Problem with password — Simple passwords are hacker-friendly; complicated passwords are not user-friendly, because users forget them.
FIDO2 authenticators = a passwordless way to sign in to an account through the web browser
- Investigate FIDO2’s readiness as a passwordless authentication method.
- Highlight the FIDO2 passwordless authentication design challenges.
FIDO2 authenticators can be built-in biometrics (desktop and mobile) or hardware security keys (NFC, Bluetooth or USB U2F keys).
- Not every FIDO2 authenticator can talk to every device, e.g. some U2F keys cannot be plugged into an iPhone.
- Built-in biometrics only work on the particular device they were enrolled on (single-device), e.g. a desktop’s built-in fingerprint reader cannot be used on a mobile device.
- Security keys can be used on multiple devices, depending on the type of key you have (NFC/USB/Bluetooth) and whether your devices can connect to it. In other words, they are slightly restricted by the connection channel.
Cross-device challenge — If a user only set up the desktop fingerprint, they will not be able to access their account when they try to sign in from a mobile device.
- How might we design a simple and strong authentication method that is universal enough to pair with any device?
FIDO2 Browsers adoption schedule
- Development readiness — Different browsers have different development schedules, and not all FIDO2 authenticators are supported by all browsers/OS (Chrome, Edge, Firefox, Opera and Safari).
- Old and new browser versions — Older browser/OS versions will not support FIDO2.
Cross-browser challenge — Different browsers support different authenticators. If Chrome supports security keys and Safari does not, users cannot access their account from Safari.
- How might we design an experience that is accessible for all browsers?
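The cross-device and cross-browser challenges above both come down to the same decision the sign-in page has to make: does this browser support WebAuthn at all, and which of the user’s registered authenticators can this device actually reach? The following is an added example, not code from the original notes. Browser capability is passed in as a plain object so the logic runs offline; in a real page it comes from `window.PublicKeyCredential` and `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` (real WebAuthn APIs). The device classes in `CLIENT_TRANSPORTS`, the credential record shape and the sample credentials are assumptions constructed for this example.

```javascript
// Added example (not from the original notes): choosing a sign-in plan for
// FIDO2 across devices and browsers.

// Transports a client can physically reach. The device-class names are
// hypothetical labels used only in this example.
const CLIENT_TRANSPORTS = {
  "desktop-usb": ["usb", "internal"],
  "iphone-nfc": ["nfc", "internal"],
  "laptop-ble": ["ble", "internal"],
};

// Real browser detection (returns "unsupported" outside a browser, e.g. in Node).
// isUserVerifyingPlatformAuthenticatorAvailable() is the WebAuthn check for a
// built-in biometric authenticator on the current device.
async function detectCapabilities() {
  const supported =
    typeof window !== "undefined" && typeof window.PublicKeyCredential === "function";
  const platformAuthenticatorAvailable = supported
    ? await window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
    : false;
  return { webauthnSupported: supported, platformAuthenticatorAvailable };
}

// Registered credentials as the relying party stored them after registration:
// credential id, the transports the authenticator reported, and, for built-in
// biometrics ("internal"), the device the credential is bound to.
function usableCredentials(credentials, client) {
  const reachable = new Set(CLIENT_TRANSPORTS[client.deviceClass] || []);
  return credentials.filter((cred) => {
    // Built-in biometrics only work on the device that enrolled them.
    if (cred.transports.includes("internal")) {
      return cred.boundDeviceId === client.deviceId;
    }
    // Roaming keys work wherever the client shares a transport with the key.
    return cred.transports.some((t) => reachable.has(t));
  });
}

// Build the allowCredentials list for navigator.credentials.get(), so the
// browser does not prompt for a key the user cannot connect to this device.
function allowCredentialsFor(credentials, client) {
  return usableCredentials(credentials, client).map((cred) => ({
    type: "public-key",
    id: cred.id,
    transports: cred.transports,
  }));
}

// Decide the sign-in plan: passwordless when WebAuthn works and a reachable
// credential exists; password first with FIDO2 as second factor during the
// transition; password-only fallback when neither is possible.
function chooseSignInPlan(capabilities, credentials, client, passwordlessEnabled) {
  if (!capabilities.webauthnSupported) {
    return { mode: "password-only", reason: "browser has no WebAuthn support" };
  }
  const allow = allowCredentialsFor(credentials, client);
  if (allow.length === 0) {
    return { mode: "password-only", reason: "no registered authenticator reachable from this device" };
  }
  if (passwordlessEnabled) {
    return { mode: "passwordless", allowCredentials: allow, userVerification: "required" };
  }
  return { mode: "password-then-fido2", allowCredentials: allow, userVerification: "preferred" };
}

// Constructed sample: the cross-device scenario from the notes, where the user
// enrolled only the desktop fingerprint reader.
const SAMPLE_CREDENTIALS = [
  { id: "cred-desktop-fp", transports: ["internal"], boundDeviceId: "desk-01" },
];
```

With only the desktop fingerprint enrolled, the plan is `passwordless` on `desk-01` and degrades to `password-only` on the phone, which is exactly the gap the cross-device challenge describes; adding a roaming NFC key to the list makes the phone passwordless too.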
FIDO2 authentication flow
Just like a forgotten password, there is a chance that users will lose their FIDO2 authenticator or move to a new device.
- How might we design a frictionless account recovery experience for FIDO2 users?
During this passwordless transition period, FIDO2 may be used as a second factor, mainly because the password is universal and works in every browser and OS. It also takes time for users to understand and adapt to new authentication methods.
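One concrete way to tie the recovery question and the second-factor transition together is a relying-party policy check: before the password is retired, ask whether the account could still be recovered if the user lost the device they sign in with most. The following is an added example, not code from the original notes. The credential record shape (`id`, `transports`, `boundDeviceId`) is what a relying party would keep after WebAuthn registration; `MIN_INDEPENDENT_FACTORS` and the sample accounts are assumptions constructed for this example, not FIDO2 requirements.

```javascript
// Added example (not from the original notes): "can this account still be
// recovered after losing a device?" evaluated before going passwordless.

// Assumption for this example: require two independent ways back in after
// losing any one device before the password may be dropped.
const MIN_INDEPENDENT_FACTORS = 2;

// Security keys report usb/nfc/ble transports; built-in biometrics report
// "internal" and only work on the device that enrolled them.
function isRoaming(cred) {
  return !cred.transports.includes("internal");
}

// What the user would still hold after losing `lostDeviceId`: roaming keys,
// built-in credentials on other devices, and unused recovery codes.
function recoveryPosture(account, lostDeviceId) {
  const survivors = account.credentials.filter(
    (c) => isRoaming(c) || c.boundDeviceId !== lostDeviceId
  );
  const roamingKeys = survivors.filter(isRoaming).length;
  const otherDevices = survivors.length - roamingKeys;
  const recoveryCodes = account.unusedRecoveryCodes || 0;
  // Each surviving credential is one independent factor; the recovery-code
  // batch counts once, however many codes remain.
  const independentFactors = roamingKeys + otherDevices + (recoveryCodes > 0 ? 1 : 0);
  return { lostDeviceId, roamingKeys, otherDevices, recoveryCodes, independentFactors };
}

// Evaluate the worst case (losing the device whose loss hurts most) and decide
// whether the account may go passwordless now, or should keep the password
// with FIDO2 as a second factor until more authenticators are enrolled.
function passwordlessReadiness(account) {
  const deviceIds = [
    ...new Set(account.credentials.map((c) => c.boundDeviceId).filter(Boolean)),
  ];
  let worst = recoveryPosture(account, null);
  for (const id of deviceIds) {
    const posture = recoveryPosture(account, id);
    if (posture.independentFactors < worst.independentFactors) worst = posture;
  }
  const advice = [];
  if (worst.roamingKeys === 0) {
    advice.push("enrol a roaming security key so sign-in is not tied to one device");
  }
  if (worst.recoveryCodes === 0) {
    advice.push("generate single-use recovery codes");
  }
  const ready = worst.independentFactors >= MIN_INDEPENDENT_FACTORS;
  return {
    ready,
    mode: ready ? "passwordless" : "password-with-fido2-second-factor",
    worstCase: worst,
    advice,
  };
}

// Constructed sample accounts.
const DESKTOP_ONLY = {
  credentials: [{ id: "fp-desk", transports: ["internal"], boundDeviceId: "desk-01" }],
  unusedRecoveryCodes: 0,
};
const DESKTOP_PLUS_KEY = {
  credentials: [
    { id: "fp-desk", transports: ["internal"], boundDeviceId: "desk-01" },
    { id: "key-nfc", transports: ["usb", "nfc"], boundDeviceId: null },
  ],
  unusedRecoveryCodes: 8,
};
```

The desktop-only account stays on password plus FIDO2 as second factor and is told to enrol a roaming key and generate recovery codes; once it has a key and codes, losing the desktop still leaves two independent factors and the password can be retired.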
If we can address the major challenge:
- How might we design frictionless passwordless experience?
we can expect to see more users choosing FIDO2 as their preferred authenticator in the future.