By Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance
FIDO Authentication has seen remarkable acceptance over the past few years, thanks in large part to standardization by the World Wide Web Consortium (W3C) and the subsequent adoption into leading device platforms and browsers. All told, we estimate over 4 billion devices (inclusive of Windows 10 PCs as well as every modern Apple and Android device) now support FIDO Authentication, as do over 88% of web browsers. Couple that addressable market with the ability for developers to write to the public FIDO2 WebAuthn API and you can see why so many enterprises are featuring FIDO support in request for proposals (RFPs) and accelerating related development plans.
However, while FIDO definitely does provide a simpler, stronger approach to user authentication, there is still a need to get users more accustomed to the user experience – and to optimize these flows as much as possible. In short, “if you build it they will come” isn’t always sufficient for paradigm-changing technologies. We’ve heard from more and more relying parties that they would benefit from tips on how to most effectively implement FIDO in a way that resonates with consumers and works across major browsers and platforms.
Over the past five years, the Alliance has conducted research that has consistently found consumers want to use FIDO authentication once they understand what it is and to have common “FIDO-enabled” signals to show where to obtain it. This illustrates the need for FIDO to be introduced to consumers in a user-friendly and consistent way in order for our protocols to be adopted at scale.
To address this requirement, FIDO’s Board of Directors last year launched a User Experience (UX) Task Force (UXTF), drawing on world-class UX experts from many of our member companies, including Bank of America, eBay, Facebook, Google, HYPR, IBM, Intuit, JP Morgan Chase Bank, Microsoft, Trusona, Visa, and Wells Fargo. The UXTF was tasked with creating recommendations and best practices for how to deploy FIDO, factoring in utilization of FIDO messaging, logos and other visual cues. We partnered with consulting firm Blink UX to conduct the first formal usability research of FIDO user journeys, including registration and authentication steps and various use cases – all feeding into our Desktop Authenticator UX Guidelines.
To complement this effort, we constructed a strawman banking user journey that could be used to test various assumptions and to better examine the authentication steps actually employed by users. With IBM’s assistance, a website was created to reflect this use case and was utilized during our testing and analyses. The site will remain live as a reference implementation of our UX Guidelines.
We divided the typical FIDO journey into a series of four major steps:
- Promote awareness of the availability of various biometric sign-ins, then perform the actual sign-in and determine if a user has a FIDO-eligible device that can be used in the authentication process.
- Invite users to register via FIDO, especially if they are using Windows Hello or Apple TouchID.
- The actual FIDO registration of the user’s desktop authenticator, along with messages showing success or failure.
- Making FIDO the primary sign-in path, and issue appropriate confirmation messages.
The UX tests were done in three different rounds. First was a qualitative series where we walked participants through a mock-up of the site and test. This allowed us to get feedback on some of our initial messaging and visual assumptions, which fed into the final site design. Next, we ran 100 subjects through independent https://digitalbank-test.com/simple/ quantitative testing – where they were assigned and had to complete a mock banking task, which included a prompt to enroll for FIDO login. Our last round of testing were qualitative video interviews, which provided an invaluable human element and insights on the FIDO value proposition.
Collectively, these tests are what helped define and focus our messaging, logos and various other iconography and logic flows that were useful in developing UX guidelines and other best practices for FIDO implementations.
Our preliminary recommendations from these tests are:
- Use a simple biometric image (such as a fingerprint icon) to trigger the initial user registration, then have FIDO logos at each touchpoint to confirm that a user is following the right sequence of steps.
- Make sure developers optimize for each type of environment (operating system and device form factors such as laptop or phone) for each FIDO-capable device. For example, Windows and MacOS have different icons that are used to designate fingerprint usage, as shown in the below screencaps.
- Use one of two suggested messaging styles: we tested and validated one style that is simple and one that is to “add an option.” For example, a simple message might say: “You’re eligible for a simpler sign-in! Learn how you can skip your password the next time you sign in. Register now.” And the optional message might say: “Add an easy and safe way to access your account. Register now.”
- Take steps to educate consumers and customer support staff on FIDO. Promote FIDO awareness across multiple touch points and marketing channels such as email and direct postal mail campaigns and social media. This should include information about FIDO-capable device availability and how to use FIDO on Windows 10 Hello and Apple smartphones. This also will help address potential user reluctance around using biometric sign-ins. Although many users view biometric sign-in as desirable, convenient, and secure, some users initially express hesitancy to share biometric or other computer sign-in information with their bank or with FIDO – and hence need to be educated that their biometrics stay safely on their device.
- Have a special “problem resolution” path for those customers who run into problems.
FIDO Alliance’s ultimate goal is to see as many service providers moving their customers away from password-based authentication as soon as possible – and we hope that these UX guidelines can help accelerate this movement. As this is our first foray into usability guidance we’re also open to and appreciative of feedback from deploying organizations.
Read more about FIDO’s UX efforts and research here.
