Yahoo Japan Corporation is an internet company offering more than 100 services, including search engine, auction, news, weather, sport, email and shopping to the more than 51 million active users on its platform.
For Yahoo! JAPAN, the act of signing in is the entry point to all of its services. This makes it critical that the experience at that entry point is a positive one for all users. At the same time, it’s equally critical that every user’s personal information is well protected.
To find the right balance between convenience and security, Yahoo! JAPAN turned to FIDO Authentication.
From Early Member to Early Adopter
Yahoo! JAPAN was one of the earliest members of the FIDO Alliance, joining in April 2014. In its role as a member, executives from Yahoo! JAPAN participated in user authentication specifications development, particularly the FIDO2 standards, and best practices for FIDO adoption for consumers via the Alliance’s Consumer Deployment Working Group. Yahoo! JAPAN was appointed to the FIDO Alliance board of directors in 2019.
During this time of actively contributing to the FIDO Alliance, Yahoo! JAPAN was evaluating FIDO for its own services. Yahoo! JAPAN had been offering SMS one-time passcodes for two-factor authentication but they weren’t quick, secure or easy enough for their users. By taking a standards-based approach with FIDO, specifically the FIDO2 standards, Yahoo! JAPAN learned it could provide strong authentication in a very simple way via on-device biometrics on billions of supported mobile, desktop and laptop devices.
Yahoo! JAPAN’s journey with FIDO deployment began in 2018 when the company became the first in Japan to certify a FIDO2 server, a necessary component to delivering FIDO Authentication to its users. After extensive internal testing and piloting, Yahoo! JAPAN unveiled its first deployment on Android Chrome in October 2018, the first deployment by a relying party. Today, the company now offers FIDO Authentication on Android and iOS both in the browser and for native applications (see figure 1 for the deployment journey). Next up, Yahoo! JAPAN plans to offer FIDO Authentication on desktop and laptop PCs.
Simultaneously with its FIDO deployment, Yahoo! JAPAN began offering its users the opportunity to disable passwords entirely, and register new accounts without having to establish a password.
For Yahoo! JAPAN users that have opted in to FIDO, sign in is very simple
(see figure 2):
- The user inputs their user ID and clicks next
- Their device prompts them for their biometric, such a fingerprint
- The user presents their biometrics and is successful signed in
OVERVIEW
The FIDO protocols, including FIDO
UAF and FIDO2 specifications, use
standard public key cryptography
techniques instead of shared secrets
to provide stronger authentication
and protection from phishing and
channel attacks. The protocols are
also designed from the ground up to
protect user privacy.
The protocols do not provide
information that can be used by
different online services to collaborate
and track a user across the services,
and biometrics, when used, never
leave the user’s device. This is all
balanced with a user-friendly and
secure user experience through a
simple action at login, such as swiping
a finger, entering a PIN, speaking into
a microphone, inserting a second-
factor device or pressing a button.
For its deployment, Yahoo! JAPAN
leveraged FIDO2 standards with
biometric authenticators.
“Password disablement is the end goal for us for the overall security and usability of our platform, and we see FIDO as a key factor in helping us get there faster,” — Yumi Ashida, product manager at Yahoo! JAPAN
Yahoo! JAPAN also values its membership in the FIDO Alliance for its role in helping to easing deployment and increasing adoption. Membership provides a platform for the company to provide direct feedback to other stakeholders including the operating system platform providers and work directly with them on overcoming challenges they face. And, it allows them to work with other service providers working on deployments to share experiences and best practices.
“For others deploying FIDO Authentication in the consumer environment, it’s important to understand the time and resources that it will require. But considering the meaningful impact that FIDO brings — it’s well worth it,” — Yumi Ashida, product manager at Yahoo! JAPAN
Realizing the Benefits of FIDO
For users of FIDO to access Yahoo! JAPAN’s services, their sign in time has decreased dramatically — by 37% compared to other login methods. ”Because signing in is the entry point to all of our services, quicker and more successful sign ins means our users can access our services that more quickly — this makes a hugely positive impact on our users’ overall experience on our platform,” said Yumi Ashida, product manager at Yahoo! JAPAN.
To increase adoption and get more users to experience these benefits, Yahoo! JAPAN leverages many tactics, including email promotion and pop up notifications at login to invite users to enroll with FIDO. Key to this strategy is conveying the benefits of FIDO Authentication, including faster sign ins, more security and the ability to remove the password from the login flow. At the same time, Yahoo! JAPAN is continuously working to ensure its user experience with FIDO is optimized.
