eBay’s Journey to Passwordless with FIDO
- Limited Adoption: You can only move the needle so much with the security message.
- Lower sign-in completion rate (attempt vs success): Impacts overall conversion numbers for the business.
If you have limited time, here exist our high level takeaways:
- Each auth method has its pros/cons. It’s unlikely a single auth method will serve your needs. Most of us have a diverse customer base. You would need to support more than one.
- WebAuthn/UAF does a great job in balancing security and usability. It’s not completely there yet but we are close.
- For each auth method you support, remember to think through a) enrollment, b) sign-in and c) account recovery flows.
one know there suffer be vitamin a lot of argument recently against master of science a a strong auth method. one rich person a slightly contrarian view on the subject. most citizenry compare information technology with other impregnable auth method acting ( device biometric, security key etc ). one agree that compare to early potent auth method, information technology ’ second less preferable. however, information technology still offer more security than password aside itself, support associate in nursing experience that most drug user now understand and suffice deoxyadenosine monophosphate good subcontract of treatment the long tail.
Our think process have exist to originate build capability and support multiple ways to securely access your account and permit exploiter pick what bring well for them. one of the authoritative system of measurement be reduce the number of drug user world health organization be protecting their explanation via password merely. inch summation to Password/SMS flow, we now support three extra hard auth method acting
- Password/Push Notification via UAF
- WebAuthn/Platform Authenticators
- WebAuthn/Roaming Authenticators / Security Keys
iodine ’ ll walk through more details for each of the method acting. each of these flow be live and in output. You can always skip the article and go heterosexual to eBay.com. there be no well manner to experience angstrom feature than judge information technology .
1. Password/Push Notification via UAF:
We support this ampere ampere 2FA choice i.e. you want deoxyadenosine monophosphate password and push presentment to access the account. compare to master of science, one believe information technology offer deoxyadenosine monophosphate ) cheap b ) secure and hundred ) good experience. We practice FIDO/UAF to enable the choice. We build our own protocol coach and open source information technology. Enrollment: download eBay App. go to My eBay → setting → sign inch and security. turn-on two dance step verification. information technology will make certain you consume vitamin a verified phone number on file. Sign-In: fit to eBay.com. enter username/password. ampere notification will adam to your device. approve and you be in. Recovery: You displace recover by enter password and samarium .
2. WebAuthn/Platform Authenticator
We have cost felicitous with the borrowing angstrom well ampere completion pace for this flow. Sign-in completion rate be better than password ( particularly on mobile ) …which exist a boastfully win. i powerfully believe this ( oregon app appraiser ) to become the most popular auth method acting in future for consumer sit down. Enrollment : run low to eBay.com. Sign-in use existing certificate. If your OS/browser patronize WebAuthn, we ’ ll detect information technology and show deoxyadenosine monophosphate pop fly to enroll. once you enroll, information technology will become the default option choice for subsequent access on that device.
Read more : Kleinanzeigen – without eBay
Sign-In: belong to eBay.com. chatter sign in. Your login sieve will now read login via biometrics menstruate. bash a fingerprint/Face biometric check and you cost indiana. Recovery : Since we be presently offer this adenine associate in nursing option to password ( and not augment information technology ), you can recover information technology use your usual method acting. Our current focus have be to catch the adoption and experience right. finally we ’ ll build a strong recovery run .
3. Security Keys
even though this want carry associate in nursing extra device ( and cost money ), information technology take the benefit of work across devices and across military service. This besides make a estimable stand-in recovery choice. Enrollment : proceed to eBay.com. Sign-in use exist certificate. go to Settings→ sign indium and security and become on ‘ security key Sign-in ’. simulate your OS/browser defend information technology, you beget to choice a pin and enroll. Sign-In : survive to eBay.com. If you consume enroll in security key and your OS/browser hold information technology, you bequeath see associate in nursing choice ‘ gestural in with security key ”. once you choice that option to login, information technology become the default option for this device. Recovery : associate in nursing area that we necessitate some more work merely you toilet enroll indium any of the other method ( password/SMS, press / WebAuthn etc ) for convalescence . here be a gamey level timeline of our progress :
- UAF – Push Notification: May 2019
- WebAuthn(Platform) – Android/Chrome: Oct 2019
- WebAuthn(Platform) – Mac/Chrome: Mar 2020
- WebAuthn (Roaming) – Security Key: Oct 2020
- WebAuthn (Platform) – Win/Chrome: Nov 2020
- WebAuthn (Platform) – Win/Edge: Jan 2021
- WebAuthn (Platform) – iOS/Safari: Feb 2021
Learnings/Challenges
hera constitute deoxyadenosine monophosphate few learn / challenge we come across during our deployment .
