Overview

Topics: consumer, passkeys, WebAuthn, account recovery, password reset, account lockout
Relevant moments in the customer journey: Awareness > Consideration > Enrollment > Management > Authentication
Created: 6 May 2023

Allow people to create a passkey instead of or in addition to a new password during account recovery due to forgot password

  • After identity proofing, allow people to create a passkey or new password.
  • If people create a new password, then allow them to create a passkey, too.

Outcomes

  • Increased customer satisfaction due to the resolution of account lockout.
  • Potentially lower customer contact center requests over time as more people use passkeys in their password manager instead of memorized passwords.
UX architecture diagram of the workflows for account recovery due to forgot password.

Flow

Step 1

Initiate the forgot password experience.

Step 2

Use the “Confirm account” call to action from this step onward.

Step 3

Continue with identity proofing.

Step 4

Create the new credential (passkey or password).

Step 5 (a)

If “Continue” is selected on step 4, then create a passkey.

Step 5 (b)

If “Create a new password” is selected on step 4, then create a new password.

Step 5 (b2)

Once the new password has been successfully created, navigate them to a “New password created” confirmation page and also promote passkey creation once again using the passkeys hero prompt.

Step 6

For people who created a passkey, display a “Success” message via an overlay on top of the homepage, with the authenticated profile icon visible.

  • Step 1: Initiate the forgot password experience.
    Initiate the forgot password experience with a “Forgot password” link.
  • Step 2: Use the “Confirm account” call to action from this step onward.
    Because this workflow ultimately allows people to create a passkey, use the “Confirm account” call to action from this step forward versus the “Reset password” call to action.
  • Step 3: Continue with identity proofing.
    The DigitalBiz identity proofing process sends an email to confirm their identity. The FIDO Alliance is not recommending any specific method of identity proofing. Your unique security policy and business drivers will determine the method of identity proofing during account recovery.
  • Step 4: Create the new credential (passkey or password).
    After identity proofing, offer the choice to create a passkey or a new password. Promote passkeys as the primary path by using the passkeys hero prompt. Include text to inform people that if they choose to create a new password they can still create a passkey later in Account Settings.
  • Step 5 (a): If “Continue” is selected on step 4, then create a passkey.
    Display OS dialogs to allow people the choice to create or decline creating a passkey. If people opt to create a passkey (by selecting the “Continue” button on Android and the “Confirm” button on iOS), the mobile OS prompts them to use their screen lock to authenticate. People using Android can decline to create a passkey in the OS dialogs by selecting the “Cancel” button and people using iOS can decline to create a passkey by selecting the “X” in the upper right of the dialog. If passkey creation was successful, passkey creation confirmation messaging from the OS is displayed, and disappears automatically. Then, display the “Passkey created” confirmation.
  • Step 5 (b): If “Create a new password” is selected on step 4, then create a new password.
    If people choose to “Create a password” on the “Confirm account” page (screen 5), navigate them to a page to create a new password.
  • Step 5 (b2): Once the new password has been successfully created, navigate them to a “New password created” confirmation page.
    Also promote passkey creation once again using the passkeys hero prompt.
  • Step 6: For people who created a passkey, display a “Success” message via an overlay on top of the homepage, with the authenticated profile icon visible.
    Lead with a “Success” headline that matches your brand voice and identity. Offer a “View your account” button as the primary action, to navigate people to view information about or disable their new passkey within Settings. List the sign-in methods available. Display an “X” affordance to close the dialog, to allow people to get started with their site activities as well.

Content

Learn which user-tested button labels and phrases help people. Copy and edit the content examples to suit your needs.

With passkeys, you don’t need to remember complex passwords.

What are passkeys?
Passkeys are encrypted digital keys you create using your fingerprint, face, or screen lock.

Where are passkeys saved?
Passkeys are saved in your password manager, so you can sign in on other devices.

UX Research

Optimal moments in the customer journey to prompt to create a passkey

When people are in the mindset of account management and are experiencing friction while trying to access their account, passkey creation feels like a relevant enhancement to that task, rather than an unwelcome interruption or barrier to accomplishing other core site-related tasks. The research indicated that when people considered the new concept of passkeys while imagining the frustrating experience of resetting their password, they anticipated that a passkey not only serves their immediate need of regaining access to their account but will also help them avoid this frustrating and time-consuming password reset task in the future, which enhances their motivation and interest in the new concept of passkeys.

Messaging that introduces passkeys

Messaging was effective at inspiring participants to create a passkey. Creating a passkey instead of a password was an unexpected choice in the context of the “Forgot password” workflow. Participants expressed appreciation for the brief, simple, and relevant messaging that answered their top questions about passkeys to help inform their decision at the right moment when given the choice to create a passkey or new password.

Mindsets and goals people have during password recovery

Compared to new account creation, people with existing passwords might be especially reluctant to give them up. People who already use passwords appreciate the choice to create a passkey, create a new password, or both. The research indicated that participants experiencing an account recovery scenario due to forgot password felt more reluctant to give up their password compared to the scenario of creating a new account, especially if they valued account access on other devices. In the context of recovering an existing password, being able to reset their password and still create a passkey

Rollout strategy

  • Service providers struggling with the high cost of poor customer experience of account lockout due to forgot password may choose to start their implementation of passkeys with this pattern.

Ecosystem

  • Passkeys may require specific hardware or software support on users’ devices. Ensure that users are aware of the compatibility requirements for using passkeys and provide guidance on compatible devices and browsers.
  • In the native mobile app context, signing in with a passkey differs from the biometric sign-in experience that has existed for many years. Signing in with a passkey requires an additional tap.

Security

  • DigitalBiz gracefully falls back to an email OTP. The fallback option you choose, and the UX around it, should match your own security and business needs. These guidelines focus on UX concepts that are unique to FIDO with synced passkeys; the identity proofing and non-FIDO authentication examples shown throughout this work are illustrative only. The guidelines do not prescribe security requirements for identity proofing or other non-FIDO authentication mechanisms, as those are unique to each RP and depend on its own business needs and security policy.

Code

Passkeys.dev contains the basics to get started with passkey development as well as links to several tools, libraries, references, and demos. It’s created by the W3C WebAuthn Community Adoption Group and members of the FIDO Alliance. https://passkeys.dev
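Step 5(a) above is, on the web, a single navigator.credentials.create() call, and the edge case the step describes (a person selecting “Cancel” on Android or the “X” on iOS) surfaces to the page as a NotAllowedError that should send them back to the step 4 choice rather than be treated as a failure. The snippet below is an added example written for this page, not code from FIDO Alliance, DigitalBiz or passkeys.dev. The shape of the server response, the "created"/"declined" outcome values and the credentialsApi parameter are assumptions; a real page passes navigator.credentials and posts the serialized registration to its own verification endpoint.

```javascript
// Added example, not FIDO Alliance, DigitalBiz or passkeys.dev code: the
// browser side of step 5(a). Server response shape, outcome values and the
// credentialsApi parameter are assumptions made for this example.

// base64url (what a JSON server response carries) -> ArrayBuffer (what WebAuthn expects).
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}

// ArrayBuffer -> base64url, for sending the credential back to the server.
function bufferToBase64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Turn the challenge issued for the proofed recovery session into
// PublicKeyCredentialCreationOptions for a passkey.
function buildPasskeyCreationOptions(server) {
  return {
    publicKey: {
      rp: { id: server.rpId, name: server.rpName },
      user: {
        id: base64urlToBuffer(server.userId),
        name: server.userName,
        displayName: server.displayName,
      },
      challenge: base64urlToBuffer(server.challenge),
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        residentKey: "required",       // a passkey is a discoverable credential
        userVerification: "preferred", // the screen-lock prompt described in step 5(a)
      },
      // Passkeys the account already has, so the OS does not create a duplicate.
      excludeCredentials: (server.excludeCredentials || []).map((id) => ({
        type: "public-key",
        id: base64urlToBuffer(id),
      })),
      timeout: 60000,
    },
  };
}

// Encode the PublicKeyCredential into JSON the server can verify.
function serializeRegistration(cred) {
  const transports =
    typeof cred.response.getTransports === "function" ? cred.response.getTransports() : [];
  return {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(cred.response.clientDataJSON),
      attestationObject: bufferToBase64url(cred.response.attestationObject),
      transports,
    },
  };
}

// Step 5(a): show the OS dialog. Declining it ("Cancel" on Android, "X" on
// iOS) is reported as NotAllowedError; that is a choice, not an error, so the
// page returns to the step 4 choice. Any other error propagates to the caller.
async function createPasskeyDuringRecovery(server, credentialsApi) {
  try {
    const cred = await credentialsApi.create(buildPasskeyCreationOptions(server));
    return { outcome: "created", registration: serializeRegistration(cred) };
  } catch (err) {
    if (err && err.name === "NotAllowedError") return { outcome: "declined" };
    throw err;
  }
}
```

In a page, call createPasskeyDuringRecovery(serverOptions, navigator.credentials) from the “Continue” handler on step 4; on "created", post the registration to the server and then show the step 6 overlay, and on "declined", show the step 4 choice again with the “Create a new password” path still available.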