Designing success: Crafting principles for passkey adoption with Kevin Goldman

Kevin Goldman and Sierre Wolfkostin at FIDO Alliance

Chris Strahl: Hi, and welcome to the Design Systems podcast. This podcast is about the place where design and development overlap. We talk with experts to get their point of view about trends in design code and how it relates to the world around us. As always, this podcast is brought to you by knapsack. Check us at Knapsack.cloud. If you want to get in touch with the show, ask some questions, or generally tell us what you think. Go ahead and tweet us @theDSPod. We'd love to hear from you. Hey everyone. Welcome to the Design Systems podcast. I'm your host, Chris Strahl. Today I'm here with two members of the Fido Alliance UX Working Group. I'm here with Kevin Goldman and Sierre Wolfkostin, welcome to the program.

Kevin Goldman: Thanks for having us.

Chris Strahl: So tell us a little about yourself and what you do. This is atypical. You all are from a group that is serving an industry instead of just a big enterprise or somebody that is using a design system internally. So tell me a little bit about yourself and what this is all about.

Kevin Goldman: Yeah, we both have day jobs, but we also contribute to the Fido Alliance, which I'll describe in a bit. I'm the Chief Experience Officer at Trusona. I'm also a board member at the Fido Alliance, and I chair the UX working group within The Fido Alliance.

Sierre Wolfkost...: As Kevin mentioned, most folks in the Fido Alliance also hold jobs in companies that are members of the Fido Alliance. So that is the case for myself as well. I'm a designer based out of Ann Arbor, and currently I work for duo, which is a part of Cisco. And there I work with their passwordless team to help kill the password and bring safer, more effective ways of logging in to all of our customers, which naturally got me involved with the Fido Alliance, where I met Kevin and then started working together after that.

Chris Strahl: I think the thing that is in everybody's mind is when you say something as provocative is we're going to kill the password. And you talk about the Fido Alliance. What is it that the Fido Alliance is all about?

Kevin Goldman: Yeah, great question. So about 10 years ago, the Fido Alliance was started and it always had the mission to create more secure authentication, and it's really reached an inflection point in the last year or two as Apple, Google and Microsoft have provided support for passkeys, and that pass key technology allows you to sign into a website or to an app in the same way that you would unlock your device. So people are very used to unlocking their phone a hundred times a day. Well now they can use that same gesture, that same experience, and unlock and get into a website. The beautiful thing about it is it's easy, but it's also much, much more secure than using a password. So you don't have to remember a password, but also there is nothing to really be stolen or leaked from the servers. And as most folks know in the security industry, the breaches that you see are often about 80% of them are caused if you go back to the root cause analysis caused by passwords.

So it's really a two mission, get rid of passwords and do that in a way that is easier to use the passwords and also more secure. It's also worth saying for folks that aren't familiar with Fido Alliance, it's a global industry alliance that creates specifications for modern authentication. And there's about 300 companies involved in the Fido Alliance. So pretty much every big tech company that you could imagine, but also a lot of other companies that companies like, I don't know, like PayPal or US Bank or N T T DoCoMo in Japan are also part of Fido Alliance.

Chris Strahl: Gotcha. So this is why I got a push notification from Google, I dunno three weeks ago that said, Hey, set up pass keys on all your accounts is because of the work that you all are doing.

Sierre Wolfkost...: Right. And it's important to note that even though passkey as a most recent security development are currently taking our industry by storm, as you've mentioned and noticed with Google, and now Apple supports them and Microsoft soon as well. It's important to note though that this has all been a long, long time. Coming back over a decade ago was when the Fido Alliance first started working on the foundation, which is called the Web, authentic API, that would later support the ability for passkeys to be a way of logging in that they are now today. So all of this was a long time coming. It's not like it happened overnight.

Chris Strahl: Gotcha. Yeah, of course. I think that it is interesting when you think about the structure and standards that are required to create some sort of cross company or industry-wide authentication standard or identification standard. That's a lot of work. I'm sure that this has gone on for many, many years. And on top of that, seeing the rollout and the tangible evidence of this being a meaningful change, the way we all think about security has got to be exciting for you all.

Kevin Goldman: Yeah, it is. I'll channel one of the lead designers at Google, Mitch Gallivan. He describes it as a system level reset on the internet, and it really is changing the way you authenticate globally across the internet. That's a big change. I'm certainly new to Fido Alliance, been working with Fido Alliance maybe three, four years. But as Sierra said, Fido Alliance has been hard at work on these specifications for the last 10 years.

