Would-be password-killer FIDO Alliance aims to boost uptake with new UX guidelines
Throws a bone to complex enterprise deployment, too
The FIDO Alliance, which operates with no smaller mission than to "reduce the world's over-reliance on passwords", has announced the release of new user experience (UX) guidelines aimed at bringing the more technophobic on board.
Launched back in 2013 as the Fast Identity Online Alliance, the FIDO Alliance aims to do away with passwords altogether through the introduction of standards-compliant "authenticators" including USB security dongles, fingerprint readers, Trusted Platform Modules (TPMs) and more.
While the organisation's standards, which were updated with the launch of FIDO2 in 2018, have enjoyed adoption in the majority of web browsers and with a range of companies, they're still seen as unusual and even inconvenient compared to the good ol' username and password combo – which is where the new UX guidelines come in.
"While FIDO definitely does provide a simpler, stronger approach to user authentication, there is still a need to get users more accustomed to the user experience – and to optimise these flows as much as possible," FIDO Alliance executive director Andrew Shikiar admitted.
"In short, 'if you build it they will come' isn't always sufficient for paradigm-changing technologies. We've heard from more and more relying parties that they would benefit from tips on how to most effectively implement FIDO in a way that resonates with consumers and works across major browsers and platforms," he added.
In response, the FIDO Alliance launched a task force centred around the user experience, enjoying input from FIDO users including Facebook, Google, eBay, Microsoft, Visa and more. Its goal was to figure out what's turning people off with FIDO adoption, and fix it.
The resulting set of guidelines concentrates on a single use case: logging on to FIDO-enabled services on the desktop. The FIDO Alliance has confirmed that other use cases, including mobile use, will be addressed in the future – without offering a firm date for the release of corresponding guidelines.
"Unfortunately we are in desperate need of phishing-resistant and privacy-enhancing sign-in experiences as threat actors become better at targeting their prey," ESET UK cybersecurity expert Jake Moore told The Register. "Many unassuming victims are still happy to leave their accounts unprotected and vulnerable without the knowledge of how to secure them."
He continued: "The age-old balance between security and convenience often still favours ease of use for many people's accounts, so any extra push toward a way to eliminate passwords for those requiring such support will always be gratefully received."
At the same time as the UX guidelines were published, the FIDO Alliance announced updates to the FIDO2 specifications aimed at easing enterprise deployment of passwordless login – including the addition of enterprise attestation, support for cross-origin iframes and compatibility with the Apple Attest attestation service.
"FIDO Alliance's ultimate goal is to see as many service providers moving their customers away from password-based authentication as soon as possible," Shikiar concluded. "We hope that these UX guidelines can help accelerate this movement."
The UX guidelines are available now on the FIDO Alliance website. ®