© 2017 Yubico
FIDO Implementations
Normalization of the Security Key User Experience
Visualize Passwordless
Passwordless Paradise
Technical Definition
● High-Assurance, Low-Friction Authentication
● Device-Based Authentication
Designing Consumer Identity Processes
1. Registration
2. Authentication
3. Recovery
Building Consumer-Facing Apps
Timeline of Technologies
1. Username and password
2. KBA Questions
3. Remember Me
4. Cookies to Re-establish Sessions
Building a Consumer App
Technology Timelines
1. SMS MFA
2. Knowledge-Based Questions
3. Application-Based TOTP
4. Push Applications
5. FIDO U2F
6. Social Login
Securing a Consumer App
1. I don’t want to register at this site, that’s too much work
2. I don’t want to type my shopping profile in again, that’s too much work, so I will register
3. I don’t want to set up multi-factor authentication, that’s too much work
What did the user experience?
Examining FIDO U2F Deployments
Baseline Study
Premise of Study
● Targeted Two Products Per Market Segment
● Tested Multiple Operating Systems
● Tested Multiple Browsers Per Operating System
● Tested Multiple Device Form-Factors
The Study
Products Tested
● Social Platforms
○ Facebook
○ Twitter
● Email Platforms
○ Google
○ FastMail
● Developer Tools
○ GitHub
○ GitLab
● Password Managers
○ Dashlane
○ Keeper
Summary of Results
● Lack of Consistent Terminology
● Lack of Consistent Alternate Authentication Methods
● Lack of Consistent Browser Support
Results
Industry Confusion Creates Consumer Marketing Confusion
● Authenticate, Access, Federate, Single Sign On
● Login, Logon, Sign In, Sign On
● Step-Up, Two Step, Multi-Factor Authentication, Two Factor Authentication
Consistent Terminology
Terminology Usage
Two Factor Authentication:
● Facebook
● Dashlane
● Keeper
● GitHub
● GitLab
Two Step Verification:
● Google
● FastMail
Login Verification:
● Twitter
What terminology did the service use?
Does the service require a backup 2FA option?
Alternate Authentication Options
All services required a backup option, except for GitLab
Require Backup Example: Facebook-W10-Chrome
Require Backup Example: FastMail-W10-Chrome
Alternate Authentication Options
Does the service allow you to turn off other forms of 2FA?
All services, except for FastMail, did not allow you to turn off all other forms of 2FA.
Note: FastMail doesn’t allow you to turn off backup codes.
Can’t turn off other forms of 2FA Example: Facebook-W10-Chrome
FastMail Example: Facebook-W10-Chrome
Browser Support
https://caniuse.com/#feat=u2f
What does this mean?
Consumer Adoption
Consumer Perspective
What are the consumer motivations?
● Consistent and simple experience
● Something valued and understood
● Something convenient
Personal Analysis
The consumer-centric solution must:
● Offer a more convenient solution than passwords
● Have a value that security professionals and consumers agree on
FIDO2 enables the development of consumer-centric solutions
A Consumer-Centric Solution
Derek Hanson
@derekhanson
derek@yubico.com
Thank you