Pioneering passwordless authentication in public sector

Client

NHS login

a digital identity verification and authentication service with 4 million daily active users

NHS login provides patients and the public with a simple, secure and re-usable way to access multiple digital health and care services.

More than 100 digital health services and apps, including the NHS App, uses NHS login.

Role

Lead UX Designer

leading the R&D team, my role extended from discovery phase to driving proof of concept and helping define MVP.

Working closely with the PO, business analyst and scrum master, I played a key role in prioritisation and refinement sessions.

Rethinking Authentication

In 2019, UK National Cyber Security Centre reported

23 million hacked accounts worldwide

were using the password

'123456'

Following the pandemic, we facilitated a workshop, bringing key stakeholders together to discuss the existing methods of authentication.

We identified issues that created friction in the user journey and undermined security, creating the need for an alternative authentication method.

  • Dependency on mobile phones: Users without access to mobile phone or signal could not use the service.

  • Delays in OTP delivery: Slow OTPs (one time passcodes) frustrated users trying to access vital health services.

  • Password fatigue: Users struggled to manage their passwords, resorting to risky practices like reusing the same password.

Problem statement

Existing two-factor authentication method required users to have a mobile phone and signal to receive a one-time security code.

Delays in receiving OTPs and forgotten passwords create friction in the user journey, causing stress when accessing vital health services.

Objectives

  • Make it simple for users to gain access to any health/social care service

  • Provide a way for users in rural/low signal areas to authenticate

  • Increase account security

Multi-factor authentication without password and OTP

Passkeys

Passkeys are a secure alternative to passwords, combining multi-factor authentication in a single step.

They allow users to log in simply using their fingerprint, face ID, PIN, pattern or any other method they use to unlock their device.

Passkeys vs biometric authentication

Passkeys are an upgrade from traditional biometric logins, which are tied to a single device and only use face recognition or fingerprints for authentication.

Passkeys let users verify their identity using any screen lock method, such as a PIN or pattern as well as biometrics. They also make it possible for login credentials to be securely synced across all user’s devices through cloud accounts. This provides a more seamless, flexible experience and makes account recovery easier.

User value

  • no need to save, remember or enter anything for login

  • phishing resistant account security

  • passwordless experience across all user's devices

  • cross-device authentication

  • overcomes biometric skepticism

Business value

  • low cost implementation

  • reduced cost of sending OTPs

  • no security risk and liability in case of a cyber attack

  • increased user trust in digital services

  • less support requests related to account recovery

Passkeys offer security, flexiblity and easy of use, combining multi-factor authentication in a single step.

NHS login passkey implementation

  • Settings: Users can add/remove a passkey via their account settings.

  • Login Interrupt: Eligible users are prompted to set up passkeys during login.

  • Passkey login: Users who set up a passkey are offered to log in with their passkey instead of password and OTP.

  • Help and support: A dedicated Help Center article offering guidance for setup and troubleshooting.

Setting up a passkey (interrupt at login)

Passkey login

Delivery and launch strategy

  • Multiple rounds of user research and design iteration

  • Proof of concept (POC) technical testing

  • Security risk assessment

  • Technical testing to avoid disruption to the existing FIDO implementation

  • Phased rollout and controlled traffic to minimise risks

  • Statistics dashboard to track adoption

  • Post live user research for further improvement

Design development

Multiple touchpoints and scenarios were covered in settings, registration, account recovery and login journeys.

user testing

We did 5 rounds of testing with 66 participants of varying age and digital skills. 

  • 2 rounds of moderated testing with 14 participants

  • 2 rounds of unmoderated testing with 45 participants

  • 1 round of moderated testing with 7 participants with cognitive impairments, autism, dyslexia and low digital skills as well as those who are data skeptic

  • used Leeds accessibility lab to test with various screen readers and assistive tech devices

POC technical testing

Since passkeys are device led, user experience differs depending on the operating system and the browser.

