Remove passkeys from service provider account settings

Table of contents

Overview

Topics: consumer, passkey, WebAuthn, passkey management, Account Settings
Relevant moments in the customer journey: Awareness > Consideration > Enrollment > Management > Authentication
Created: 24 May 2024

Allow people to remove a passkeys from account settings. 

  • Display the option to remove a passkey within the passkey card affordance in Account Settings.
  • Include a confirmation dialog before proceeding with passkey removal to confirm people’s intentions.
  • Inform people to remove their passkeys from their password managers or keychains to streamline future access.
  • If removing the last passkey, inform people of the fallback authentication method to guide the transition and prevent lockout.
  • If removing the last passkey, inform people of the value of passkeys as a more usable and secure authentication method.
  • Include the option to cancel passkey removal if people change their minds or if removal was initiated accidentally.
  • Confirm passkey removal with a success message to reassure people that the action has been completed successfully.

Outcomes

  • Increase trust and satisfaction by empowering people to control their security settings and remove passkeys.
  • Lower support costs and resources required to handle requests related to forgotten, lost, or compromised passkeys.
  • If a passkey is lost, stolen, or compromised, the remove pattern helps prevent unauthorized access and potential misuse.
  • With the use of a confirmation dialog, the pattern helps prevent accidental actions, educates people, and improves the user experience.
    • [removing the last passkey scenario] Informing people of the fallback authentication method when removing the last passkey helps maintain their access and continuity of use, avoiding disruptions to their workflow or access. 
    • [removing the last passkey scenario] Informing people of the value of passkeys when removing the last one helps ensure that they understand the security implications of their actions and encourages them to maintain the use of passkeys.
  • [optional step] Informing people of the option to remove the passkey from the password manager or keychain helps ensure that the removal process is thorough and prevents authentication failures and frustration.
UX architectural diagram of the workflow to remove of a passkey. 

Flow

Step 1

People navigate to account settings.

Step 2

People decide to initiate the process to remove a passkey.

Step 3 (a)

The system shows the passkey and prompts to confirm their decision.

Step 3 (b)

If there is only one passkey, show a different message.

Step 4

The system confirms removal and displays instructions for an optional step.

To view full screen, hover the prototype, then tap the expand icon.

  • Step 1: The user navigates to account settings and views the passkey cards.
    To manage passkeys, the user navigates to account settings to view the registered passkeys.
  • Step 2: The user decides on the passkey to remove and initiates the removal process. 
    The passkeys are shown in cards using FIDO UXWG-crafted passkey design, iconography, and messages to shape them. The crafted passkey card provides metadata, messaging, and options that were found to inspire trust and reassure users that their passkey is active and available.  Each passkey card has the option to remove the passkey via an active “Remove” button. The user reviews the information shown for each passkey from the registered passkey cards and decides on the passkey to remove. The user initiates the removal process by clicking on the “Remove” button.
  • Step 3 (a): The system prompts the user to confirm their decision before proceeding with passkey removal.
    After the user clicks on the “Remove” button with the passkey card, the system displays a confirmation dialog to confirm the intention and/or inform of the consequences. The research found that the double-confirmation mechanism provides additional protection and assurance for users, helping to prevent accidental or unauthorized actions. 
  • Step 3 (b): The confirmation dialog structure varies based on whether there are fallback passkeys for sign-in, i.e., the last passkey or one of many:
    If there is only one passkey, the FIDO-recommended confirmation dialog includes two clear calls to action labeled “Cancel” and “Remove passkey.” If the users cancels the removal process by selecting the “Cancel” button, the system exits the removal process and removes the overlay. Otherwise, the user continues the removal process.
  • Step 4: The system confirms the successful removal of the passkey.
    After confirming the removal of the passkey, the system displays a confirmation message of the successful removal of the passkey. The FIDO-recommended confirmation message includes the following details: Include the headline “Passkey removed” to immediately inform the user about the outcome of the removal process. Include “This passkey can no longer be used with any device” to clearly communicate to the user the impact of the removal process to help them make informed decisions about their security settings and reinforce the importance of passkey management.  Include a boxed informational aid in a visible modal to provide the optional recommendation for the consumer to remove their passkeys from their password manager or keychain. This recommendation helps prevent confusion and ensures consistency between the user’s stored credentials and their actual account settings. As an optional step, clearly label the box with “optional step” to promote clarity and encourage exploration. Include a clear call to action labeled “OK” to indicate to the user that they can proceed after reading the confirmation message, reinforcing the completion of the removal process. The user dismisses the confirmation message overlay by clicking on the “OK” button. Include the headline “Are you sure you want to remove the passkey?” to draw the users’ attention to the removal decision being initiated.  Spotlight the passkey card to allow the user to review the information relating to the passkeys they intend to remove.  

