful in the future.
Smoother internal coordination through visualizing the impact on management and other teams
——It’s important to all be on the same page when you’re working on a project as a team. Were you conscious of anything in particular when collaborating with other teams or those in management?
@koi: Generally speaking, it’s difficult to promote defensive projects, like this one, throughout the company. To bolster our case, @kei.t told the various stakeholders involved that this project was necessary to prevent financial losses and maintain user trust, and that helped the project move along smoothly.
For instance, if one of our users becomes the victim of a phishing attack, Mercari will compensate them in full. If the amount of damage is significant, more burden is placed on the company, and users who feel unsafe may stop using our product. That’s why @kei.t emphasized the perspective of maintaining a trust relationship with our users, not only in terms of short-term gains and losses but also in the medium to long term.
@kei.t: I also shared specific examples of how it would benefit the company financially. For example, the costs involved with sending messages for SMS OTP authentication reached several hundred million yen per year—using passkeys would cut those costs. Also, if the company had to pay compensation totaling 100 million yen, approximately 10 times that amount in GMV would be needed to recover the loss. I communicated to management and related departments that even if an initiative does not directly generate profit, it can provide significant value in mitigating future losses.

——So, you talked about not just short-term gain but also future impact when making your case.
@koi: Also, @maruoka analyzed the impact on other service areas, and that was a great help in getting other members to understand the project. Just telling people that passkeys are an effective security measure makes it hard to get them on board as they can’t see how it relates to their own domain.
@maruoka examined whether there’s a difference in rates of users who register passkeys between those with a good credit rating and those with a low credit rating, or whether users who had registered a passkey are more inclined to make purchases on Mercari.
Although you can’t always be sure of the correlation, we discovered that those who purchase more frequently on Mercari tend to have a higher passkey registration rate. From there, we were able to make the case that the adoption of passkeys is necessary to ensure that such users can continue to use the service with peace of mind.
Mercari’s position as a FIDO Alliance board member and role leading passkey adoption in society
——Achieving 10 million registered users was possible precisely because you worked together with management and other departments. Earlier, you said that the number 10 million was just a checkpoint. What do you think will be challenging about increasing this number going forward?
@koi: I think there is still much to be done in promoting awareness and understanding about passkeys. In the early stages, we described passkeys using the term “biometric authentication,” which led to the misunderstanding that Mercari is trying to collect biometric information. Using passkeys does not actually expose any user information, but it ended up causing concern among users.
Then, we decided to use the word “passkey,” and explicitly stated that no biometric information would be collected. This experience made us realize just how the way we communicate can significantly impact the speed of adoption. Going forward, we want to further expand awareness and understanding in a way that avoids any misunderstandings.
——To encourage users to register, couldn’t you take an approach where you essentially force users to set a passkey to use the app?
@kei.t: In theory, we could. In fact, some banks and securities companies have been promoting the transition to passkeys by mandating their usage through their terms and conditions. However, Mercari’s current stance is that, while it may be necessary to enforce passkey authentication to protect certain features or services, we should not go so far as to make passkey registration mandatory in order to use the app. The reason for this is that passkeys still do not offer a perfect user experience.
@koi: If a user uses multiple devices, for instance, the system will require the user to scan a QR code when attempting to log in from a device without a passkey. Additionally, passkeys are shared via Apple ID or Google accounts but may not be shared correctly between an Android smartphone and a Mac, for example. Also, there are cases where the platform in question does not support passkeys, making it impossible to log in.
@kei.t: However, despite such problems, there’s no question that passkeys improve the user experience. In a survey conducted by Mercari, we found that it takes on average 25 seconds to log in using SMS OTP, compared to approximately 4.4 seconds using a passkey. Also, the authentication rate is overall higher with passkeys than with SMS OTP.
To provide a safe and user-friendly system for our users, we have considered making passkeys mandatory for all users in the future. However, given the current technical limitations of the technology, we would also need to focus on how to communicate this change and how to ensure understanding.
We’re not going to be satisfied just because we’ve reached 10 million registered users. We are aware that there are still some pain points for users, so we want to improve both the way we communicate and the user experience.

