Create Passkey After Account Recovery Due To Forgotten Password
Overview
Topics: consumer, passkeys, WebAuthn, account recovery, password reset, account lockout
Customer journey: Awareness > Consideration > Enrollment > Management > Authentication
Created: 6 May 2023
Allow people to create a passkey instead of, or in addition to, a new password during account recovery due to forgot password.
Add create passkey after account recovery due to forgotten password
- After identity proofing, allow people to create a passkey or new password.
- If people create a new password, then allow them to create a passkey too.
Outcomes
- Increased customer satisfaction due to the resolution of account lockout.
- Potentially lower customer contact center requests over time as more people use passkeys in their credential manager instead of memorized passwords.
Flow: schematic
Flow steps
- Initiate the forgot password experience.
Initiate the forgot password experience with a Forgot password link. - Use the Confirm account call to action from this step onward.
Because this workflow ultimately allows people to create a passkey, use the Confirm account call to action from this step forward versus the Reset password call to action. - Continue with identity proofing.
The DigitalBiz identity proofing process sends an email to confirm their identity. The FIDO Alliance is not recommending any specific method of identity proofing. Your unique security policy and business drivers will determine the method of identity proofing during account recovery. - Create the new credential (passkey or password).
After identity proofing, offer the choice to create a passkey or a new password. Promote passkeys as the primary path by using the passkey hero prompt. Include text to inform people that if they choose to create a new password they can still create a passkey later in Account Settings. - Continue or Create a new password
- If Continue is selected in step 4, then create a passkey.
Display OS dialogs to allow people the choice to create or decline to create a passkey. If people opt to create a passkey (by selecting the Continue button on Android and the Confirm button on iOS), the mobile OS prompts them to use their screen lock to authenticate. People using Android can decline to create a passkey in the OS dialogs by selecting the Cancel button and people using iOS can decline to create a passkey by selecting the X in the upper right of the dialog. If passkey creation was successful, passkey creation confirmation messaging from the OS is displayed, and disappears automatically. Then, display the Passkey created confirmation. - If Create a new password was selected on step 4, then create a new password.
If people choose to Create a password on the Confirm account page (step 4), navigate them to a page to create a new password. - Once the new password has been successfully created, navigate them to a New password created confirmation page.
Also promote passkey creation once again using the passkey hero prompt. - For people who created a passkey, display a Success message via an overlay on top of the homepage, with the authenticated profile icon visible.
Lead with a Success headline that matches your brand voice and identity. Offer a View your account button as the primary action, to navigate people to view information about or disable their new passkey within Settings. List the sign-in methods available. Display an X affordance to close the dialog, to allow people to get started with their site activities as well.
Flow: video
Flow: Android prototype
To view full screen, hover over the prototype, then select the expand icon.
Flow: iOS prototype
To view full screen, hover over the prototype, then select the expand icon.
Content
Learn which user-tested button labels and phrases help people. Copy and edit content examples to suit your needs.
With passkeys, you don’t need to remember complex passwords.
What are passkeys?
Passkeys are encrypted digital keys you create using your fingerprint, face, or screen lock.
Where are passkeys saved?
Passkeys are saved in your credential manager, so you can sign in on other devices.
UX Research
Optimal moments in the customer journey to prompt to create a passkey
When people are in the mindset of account management and are experiencing friction while trying to access their account, passkey creation feels like a relevant enhancement to that task, rather than an unwelcome interruption or barrier to accomplishing other core site-related tasks.
The research indicated that when people considered the new concept of passkeys while imagining the frustrating experience of resetting their password, they anticipated that a passkey would not only serve their immediate need to regain access to their account but would also help them avoid this frustrating and time-consuming password reset task in the future, which enhances their motivation and interest in the new concept of passkeys.
Messaging that introduces passkeys
Messaging was effective at inspiring participants to create a passkey. Creating a passkey instead of a password was an unexpected choice in the context of the Forgot password workflow. Participants expressed appreciation for the brief, simple, and relevant messaging that answered their top questions about passkeys to help inform their decision at the right moment when given the choice to create a passkey or new password.
Mindsets and goals people have during password recovery
Compared to new account creation, people with existing passwords might be especially reluctant to give them up. People who already use passwords appreciate the choice to create a passkey, create a new password, or both. The research indicated that participants experiencing an account recovery scenario due to a forgotten password felt more reluctant to give up their password compared to the scenario of creating a new account, especially if they valued account access on other devices.
Roll-out strategy
Service providers struggling with the high cost of poor customer experience of account lockout due to forgotten passwords might choose to start their implementation of support for passkeys with this pattern.
Ecosystem
- Passkeys might require specific hardware or software support on user's devices. Ensure that users are aware of the compatibility requirements for using passkeys and provide guidance on compatible devices and browsers.
- In the native mobile app context, signing in with a passkey differs from the biometric sign-in experience that has existed for many years. Signing in with a passkey requires an additional tap.
Security
DigitalBiz gracefully falls back to an email OTP. The graceful fallback option you choose should match your unique security and business goals. Plan your UX in accordance with your unique security and business needs. The guidelines focus on UX concepts that are unique to FIDO with synced passkeys. You will see various forms of identity proofing and non-FIDO authentication examples throughout this work. The guidelines do not intend to prescribe security guidelines for identity proofing or other non-FIDO authentication mechanisms as they are unique to each relying party (RP) and based on their own unique business needs and security policy.