
Remove Passkeys from Service Provider Account Settings

Overview

Topics: consumer, passkey, WebAuthn, passkey management, Account Settings
Customer journey: Awareness > Consideration > Enrollment > Management > Authentication
Created: 24 May 2024

Allow people to remove a passkey from Account Settings.

Add the option to remove a passkey from Account Settings

  • Display the option to remove a passkey within the passkey card affordance in Account Settings.
  • Include a confirmation dialog before proceeding with passkey removal to confirm people’s intentions.
  • Inform people to remove their passkeys from their credential managers to streamline future access.
  • If removing the only passkey:
    • inform people of the fallback authentication method to guide the transition and prevent lockout.
    • inform people of the value of passkeys as a more usable and secure authentication method.
  • Include the option to cancel passkey removal if people change their minds or if removal was initiated accidentally.
  • Confirm passkey removal with a success message to reassure people that the action has been completed successfully.

Outcomes

  • Increase trust and satisfaction by empowering people to control their security settings and remove passkeys.
  • Lower support costs and resources required to handle requests related to forgotten, lost, or compromised passkeys.
  • If a passkey is lost, stolen, or compromised, the remove pattern helps prevent unauthorized access and potential misuse.
  • With the use of a confirmation dialog, the pattern helps prevent accidental actions, educates people, and improves the user experience.
    • [removing the only passkey scenario] Inform people of the fallback authentication method when they remove the only passkey to help maintain their access and continuity of use, and avoid disruptions to their workflow or access.
    • [removing the only passkey scenario] Informing people of the value of passkeys when they remove the only passkey helps ensure that they understand the security implications of their action and encourages them to keep using passkeys.
  • [optional step] Informing people of the option to remove the passkey from the credential manager helps ensure that the removal process is thorough and prevents authentication failures and frustration.

Flow: schematic

Flow steps

  1. The user navigates to Account Settings and views the passkey cards.
    To manage passkeys, the user navigates to Account Settings to view the registered passkeys.
  2. The user decides on the passkey to remove and initiates the removal process.
    The passkeys are shown in cards using FIDO UXWG-crafted passkey design, iconography, and messages to shape them. The crafted passkey card provides metadata, messaging, and options that were found to inspire trust and reassure users that their passkey is active and available. Each passkey card has the option to remove the passkey via an active Remove button. The user reviews the information shown for each passkey from the registered passkey cards and decides on the passkey to remove. The user initiates the removal process by selecting the Remove button.
  3. The system prompts the user to confirm removal (standard dialog or last-passkey dialog).
    1. The system prompts the user to confirm their decision before proceeding with passkey removal.
      After the user selects the Remove button on the passkey card, the system displays a confirmation dialog to confirm the intention and/or inform of the consequences. The research found that the double-confirmation mechanism provides additional protection and assurance for users, helping to prevent accidental or unauthorized actions. The FIDO-recommended confirmation dialog includes the following details:
      • Include the headline Are you sure you want to remove the passkey? to draw the user's attention to the removal decision being initiated.
      • Spotlight the passkey card so the user can review the information relating to the passkey they intend to remove.
      • Include two clear calls to action labeled Cancel and Remove passkey. If the user cancels the removal process by selecting the Cancel button, the system exits the removal process and removes the overlay. Otherwise, the user continues the removal process.
    2. The confirmation dialog structure varies based on whether there are fallback passkeys for sign-in, that is, whether the passkey being removed is the last one or one of many:
      If it is the only passkey, the dialog also tells the user which fallback authentication method (for example, password or email verification) they will be left with and reminds them of the value of passkeys. The two calls to action, Cancel and Remove passkey, are the same in both variants.
  4. The system confirms the successful removal of the passkey.
    After the user confirms the removal, the system displays a confirmation message of the successful removal of the passkey. The FIDO-recommended confirmation message includes the following details:
      • Include the headline Passkey removed to immediately inform the user about the outcome of the removal process.
      • Include the text This passkey can no longer be used with any device to clearly communicate the impact of the removal, helping the user make informed decisions about their security settings and reinforcing the importance of passkey management.
      • Include a boxed informational aid in a visible modal with the optional recommendation to remove the passkey from the credential manager. This recommendation helps prevent confusion and keeps the credentials stored on the device consistent with the actual account settings. Clearly label the box Optional step to promote clarity and encourage exploration.
      • Include a clear call to action labeled OK to indicate that the user can proceed after reading the confirmation message, reinforcing the completion of the removal process. The user dismisses the confirmation message overlay by selecting the OK button.

Flow: video

Flow: prototype


Content

Copy and edit user-tested content examples to suit your needs.


Are you sure you want to remove this passkey?


Remove passkey?

You are about to remove your last passkey. You will only be able to sign in with a password or email verification.

We recommend using passkeys for account sign-in as they are safer and you do not need to remember a password or a 6-digit code.


Passkey removed

This passkey can no longer be used with any device.

Optional step

To ensure your credential manager doesn’t prompt for this passkey, we recommend removing it from your credential manager as well.

UX Research

User experience research revealed that providing participants with an affordance to remove passkeys fosters a sense of ownership and enhances the usability and accessibility of passkeys without requiring specialized knowledge or technical expertise.

Participants across the two iterative studies reported managing their passkeys for maintenance purposes, such as updating their passkeys in response to technical issues or removing them when they are no longer needed or in use. In addition, participants said that trust and privacy concerns would significantly influence their decision about removing passkeys.

“If I got something like the Google password manager had like a breach or something, I would remove it.”

— Phase 3-Participant 4 (age: 43), Android (Chrome)

As they initiated the removal process, user research found that having a secondary confirmation or verification step was helpful in reducing the chances of making errors, unintended consequences, or regrettable actions. The confirmation dialog allowed participants to reconsider their choices and provided an additional layer of protection and assurance, enhancing the overall usability and reliability of the service.

“It double-checked if I want to remove it, which I would definitely like and expect it to do.”

— Phase 2-Participant 4 (age: 31), iPhone (Safari)

When removing the only passkey associated with the account, participants were quick to identify the fallback authentication method and felt reassured by the message.

Participants found the informational modal about passkeys to be an effective reminder of their value. They reported that the message was effective at highlighting the two primary benefits of passkeys: their security and the convenience of not remembering passwords or codes.

“That yellow box definitely did [stand out] because it definitely just gives you a description of what happened. If you remove the passkey that you might have to remember, it keeps you from having to use the six-digit code and remembering your password.”

— Phase 3-Participant 6 (age: 32), Android (Chrome)

The user studies revealed that most participants did not anticipate having to remove the deleted passkey from their device or credential manager as well; this made participants speculate about the potential consequences of not removing it. The FIDO-recommended headline for the informational aid, Optional step, helped communicate to participants that they have a choice in whether to proceed with the step. Participants found the instructional messaging helpful in preventing authentication failure, confusion, and frustration.

“I wouldn’t have remembered to do it [remove the passkey from the credential manager], and I probably would have been confused when I came back, and it asked for my passkey again.”

— Phase 3-Participant 2 (age: 29), Android (Chrome)

“And to also delete the passkey in your device’s credential manager. So a nice reminder that I need to go into the credential manager and delete that as well because it’s saved in two locations.”

— Phase 2-Participant 2 (age: 24), Android (Chrome)

Roll-out strategy

Service providers with different alternative authentication options, or service providers who would like passkeys to be the only sign-in option, can choose to adjust the workflows and behavior of this pattern to match their own unique needs.

Ecosystem

  • There is no way for the service provider to remove the private key from the customer’s device; removing a passkey from the account only deletes the public key and credential ID that the service holds. For this reason, FIDO recommends providing instructions for the Optional step after the passkey is removed.
  • Learn more about the forthcoming WebAuthn Report API, since standardized in WebAuthn Level 3 as the Signal API (PublicKeyCredential.signalUnknownCredential() and signalAllAcceptedCredentials()), which lets the service provider tell the credential manager which credentials are no longer accepted and might mitigate the need for the Optional step.
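What the second point looks like in practice, as an added example that is not code from the FIDO UX guidelines or from any service provider: after the server has removed the passkey, the page calls PublicKeyCredential.signalAllAcceptedCredentials() (the WebAuthn Level 3 Signal API, the successor of the Report API mentioned above) with the credential IDs the account still accepts, so a cooperating credential manager can hide or delete the stale passkey itself. Browser and credential-manager support varies, so the call is feature-detected and treated as best effort; the rpId "example.com", the response shape and the credential IDs are constructed for the example.

```javascript
// Added example (not code from the FIDO UX guidelines or any service provider):
// telling the credential manager which passkeys the account still accepts once a
// passkey has been removed server-side, using the WebAuthn Level 3 Signal API.
// The rpId, the response shape and the credential IDs below are constructed.

// Assumed shape of what the server returns after a successful removal.
const removalResponse = {
  rpId: "example.com",
  userHandle: new Uint8Array([1, 2, 3, 4]),            // the WebAuthn user.id for this account
  remainingCredentialIds: [
    new Uint8Array([0xde, 0xad, 0xbe, 0xef]),          // constructed credential IDs
    new Uint8Array([0xca, 0xfe, 0xba, 0xbe]),
  ],
};

// The Signal API takes base64url strings without padding, not raw bytes.
function toBase64Url(bytes) {
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  const b64 =
    typeof btoa === "function"
      ? btoa(binary)
      : Buffer.from(binary, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the dictionary that signalAllAcceptedCredentials() expects.
function buildAcceptedCredentialsSignal(resp) {
  return {
    rpId: resp.rpId,
    userId: toBase64Url(resp.userHandle),
    allAcceptedCredentialIds: resp.remainingCredentialIds.map(toBase64Url),
  };
}

// Feature detection: older browsers and non-browser runtimes have no Signal API.
function signalSupported() {
  const pkc = globalThis.PublicKeyCredential;
  return Boolean(pkc && typeof pkc.signalAllAcceptedCredentials === "function");
}

// Send the signal if possible. Returns "signalled", "unsupported" or "failed".
// The account state is already updated on the server, so this is informational only;
// a credential manager that ignores the signal is exactly the case the Optional step covers.
async function signalAfterRemoval(resp) {
  if (!signalSupported()) return "unsupported";
  try {
    await globalThis.PublicKeyCredential.signalAllAcceptedCredentials(
      buildAcceptedCredentialsSignal(resp)
    );
    return "signalled";
  } catch (e) {
    // The promise rejects on malformed input (for example, a non-base64url ID).
    return "failed";
  }
}
```

Sending the full list of accepted credential IDs rather than only the removed one means a credential manager holding a passkey the service never saw (or that was removed while the device was offline) is corrected too; the same call is appropriate after sign-in, not just after removal.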

Security

DigitalFiles gracefully falls back to an email OTP. The fallback you choose should match your own security and business goals, and your UX should be planned accordingly. The guidelines focus on UX concepts that are unique to FIDO with synced passkeys; you will see various forms of identity proofing and non-FIDO authentication examples throughout this work, but the guidelines do not prescribe security requirements for identity proofing or other non-FIDO authentication mechanisms, as these are unique to each RP and based on its own business needs and security policy.

Additional resources