Overview
Topics: consumer, multiple passkey types, passkey management interface
Relevant moments in the customer journey: Awareness > Consideration > Enrollment > Management > Authentication
Created: 24 May 2024
Management of different passkey types exist in the same user interface, under the heading “Passkeys”.
- Passkeys can live on devices or security keys.
- The browser and operating system APIs are the same for all passkey types.
- Most devices like phones and laptops store passkeys that are synced to a password manager. The technical term is “synced passkeys.” For all passkey types on devices, the term for the end users is “passkeys on your devices”
- Most hardware security keys contain passkeys that are not synced to a cloud service or server.. The technical term is “device-bound passkeys. For all passkey types on security keys, the term for end users is “passkeys on security keys.”
- When creating interfaces for end users to manage passkeys, use “passkeys on devices” and “passkeys on security keys” not “synced passkeys” and “device-bound passkeys” as these are technical terms not meant for end users.
Outcomes
- Simplified end user interface for all passkey types.
- Alignment with the long term direction of passkeys and APIs.
- Leverage the complete range of options passkeys and the APIs offer.
Flow
Empty state
The management of different passkey types on user devices or security keys, exists in the same user interface, under the heading “Passkeys”.
Filled state
The end-user management of different passkey types on user devices or security keys, exists in the same user interface, under the heading “Passkeys.”
Future state
As passkeys become more familiar with people over time and additional browser API controls are in place, use a single call to action to create all passkey types on devices or security keys.
Empty state
The management of different passkey types on user devices or security keys, exists in the same user interface, under the heading “Passkeys”. End users find the icons for devices (laptop and phone) and security keys (USB key) helpful and intuitive. Some users do not yet associate “passkeys” with hardware security keys. To make the enrollment of security keys more discoverable, include a separate call to action to “Use a security key” and include a USB security key icon in the call to action.
Filled state
The end-user management of different passkey types on user devices or security keys, exists in the same user interface, under the heading “Passkeys” Passkeys on user devices, such as laptops or phones, are grouped under the heading “Passkeys on your devices.” Passkeys on hardware security keys are grouped under the heading “Passkeys on security keys” Use the icon (logo) of the password manager for passkeys on devices. Use the icon (logo) of a USB security key for a passkey on a security key.
Future state
As passkeys become more familiar with people over time and additional browser API controls are in place, use a single call to action to create all passkey types on devices or security keys. When using this approach, you will not be able to prompt to name the security key before enrolling it. Prompt to name it after enrolling it.
[Maybe say some RPs may choose this state now…]
Content
Copy and edit user tested content examples to suit your needs.
Passkeys
Passkeys can be created and saved on your devices, like your phone or laptop, or on security keys.
With passkeys on your devices, you don’t need to remember complex passwords. Passkeys are encrypted digital keys you create using your fingerprint, face, or screen lock. Most passkeys are saved to your password manager, so you can sign in on other devices.
With security keys your encrypted digital key stays on a small, dedicated device. Give your security key a nickname so you know which key(s) you registered at a later point in time. Learn More
Create a passkey
Use a security key
UX Research
Perception of passkeys as the technical elements that reside on phones, laptops, or USB keys (summary). User experience research found that the clear, concise messaging describing the types of passkeys available effectively motivated participants to create and use a range of passkey types.
- Ensure passkey options are prominently displayed within user account settings adjacent to other authentication modalities and consistently styled across platforms.
- Use commonly understood icons for “passkeys on your devices” (laptop and phone) and “passkeys on security keys” (USB key).
- Introduce passkey concepts gradually. Begin with basic benefits and usage instructions, followed by a “Learn More” link for those interested in deeper details. Refer to the “Awareness of security keys” for detailed “Learn more” content.
Rollout strategy
- Service providers who support “passkeys on security keys” should place the management interface under a heading called “Passkeys” even if they do not yet support “passkeys on your devices”.
- Service providers who support “passkeys on devices” and “passkeys on security keys” should allow people to manage them within the same user interface, under the heading “Passkeys”. The heading should include the passkey icon.
- As passkeys become more familiar with people over time service providers can use a single call to action to create any type of passkey.
Ecosystem
- At time of publishing this pattern, passkeys stored by Windows are “device-bound” and not synced across devices.
Security
- FIDO Alliance conducted adjacent research with findings that suggest usage of “passkeys on devices” will lead to more use of “passkeys on security keys”.
- FIDO Alliance acknowledges “passkeys on security keys” as the gold standard of authentication security.
- “Passkeys on your devices” can be Authentication Assurance Level 2 (AAL2).
- “Passkeys on security keys” can be Authentication Assurance Level 3 (AAL3).
- Federal Information Processing Standards (FIPS) categorize security into four levels, giving organizations the ability to choose passkeys that meet their specific security requirements.
- Use certified “passkeys on security keys” to maximize security. These passkeys vary in certification, with some meeting stringent FIPS standards, ensuring they meet precise security requirements and offer dependable protection.
- WebAuthn employs security flags to tailor authentication to specific scenarios, enhancing security for actions like User Presence (UP), User Verification (UV), and Backup Eligibility and Backup State.
Code
Passkeys.dev contains the basics to get started with passkey development as well as links to several tools, libraries, references, and demos. It’s created by the W3C WebAuthn Community Adoption Group and members of the FIDO Alliance. https://passkeys.dev
Related
- Authentication Assurance Level (AAL)
- Federal Information Processing Standards (FIPS)
- User Presence (UP), User Verification (UV), and Backup Eligibility and Backup State
- Get answers and join the FIDO-dev group powered by Google Groups.
- Making FIDO Deployments Accessible to people with Disabilities
- FIDO Figma UI Kit
- FIDO Alliance Privacy Principles