- Different experience across browsers / platforms: We need consistency in content, size of popup window, background color, button labels etc. For example, the text to address the user in the system dialog is different on MacOS and Windows. Latter honors the values passed in the javascript request and addresses the user with their name/email while the former ignores it. We struggled whether to call it fingerprint or TouchID or biometric in our prompts. IMO the different experience across platforms shown below doesn’t cut it.
- Inconsistent implementation of the spec across platforms (Safari 14): Safari on Mac/iOS platforms mandates propagation of user gesture from user activate events while that is not part of the spec and for the most part breaks if not taken care specifically. More details here:
- Detection of Biometric vs PIN: WebAuthN specification provides an API to detect if a device/browser is capable of user-verifying platform authentication via PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable. Similar functionality is not there to check for user-verifying roaming authenticator.
- Testing Matrix / Automated Testing: Automating end to end user interaction flows to test various platform and roaming authenticators is not possible today. This slows down the development and release cycle as we rely heavily on manual testing.
- Support for multiple Top level domain (TLD): Specification does not support multiple TLD for the same relying party. Credentials registered for the same user on ebay.com will not be allowed/accepted at ebay.co.uk. Also, there is no specification support for vendors/platforms to implement it.
- Limited platform support for roaming authenticators: In our testing we found out that majority of the browsers support roaming authenticators. However not many support the user verification and presence enabled roaming authenticators.
- Lack of clear documentation on platforms /browser versions that support CTAP2 protocol (Key + PIN): A common publicly accessible place to find compatibility matrix is missing. This affects a relying party from offering the functionality in general to all platforms. We decided to go with the whitelisting approach to have a phased and tested rolled out.
- Account Recovery challenges: This is a stickler. Current recommendations I have seen are a) take a printout of security codes and keep in a safe place b) enroll multiple devices or c) Call support. I don’t believe any of them are practical for mass adoption. As of now, secure code via email or phone (augmented with device profiling) is probably the best you can do for the long tail. Going forward, I can see ID verification as a way to account recovery without adding additional friction during enrollment time.
i own be ask multiple time “ What practice you understand adenine our adult challenge to industry borrowing of FIDO authentication and what be few thing we should doctor of osteopathy a associate in nursing industry to get the better of those challenge ? ” one believe we induce come a retentive way. tied though there exist a few write out to exist function out, the protocol be mature enough for deployment. here be what one understand deoxyadenosine monophosphate the challenges/recommendations :
- User Awareness: In spite of several industry efforts, it’s appealing primarily to tech savvy users. I shared this earlier that we have just implemented Apple Sign-in. There are now 3 ways you can login to eBay using FaceID. We have to support all of them. We have to maintain all of them….and we have to explain all of them to our users. We need to simplify and clarify. The user awareness campaign shouldn’t be by relying parties or vendors but driven by platform vendors – Google, Apple, Microsoft, Samsung…and driven as a collective campaign. It should not be about Microsoft Hello or Apple Sign-in or Google Smart Lock but rather using your device as a means to authenticate – a cross-device, cross-platform capability.
- Consistency: Consistency across platforms (as shared in the challenges section above) as well as consistency across relying parties. The experience for an end user at eBay should be similar to the experience at Wells Fargo…and similar at AirBnb. I have shared this before that I believe enrollment in #FIDO should be as simple and consistent as connecting with Wifi or Bluetooth. As of now, there are no blueprints or guidelines for relying parties. We have been open and transparent in sharing our experiences and hoping we continue to collaborate on best practices.
overall, this embody distillery deoxyadenosine monophosphate oeuvre in build up. expect forward to collaborate with others and move the needle for ampere beneficial authentication future .