——So, there are also such things as platform issues that Mercari cannot solve alone. When you come across a problem like that, how do you attempt to solve it?
@koi: I think, in that regard, our activities as a member of the FIDO Alliance become important. The FIDO Alliance is an industry organization with members such as Apple and Google, as well as Japanese tech companies and major telecommunications operators, that promotes the adoption of FIDO authentication and passkeys throughout society.
Mercari is a member of the FIDO Alliance, and also a board member with voting rights. The Alliance has highly rated our successful rollout of passkey authentication, placing us in a position where we can exert a certain level of influence.
As a company providing services to general users, we will also continue to provide the FIDO Alliance with on-the-ground insights, including information about aspects of services that can be difficult to convey to users and different types of phishing methods that are emerging. Through these efforts, we want to be the leader of FIDO and passkey implementation in society. For example, Mercari took the lead in creating a white paper (a report that compiles specialized information on a specific topic), “Passkeys: The Journey to Preventing Phishing Attacks,” to make recommendations to the FIDO Alliance. We will continue to work on such efforts to contribute to the adoption of safer and simpler authentication methods.
Making passkeys the catalyst for Mercari’s growth, and the norm across the world
——It’s clear that Mercari aims to contribute to improving security across society in collaboration with the FIDO Alliance. Lastly, could you tell us your future goals?
@kei.t: First, we really want to focus on improving the user experience. To prevent fraud, you essentially have to make a service more difficult to use, but that may also negatively impact how users use the service. We want to aim to deter criminals but continue to provide the same stress-free service to our users. To achieve this, we’ll need to continue taking on and seriously addressing user feedback.
On the other hand, we also want to focus on positive feedback, not just issues. Negative opinions tend to stand out on social media, and users who only see that content could end up thinking that passkeys are a bad thing. Misinformation like that can spread easily.
But in reality, some users say they are relieved that they no longer have to remember a password, and our data shows that we have fewer inquiries due to improved login success rates. It is also my role to visualize and publish positive results like this.

——So, addressing both the good and the bad leads to improving user experience.
@kei.t: Actively sharing our knowledge and practices with companies that are planning to implement passkeys going forward is also important. Phishing scams affect a large number of companies all over the world, and I’m sure a lot of companies are currently facing difficulties in transitioning to the use of passkeys. We hope to provide information that can be of help to them.
@okamoto: Sharing knowledge and expanding societal understanding of passkeys is an important topic from a marketing perspective as well. Moving forward, we aim to communicate the risks of phishing scams and the convenience and security of passkey authentication to more people through PR activities and collaboration with the media. And this should ultimately lead to even more users registering a passkey on Mercari.
@koi: Passkeys are still considered new technology, and some companies and people may be reluctant to use them. However, just like passwords, they will gradually become a part of our daily life, and we will no longer think of them as something special. Our long-term goal is to change the perception surrounding passkeys so that they become the norm all over the world.
——Could you tell us your future outlook on the product side as well?
@koi: For our product, we’re aiming to revamp the whole authentication experience. Some possible designs include replacing identity verification during account recovery with passkey authentication, or ensuring a secure experience by having users log in using a passkey, eliminating unnecessary authentication elsewhere. We will review various authentication processes within the app and aim to provide a simpler and more user-friendly experience while maintaining security and safety.
@maruoka: I feel that passkey implementation has great potential from a business and marketing perspective in addition to improving security. We managed to work on this project with fairly low costs, but we want to make solid investments going forward as there is significant potential to improve the number of users who register to use the app, purchase rates, and usage frequency.
If we can turn our progress into confidence and keep actively working with other teams, this could become a catalyst for new growth involving the entire organization. We’ll try our best to keep challenging ourselves to strive for that future.
Text: Fumiaki Sato / Photo: Wataru Suzuki