Overview
Topics: consumer, passkeys on security keys, security key, manage, rename, remove
Relevant moments in the customer journey: Awareness > Consideration > Enrollment > Management > Authentication
Created: 14 May 2022
Allow people to view, add, rename, and remove security keys.
NOTE: this pattern was originally published in 2022.
Also see the 2024 Design Pattern for Passkey management UI: best practices for combining all passkey types.
- Allow people to view previously added security keys and see when they were last used.
- Allow people to add a security key in “Security and Privacy” settings.
- Allow people to rename a security key with a new name.
- Allow people to remove a security key from the account.
Outcomes
- Reduce potential confusion regarding which security key was previously added to an account and when it was last used.
- Build trust from people who seek to protect valuable assets.
- Reduce account lockouts by encouraging people to add more than one security key.
Flow
Manage passkeys on security keys
Immediately after enrollment, unless the user opts to add a second security key, return the user to Security and Privacy settings.
Manage security keys
Progressively disclose more information about security keys in a “Learn more” link.
"Learn more" information
Progressively disclose more information about security keys in a “Learn more” link.
Step 1: after adding a security key, return to “Security and Settings”
Immediately after enrollment, unless the user opts to add a second security key, return the user to Security and Privacy settings.
Step 2: display security key management interface in “Security and settings”
On the Security and Settings page, display security key data to help users confirm enrollment was successful and that no unauthorized security key use has occurred. Empower users to update the security key nickname or unenroll the security key, including:
- Key nickname
- Date added and last used
- Attestation security key manufacturer information (optional)
- Persistent “Add key” option as the primary call to action
- “Rename” and “Remove” options
Step 3: progressively disclose more information about security keys in a “Learn more” link.
Ensure the “Learn more” link is visible before and after security key registration, as both are relevant touchpoints when users have questions or concerns about using security keys.
Content
Copy and edit user tested content examples to suit your needs.
[Security key name] Rename Remove
Added: [date and time]
Last used: [date and time]
Manufacturer information: [make and model]
A security key(s) allows you to complete two-step verification conveniently and more securely, when signing into DigitalBank.
What is a security key?
A security key is a small, physical device that works in addition to your password on sites that support it. A single key can be used with multiple accounts or sites.
Why should I use a security key?
Security keys protect you against imposter websites that try to steal sign-in credentials (like usernames and passwords). Other forms of 2-factor authentication (including text, email, messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.
How security keys work
You must first add security keys using the button above. Once added, you’ll be required to use them after signing in with your username and password. Doing this creates one of the strongest forms of authentication available to protect your account.
What security technology do security keys use?
Most keys use an authentication “standard” called FIDO® which allows for secure authentication without drivers or software. When a user signs in a website with a key, FIDO® cryptographically signs a challenge from the browser that verifies the website’s actual domain name, which provides strong protection against phishing (e.g., when a fake website is used to trick users into sharing personal information). An attacker would need to control the website domain name or the browser to get a usable signature from the key.
Why do security keys look like thumb drives?
Although hardware security keys may resemble thumb drives and are sometimes inserted into your computer’s USB port, they are not storage devices. Your personal information is not trackable or linkable across sites or online accounts when using a security key.
What happens if my security key gets stolen?
The key works in addition to your password, not as a replacement for it. If someone steals the key, they still can’t get into your bank account without knowing your password (or which sites are registered with your key). You can sign in with a backup method and remove the stolen key from your account.
Add more than one security key
Adding multiple security keys is highly recommended. If your security key is lost or stolen and you do not have a registered backup security key (or other backup authentication method), access to your account could be interrupted while we verify your identity. We recommend keeping one key easily accessible and another stored separately in a safe space.
Purchase security keys
Security keys vary by manufacturer and can be purchased from mainly online retailers. We recommend FIDO certified keys. See a list of FIDOⓇ certified keys. (https://fidoalliance.org/certification/fido-certified-products/)
Name your security keys
Give your security key a friendly “nickname” that only you can see, so you know which key you registered with this account at a later point in time.
UX Research
Through user research, we’ve identified topics that addressed the top questions and concerns participants had about security keys, which served as potential barriers to adoption.
This document provides the user experience (UX) guidelines and best practices for relying parties and implementers seeking to enable multi-factor authentication (MFA) with FIDO security keys as a second factor, based on a regulated industry (e.g., banking or healthcare) use case. These guidelines aim to accelerate decision-making during FIDO implementation and specify what information and controls should be given to users. Note that these UX recommendations are optimized for browser-based sites accessed on desktop/laptop computers, rather than mobile apps or mobile web. The guidelines do not, however, include recommendations about security policies or account recovery.
The principles in this document were developed following multiple (N = 68) sessions of moderated and unmoderated consumer research conducted by Blink, in collaboration with FIDO UX Task Force members. User research participants included consumers who owned and used security keys, primarily for work, as well as prospective security key users, who used two-factor authentication for personal online banking but had no experience with security keys prior to their research session. Note that our research scope did not include strategies to entice prospective users to purchase keys. In addition to user research, security key second-factor authentication experiences currently in the market were reviewed by the FIDO UX Taskforce and served as input during the research and evaluation process
These recommendations represent perspectives from the FIDO Alliance’s UX Task Force on how to implement MFA for FIDO security keys as a second factor on desktop/laptop for prosumers. For this document, a “prosumer” refers to a security- and privacy-conscious consumer who is an early adopter of security and privacy technologies and services in their personal lives.
Rollout strategy
- Promote the Security and Privacy settings page as the on-site hub for managing and learning about account security in general and security keys specifically: encourage users to visit the Security and Privacy settings page to facilitate the discovery of security keys as a sign-in option. Create a context where users can learn about the nature and advantages of security keys and take action to identify a security key to purchase and/or enroll a security key.
- Prepare customer support with knowledge about: How to enroll and authenticate with FIDO security keys, which security keys are FIDO Certified and compatible for use with your site, and why FIDO security keys are a safe, secure, and convenient alternative for authentication with your website
- Strongly encourage users to enroll multiple security keys, to help ensure users are not blocked from accessing their account if a security key is lost or stolen.
Ecosystem
- This pattern was originally published in 2022. See the 2024 Design Pattern for “Passkey management UI: best practices for combining all passkey types.”
Security
- This document provides the user experience (UX) guidelines and best practices for relying parties and implementers seeking to enable multi-factor authentication (MFA) with FIDO security keys as a second factor, based on a regulated industry (e.g., banking or healthcare) use case. These guidelines aim to accelerate decision-making during FIDO implementation and specify what information and controls should be given to users. Note that these UX recommendations are optimized for browser-based sites accessed on desktop/laptop computers, rather than mobile apps or mobile web. The guidelines do not, however, include recommendations about security policies or account recovery.
Code
Passkeys.dev contains the basics to get started with passkey development as well as links to several tools, libraries, references, and demos. It’s created by the W3C WebAuthn Community Adoption Group and members of the FIDO Alliance. https://passkeys.dev
Related
- Get answers and join the FIDO-dev group powered by Google Groups.
- Making FIDO Deployments Accessible to people with Disabilities
- FIDO Figma UI Kit
- FIDO Alliance Privacy Principles
