Passwordless (FIDO2) Part 2 — user review

Yu Phoebe
Oct 14 · 3 min read

We interviewed two groups of users: our development team tested GitHub’s FIDO2 features, and non-tech/semi-tech users tested webauthn.io. Here is our user review, focusing on passwordless (FIDO2) on desktop using Chrome.

Developers’ review — GitHub

GitHub — set up FIDO2 authenticator

  1. Set up 2FA (if the user didn’t set it up previously)
  2. Go to settings > Security > Security Keys
  3. Add security key

GitHub — sign in with FIDO2 authenticator

  1. Input user ID and password
  2. Show FIDO2 authenticator

GitHub FIDO2 pain points

👎 Lack of clarity. Users are required to name the device before showing the FIDO2 devices. There is an assumption that users know which FIDO2 authentication method they are going to use to set up FIDO2.

👎 It’s not 100% passwordless yet. Users are still required to input a password before showing the FIDO2 authenticator (FIDO2 is used as 2-step verification at the moment).

👎 Not all browsers and systems support FIDO2 yet. Let’s imagine that you set up biometrics as the FIDO2 authenticator on Chrome and FIDO2 is not supported by Safari; then you may not have access to your account using Safari.

Users’ review — webauthn.io

We also interviewed 6 non-tech and semi-tech users. Here are their thoughts on using webauthn.io for the first time.

Webauthn.io — set up FIDO2 authenticator

  1. Enter username
  2. Show FIDO2 authenticator

Webauthn.io — sign in with FIDO2 authenticator

  1. Enter username
  2. Show FIDO2 authenticator

Pain points

👎 New pop-ups are scary. Most users have not seen this pop-up before. One non-tech user found this new pop-up confusing and was not sure whether it was an advertisement pop-up or a browser pop-up.

👎 Undesirable Security key. Only one user has seen or used a security key before. Most users are worried about losing the security key and think it is inconvenient to keep another device.

👎 Safety concern about biometrics. Some users are skeptical about where biometrics are stored.

Likes

👍 Convenient biometrics. Most users prefer biometrics over a security key. The process is smooth and simple.

Most users …

  • expect to see FIDO2 in banking services, online transactions, and work-related accounts.
  • think biometrics are for personal accounts and security keys are to be provided by their workplace.

Conclusion

Compared with passwords, scored out of 5 ⭐s:

Tech Readiness | ⭐⭐

Usability | ⭐⭐⭐

Convenience | ⭐⭐⭐

Feeling secure | ⭐⭐⭐⭐

FIDO2 as a passwordless method is still at a very early stage of the development process. There is definitely room to improve the usability for the users.

Hopefully more people will benefit from this technology. I’m really looking forward to it. What do you think?

Enyk Security

We help organizations of all sizes to achieve data security with encryption and access management technology

Written by

Yu Phoebe

UX/UI Unicorn@ENYK, Designing for security | TESTLA HK Organiser, UX Testing community
