The FIDO Alliance announced its first user experience (UX) guidelines and new FIDO2 standards enhancements aimed at accelerating the world’s move beyond passwords.
With over 4 billion devices, all major browsers and operating systems now supporting FIDO authentication, today’s releases make it even easier for service providers and enterprises to provide simple, phishing-resistant and privacy-enhancing sign-in experiences.
Today’s announcements come as the widespread support for FIDO Authentication has led to an increased demand from service providers and consumers alike – but they need an implementation path to follow that maximizes adoption and simplifies FIDO deployments. The FIDO UX guidelines provide that path, allowing service providers to help consumers understand, adopt and benefit from logging in with FIDO.
At the same time, the increase in remote work and the subsequent increase in phishing attacks on enterprise infrastructure are accelerating enterprises’ digital transformation plans and making strong authentication a priority. The FIDO2 enhancements announced today address enterprises’ unique authentication and device management needs for faster, more efficient FIDO deployments.
“Eliminating the reliance on passwords is now a major objective for everyone offering online services – both to provide a more seamless yet secure access to consumer services, as well as to address the growing threat from sophisticated attacks targeting distributed workforces and systems. Our first UX guidelines and FIDO2 enhancements give consumers and enterprises the tools, protection and roadmap to a simpler, more secure, passwordless future,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance.
FIDO UX guidelines
Virtually every modern device and web browser now supports FIDO Authentication, allowing consumers to use the same technology they use to unlock their device (a fingerprint or face scan, for example) to sign in to web services in a secure and private manner. A growing number of large service providers and financial institutions are providing this built-in functionality to give their customers the option to log in without the risk and hassle of passwords.
These FIDO UX guidelines were created as a set of best practices to help service providers encourage their customers to log in with FIDO Authentication on desktop environments; other FIDO authentication use cases will be addressed through UX guidelines in the future.
The UX guidelines were developed following many sessions of moderated and unmoderated consumer research conducted by third-party research firm Blink UX, in collaboration with UX and design experts from FIDO Alliance member companies including Bank of America, eBay, Facebook, Google, IBM, Intuit, JP Morgan Chase Bank, Microsoft, Trusona, Visa and Wells Fargo.
Enhancements to FIDO standards to accelerate passwordless in the enterprise
The FIDO Alliance has announced enhancements to its FIDO2 specifications, which include several new features that will be helpful for passwordless enterprise deployments and other complex security applications. Both FIDO2 specifications were recently updated by their governing bodies – with the World Wide Web Consortium (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.
Key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of FIDO authenticators used by employees. Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and PIN management, and biometric enrollment required in the enterprise.
Other updates include support for cross-origin iframes and Apple attestation, as well as improvements to resident credentials. More details on these and other FIDO specification enhancements are available here.