Amid widespread support for the WebAuthn and CTAP components of FIDO2 in browsers and operating systems, this major push can accelerate adoption.
To accelerate the world’s move beyond passwords, the FIDO Alliance has announced its first user experience (UX) guidelines and new FIDO2 standards enhancements.
With over 4 billion devices and all major browsers and operating systems now supporting FIDO authentication, the guidelines are expected to make it even easier for service providers and enterprises to provide simple, phishing-resistant and privacy-enhancing sign-in experiences.
While widespread support for FIDO Authentication has led to an increased demand from service providers and consumers alike, an implementation path is needed to maximize adoption and simplify deployments. The FIDO UX guidelines can provide that path, allowing service providers to help consumers understand, adopt and benefit from logging in with FIDO.
At the same time, the increase in remote work and the subsequent increase in phishing attacks on enterprise infrastructure are accelerating enterprises’ digital transformation plans and making strong authentication a priority. The FIDO2 enhancements announced today address enterprises’ unique authentication and device management needs for faster, more efficient FIDO deployments.
Said the alliance’s Executive Director and Chief Marketing Officer, Andrew Shikiar: “Eliminating the reliance on passwords is now a major objective for everyone offering online services—both to provide a more seamless yet secure access to consumer services, as well as to address the growing threat from sophisticated attacks targeting distributed workforces and systems. Our first UX guidelines and FIDO2 enhancements give consumers and enterprises the tools, protection and roadmap to a simpler, more secure, passwordless future.”
Accelerating the demise of passwords
New authentication technology allows users to access web services with a fingerprint or face scan, for example, in a secure and private manner, without the risks and hassle of passwords.
With the UX guidelines in place, the set of best practices can help service providers encourage their customers to choose FIDO Authentication on desktop environments; other FIDO authentication use cases will be addressed through UX guidelines in the future.
The guidelines were developed following many sessions of moderated and unmoderated consumer research conducted by third-party research firm Blink UX, in collaboration with UX and design experts from FIDO Alliance member companies including Bank of America, eBay, Facebook, Google, IBM, Intuit, JP Morgan Chase Bank, Microsoft, Trusona, Visa and Wells Fargo.
Specifications also enhanced
The FIDO2 specifications now include several new features that will be helpful for passwordless enterprise deployments and other complex security applications. Both FIDO2 specifications were recently updated by their governing bodies, with the World Wide Web Consortium (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.
Key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of FIDO authenticators used by employees.
Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and PIN management, and biometric enrolment required in the enterprise. Other updates include support for cross-origin iframes and Apple attestation, as well as improvements to resident credentials. More details on these and other FIDO specification enhancements are available here.