Chris Strahl: So when you think about what this actually is and you describe a pass key, I'm familiar with it because look, my Google account for Gmail is set up with one, and so I kind of understand it or at least understand how to use it. Prior to that, a huge fan of one password we have it rolled out company wide, et cetera, et cetera. We all use two-factor everything with Twilio and aui. And then we were also a big part, we got caught up in the LastPass breach. And so what's different now from just using a password manager or some sort of two-factor system like Authe to manage your authentication?

Sierre Wolfkost...: So it's an interesting question because when you mention it, there are some aspects that change, but perhaps more surprisingly, there are a lot of aspects that don't change. I'll start with what doesn't change. I mean, for example, you still have to use something to log in or to sign into your accounts. It just so happens that a password is much weaker as a way to log in. It can be credential stuffed, it can be phished. There's a lot of inherent security vulnerabilities to passwords as a way to log in a pass key. Yes, you do use it to still sign in, same as a password, but it is so much more secure. It's based on your biometric information on your computer's operating system or on your phone's operating system. And so it's so much more secure when you're logging in even though the act of logging in is still being had. So that's one kind of notable similarity between the two. Also in both is an aspect of management as well. Password managers have existed for decades with pass keys. You can still manage them, but this time, instead of using a password manager, typically you'll use your iCloud account on Apple, your Google account for Google and Android. So you'll still have a way to manage those pass keys, and often it is more simple as well.

Chris Strahl: So what does the implementation of that look like? So you have big providers like Google, Microsoft, apple, that are adopting these as standards, but when it comes to my bank login and something like that, when will I start to see pass keys in places like that?

Kevin Goldman: Yeah, there are a number of rapidly growing lists of, we call them relying parties. It's a little bit of a jargon term, but they're really just brands or websites who have enabled passkey support, and it is beyond Apple, Google, Microsoft. You have companies like CVS Health, Hyatt, Instacart, Robinhood, kayak, TikTok, Shopify. There's a rapidly growing list of companies who have taken a look at pasties and said, wow, this is really a win-win. I get phishing resistant authentication that's more secure, but I also get a sign-in experience that's twice as fast as a password and four times more successful people signing in as a password. So the list is growing quite a bit now. For those brands that are interested in supporting passkeys on their website, they have to go through a process of just implementing a Fido server and then implementing some code on their front end to enable those passkeys to work as expected. That's a little bit where the UX working group comes in is because yeah, there's some code to implement, but there's also you need to kind of relook at some of those user journeys. For decades, we've had this paradigm of enter username and password to sign in, and now there's a new paradigm which is simply use a passkey. So the experience is entirely new in some ways. And so along with those specifications and the code examples, Fido Alliance also provides some UX guidelines to get those brands started with Basies.

Chris Strahl: Yeah, and how did you develop all these? I can imagine sitting there thinking back about a research project or some sort of way of re-imagining a login experience, something that is so fundamental to the way that we think about accessing secure areas of the internet. What does that look like? How do you come up with a new way of thinking about that?

Sierre Wolfkost...: Here's what really surprised me when it came to creating standards or creating a standardized experience for passkeys to be used by companies in the security industry and any company that wants to use baskets, it felt so much more like a casual group project than one might expect given the formal language of the Fight Alliance's website. I thought at first that the process would be very congressional, but I was so relieved to join our first video call and see people with their dogs hanging out, chatting up a storm, and then following this really highly collaborative process to actualize these guidelines and conduct some research. I'd say our process had four main phases. First, we built empathy by auditing passkey deployments in the wild. We interviewed brands as well that have successfully deployed passkey and talked to platforms like Apple and Google. After that, we sought to define exactly where we would focus in terms of the passkey experience.

We looked at a person's whole journey having an account at a given organization and picked out the most impactful touch points on which to focus. And then after that, we just iterated on our designs and brought those designs to multiple rounds of testing with over 20 different US consumers all with modern operating systems. And we got a chance to observe and see for moments of delight and friction and understanding. It all felt like a very typical design process that I'm sure a lot of us are used to, but overall, it was so collaborative and that's what made it so surprising as we were going through it.

Chris Strahl: It's interesting because you all are talking about a research process that gets to be highly collaborative across all these different people and all these different companies that is servicing this goal of changing an industry. And the interesting part about that is you somehow got a bunch of different people with a bunch of different disparate organizational priorities to agree on what a consistent, clear systematized process to manage authentication looks like. And I think that's actually kind of remarkable, this idea that, hey, we're changing the way we all log in and we're all going to agree that might be the way. And to get that sort of alignment across a pretty diverse group of people. What's the secret sauce there?

