How Sierre Wolfkostin, Senior Product Designer at Duo Security/Cisco Secure, worked with the FIDO Alliance to publish industry guidelines for passkeys, helping the security world tell a compelling story about the “what, why, and how” of this brand new method of authentication.
I remember using a passkey for the first time.
As a design lead for Duo Security’s authentication product, I often test out cutting-edge security technologies well before they’re widely used.
I've examined over a dozen ways of proving one’s identity throughout my years in the security industry—everything from One-Time Passcodes (OTPs) to Yubikeys to those old, bulky hardware tokens that are still purchased by some companies today.
Signing in with a passkey took seconds. Standing in my home office in front of my desktop, I opened a test website, opted to log in, and was told by my computer’s operating system to authenticate using my passkey. I did this by lightly touching a finger to my computer’s biometric sensor. That was it. I was logged in and able to get on with my day in a flash.
The lightning fast experience by itself wasn’t that surprising; as an avid user of biometrics, I was used to using my face to sign into phones, tablets, and even TSA’s airport check. But what made a passkey particularly interesting was that, for the first time, I had a biometric login that could work across my iCloud or Google Cloud devices. Talk about ultra convenience.
Not only are passkeys easy to use, but they’re also far safer than traditional ways of logging in.
When I shifted my focus to online search, it didn't take long for me to discover the technical factors that made passkeys so safe to use. Passkeys are based on the World Wide Web Consortium (W3C) and FIDO Alliance’s standards, and they’re built on a technical foundation called WebAuthn. This significantly improves safety for a few reasons:
Protection from server leaks: Unlike passwords, passkeys don’t require the storage of sensitive information on remote servers.
Phishing-resistance: Because each passkey is bound to the site/application where it was originally created, it’s impossible for a lookalike phishing site to trick users into authenticating.
Strong verification: Passkeys cannot be guessed or reused.
The more I got to know passkeys, the more I began to appreciate them. This login method was safe and incredibly easy to use. In a security world where those properties have historically functioned as zero-sum, it was a rare win-win.
In other words, passkeys were the obvious replacement for passwords. With passkeys, I could envision a day where I could wake up and sign into all my accounts with biometrics—simply by touching or looking at my device.
Passwords wouldn’t be involved at all. No more scribbling passwords down on paper or a dedicated notebook. No more using a password management software to store my hundreds of passwords. No more brain energy needed to manage it, period. The small daily inconvenience would just disappear.
I liked that. I would live in that future.
Why a Compelling Story Matters to Enable Adoption
When my design team at Duo Security met to discuss how–exactly–we were going to offer passkeys to our 40 million users, there was a problem: the public representation of passkeys was extremely fragmented.
An audit of over 20 passkey deployments across a variety of companies, from seed startups to Fortune 500 companies, revealed the depth of this fragmentation. There was no unified answer to basic questions, such as:
What are passkeys: Are passkeys a replacement for passwords, or just a supplement? Are they the same thing as Touch ID?
Why do passkeys exist: Are passkeys important because they’re extra secure? Or because they’re easier to use? Or just because they’re new?
How do passkeys work: Why are there different messages coming from the website, the browser, and also the operating system? How does this work?
To make matters worse, for most people, a password is the only authentication method they’ve ever known. At the time of this writing, a vast majority of our world still uses that string of letters, numbers, and special characters to login. Three generations of people—that’s you, your parents, and even your grandparents—have used passwords. While they’re not always used in the safest way (I once walked into a restaurant whose manager had sharpie-scribbled a password on the wall for waiters’ easy reference), there’s no denying the huge staying power of passwords in our world. If passwords were a plant, they’d be a field bindweed—known for being particularly tiring to dig up.
Forming a cohesive story about the “what, why, and how” of passkeys was now more important than ever.
How might an industry get its story straight around passkeys?
Or more precisely: how might hundreds of companies work together—for the benefit of all—to establish a clear representation of what passkeys are, why they exist, and how they’re supposed to work?
No one person or company could shape an industry alone. So in May of 2022, I packed my bags and took a flight from my hometown of Ann Arbor to San Francisco to attend the RSA Security Conference, arguably the largest security event in the world. The gathering’s name comes from its three founders—Ron Rivest, Adi Shamir, and Leonard Adelman—who together held a single discussion panel about security back in 1991; today, their conference attracts more than 50,000 attendees.
Scanning the agenda, I looked for what my anthropology professor used to describe as tribes: groups of people who share the same beliefs, values, language, and ways of looking at the world. I needed to find a group of people already committed to standardization in the security industry.
