Would-be password-killer FIDO Alliance aims to boost uptake with new UX guidelines

Throws a bone to complex enterprise deployment, too


The FIDO Alliance, which operates with no smaller mission than to "reduce the world's over-reliance on passwords", has announced the release of new user experience (UX) guidelines aimed at bringing the more technophobic on board.

Launched back in 2013 as the Fast Identity Online Alliance, the FIDO Alliance aims to do away with passwords altogether through the introduction of standards-compliant "authenticators" including USB security dongles, fingerprint readers, Trusted Platform Modules (TPMs) and more.

While the organisation's standards, which were updated with the launch of FIDO2 in 2018, have enjoyed adoption in the majority of web browsers and with a range of companies, they're still seen as unusual and even inconvenient compared to the good ol' username and password combo – which is where the new UX guidelines come in.

"While FIDO definitely does provide a simpler, stronger approach to user authentication, there is still a need to get users more accustomed to the user experience – and to optimise these flows as much as possible," FIDO Alliance executive director Andrew Shikiar admitted.

"In short, 'if you build it they will come' isn't always sufficient for paradigm-changing technologies. We've heard from more and more relying parties that they would benefit from tips on how to most effectively implement FIDO in a way that resonates with consumers and works across major browsers and platforms," he added.

In response, the FIDO Alliance launched a task force centred on the user experience, with input from FIDO users including Facebook, Google, eBay, Microsoft, Visa and more. Its goal was to find out what is putting people off FIDO adoption, and fix it.

The resulting set of guidelines concentrates on a single use case: logging on to FIDO-enabled services on the desktop. The FIDO Alliance has confirmed that other use cases, including mobile use, will be addressed in the future – without offering a firm date for the release of corresponding guidelines.

"Unfortunately we are in desperate need of phishing-resistant and privacy-enhancing sign-in experiences as threat actors become better at targeting their prey," ESET UK cybersecurity expert Jake Moore told The Register. "Many unassuming victims are still happy to leave their accounts unprotected and vulnerable without the knowledge of how to secure them."

He continued: "The age-old balance between security and convenience often still favours ease of use for many people's accounts, so any extra push toward a way to eliminate passwords for those requiring such support will always be gratefully received."

At the same time as the UX guidelines were published, the FIDO Alliance announced updates to the FIDO2 specifications aimed at easing enterprise deployment of passwordless login – including the addition of enterprise attestation, support for cross-origin iFrames and compatibility with the Apple Attest attestation service.

"FIDO Alliance's ultimate goal is to see as many service providers moving their customers away from password-based authentication as soon as possible," Shikiar concluded. "We hope that these UX guidelines can help accelerate this movement."

The UX guidelines are available now on the FIDO Alliance website. ®

Biting the hand that feeds IT © 1998–2022