Passwordless (FIDO2) Part 3 — UX Design challenges

Yu Phoebe
Nov 19 · 3 min read
Photo by Luca Bravo on Unsplash

Background

Problem with passwords — Simple passwords are hacker friendly, while complicated passwords are not user friendly because users forget them.

FIDO2 authenticators = a passwordless way to access an account from a web browser.

  • Investigate FIDO2’s readiness as a passwordless authentication method.
  • Highlight the design challenges of FIDO2 passwordless authentication.

FIDO2 authenticators (hardware)

FIDO2 authenticators can be built-in biometrics (desktop and mobile) or hardware security keys (NFC, Bluetooth, U2F).

  • Not every FIDO2 authenticator can talk to every device; for example, some U2F keys cannot be plugged into an iPhone.
  • Built-in biometrics only work on that particular device (single use); for example, a desktop’s built-in fingerprint reader cannot be used on a mobile device.
  • Security keys can be used on multiple devices, depending on the type of security key you have (NFC/USB/Bluetooth) and whether your devices can connect to it. In other words, they are slightly restricted by the connection channel.

Design challenges

Cross-device challenge — If users have only set up the desktop fingerprint reader, they will not be able to access their account when they try to sign in from a mobile device.

  • How might we design a simple and strong authentication method that works universally with any device?

FIDO2 browser adoption schedule

  • Development readiness — Different browsers have different development schedules, and not all FIDO2 authenticators are supported by all browsers/OS (Chrome, Edge, Firefox, Opera and Safari).
  • Old and new browser versions — Older browser/OS versions will not support FIDO2.

Design challenge

Cross-browser challenge — Different browsers support different authenticators. If Chrome supports a security key and Safari does not, users cannot access their account from Safari.

  • How might we design an experience that is accessible from all browsers?
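One practical answer to the cross-device and cross-browser challenges above is to feature-detect what the current browser can do and only offer the sign-in options that can work there, keeping the password as the universal fallback. The following is an added example, not code from the original post; the function names (hasWebAuthn, detectCapabilities, chooseSignInOptions) and the option labels are assumptions made for this illustration, while PublicKeyCredential and isUserVerifyingPlatformAuthenticatorAvailable are the real WebAuthn browser APIs.

```javascript
// Added example, not from the original post: detect what the current
// browser can do with WebAuthn/FIDO2 and pick the sign-in options to show.
// Function names and option labels are assumptions made for this example.

// Sync check: WebAuthn needs a secure context (HTTPS) and the
// PublicKeyCredential API, which older browsers/OS versions lack.
function hasWebAuthn(win) {
  return Boolean(win && win.isSecureContext && win.PublicKeyCredential);
}

// Async check: is a built-in (platform) authenticator such as a fingerprint
// reader available on THIS device? A platform authenticator never travels
// with the user to another device (the cross-device challenge).
async function detectCapabilities(win) {
  const caps = { webauthn: hasWebAuthn(win), platformAuthenticator: false };
  if (!caps.webauthn) return caps;
  const pkc = win.PublicKeyCredential;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
    try {
      caps.platformAuthenticator =
        await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
    } catch (e) {
      caps.platformAuthenticator = false; // treat an error as "not available"
    }
  }
  return caps;
}

// Map capabilities to the options the sign-in page offers, in display order.
// The password stays as the universal fallback: the user's registered
// biometric may live on another device, or this browser may not support
// their security key (the cross-browser challenge).
function chooseSignInOptions(caps) {
  if (!caps.webauthn) return ['password'];
  const options = [];
  if (caps.platformAuthenticator) options.push('platform-biometric');
  options.push('security-key'); // roaming key over USB/NFC/Bluetooth, if connectable
  options.push('password');
  return options;
}

// Constructed stand-in for a browser without WebAuthn, used when run in Node.
const constructedWindow = { isSecureContext: true, PublicKeyCredential: undefined };
const win = typeof window !== 'undefined' ? window : constructedWindow;
detectCapabilities(win).then((caps) => console.log(chooseSignInOptions(caps)));
```

In a real page the result drives which buttons are rendered; in Node the constructed window prints ['password'], the fallback path the Conclusion below describes.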

FIDO2 authentication flow

Design challenges

Just like a forgotten password, there is a chance that users will lose their FIDO2 authenticator or change to a new device.

  • How might we design a frictionless account recovery experience for FIDO2 users?

Conclusion

During this passwordless transition period, FIDO2 may be used as a second factor, mainly because passwords are universal and can be used in any browser and OS. It also takes time for users to understand and adopt new authentication methods.

If we can address the major challenge:

  • How might we design a frictionless passwordless experience?

we can expect to see more users choosing FIDO2 as their preferred authenticator in the future.

Written by

Yu Phoebe

UX/UI Unicorn@ENYK, Designing for security | TESTLA HK Organiser, UX Testing community

Enyk Security

We help organizations of all sizes to achieve data security with encryption and access management technology