To compile a library of behaviours and errors, we facilitated a technical testing session with the wider team helping us test passkeys on as many devices and browsers as possible.

references and inspiration

In order to maintain a consistent and familiar experience for users, I referred to industry leaders who have already implemented passkeys such as Apple, Google, PayPal, Amazon and Shopify.

constraints and challenges

  • Limited control over the UI: When creating and using passkeys, a pop up is initiated which is managed by the browser and the operating system. Customisation of the pop up is restricted to basic elements (i.e. username and service name), limiting the ability to improve user understanding.

  • Complex user journeys: We had to consider multiple touch points i.e account recovery, settings, help centre etc and map out existing tech implementations to ensure a streamlined, secure and consistent user experience throughout the service.

  • Legal and security requirements: Balancing user needs with business requirements was challenging, as explaining technicalities could complicate the journey and lead to drop offs. By working closely with stakeholders and SMEs, and involving them in user testing and design reviews, we maintained a simple user journey while ensuring compliance.

  • WebView within native apps: Supporting passkeys in native apps requires specific WebView configurations. We updated developer documentation to outline these requirements and collaborated with partner services to ensure compatibility through testing. To enhance the user experience, we implemented device compatibility checks to avoid prompting users to set up passkeys on unsupported devices. For users with existing passkeys, we provided alternative login options and clear explanations when passkeys could not be used.

  • Existing FIDO implementation: While, in the long-term, there is possibility to phase out FIDO (biometric login), it needs to be gradual with a user-centred approach. The decision to fully migrate to passkeys or continue supporting FIDO depends on how passkey technology evolves and the user adoption. To prevent confusion and disruption for FIDO users during this transition period, we implemented eligibility criteria to ensure they are not interrupted to set up a passkey. Users with both passkeys and FIDO enabled will be able to continue logging in using biometrics on the native app and when accessing the service through a browser, they will be able to use their passkey.

Key design decisions

Adopting the term ‘Passkey’

Initially, we were unsure whether to use the term ‘passkey’ as it was unfamiliar to users, and potentially could cause hesitation. We tested this by using alternative phrases like ‘Register a device’.

Eventually, our decision to use ‘passkey’ was influenced by several key factors:

  • Alignment with industry terminology: Apple and Google use ‘passkey’ in their ecosystems, making it important for users to recognise this term when managing passkeys in their device and browser settings.

  • Consistency with FIDO2 UI: Passkey pop up which is managed by the device and operating system uses the term ‘passkey’. We have no control over its content, so alignment was essential to avoid confusion.

  • Avoiding confusion with biometrics: We wanted to avoid users being confused between passkeys and the traditional biometrics.

  • Preventing misconceptions: When we replaced the term ‘passkey’ with more familiar phrases, users felt more confident. However, inadvertently this led to misunderstandings, with some users mistakenly assuming they would receive security alerts on their devices.

  • User adoption: Our decision to adopt ‘passkey’ was reinforced when we noticed users became more comfortable with the term after seeing it in context on the pop up and continued using it throughout their interactions.

Creating a device-led experience

In testing, we observed that providing upfront instructions led to cognitive overload, which ultimately reduced user confidence.

Passkeys are managed by the operating systems, resulting in varying user experiences across different devices and browsers. This inconsistency makes providing instructions challenging and complicates maintenance as operating systems make updates to their UI.

When guided by their device, users were able to focus better and follow on-screen prompts. They developed a better understanding of passkeys once they actually went through the process.

Avoiding information overload

In testing, we found that the more we tried to explain what a passkey is, the less confident users felt.

Passkeys are still unfamiliar to most users, making it easy to overwhelm them with too much information. While the intention was to educate, details about security, and how passkeys function only led to confusion and hesitation.

Users trust the service to handle security, so they don't want detailed explanations. Providing concise and minimal information helps build confidence and makes the experience more intuitive. Simplifying the messaging ensured that users can focus on the task at hand, rather than being distracted or discouraged by complex details.

Building user confidence through familiar references

When introducing a new concept like passkeys, it’s tempting to provide detailed explanations to address user concerns.