The FIDO Alliance, it turned out, was exactly what I was looking for. Founded by PayPal, Validity Sensors, and others back in 2012, this group of now 250+ technology companies has been steadily committed to creating a “passwordless” future. Over the last decade, they’ve partnered with the W3C to develop and mature a technical foundation—WebAuthn—for enabling the use of passkeys across more than 85% of the world’s browsers and operating systems. Nervous but excited to learn more, I joined a colleague and made my way over to the FIDO Alliance seminar.
While luck can be manufactured, I also believe that everything happens for a reason. It just so happened that in the very same year that I attended RSA, the FIDO Alliance was launching what would become its first ever UX working group.
I love the practice of storytelling, and so when I saw an opportunity to help the security industry tell a cohesive story about the “what, why, and how" of passkeys, I knew exactly how I could help the group.
A month later, I was its newest member.
Crafting a Security Story with the FIDO Alliance
The FIDO Alliance UX working group was unlike any team I’ve worked with. When I joined, it hovered around 8-12 active contributors and later grew to be 60+ members representing over 30 different companies. Group members included security designers at Microsoft, passkey leads at Google, an engineering manager for authentication at Apple, myself and Jake Ingman as security designers at Duo Security, and even representatives at banks like JPMorgan Chase and U.S. Bank.
What brought everyone together at a regular cadence—meeting bi-weekly, and then ad hoc for projects—was an intense curiosity about what the future could be. These were all volunteers. Everyone had full-time jobs and many other commitments, but they carved out time because making a unified representation of passkeys was important.
We not only had great people, but also incredible leadership. Kevin Goldman, the group’s chair, had a mix of dedication, empathy, and compassion that design leaders would love to have on their senior team.
As I learned more about the FIDO Alliance’s UX working group, I remember thinking that if anyone could make a cohesive story for passkeys, it would be these people.
Creating industry guidelines for the user experience of passkeys.
Here’s what surprised me: when it came to creating standards for the security industry, it felt a lot more like a casual group project than one might expect.
Given the formal language on the FIDO Alliance’s website (phrases like “meeting quorum” and “committee chair”), I thought the process would be very congressional: everyone convenes in a big room with large wooden desks. There’s a debate about a proposal. Long hours. Many speeches. If a vote doesn’t pass, gridlock.
How relieved I was to join our first video call and see people in colorful shirts with dogs named boba hanging out and following a highly collaborative process to actualize industry guidelines for passkeys. Our working group’s approach had four phases:
Emphasize: Audit passkeys in-the-wild, interview brands that’ve successfully deployed passkeys, and talk to platforms like Apple and Google.
Define: Evaluate a person’s full journey with an account at a given organization, identifying all passkey touch points.
Design: Ideate on how best to represent passkeys in someone’s digital experience. Prototype the top concepts.
Test & Iterate: Conduct multiple rounds of moderated interviews and usability tests. Observe over twenty U.S. consumers’ use of passkeys. Iterate.
Throughout the process, I observed members of the FIDO Alliance playing to their individual strengths in ways that best supported the group. As a designer who loves storytelling, I subbed in to help develop the passkey narrative.
Shaping the What, Why, and How of Passkeys
Drawing from my work at the intersection of design and storytelling, I challenged the FIDO Alliance to think about how we as an industry might tell a compelling story about the “what, why, and how” of passkeys to the public. I worked with the group to explore the language (labels, messaging, value proposition), the visuals (icons, illustrations) and the core interactions (create, use, delete) involving passkeys. Together we turned our top concepts into prototypes of a person’s ideal journey with passkeys:
Create a passkey while signing up for an account
Sign-in with a passkey
Manage a passkey in settings
After multiple rounds of user testing on our prototypes, we turned our insights into a set of simple guidelines for the broader security industry. Along the way, we faced a few challenges.
One challenge was defining a simple value proposition.
Looking at how passkeys were being presented to U.S. consumers, I observed that many companies were struggling with what psychologists refer to as the Paradox of Choice. This phenomenon relates to the challenge of making decisions when faced with multiple options. Passkeys, after all, are inherently valuable in many ways: they’re unphishable, protected from server breaches, built on a stable and widely used security protocol, and incredibly easy to use. It’s what makes them a suitable replacement for passwords, but also so difficult to concisely explain.
Fortunately, after our group talked to consumers and aggregated research insights from our home companies (Duo Security, Google, and more), we learned something important: consumers often care about security second, and convenience first. This sentiment can also influence the enterprise space, too, since IT administrators are sensitive to user complaints about friction when logging in. As a designer at Duo Security, I often observe our administrators thinking carefully about the operational impact of their decisions, particularly if those decisions involve end users.
