It always surprises me how slowly innovations find their way into everyday user life. Passwordless authentication is a good example of this. It’s no longer an absolute novelty, but still underrepresented in daily business.
I am convinced that the way people log in will change in the long term – and Fido2 will play a central role in this change.
Why do I care about the topic?
Quite simply: passwords make life harder for millions of users every day
Users have over 90 accounts1 on average, half of the passwords are reused for convenience. And a significant third of all online shopping transactions are not completed only because the password has been forgotten.
I can relate to all of this. Overall, passwords are simply a poor user experience in everyday digital life: for both employees and consumers. The fault doesn’t lie with the users – they’re only human, after all. Our job as UX designers is to make applications better.
Bye, bye, password!
So it’s finally time for a fast yet secure authentication method to make people’s daily lives easier and increase sales. But how?
The idea was actually born in 2009 in a meeting of PayPal and Validity Sensors.2 The plan was to develop an industry standard that would allow users to authenticate themselves locally on their device using public key cryptography – without the need for a password. As a result, the Fido Alliance was created to develop this open and license-free standard. As a result of the development, the use of the so-called Fido2 specification is possible. The “2” refers to the latest version of the Fido specifications.
The name “Fido” stands for Fast IDentity Online. Fido also comes from Latin and means “to trust, to rely on”.3
The most important digital players are involved in the development: Google, Amazon, Apple, Facebook, Intel, Microsoft – to name just a few. The fact that all these companies are involved gives me the feeling that Fido2 will become enormously important in the near future.
How Fido2 works from the user’s point of view
For users, Fido2 means that they can log in securely, quickly and conveniently using a single terminal device.
Prerequisite: the user must activate this device once for his account in his profile.
- Enter username
- Authentication via preferred passwordless method
(Biometrics or Security Key)
- Successful login
Fido2 Authenticators can be divided into two categories:
- Built-in Biometrics: Biometric methods built into the device, such as “Windows Hello” or “FaceID”.
- Hardware Security Keys that can be used on multiple devices and provide a workaround if the device does not have Built-in Biometrics.
Fido2’s Advantages at a glance:
- Browser-enabled: Biometric login is now finally possible for browser applications through Fido2. Chrome, Edge, Firefox for Android, Windows and macOS are already included. Which browsers support Fido in detail and to what extent can be found here.
- 2FA: what I find particularly exciting is that Fido2 can also be used as a second factor.The hardware is something the user owns. The biometrics is something the user is. This combination gives us 2-factor authentication on the same device.
- Safe: similar to personal biometric authentication data on modern smartphones, the login credentials never leave the device and are not stored on any server. This makes it particularly secure and the user’s privacy is protected.
- Cost reduction: without passwords, there will be fewer support tickets and the IT department can use their time more wisely.
- Comfortable: users can log in more conveniently and quickly: without a password, by facial scan, fingerprint, voice input or by using a USB stick (security key).
- One device: unlike logins via Authenticator apps, Fido2 allows users to stay on the same device.
Challenges provided by Fido2:
- Browser readiness: many browsers support Fido2, but not all of them have the same level of development. So it might take a little while until everyone is on the same level with this topic.
- Recovery option: if the user loses a device or gets a new one, the user must identify themself somehow, even without Fido2. Here, too, the password does not necessarily have to step into the breach (e.g. SMS, Magic Link) – but it is an option. When Fido2 is established, an adequate recovery function must be considered.
- One device logic: for the user, Fido2 is new. For this reason, he might not understand that the registration is only valid for this one device. Transparent and good communication is therefore very important.
- The right wording: since Fido2 is not yet an established term, naming the button for the passwordless login is a bit tricky. Either the choice between security key and biometric options is offered by a generic, upstream button called “Passwordless Login” or “Skip Password”, or you show the user the options directly with multiple buttons, e.g. “Windows Hello” and “Security Key”. I would generally advise against the term “Platform Authenticator”. The users usually do not know what is hidden behind it.
The future of login is passwordless – and Fido2 paves the way
The reasoning is quite simple: the fewer steps an employee needs to log into his work-related systems, the more efficient his workday will be.
What’s more, if you don’t have to enter a password, you can’t forget it and don’t have to open a support ticket. Exactly the same applies to users of an online store. If you can log in without much effort, you are far more likely to complete your purchase process. In a direct comparison, the password only wins on the point of habit, but in all other categories, such as security, user experience, and efficiency, it loses hands down to Fido2.
I am currently working on a customer project in which we are introducing Fido2 and the reactions have been consistently positive. Fido2 is a sustainable, simple and cross-platform way to establish a better login experience in daily business – it is not only more convenient for the user, but also much more secure than “hello1234”.