Sierre Wolfkost...: For me, it really boiled down to two things. One was that everyone had shared values in the sense that we all came together at a regular cadence because we had this intense curiosity for what we could create together, and we all wanted the whole industry to benefit by having some sort of standardized experience. So we all were there for the same reasons. I think that's in part what made us work so well together. But then beyond that, just the fact that we were all involved in a typical design process I think really went a long way because everyone got to see the research, everyone got to see the insights as we went through testing and everyone was involved in the design phase. And so through being involved in that process from start to finish, it was so much easier to form natural alignment and natural agreement as we all learned and then designed together.

Chris Strahl: Yeah. Kevin, what do you think about that? Do you feel like your ingredients in the special sauce are the same?

Kevin Goldman: We really have to emphasize again that the Fido Alliance has been doing work for about 10 years, bringing the industry together around some of these security principles and cryptographic principles that laid the groundwork. And the work that Sierra and I are talking about is the UX working group and these UX guidelines and the research we've been doing, and that's been more recent in the last few years. So it is a really interesting challenge. At the time that we did this research, we had 77 people in the UX working group from 32 different companies, geographically diverse all over the world. So how do you bring these people together? The approach that I've tried to take is to create a creative safe zone where we can just be humans together and not get caught up in trying to have all the answers from the get go where it's okay to ask or ask all the silly questions and to be okay iterating.

And we did a lot of work around just taking time to acknowledge everybody's work and contributions. And so as the group started to come together, I think there began to feel an air of it's okay to share. My crazy idea started to be okay within this group. And the funny thing is those crazy ideas aren't crazy. They're just new. This space, this authentication space, all this work is so new that it can be a little scary to try to define these because nobody has the clear answer yet. So here's the different answer, which is within the Fido Alliance, we had 77 people from 32 companies just within the UX working group. We are so close to this stuff, we live and breathe it every day. So it was really important for us to hire a third party UX research firm and collaborate with them so that we can see our own blind spots and really make sure that we're not bringing our own jargon and biases into the work. Hiring that external firm also helped to ensure that we're researching the right things.

Chris Strahl: That's what's great about external folks sometimes is you bring the knowledge, they bring the mirror so you can kind of see your own knowledge reflected. And I think that that's a cool way of thinking about it.

Sierre Wolfkost...: What was interesting too is that not only did we look externally with the help of our third party research firm, but we also looked internally as well because all of us members were part of companies that in some way or another we're close to this space. And that meant that we had access to tons of research and existing insights and existing knowledge from each of our respective companies. And that made it really fun to share ideas and form standards together because you could pull in some research projects and share with the rest of the group. So like, Hey, Google does things this way. This is what they found in their latest user tests. Here's what duo found in this other research study. And then you combine insights and it saves a ton of time while also helping you get to the right answer. And the best answer for these sort of guidelines, I

Kevin Goldman: Have this list of all these companies and names in front of me. I have to just share a few of them because normally when we present this, there's a visual and Sierra and I might be presenting, but we want to make sure that everybody's acknowledged. I'm just going to rattle off a few of these companies. So the folks that were involved in this work, one password, American Express, apple Axio Beyond Identity, blink ux, Dashlane Duo, Google Hyper, I b M, idia, Intuit, JP Morgan, chase, meta, Microsoft, knock-knock, Okta, PayPal, Samsung, Sony, target, Trusa, trust, key, US Bank, VMware, Wells Fargo, UBI O, and the list goes on. The diversity also helped us to arrive at some guidelines that I think are pretty sound. It was drawn from such a diverse group.

Chris Strahl: So thinking about this in the context of patterns, what you all have ostensibly created here is a pattern for validating identity through an authorization framework. And that represents a replacement of the traditional idea of a username and password. And I think that the really curious thing about this is you basically have a pattern for this now that has a core pattern and a bunch of variations, and the way you've decided to distribute it is effectively a design system. And this is fascinating because you're not just talking about a design system that distributing a pattern to a bunch of apps inside of a company. You're talking about a design system that is distributing a pattern to an entire industry. How did that decision process come about and what does that even look like?

Kevin Goldman: Well, it's been iterative. This is the third time that the Fido Alliance has released some UX guidelines. And the first time that we went through this process was about three years ago. And the delivery of those guidelines was a very linear narrative. Frankly, it was just a P D F, here's the guidelines, and it's a very linear story. And the second time we went through this process, we knew we had to make it a little bit more systematic modular. We needed more abstract thinking to be a little bit more principled in the approach. And then this third time with the pasky UX guidelines, we took that even a little bit further where we had findings, we had workflows. We could tell a linear story, but instead, we've spent a lot of time using that abductive thinking to abstract what we learned in the research and put those into principles that could be applied broadly across the world in a lot of different use cases. So that's one way we approached it. There's so many different ways we had to systematize what we learned from the research.