With this insight, our FIDO Alliance working group set out to create messaging that leads with the core value proposition of passkeys: convenience. Here’s a snippet from our copy recommendation in the guidelines…
By leading with what people value most—convenience—the description serves as an effective hook to draw people in and get them interested in the concept of passkeys.
A second challenge was figuring out how to best drive adoption.
Whenever I visit a website or application, it’s typically to accomplish a specific task. I swing by YouTube to watch a show. I open Venmo to send a payment. This is common behavior that we as designers observe across the internet: people visit sites with a predefined purpose, and are thus sensitive to unwanted interruptions. This is certainly true when it comes to security.
Our working group’s tests showed that nudging people to add a passkey while signing in was ineffective; after all, people were more interested in reaching their destination in order to shop, order food, play games—anything but manage their account’s authentication devices. This finding was also reflected in parallel studies that I was conducting at Duo Security, studies that involved employees logging into their work apps; it’s natural and quite efficient for people to focus on their destination.
To make the matter more challenging, because passkeys were such a new concept, people often struggled with sensemaking. Technically accurate descriptions tended to cause confusion, as they prompted more questions than answers with terms like WebAuthn, cryptography, and “FIDO Alliance” (most people understand FIDO to be a doggo’s name, not Fast IDentity Online). With these problems in mind, we made two solutions:
First, we chose to promote passkeys during moments of account management. When people are already in the mindset of creating, recovering, or managing an account, they’re more likely to see passkeys as a relevant enhancement to the experience rather than an unwanted interruption.
Second, we chose to associate the unfamiliar (passkeys) with the familiar (biometrics, passwords, and so on). When passkeys are associated with well-known concepts, they feel more familiar and trustworthy. By meeting people where they are, we make the path to adoption simple and accessible for everyone.
A third challenge was enabling coordination between all parties involved with the experience of a passkey.
When I join a video chat every Friday afternoon to connect with other designers at Duo Security, it’s easy to feel like we’re the only team working on security. After all, our team protects billions of logins every year for customers that range from seed-stage startups to Fortune 500 companies. There’s a heavy stream of feedback, requests, and suggestions for how to improve what we offer.
Taking a step back, though, it’s important to recognize that we’re one of many teams around the world who contribute to the public’s overall experience with security– especially when it comes to widely available security technology like passkeys.
Here’s a real-life example. Say I go to Kayak.com using a Chrome browser on a Macbook computer. I want to make a passkey. For that to happen, three different companies–Kayak, Google, and Apple–have to participate in the passkey creation process. First I see the website (Kayak) pass me to the browser (Chrome) in order to make the key itself on the operating system (MacOS) so I can return successfully back to my account (Kayak) and continue with my goal of booking a trip to Austin.
Fortunately, handoffs are a specialty of Duo Security, whose core authentication product exists in that liminal space between the beginning and ending of the login process for a given website or application. After years of working alongside designers and researchers at Duo, I had picked up on what felt comfortable during these important moments of handoff within a security experience.
With this in mind, our FIDO Alliance working group set out to define best practices for key moments of handoff involved in someone’s overall experience with a passkey.
A Publishing Milestone: Passkey UX Guidelines for the Global Security Industry
On behalf of the FIDO Alliance, our working group published a series of guidelines (10 experience principles, 3 content principles, and 4 user journeys) related to passkeys.
The guidelines’ purpose is to enable global adoption of passkeys by empowering companies to quickly, confidently, and successfully introduce them to their users.
Here are some of my favorite principles that I actively contributed to during our working group’s research, designing, prototyping, and testing:
Prompt to create passkeys alongside account-related tasks: When people are already in an account management mindset—such as, account creation, account recovery, or as part of account settings—they are more likely to perceive the option to create a passkey as a relevant enhancement to their site experience, rather than an unwelcome interruption or barrier to accomplishing other core site tasks, such as shopping.
Associate the unfamiliar (passkeys) with the familiar: Passkeys are a new term, a new visual symbol, and a new authentication method for consumers. Whenever possible, help them understand the nature and value of passkeys by associating them to familiar concepts, visuals, and experiences. For example, biometric experiences are familiar.
Use proven passkeys messaging and icons before and after OS dialogs: Before triggering the passkeys OS dialogs, display passkeys messages, icons, and actions related to the status of the current task. After the passkeys OS dialogs are completed or dismissed, show the resulting status of the task using messages and icons. This provides a “handshake” between the relying party (RP) website and the OS dialogs and clarifies how the OS and RP are working together to optimize account access and security through passkeys.
