Mercari, one of the leading e-commerce platforms in Japan, has mandated passkey-only authentication for users who have registered passkeys, eliminating the option of password sign-in for those accounts. This measure aims to combat real-time phishing attacks that exploited the fact that password sign-in remained available to passkey-enabled users.
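The sign-in policy described above, as an added illustration that is not Mercari's code: once a user has enrolled any passkey, the server refuses password sign-in for that account, and a passkey assertion is only accepted when its client data carries an allowed origin and the server's own challenge. The relying-party ID, origins, user records and credential keys below are constructed for this example, and the per-credential HMAC stands in for the authenticator's public-key signature so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Relying-party settings (assumed values for this example).
RP_ID = "shop.example"
ALLOWED_ORIGINS = {"https://shop.example"}


@dataclass
class User:
    username: str
    password_hash: Optional[bytes]                 # scrypt hash, or None if no password
    password_salt: bytes
    passkeys: dict = field(default_factory=dict)   # credential_id -> credential key


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def allowed_signin_methods(user: User) -> set:
    """Policy: enrolling a passkey removes password sign-in for the account."""
    if user.passkeys:
        return {"passkey"}
    return {"password"} if user.password_hash is not None else set()


def password_signin(user: User, password: str) -> bool:
    """Password sign-in, gated by the policy above before the hash is checked."""
    if "password" not in allowed_signin_methods(user):
        return False
    return hmac.compare_digest(hash_password(password, user.password_salt), user.password_hash)


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def passkey_signin(user: User, credential_id: str, client_data_json: bytes,
                   authenticator_data: bytes, signature: bytes, expected_challenge: str) -> bool:
    """Verify a WebAuthn-style assertion: type, origin, challenge, rpIdHash, user presence, signature."""
    if "passkey" not in allowed_signin_methods(user):
        return False
    key = user.passkeys.get(credential_id)
    if key is None:
        return False
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    # The browser writes the origin it is actually on; a lookalike site cannot claim ours.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False
    if not hmac.compare_digest(str(client_data.get("challenge", "")), expected_challenge):
        return False
    if len(authenticator_data) < 37 or authenticator_data[:32] != rp_id_hash(RP_ID):
        return False
    if not authenticator_data[32] & 0x01:          # UP flag: user presence
        return False
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()   # stand-in for ECDSA/Ed25519
    return hmac.compare_digest(signature, expected_sig)


def simulate_authenticator(key: bytes, origin: str, challenge: str):
    """Stand-in for browser + authenticator; the browser fills in the origin the page is on."""
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = rp_id_hash(RP_ID) + bytes([0x05]) + (1).to_bytes(4, "big")  # flags UP|UV, counter 1
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()
    return client_data_json, auth_data, sig


def demo() -> dict:
    salt = secrets.token_bytes(16)
    bob = User("bob", hash_password("hunter2", salt), salt)                 # password only
    alice = User("alice", hash_password("correct horse", salt), salt)       # enrolled a passkey
    key = secrets.token_bytes(32)
    alice.passkeys["cred-1"] = key
    challenge = secrets.token_urlsafe(32)
    good = simulate_authenticator(key, "https://shop.example", challenge)
    wrong_origin = simulate_authenticator(key, "https://shop-example.test", challenge)
    return {
        "bob_password": password_signin(bob, "hunter2"),
        "alice_password": password_signin(alice, "correct horse"),          # refused by policy
        "alice_passkey": passkey_signin(alice, "cred-1", *good, challenge),
        "alice_passkey_wrong_origin": passkey_signin(alice, "cred-1", *wrong_origin, challenge),
        "alice_passkey_stale_challenge": passkey_signin(alice, "cred-1", *good, "other-challenge"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the policy check runs before any credential is examined, so a correct password no longer helps against a passkey-enrolled account, and the origin and challenge checks are what make the passkey path resistant to relayed sign-in attempts.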
This transition required the development of an innovative account recovery mechanism that upholds stringent security standards while ensuring a seamless user experience. In alignment with NIST SP 800-63B guidelines, the new account recovery process integrates adaptive multi-factor authentication methods, enabling secure and efficient account recovery for passkey deployments.
Implementing this system presented challenges, such as integrating with existing infrastructure and educating users about the new authentication methods. Through targeted user education initiatives and strategic system architecture adjustments, we successfully navigated these obstacles, resulting in a significant reduction in phishing incidents and enhanced compliance with industry standards.
This session will provide an in-depth analysis of the deployment process, challenges faced, and best practices established, delivering actionable insights for organizations seeking to implement secure and user-friendly authentication and account recovery solutions.