CHI '26 · Honorable mention · full-paper review · confidence medium-high

Moving Beyond Passwords: Investigating the Effect of Digital Nudges on Passkey Adoption

Tobias Reittinger , Magdalena Glas , Günther Pernul

This is a solid, practice-oriented CHI paper with a clear empirical contribution: it tests passkey nudges at multiple journey points and shows that timing matters. The strongest takeaway is not that nudges universally work, but that they can shift engagement in specific contexts, which is exactly the kind of boundary-sensitive result HCI needs.

Axes Lens

Rare contribution shape, typical evidence profile. The point here is not a score. It is to show what kind of claim the paper makes, and whether the evidence pattern is unusual or baseline in this 268 -review set.

Contribution shape

Knowledge form: causal knowledge typical · 31/268
Novelty type: empirical finding typical · 68/268
Abstraction level: practice typical · 85/268
Generalization target: organizational context typical · 20/268
Validation mode: mixed methods typical · 136/268

Evidence profile

Evidence strength: strong typical · 158/268
Claim alignment: strong typical · 231/268
Overclaim risk: medium typical · 210/268

Review Summary

This paper’s main contribution is not a new interface widget or a grand theory of authentication, but a careful empirical answer to a practical HCI question: when should systems nudge users toward passkeys, and what kind of nudges are worth trying? The authors explicitly frame the gap as the lack of empirical evidence about touchpoints in the digital user journey and about which nudge types and designs encourage adoption. They then address that gap with a mixed-methods pipeline: 15 expert interviews to identify candidate nudges and design principles, followed by a randomized controlled trial with 3,680 participants on a commercial healthcare platform. That validation scope is substantial for a CHI paper and gives the findings real weight. The most interesting result is also the most nuanced: nudges increased interaction, but did not significantly change success rate once users engaged. In other words, the intervention seems to work by shaping attention and initial participation rather than by changing the downstream likelihood of adoption among already-engaged users. That is a useful departure from the common-sense assumption that any reminder or prompt should directly improve conversion. The paper’s novelty is therefore best understood as an empirical finding about touchpoint sensitivity and intervention timing, not as a universal design rule. The limitations are appropriately stated: purposive interview recruitment may bias the qualitative input, and the field deployment on a healthcare platform reduces experimental control even as it improves ecological validity. Overall, this is a strong, well-scoped contribution whose value lies in specifying boundary conditions for nudging rather than overgeneralizing from a single deployment.

What Changed

Canon before

Passkey adoption is often treated as a usability or awareness problem; this paper reframes it as a touchpoint-sensitive intervention problem, asking when and where nudges matter rather than assuming any reminder will help equally.

Departure from common sense

The paper’s counterintuitive point is that nudges do not simply improve adoption everywhere; they mainly increase interaction and attention, while the final success rate among those who engage may not change. That means the effective intervention is not just “more prompting,” but prompting at the right moment in the journey.

Actual novelty

The paper’s novelty is a systematic, mixed-methods evaluation of multiple nudge types across five concrete passkey-adoption touchpoints, combining expert interviews with a large RCT to identify where nudges are effective and which designs are worth deploying.

Evidence

The paper states that passkey adoption had not been empirically evaluated at which touchpoints users are inclined to adopt, and that it was unknown which nudge types and designs encourage adoption. It then evaluates nudges in an RCT with 3,680 participants on a commercial healthcare platform, and reports that nudges increased interaction but not success rate, alongside explicit limitations about purposive recruitment and reduced experimental control in the field setting.

“ Information & Contributors Bibliometrics & Citations Reading Options References Figures Tables Media Share Abstract Passwords suffer from major usabil”

actual novelty · Abstract/Introduction gap statement; contribution bullets · confidence 0.55

“ • Nudges increased overall adoption but did not significantly raise the success rate —the proportion adopting among those who interacted—suggesting that nudges capture attention while additional factor”

departure from common sense · 6.5 Summary of Results; 7.1 Effective Touchpoints for Passkey Adoption · confidence 0.60

“ The Council of Psychological Advisers. Annual Review of Psychology 67, 1 (2016), 713–737. Google Scholar [88] David Temoshok, James L. Fenton, Yee-Yin Choong, Naomi Lefkovitz, Andrew Regenscheid, Ryan Galluzzo, and Justin P. Richer. 2025. NIST SP 800-63B-4: Digital Identity Guidelines: Authentication and Authenticator Management . NIST Special Publication (SP) NIST SP 800-63B-4”

limitation · 7.4 Limitations (7.4.1 Interviews; 7.4.2 User Study) · confidence 0.82

“ We evaluate these nudges in a randomized controlled trial (RCT) with 3,680 participants on a commercial healthcare platform”

validation scope · Abstract; 5.1 User Study Design and Procedure; 6 Quantitative Results · confidence 0.72

Limits

Method limits

The study combines 15 expert interviews with an RCT, but the authors note purposive rather than random recruitment for interviews, which may introduce selection bias. The field setting also reduces experimental control over external influences, so causal interpretation is strongest for the tested platform and conditions rather than all passkey contexts.

Deployment limits

The findings are tied to a commercial healthcare platform and to the specific touchpoints and nudge designs tested there. Deployment beyond similar authentication journeys, user populations, or organizational settings should be cautious because the paper itself emphasizes that the setting increased ecological validity but reduced control.

Boundary conditions

The results suggest nudges are most useful when applied at the right touchpoints in the digital user journey. The paper also indicates that nudges may affect engagement more than final adoption success, so boundary conditions likely include where in the flow the prompt appears and whether the user has already decided to proceed.

Position in field

This is a CHI paper that contributes evidence on passkey adoption by moving beyond generic pro-security messaging toward touchpoint-specific intervention design. Its main value is empirical: it helps specify when nudges matter and shows that adoption support is not uniform across the journey.

Abstract

Passwords suffer from major usability hurdles that foster insecure practices and undermine cybersecurity. Passkeys were introduced to address these issues, however, adoption remains low. Digital nudges offer a promising way to accelerate passkey adoption, yet research lacks empirical insight about when to nudge and which nudge types and designs are most effective. We therefore employed a mixed-methods approach to examine the impact of nudges on passkey adoption across five touchpoints in the digital user journey: During registration, login, account recovery, while in the settings menu, and during user activity. First, we conducted 15 expert interviews to identify candidate nudges and their design principles. We evaluate these nudges in a randomized controlled trial (RCT) with 3,680 participants on a commercial healthcare platform. Our results indicate that digital nudges can significantly increase passkey adoption when applied at the right touchpoints, encouraging users to move beyond passwords.