Content

Copy and edit user tested content examples to suit your needs.


Are you sure you want to remove this passkey?


Remove passkey?

You are about to remove your last passkey. You will only be able to sign in with a password or email verification.

We recommend using passkeys for account sign in as it is safer and you do not need to remember password and 6-digit code.


Passkey removed

This passkey can no longer be used 
with any device.

Optional step

To ensure your password manager doesn’t prompt for passkeys, we recommend removing the passkey from your password manager(s).

UX Research

User experience research revealed that providing participants with an affordance to remove passkeys fosters a sense of ownership and enhances the usability and accessibility of passkeys without requiring specialized knowledge or technical expertise. 

Participants across the two iterative studies reported managing their passkeys for maintenance purposes, such as updating their passkeys in response to technical issues or removing them when they are no longer needed or in use. In addition, participants said that trust and privacy concerns would significantly influence their decision about removing passkeys.  

“If I got something like the Google password manager had like a breach or something, I would remove it.”

— Phase 3-Participant 4 (age: 43), Android (Chrome)

As they initiated the removal process, user research found that having a secondary confirmation or verification step was helpful in reducing the chances of making errors, unintended consequences, or regrettable actions. The confirmation dialog allowed participants to reconsider their choices and provided an additional layer of protection and assurance, enhancing the overall usability and reliability of the service.

“It double-checked if I want to remove it, which I would definitely like and expect it to do.”

— Phase 2-Participant 4 (age: 31), iPhone (Safari)

When removing the only passkey associated with the account, participants were quick to identify the fallback authentication method and felt reassured by the message. 

Participants found the informational modal about passkeys to be an effective reminder of their value. They reported that the message was effective at highlighting the two primary benefits of passkeys: their security and the convenience of not remembering passwords or codes. 

“That yellow box definitely did [stand out] because it definitely just gives you a description of what happened. If you remove the passkey that you might have to remember, it keeps you from having to use the six-digit code and remembering your password.”

— Phase 3-Participant 6 (age: 32), Android (Chrome)

The user studies revealed that most participants did not anticipate having to remove their deleted passkey from the device’s keychain or password manager; this made participants speculate about the potential consequence of not removing the passkey. The FIDO-recommended headline for the informational aid, “Optional step,” helped communicate to participants that they have a choice in whether to proceed with the step. Participants found the instructional messaging to be helpful in preventing authentication failure, confusion, and frustration. 

“I wouldn’t have remembered to do it [remove the passkey from the password manager or keychain], and I probably would have been confused when I came back, and it asked for my passkey again.”

— Phase 3-Participant 2 (age: 29), Android (Chrome)

“And to also delete the passkey in your device’s keychain or password manager So a nice reminder that I need to go into the password manager and Delete that as well Because it’s saved in two locations.”

— Phase 2-Participant 2 (age: 24), Android (Chrome)

Rollout strategy

  • Service providers with different alternative authentication options or service providers who would like passkeys to be the only sign in option may choose to adjust the workflows and behavior of this pattern to match their own unique needs.

Ecosystem

  • At the time of publication, there is no way for the service provider to remove the private key on the customer’s device. For this reason, FIDO recommends showing people instructions for the “Optional step” after the passkey is remove.
  • Learn more about the forthcoming WebAuthn Report API which may mitigate the need for the “Optional step“.

Security

  • DigitalFiles gracefully falls back to an email OTP. The graceful fallback option you choose should match your unique security and business goals. Plan your UX in accord with your unique security and business needs. The guidelines focus on UX concepts that are unique to FIDO with synced passkeys. You will see various forms of identity proofing and non-FIDO authentication examples throughout this work. The guidelines do not intend to prescribe security guidelines for identity proofing or other non-FIDO authentication mechanisms as they are unique to each RP and based on their own unique business needs and security policy. 

Code

Passkeys.dev contains the basics to get started with passkey development as well as links to several tools, libraries, references, and demos. It’s created by the W3C WebAuthn Community Adoption Group and members of the FIDO Alliance. https://passkeys.dev