In early testing, users expressed they would like more details about what a passkey is and its benefits as a way to encourage them. However, this conflicted their behaviour. During prototype testing, users often felt overwhelmed by the amount of information.

To explore this further, we set up an unmoderated testing. We used an accordion style component that allowed users to expand and read additional details at their discretion. Only 2 out of 15 users opened the details, and even then, they only skimmed through the content.

On the other hand, users immediately noticed 'fingerprint and face ID' in the content. These familiar terms were enough to encourage them to proceed with setting up a passkey as that gave them an idea of what to expect with passkeys.

Adoption

On the whole, it would make me access the service more frequently because it would be more secure and less of a hassle to log in.

While users are somewhat unfamiliar with passkeys, overall, they reacted positively to passwordless login and appreciated the security and speed of passkeys.

Early adoption

  • 1,000+ unique users set up a passkey within the first week of launch.

  • 5,000+ users adopted passkeys by the second week.

  • Within just two months, over 100,000 unique users had set up a passkey.

It is important to note that there was no campaign promoting passkeys. These figures represent users who discovered passkeys in account settings and decided to set one up, demonstrating the interest in passwordless login.

Adoption over time

Within eight months of going live, we have seen user adoption gradually increase:

  • 778,044 unique accounts have passkeys.

  • 500,000 passkey logins per month on average.

  • passkey setup success rate improved from 67.3% during the first three months to 78% after six months.

Qualtrics user feedback

We launched Qualtrics survey to collect feedback from users who set up a passkey in live product. We received 92 responses. 70 out of 92 users found the setup process easy, with 15 users responding that it was in line with their expectations.

We also asked users their reason for setting up a passkey. Users could only select one out of the five options. 75 out of 92 users selected their primary motivation was ‘to make login quicker’. 6 users chose improved security, while 5 users selected ‘no need to remember a password’.

Key takeaways

  • passkeys are a relatively new concept, and we expect that adoption can take time

  • some users will still prefer to use methods they are familiar with, therefore offering other secure alternatives remains important

  • the improved success rate and fewer errors over time suggests that increased exposure to passkeys and a streamlined user experience can help with adoption

As more services offer passkeys, user confidence and familiarity will continue to grow, driving wider adoption over time.

Next Steps

NHS login is committed to improving the passkey experience and driving widespread adoption.

  • Continuous Improvement: We will continue iterating on our current implementation, using data from live service and ongoing user research to inform areas for improvement.

  • Encouraging Adoption: We are looking to implement prompts at strategic touchpoints, such as password reset or account recovery, to encourage users to set up a passkey.

  • WebView Implementation: We are working with partner services to ensure their WebView implementation supports passkeys on native apps.

  • Improving Login Speed: We are exploring technical solutions to eliminate the need for manual username or email entry, simplifying the authentication process and improving overall efficiency.

Future outlook

The future of passkeys looks promising with some of the world’s largest brands now offering passkeys — Apple, Google, Amazon, TikTok, WhatsApp, and PayPal, to name a few.

Apple and Google continue to work together towards a unified cross-platform experience, to make passwordless login seamless for users.

Recent updates from Google demonstrate the industry's commitment to passkeys. Google Password Manager now supports passkey synchronisation across Windows, macOS, and Android, streamlining the user experience.

Reflections

One of the defining aspects of this project was the close collaboration with engineers, cybersecurity experts, and clinical teams.

Bridging the gap between design and technology, we ensured that the passkey integration was not just user-friendly but also underpinned by robust security measures.

This has been an exciting and rewarding challenge—laying the foundation for passwordless authentication and shaping the future of digital identity.

It was a complex design task where I had to map out the full service to understand how different parts connect and how users interact with those parts. It was more than designing screens; I had to consider the broader context, such as legacy tech, security protocols, legal obligations, and support structures.

This experience showed me that effective design approach is one that adopts a holistic view, anticipates potential challenges and integrates them into cohesive, user-focused solutions.