With a set of starter guidelines, online service providers and web development teams will be able to design user-friendly passkey sign-ins

Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices.

While passkeys are more secure than passwords and legacy forms of two-factor authentication, research by FIDO Alliance had found that passkey sign-ins present a distinct user journey that service providers need to consider before providing passkey support.

Now, the group has released user experience guidelines to help online service providers design a better, more consistent user experience when signing in with passkeys. The guidelines are available at https://fidoalliance.org/ux-guidelines/. The guidelines were created in partnership with Blink UX, with added underwriting support from 1Password, Google, Trusona and US Bank.

Overview of the guidelines

The guidelines start off with three sections detailing:

    1. 10 UX principles to feature passkey security on a website
    2. Three content principles made specifically for content strategists
    3. Helpful tools such as a UX architecture diagram; a demo video; and a kit of ready-to-use UX components and content

The guidelines are aimed at helping users reach desired outcomes such as:

    • Reduce or eliminate new account creation with passwords
    • Learn which touchpoints in the customer journey are optimal for building a passkeys strategy
    • Optimize adoption of passkey systems and reduce password recovery processes
    • Increase passkey adoption and successful creation of passkeys
    • Enable existing customers to use passkeys instead of passwords
    • Reduce time and cost spent in UX optimization with proven re-usable UX patterns established through formal usability research
    • Use the UI kit to accelerate passkeys work
    • Adapting the guidelines’ passkeys content principles to individual corporate requirements

Note that these UX recommendations are optimized for browser-based sites rather than native mobile apps.

Note also, that security policy is not within the scope of these guidelines. The latter focus on UX concepts that are unique to FIDO research scenarios with synced passkeys. Users of the guidelines will see various forms of identity proofing and non-FIDO authentication examples throughout the document. The guidelines do not intend to prescribe security guidelines for identity proofing or other non-FIDO authentication mechanisms as they are unique to each RP, and are based on unique business needs and security policy. Throughout the guidelines, look for this symbol [ i ], which indicates where a reader’s own security policy and business drivers come into play.