Passkeys vs phishing: Mercari CISO on passwordless adoption

The digital keys to cybersecurity. Image created by DALL·E 3.

Online marketplaces are a common target of threat actors because of their growing user bases and the volume of transactions they process every day. As online shopping surges, criminals are poised to strike.

One such online marketplace is Mercari, a Japan-based online platform boasting 22.6 million monthly users as of late 2023. In 2021, the company faced a surge of phishing sites targeting its users, prompting a significant enhancement in security measures.

Frontier Enterprise sat down with Naohisa Ichihara, Chief Information Security Officer of Mercari, during the FIDO APAC Summit 2023 in Vietnam, to delve into the company’s journey towards adopting stronger authentication measures for its services.

Attack response

Recognising that passwords are a weak authentication factor, since they are often forgotten, easily guessed, reused across services, and exposed in attacks and data leaks, Mercari implemented a series of countermeasures, the first being SMS one-time-password (OTP) authentication.

Naohisa Ichihara, Chief Information Security Officer, Mercari. Image courtesy of Mercari.

Mercari stated in a blog post that this strategy “proved effective as it required attackers to obtain the SMS OTP multiple times, which is difficult to achieve for a real-time phishing site. However, repeatedly sending SMS OTPs was both expensive and not user-friendly, and it couldn’t entirely prevent account takeovers.”

Because of this, the company looked for a next countermeasure that would also bring costs down.

“SMS authentication is not good UX. It involves several screens, with users needing to switch from the Mercari app to the SMS app, copy the PIN code, input it, and then press the submit button. This process is time-consuming, almost 24 seconds, and, security-wise, it’s not phishing-resistant,” Ichihara said.

For Mercari, passkeys met all three requirements for authentication: stronger, phishing-resistant security, cost-effectiveness, and better UX.

Besides its payments platform Merpay, Mercari also introduced a new service called Mercoin, which can be used for buying and selling Bitcoin. Ichihara highlighted the necessity of stronger security to safeguard users against phishing.

“Within the Mercari application, multiple transactions take place, but cryptocurrency is a more critical aspect. Therefore, a different level of authentication is required. Even after logging into the Mercari application, users need to authenticate again to access Mercoin,” he said.

Initially, Mercari used device-bound FIDO2/WebAuthn credentials for Mercoin, then transitioned to passkeys, which are FIDO credentials that can be synchronised across a user’s devices. Ichihara shared that while device-bound FIDO2 authentication suits industries like banking, passkeys worked better for Mercari, particularly when it comes to account recovery.

“The concept of FIDO is that a secret key is generated inside the device, never to be exposed externally, and then it’s paired with a public key stored on the server side. Meanwhile, passkeys can be synchronised between devices, like device A and B. For example, if I’m using the same Google or Apple account on both devices, then the secret key will be synchronised,” the CISO explained.

Passkeys, Ichihara added, are especially helpful if a user loses their phone and needs to buy a new one.

“In the case of passkeys, logging into the same Google account, for example, allows for the recovery of the passkey. But in the case of FIDO, if I lost my device, I need to re-identify myself. I need to confirm my identity again by inputting a password, or eKYC, or something similar. This is not good UX,” he remarked.

Banks, on the other hand, prefer device-bound FIDO2 authentication because the root of trust stays within their own organisation. With synced passkeys, the root of trust shifts to the platform account that holds the synchronised key, run by external companies such as Google or Apple.

“Banks and the financial sector generally prefer to manage their risk by themselves,” Ichihara continued.
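Two points in the discussion above have a concrete protocol shape: why a passkey login is phishing-resistant where an SMS OTP is not (the assertion is bound to the server’s challenge, to the origin the browser itself reports, and to the relying-party ID the authenticator scoped the key to), and how a relying party can tell a synced passkey from a device-bound FIDO2 credential (the backup-eligible and backup-state flags in authenticatorData), which is the information a service like Mercoin would use to decide on step-up authentication. The Python below is an added example written for this article, not Mercari’s code. The RP ID mercari.example, the origins, the policy in step_up_required and every sample assertion are constructed for illustration; the ECDSA signature over authenticatorData || SHA-256(clientDataJSON) is left to a crypto library and not checked here.

```python
# Added example, not Mercari's code. RP_ID, origins and all sample data are
# constructed; the ECDSA signature over the assertion is not verified here.
import base64
import hashlib
import json
import struct
from dataclasses import dataclass

RP_ID = "mercari.example"  # hypothetical relying-party ID
ALLOWED_ORIGINS = {"https://mercari.example", "https://www.mercari.example"}

# authenticatorData flag bits (WebAuthn "Authenticator Data" layout)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced across devices
FLAG_BS = 0x10  # backup state: credential is currently backed up (synced)

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(raw: bytes) -> AuthData:
    """Fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, require_uv: bool = True) -> AuthData:
    """Raise ValueError unless the assertion is bound to our challenge, origin and RP ID."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # Challenge binding: a captured assertion cannot be replayed later.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch")
    # Origin binding: the browser, not the page, writes the origin, so a
    # look-alike domain relaying a live login is exposed here.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError("origin not allowed: %r" % cd.get("origin"))
    ad = parse_authenticator_data(auth_data)
    # RP ID binding: the authenticator scopes the key to the RP ID, so a key
    # minted for a phishing domain carries a different rpIdHash.
    if ad.rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not ad.flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not ad.flags & FLAG_UV:
        raise ValueError("user verification required")
    return ad

def is_synced_passkey(ad: AuthData) -> bool:
    """True when the authenticator reports the credential as backed up (synced)."""
    return bool(ad.flags & FLAG_BE) and bool(ad.flags & FLAG_BS)

def step_up_required(ad: AuthData, high_value: bool) -> bool:
    """Hypothetical policy: a high-value action on a synced passkey gets extra checks."""
    return high_value and is_synced_passkey(ad)

# ---- constructed sample data, not captured from a real authenticator ----
CHALLENGE = b"\x00\x11" * 16  # a real RP draws this from os.urandom(32)
SYNCED_FLAGS = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS
BOUND_FLAGS = FLAG_UP | FLAG_UV

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal,
                       "origin": origin}).encode()

def demo() -> dict:
    legit_cd = make_client_data("https://mercari.example", CHALLENGE)
    synced = verify_assertion(legit_cd, make_auth_data(RP_ID, SYNCED_FLAGS, 0), CHALLENGE)
    bound = verify_assertion(legit_cd, make_auth_data(RP_ID, BOUND_FLAGS, 42), CHALLENGE)
    out = {"synced_is_synced": is_synced_passkey(synced),
           "bound_is_synced": is_synced_passkey(bound),
           "step_up_synced": step_up_required(synced, True),
           "step_up_bound": step_up_required(bound, True)}
    # Real-time phishing: the attacker relays the genuine challenge, but the
    # victim's browser records the phishing origin and the authenticator scopes
    # the key to the phishing domain, so both bindings fail.
    try:
        verify_assertion(make_client_data("https://mercari-login.example", CHALLENGE),
                         make_auth_data("mercari-login.example", BOUND_FLAGS, 0), CHALLENGE)
        out["phish_rejected"] = False
    except ValueError:
        out["phish_rejected"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

Running the block prints the result dictionary. In the phishing case the origin check fails first, so the rpIdHash check is never reached, but either one alone would reject the relayed assertion, which is the property an SMS OTP relay does not have. A production relying party would additionally verify the signature with the stored public key and, for device-bound credentials, check that signCount increased, a counter that synced passkeys often leave at zero.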

Slowly but surely

As of August 2023, more than 900,000 Mercari accounts had registered passkeys, only about 4% of the platform’s 22.6 million monthly active users.

At the moment, Mercari does not intend to make the use of passkeys mandatory for logging into their application.

“We cannot impose on users to register for passkeys. It can’t be a barrier. If we make it mandatory, some might not be able to use the Mercari app. Many users don’t care about passkeys or security concerns; they just want to purchase products as quickly as possible. So while this area remains challenging, we are trying to educate them about passkeys,” Ichihara said.

The CISO also noted that although Mercari has an eKYC process, users who still rely on weaker authentication methods such as SMS OTP remain exposed to phishing.

“For the login process, we aren’t completely able to distinguish or identify threat actors, but afterward, a hacked account might try to make a purchase. We can use passkeys to block these attempts. A passkey can block access because the user doesn’t have the same Google account. If a threat actor manages to take over user A’s Mercari account, the Google accounts – the threat actor’s and the victim’s – will differ. This discrepancy means the passkey won’t be synchronised. Consequently, the criminal won’t be able to log in or break through the passkey authentication. Thus, passkeys can block such unauthorised users,” he explained.

Improving for the future

Looking ahead, Mercari aims to enhance its anti-fraud measures without compromising user experience.

The company is considering data-sharing with other organisations to fight fraud more effectively.

“We can share information among ourselves, such as ‘this IP address is very suspicious,’ or noting that ‘this email address is frequently used for credit card fraud.’ Something along those lines,” Ichihara said.

As for passkeys, the CISO is optimistic that the technology will become more secure over time.

“Passkeys’ security relies on platforms like Google or Apple. What happens if the Google or Apple account is compromised? This would mean the passkey is also compromised. So then, in some cases, we might need to provide better protection for users who have substantial funds in the Mercari application, or significant cryptocurrency assets in Mercoin. To ensure their safety, we may need to have better UX or rely on a different technology than passkeys,” he noted.

To this end, fraud detection and cloud-based biometric authentication are the candidates he sees.

“In terms of account recovery and root of trust, we’re questioning if there’s currently a new solution available. Right now, there might not be one. But looking ahead, cloud-based biometric authentication could potentially play a major role, despite some existing privacy issues. It seems a combination of the current solutions, such as FIDO and passkeys, might be the direction for the next generation of security,” Ichihara concluded.