Describe your service/platform/product and how it’s using FIDO authentication.

Nikkei Inc. and the Nikkei Group aim to assist readers and customers in making informed decisions through high-quality reporting and services, striving to become the world’s most fair and trusted media. We offer a variety of media and services, including the foundation of our journalistic activities, the Nihon Keizai Shimbun. The integrated ID platform supporting the Nikkei Group’s digital services, including our core service, the Nikkei Electronic Edition, is “Nikkei ID.”

Nikkei ID, which offers a wide range of services, has long faced the challenge of balancing security and usability. While we have implemented measures such as improving the login experience with OpenID Connect and introducing two-factor authentication and CAPTCHA (*1) to reduce the risk of unauthorized access, addressing security risks associated with password leaks and reuse, as well as countering increasingly sophisticated attacks, has been difficult.

(*1) A security authentication method to verify that a user is human.

In this context, as FIDO authentication has evolved and the threshold for introducing passkeys to services has lowered, Nikkei ID has proceeded with consideration and implementation with high expectations. Currently, we are expanding functionality to support not only web services but also mobile apps, and aiming to promote the adoption of passkeys through increased user awareness via internal and external blog posts, presentations, and guidance at the Nikkei ID Lounge Help Center.

What were the challenges you were trying to overcome?

The primary goal is to balance security and user experience. Many Nikkei ID users are not accustomed to digital services, so simply enhancing security is not enough. For example, while the introduction of CAPTCHA can prevent brute-force password attacks, it can also become a barrier for users who cannot pass the Turing test (*2), leading to increased support inquiries and added burden on customer service.

(*2) A test to determine whether something is ‘human-like’.

However, FIDO authentication (passkeys) achieves high security and user experience as a standard through integration with operating systems and platforms. This allows us to replace, with passkeys, the security measures that reduce risks associated with password authentication but negatively impact UX.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

The following two options were considered as alternatives to FIDO authentication (passkeys):

  • Mandatory implementation of two-factor authentication such as TOTP or email verification
  • Social login using other ID platforms

As a result of comparing these options, we believe FIDO authentication (passkeys) offers the following advantages:

  • It allows for gradual transition by adding authentication on top of existing password authentication 
  • It enables the use of higher UX authentication methods such as biometric authentication 
  • It fundamentally resolves the risks associated with passwords

When it came to actual implementation, the aspect of “additional authentication” was particularly significant. In other words, it allows for implementation in a loosely coupled and highly cohesive manner without disrupting the existing ID model. The WebAuthn specification provides simple interface libraries and APIs for both backend and frontend on each platform, making secure implementation easy. Additionally, since existing authentication methods can be retained, the advantage of not significantly increasing support workload was also substantial.

Describe your roll out of FIDO authentication.

We implemented our own solution using the open-source backend library WebAuthn4J for FIDO authentication. We chose WebAuthn4J not only for its clear data model but also because it passed the FIDO2 Test Tools provided by the FIDO Alliance. For the frontend, we developed our own implementation that directly interacts with the WebAuthn API. Additionally, we created a test library to emulate FIDO authentication, enabling 24-hour automated testing as a comprehensive test of these implementations.

The rollout of FIDO authentication (passkeys) was carried out in the following steps:

  • Internal beta testing to gather feedback and monitor usage
  • White-box and black-box testing by external security companies
  • Public release to all users

What data points can you share that show the impact FIDO authentication has had?

Since it was just released in February this year, we cannot provide detailed numbers yet, but thousands of users are already using passkeys. Additionally, we have heard that there have been almost no inquiries about how to use passkeys at the support desk, and we recognize that passkeys are being used smoothly.

Resources

The test library that emulates FIDO authentication, mentioned in the implementation section, is publicly available as Nikkei’s open-source software. You can obtain it from the following URL: https://github.com/Nikkei/nid-webauthn-emulator

For authorization after completing FIDO authentication (passkeys), we use Authlete, an OpenID Connect platform. In this case study, we express our enthusiasm for the introduction of FIDO authentication (passkeys). (At the time of this presentation in 2023, passkeys were still under consideration.) https://www.authlete.com/ja/resources/videos/20231212/02/

Technical blog article during the consideration stage of implementation: https://hack.nikkei.com/blog/advent20241221/

