Why Your Products Need Passkeys, Not Passwords: The Future of Digital Product Identity
Key Takeaways
- Traditional warranty registration forms capture only 10–28% of eligible customers; passkey-based registration removes every friction point that causes the remaining 72–85% to abandon
- The FIDO Alliance reports over 15 billion accounts globally enabled for passkey sign-in — adoption has hit critical mass across iOS, Android, and Windows
- Passkeys authenticate a person to a specific product unit (not just a platform account), enabling cryptographic ownership transfer, scoped installer access, and phishing-resistant recall verification
- CPSC data shows traditional recall completion rates of 15–30%; passkey-verified ownership gives manufacturers a direct, verified channel to every registered owner of an affected serial number
A customer unboxes a new dishwasher. There's a QR code on the door panel. They scan it. The experience loads — setup guidance, warranty registration, product support. It looks promising.
Then the wall: Create an account.
Email address. Password. Confirm password. Agree to terms. Verify email. Come back to the page. Log in. Now fill in the warranty form.
Most people close the tab. The ones who don't are trusting an email-and-password pair — a model designed for websites in 2004 — to represent their ownership of a physical product worth several hundred pounds. A model that can be phished, shared, forgotten, and compromised. A model that has nothing to do with the person physically holding the product.
There is a better way. And it's already in every smartphone your customers own.
| Key Metric | Value |
|---|---|
| Warranty registration abandonment | ~44% form abandonment rate |
| Traditional registration capture | 10–28% of eligible customers |
| FIDO Alliance passkey adoption | 15+ billion accounts globally enabled |
| Phishing resistance | 100%—cryptographically impossible to intercept |
| Device support | iOS, Android, Windows, macOS (all major platforms) |
The unique position: BrandedMark is the only connected product platform implementing passkey-native product identity. No competitors currently offer FIDO2/WebAuthn product ownership—making this a category-defining capability.
The Authentication Problem Nobody Talks About
Connected product platforms have a dirty secret: the moment a customer scans a product QR code, the experience breaks.
Not technically. The page loads. The content renders. But the business logic — warranty registration, ownership tracking, personalised support — all requires knowing who this person is. And "knowing who this person is" has, for the entire history of connected products, meant "make them create an account on our platform."
The numbers tell the story. Warranty registration through traditional web forms captures 10-28% of eligible customers. Desktop form abandonment runs as high as 44%. The majority of customers who scan a product code for the first time — the moment of peak engagement, the moment you have their attention — are lost to the friction of account creation.
This is not a UX problem you can optimise your way out of with shorter forms and fewer fields. It is an architectural problem. The authentication model is wrong for the use case.
When a customer scans a product they physically hold, the system should not be asking "what is your email and password?" It should be asking one question: are you the person holding this product?
That is exactly what passkeys do.
What Passkeys Are (and Why They Matter Now)
Passkeys are the consumer-facing implementation of the FIDO2/WebAuthn standard — a cryptographic authentication method that replaces passwords with device-bound credentials secured by biometrics.
In plain terms: instead of typing a password, you authenticate with your fingerprint, face, or device PIN. The credential is stored on your device, not on a server. There is no shared secret to phish, no password to forget, no credential database to breach.
The underlying FIDO2/WebAuthn open standard is a W3C Level 2 Recommendation with mandatory support across all major browsers since 2022 (W3C WebAuthn Specification). Here is what matters for connected products:
- Every modern smartphone supports them. Apple, Google, and Microsoft have built passkey support into iOS, Android, and Windows. The infrastructure is already in your customers' pockets.
- They sync across devices. A passkey created on an iPhone is available on the user's iPad and Mac via iCloud Keychain. Android passkeys sync through Google Password Manager. The customer doesn't lose access when they switch devices.
- They are phishing-resistant by design. The credential is cryptographically bound to the specific domain. It cannot be intercepted, replayed, or entered on a fake site. This is not an incremental improvement over passwords — it is a different security model entirely.
- Adoption is accelerating. The FIDO Alliance reported over 15 billion accounts enabled for passkey sign-in globally (FIDO Alliance Passkey Statistics). Apple and Google now prompt users to create passkeys by default. The behaviour is becoming normalised faster than any prior authentication standard.
The web platform caught up. The connected product industry hasn't noticed yet.
From Account Ownership to Product Ownership
Here is the paradigm shift that matters for manufacturers.
A password authenticates a person to a platform. It says: "this person has an account on our system." It says nothing about their relationship to any specific product.
A passkey can authenticate a person to a product. The cryptographic key pair — public key stored against the product's digital identity, private key on the owner's device — creates a binding between the person and the specific unit they own. Not "this person has an account." Rather: "this person is the verified owner of serial number DW-2026-0847291."
This distinction is subtle but transformative. It means:
- Ownership is a cryptographic fact, not a database entry. The proof that someone owns a product is the private key on their device, not a row in a table that says "email X registered product Y."
- Authentication happens at the product level, not the platform level. The customer doesn't need to know or care what platform powers the product experience. They scan, they authenticate with their face or fingerprint, they're in. The product knows them.
- The model maps to how physical products actually work. You don't need a username and password to use your dishwasher. You shouldn't need one to access its digital experience either.
What This Unlocks for Manufacturers
Zero-Friction Warranty Registration
The entire registration flow collapses to seconds:
- Customer scans the QR code on the product
- The experience prompts: "Register this product as yours"
- Customer confirms with Face ID, fingerprint, or device PIN
- A passkey is created, binding the customer's device to this specific product serial
- Warranty is registered. Owner is known. Relationship begins.
No email. No password. No form. No verification email. No "come back and log in." The customer goes from unboxing to registered owner in under 15 seconds, using a gesture they perform dozens of times a day — unlocking their phone.
Compare this to the current state: a web form that captures 15-28% of customers. Passkey-based registration removes every friction point that causes the other 72-85% to abandon.
Secure Ownership Transfer
Products change hands. Appliances are sold with houses. Power tools are gifted. Commercial equipment is leased and returned. Every ownership change is currently either invisible to the manufacturer or requires a "contact support" process to update.
With passkey-based ownership, transfer becomes a cryptographic operation:
- Current owner initiates transfer from the product experience
- New owner scans the product and creates their own passkey
- The previous owner's key is revoked; the new owner's key is bound to the product
- Warranty status, service history, and product data transfer with the product — not with the old owner's email account
No support tickets. No account sharing. No "I bought this secondhand and I can't access anything." The product's digital identity persists across owners, and each owner is cryptographically verified.
Installer and Technician Access
Many durable goods — HVAC systems, commercial kitchen equipment, smart home devices — involve professional installation and field service. Today, giving a technician access to product data means either sharing login credentials (insecure), creating temporary accounts (friction), or printing configuration sheets (defeats the purpose of digital).
Passkeys enable scoped, time-limited access. An installer scans the product and authenticates with their own device. The system grants them an installer-level credential — access to configuration data, installation guides, and commissioning workflows — without sharing the owner's credentials or creating a platform account. The credential can be scoped to a time window and automatically revoked after the service visit.
Anti-Counterfeiting
Counterfeiting in consumer durables and industrial equipment is a growing problem, particularly for spare parts. A product with a passkey-protected digital identity creates a verification chain:
- The product's QR code links to its digital identity on the manufacturer's platform
- The digital identity is bound to a cryptographic record that cannot be duplicated
- A customer scanning a genuine product gets the authenticated experience; scanning a counterfeit gets nothing — or a warning
This is fundamentally stronger than hologram stickers, scratch-and-verify codes, or any visual authentication method. The verification is cryptographic, not visual. It cannot be counterfeited because the private key material never leaves the manufacturer's infrastructure.
Recall Verification
When a safety recall is issued, manufacturers need to reach the actual owners of affected units — and verify that the person responding is the real owner. Today, with 15–30% recall completion rates — a figure cited repeatedly in US Consumer Product Safety Commission (CPSC) research — the majority of affected products are never addressed because the manufacturer has no direct relationship with the owner (CPSC Recall Effectiveness Research).
Passkey-based ownership inverts this:
- The manufacturer knows exactly who owns each affected serial number
- They can push a notification directly through the product's digital experience
- When the owner responds, their identity is verified cryptographically — not by asking them to read a serial number off the back of the product
- The recall completion record is tied to verified ownership, not self-reported data
The DPP Intersection
The EU Digital Product Passport requires a persistent digital identity for every regulated product. Passkeys provide a persistent, phishing-resistant digital identity for the product's owner. These are two halves of the same system.
A DPP tells the world what the product is — materials, compliance data, sustainability metrics, repairability. A passkey-based ownership layer tells the system who owns it — and verifies that claim cryptographically every time the owner interacts with the product.
The manufacturers who combine both have something neither compliance-only DPP platforms nor traditional connected product tools can offer: a product identity system that is simultaneously regulatory-compliant, genuinely secure, and built for ongoing customer relationships.
Consider the data model:
| Layer | What it contains | Who it serves |
|---|---|---|
| DPP compliance layer | Material composition, sustainability data, repairability score, regulatory documentation | Regulators, supply chain |
| Product identity layer | Serial number, manufacture date, scan history, configuration, service record | Manufacturer, service partners |
| Ownership layer (passkey-bound) | Verified owner identity, warranty status, parts purchases, support history | Customer, manufacturer |
Three layers. One QR code. One scan. The first layer satisfies the regulator. The second and third build the business.
Implementation Reality
Passkeys are not vapourware. The standards are mature. The device support is universal. But implementing passkey-based product ownership is not a trivial project. Here is what it requires:
WebAuthn integration in the product experience platform. The platform that powers the product's digital experience must support the WebAuthn API for credential creation and authentication. This is a platform-level capability, not something bolted on per product.
Conditional UI for first scan. When a customer scans a product for the first time, the experience must detect whether their browser and device support passkeys and present the appropriate flow — passkey creation for supported devices, a fallback for the small minority that don't support the standard yet.
Key recovery and multi-device access. Passkeys sync across devices within an ecosystem (Apple, Google), but customers need a recovery path if they lose all their devices. This typically means a recovery email or phone number — used only for account recovery, not for day-to-day authentication.
Ownership transfer protocol. The system needs a defined flow for transferring ownership — revoking the previous owner's credential and binding a new one — that works seamlessly at the product level.
Scoped credentials for installers and service partners. Beyond owner credentials, the system needs to issue time-limited, role-scoped credentials for professional access.
None of this is speculative technology. Every component exists in production systems today. The gap is that no connected product platform has assembled them into a product-ownership model — yet.
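One way to model the ownership transfer flow and the time-limited installer credentials described above, as an added example that is not the platform's own code. It assumes each credential ID has already passed WebAuthn assertion verification; the role names, action names, one-time transfer token and the choice to revoke installer grants on transfer are assumptions.

```javascript
// Added example, not the platform's code. Role/action names and the token are assumptions.
// Every call assumes the WebAuthn assertion for the given credential ID was already verified.
const { randomBytes } = require('crypto');

const SCOPES = {
  owner: new Set(['view', 'warranty', 'transfer', 'grant-installer']),
  installer: new Set(['view', 'configure', 'commission']),
};

class ProductRegistry {
  constructor() { this.products = new Map(); } // serial -> { creds: Map, offer }

  registerOwner(serial, credId) {
    const p = this.products.get(serial) ?? { creds: new Map(), offer: null };
    const owned = [...p.creds.values()].some((c) => c.role === 'owner' && !c.revoked);
    if (owned) throw new Error('already owned');
    p.creds.set(credId, { role: 'owner', expiresAt: null, revoked: false });
    this.products.set(serial, p);
  }

  authorize(serial, credId, action, now) {
    const c = this.products.get(serial)?.creds.get(credId);
    if (!c || c.revoked || (c.expiresAt !== null && now >= c.expiresAt)) return false;
    return SCOPES[c.role].has(action);
  }

  grantInstaller(serial, ownerId, installerId, now, ttlMs) {
    if (!this.authorize(serial, ownerId, 'grant-installer', now)) throw new Error('denied');
    const creds = this.products.get(serial).creds;
    if (creds.has(installerId)) throw new Error('credential already bound');
    creds.set(installerId, { role: 'installer', expiresAt: now + ttlMs, revoked: false });
  }

  // Only the current owner can open a transfer; the one-time token goes to the buyer.
  initiateTransfer(serial, ownerId, now, ttlMs) {
    if (!this.authorize(serial, ownerId, 'transfer', now)) throw new Error('denied');
    const token = randomBytes(16).toString('hex');
    this.products.get(serial).offer = { token, expiresAt: now + ttlMs };
    return token;
  }

  // The new passkey is bound only against an open offer. All prior credentials (the old
  // owner and, as an assumption here, the installer grants they issued) are revoked.
  completeTransfer(serial, token, newOwnerId, now) {
    const p = this.products.get(serial);
    const open = p && p.offer && p.offer.token === token && now < p.offer.expiresAt;
    if (!open) throw new Error('no open transfer');
    p.offer = null;
    for (const c of p.creds.values()) c.revoked = true;
    p.creds.set(newOwnerId, { role: 'owner', expiresAt: null, revoked: false });
  }
}
```

Timestamps are passed in as milliseconds so expiry behaviour can be exercised deterministically; a production registry would also persist an audit record for each grant, transfer and revocation.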
Why Now
Three forces are converging:
Passkey adoption has hit critical mass. With Apple, Google, and Microsoft all defaulting to passkey creation, the install base is large enough that a passkey-first product experience won't exclude meaningful numbers of customers. The "but not everyone supports it yet" objection no longer holds.
DPP regulation is creating infrastructure investment anyway. Manufacturers are about to spend significant money building digital product identity infrastructure for ESPR compliance. The incremental cost of building passkey-based ownership into that same infrastructure — rather than retrofitting it later — is a fraction of doing it as a separate project.
Customer expectations are shifting. Consumers use Face ID and fingerprint authentication dozens of times a day. Asking them to create a password to access a product they're physically holding feels increasingly absurd. The gap between how people authenticate everywhere else and how connected products authenticate is widening every month.
The manufacturers who build passkey-native product identity now will set the standard for how digital product ownership works. The ones who wait will spend the next five years explaining to customers why they need to create an account to use a product they already own.
Every product deserves a digital identity. Every owner deserves a better way to prove it's theirs. Passkeys make both possible — and the window to be first is open right now.
FAQ: Passkeys and Product Identity
Will passkeys work for customers in regions with lower smartphone penetration?
Passkeys require modern device support (iOS 16+, Android 9+, Windows 10+), which covers ~95% of the global installed base of devices. For the small percentage without biometric devices, a recovery email/phone method provides access. The fallback path ensures nobody is locked out while maintaining security.
How do passkeys handle account recovery if a customer loses their device?
Passkeys synced through iCloud Keychain (Apple) or Google Password Manager (Android) are automatically available on new devices within the ecosystem. For complete device loss, a recovery email or phone number—used only for account recovery, not daily authentication—provides access. The system never stores the private key centrally.
Is passkey implementation difficult or expensive?
No. WebAuthn is a W3C standard with mature library support in all major frameworks. BrandedMark provides WebAuthn integration out of the box with conditional UI for first-time use. The platform handles the cryptographic ceremony; your team configures the enrollment flow. Implementation typically takes 1–2 weeks from integration to production.
Can we still use passwords for customers who don't want passkeys?
Yes, but we don't recommend it. Passkeys are strictly more secure than passwords (phishing-resistant, no shared secrets), and adoption is accelerating rapidly (Apple and Google default users to passkey creation). A password fallback creates security gaps. Instead, offer exceptional user experience at passkey creation so the friction that would drive password preference disappears entirely.
