Reducing Friction in Account Creation
Legacy sign-up forms are primary drivers of user churn. To improve conversion, developers should prioritize Identity Federation, allowing users to sign up via trusted providers (e.g., Google) to skip manual form entry. For applications that require manual sign-ups, developers should implement robust autofill by using descriptive name and id attributes alongside correct autocomplete values (e.g., new-password, email).
Once an account is created, the recommended pattern is "federate, then upgrade": use federation for instant onboarding, then immediately prompt the user to create a passkey for secure, device-agnostic future access. For verifying sensitive user attributes like age or legal identity, the Digital Credentials API provides a privacy-preserving transport layer to request verified claims from a user's mobile wallet.
Streamlining Sign-in with Passkeys
Passkeys offer a phishing-resistant alternative to passwords and OTPs. To optimize the sign-in experience:
- Immediate UI Mode: Available in Chrome 148+, this allows the browser to present available credentials (passkeys or passwords) immediately. By setting password: true in the API call, developers ensure the highest success rate for users.
- Conditional UI: This integrates passkeys directly into the browser's autofill suggestions, appearing when a user focuses on a username or password field.
- Conditional Create: This allows for silent enrollment of a passkey in the background if the password the user signed in with matches one saved in their password manager, which can significantly boost adoption rates.
Maintaining Credential Hygiene
To prevent "stale" credentials and ensure a consistent experience across devices, developers must use the Signal API to keep the browser and backend in sync.
- signalUnknownCredential: Call this when the backend detects a sign-in attempt with a non-existent credential ID, so that the credential is removed from the user's provider.
- signalAllAcceptedCredentials: Use this after every sign-in or deletion to ensure the list of available passkeys remains accurate.
- Cross-Platform Association: Use an assetlinks.json file on your server to link your web origin with your Android app, enabling seamless passkey usage across both platforms.
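As an added example that is not part of the original page, the following JavaScript separates the decision of which Signal API call to make (driven by what the backend knows) from the browser call itself, which is feature-detected so it never breaks sign-in where the API is absent. It assumes the backend stores credential IDs and the user handle as base64url strings, the encoding the Signal API expects, and "example.com" stands in for the real rpId.

```javascript
// Added example (not from the original page): backend-driven Signal API hygiene.
// Assumes credential IDs and the user handle are stored as base64url strings,
// which is the encoding the Signal API expects; "example.com" is a placeholder rpId.

const B64URL = /^[A-Za-z0-9_-]+$/;

// Convert raw bytes (e.g. credential.rawId) to unpadded base64url.
function toBase64url(bytes) {
  const bin = String.fromCharCode(...new Uint8Array(bytes));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function assertB64url(name, value) {
  if (typeof value !== "string" || !B64URL.test(value)) {
    throw new TypeError(`${name} must be a base64url string, got ${String(value)}`);
  }
}

// Pure decision logic: which signal should the RP send after an authentication
// attempt? acceptedIds is the backend's current list for the user; presentedId
// is the credential ID the browser just asserted with (undefined after a deletion).
function planCredentialSignals({ rpId, userId, acceptedIds, presentedId }) {
  acceptedIds.forEach((id) => assertB64url("acceptedIds[]", id));
  if (presentedId !== undefined) assertB64url("presentedId", presentedId);

  if (presentedId !== undefined && !acceptedIds.includes(presentedId)) {
    // The provider holds a passkey the backend no longer recognises: ask the
    // provider to delete just that one. No user is identified, so nothing else.
    return [{ method: "signalUnknownCredential",
              options: { rpId, credentialId: presentedId } }];
  }
  // Successful sign-in or a deletion: publish the full accepted list so the
  // provider can drop any passkey that is no longer in it.
  assertB64url("userId", userId);
  return [{ method: "signalAllAcceptedCredentials",
            options: { rpId, userId, allAcceptedCredentialIds: [...acceptedIds] } }];
}

// Browser side: feature-detect so that hygiene signalling is a silent no-op where
// the Signal API is missing and never interrupts the sign-in flow itself.
async function dispatchSignals(plan) {
  const PKC = globalThis.PublicKeyCredential;
  const sent = [];
  for (const { method, options } of plan) {
    if (typeof PKC?.[method] !== "function") continue;
    try { await PKC[method](options); sent.push(method); } catch { /* best effort */ }
  }
  return sent;
}
```

Call planCredentialSignals on the server's answer to the assertion and pass the plan to dispatchSignals in the page; in a non-browser runtime the dispatch simply sends nothing.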
Modernizing Recovery
Traditional recovery methods like email OTPs or magic links introduce high-friction context switching and are vulnerable to phishing. The Email Verification Protocol allows for browser-mediated verification, eliminating the need for the user to leave the app to check an inbox. In the event of device loss, passkeys stored in cloud-synced providers (like Google Password Manager) allow users to recover access by authenticating on new hardware via screen lock or PIN.