Allow freedom and choice related to passkeys: For consumers to remain in control of their experience and to engender trust with your brand, provide clear options related to creating and managing passkeys. Allow them to create accounts with or without a passkey. Allow them to create a new password upon password reset or create a passkey instead.
Follow accessibility principles before and after the use of passkeys: Passkeys are most accessible when they are presented to users in ways that they can perceive, are operable using assistive technologies, and are understandable to users with a variety of functional needs throughout workflows in their journey with passkeys. Comply with accessibility guidelines such as the Guidance for Making FIDO Deployments Accessible to people with Disabilities and the Web Content Accessibility Guidelines (WCAG).
Read the full FIDO Alliance guidelines for passkeys.
While these guidelines represented only a first version of our working group’s recommendations, they marked an important milestone towards creating a cohesive story about the passkeys for our security industry and the public at large.
It was time to socialize our guidelines with the broader security community.
On a particularly foggy morning in San Francisco, I stepped out onto a seminar’s stage on the 3rd floor of the Moscone Convention Center to get a moment of silence and see if my coffee jitters would counteract my pre-presentation jitters.
I was excited because, after months of dedicated work and multiple rounds of testing, the FIDO Alliance was finally about to announce the first experience guidelines for passkeys.
Ironically, I was there to co-present the guidelines at the 2023 RSA Security Conference—the same conference where I had first met the FIDO Alliance exactly a year before. With over 50,000 security practitioners in attendance, the conference is where “the world talks security”. Glancing at name tags, I noticed the audience was full of security architects, designers, Chief Information Security Officers (CISOs), and other experts in the security industry. Their phones that would soon be aimed at the projected slides, taking “screenshots” of information they wanted to remember.
Standing beside me, the conference announcer finished up by saying what I remember as, “Now I’ll hand it over to Kevin and Sierre to introduce the FIDO Alliance’s user experience working group and give you an overview of their guidelines”.
And we did, with this presentation about our approach, research, testing, and resulting guidelines for the user experience of passkeys.
Wrapping up the talk, I felt a huge sense of relief. Speaking in front of a large audience was definitely a step outside of my comfort zone. But I’m glad I did it, because helping an industry adopt an exciting technology like passkeys was worth it.
The push to enable global adoption of passkeys continues.
Besides presenting the guidelines at the RSA Conference in San Francisco, Kevin and I spoke at the Identiverse Conference in Las Vegas, the Authenticate Conference in Seattle, webinar series, and podcasts on behalf of the FIDO Alliance. In total, we reached many thousands of people closest to the decision points of implementing passkeys. Scrolling through the lists of attendees, I saw all sorts of people and groups tuning in. Banks, retail stores, manufacturers, high-tech companies, gaming studios, airlines, and even local municipalities were listening. The level of engagement we had from a diverse group of participants reflected a serious interest in using passkeys.
Reflecting on all of this, I think the adoption of any new technology is as much a human challenge as it is a technical one. In the case of passkeys, yes, they wouldn’t have been possible without the WebAuthn API (the technical foundation that’s now supported by the vast majority of our world’s browsers and operating systems). But just because a technology exists doesn’t mean people will use it. People only use what they easily understand. And thus the technical challenge morphs into a human one.
What greatly excites me is that when I think about designing human-centered technology, I think of my design team at Duo Security. I think about how we as designers go far and beyond to understand how many other people—from IT admins, to end users, to CISOs, to industry experts at other companies in the FIDO Alliance—all understand security. I think about our willingness to move fast into this still volatile space that surrounds passkeys as a new method of authentication. Overall, it’s clear to me that Duo Security and our broader security industry are in a better spot than ever before to change the status quo of password use.
Standing at the desk in my home office, I’ve noticed that I’ve already used a passkey a couple of times today—first to log into my work apps (via Duo Security’s Single-Sign On), and then into Kayak.com to plan an upcoming trip to Austin. It still feels new, but I can’t wait for the day when it feels as normal as using a house key. It’s time to replace “pass-words” with “pass-keys” one login at a time.
A special thanks to…
Kevin, James, Mitchell, Court, Judy, Joyce, Megan, and all the humble yet extremely talented contributors to the FIDO Alliance. Your valuable time, your energy, and all your accumulated knowledge about passkeys has helped to make these guidelines possible.
Bethany, Fraser, Amber, Jake, Kaush, and the incredible design team at Cisco’s Duo. Thank you immensely for all your support. I’m optimistic that our industry will continue making a cohesive story about passkeys in a way that leads to widespread adoption.