Sierre Wolfkost...: I just want to highlight your point, Kevin, around the simplicity of the principles because the audience for these principles is so large, I mean it's an entire industry worth of people that are consuming these and ideally using it to help them create their key experiences. That meant that at least at the beginning, we had to be as simple as possible just to ensure that these principles had the strongest possible chance of actually being followed and used as intended. I remember back when I was first looking at different ways that companies deployed keys. One thing that stood out to me was just how fragmented deployments can become, and I mean fragmentation in the most basic sense, like passkey being presented in two completely different ways by two completely different companies, different branding, iconography, labeling everything. And so just having a simple set of principles that everyone can easily implement, I think ended up being one of the most important things about our entire set of guidelines. They stress simplicity over anything else, and that is intentional to promote more widespread adoption.

Chris Strahl: And I think that it's a way of laying constraints that is still broad enough that people have a lot of freedom to implement how they want, but still represents guidance. A design system is a distribution mechanism for this type of research, and this type of technology is fascinating because what you're basically saying is, here is a systematic approach to this problem space. Here's a pattern that has lots of different variations that you can work within that can solve this particular issue inside of all of our companies. And so we're going to distribute that, and that distribution isn't going to be some heady 80 page spec. It's going to be something that is a practical set of guidelines that represent the constraints that the entire industry is going to rally around for the implementation of this.

Kevin Goldman: Chris, you hit the nail on the head. Part of the research was to research the end user experience, but then another part of our research was to research what is an effective way to communicate this information, these learnings? What is the right systematic approach to deliver this content to brands that are looking to implement PAs keys? I mentioned the first time we did this three years ago, it was just a linear P D F. It was just a linear story, but now we have a much more modularized approach. We have 10 UX principles for Paki. We have three content principles for paki. We have four user journeys for Paki. We do have a Figma UI kit where you can go grab a whole bunch of OSS dialogue prompts. That'll just help you kickstart your own prototyping work and some other modularized content. Because what we learned when we talked with brands is that, Hey, I don't necessarily want to read that 88 page doc that you were mentioning, Chris. I want to be able to drill into what I need when I need it.

Chris Strahl: I think the interesting thing is it almost mirrors the change in the agency process where you used to have a bunch of agencies that would come out and be like, all right, let's recreate a digital brand, or let's recreate the design for an application, and it'd be these massive docs that you would get. They would be dropped on people and people would look at them and review them because they were paying lots of money for them, and then ultimately very rarely open them again. And I think that that's kind of the way that lots of folks that aren't deeply in the standards game look at standards that they get. It's like, okay, I'm going to take a look at this and do some adherence work, but fundamentally, I'm going to pick that up a couple of times at most by having it be much more modular and much more systematized, it makes it a lot more practical in the way that it's implemented. And again, as a distribution mechanism, what you mentioned before, Kevin, different people look to get different things out of these types of guidelines and the ability to segment and have an information architecture that speaks to those different use cases becomes a very useful tool at getting people to care.

Kevin Goldman: Yeah, it sure does. And even within industry standards organizations, we're starting to see more systems, UX systems, design systems emerge. It's still a very greenfield space here for industry organizations like ours, like Fido Alliance, but if you look at open banking in the eu, they created some wonderful CX guidelines that were very systematized and modular, easy to kind of scan and then drill down where you want. Then also EM, VCO is doing some wonderful interactive guidelines that are going to be released here shortly in the payment space. It's an industry organization of credit card providers, so it's evolving and we're kind of learning from each other too. We talk with those other industry organizations and say, how are you systematizing your content? How are you figuring out how to take your best practices and deliver that in a way that the industry can better use?

Chris Strahl: I think that one other thing that I am curious about is how do you really showcase the importance of this to these organizations? How do you get people not just to participate, but to really adopt this stuff? What is the driving factor that really presents security and accessibility for consumers as a front and center concept?

Kevin Goldman: Couple different ways to answer that. One is, you might think it's from left field here, but it's through government policy. So there is work within the Fido Alliance that works to communicate and interface with governments around the world who create policy around these things regarded to authentication. In the US we have something called nist. There's a specification within NIST that is required for government agencies to use and to follow regarding authentication. So it's important for us to have a good dialogue and back and forth with NIST regarding this new modern authentication. Now, the interesting thing is private entities like banks, you mentioned banks earlier or other regulated industries will also fall in this guidelines. That's one way where you get the word out. Another way is definitely that the big players in the tech industry with Apple, Google and Microsoft now very vocally supporting Passkey, it sends a signal that this is ready, that there's a commitment from the major players and certainly Google, as you mentioned, you created your passkey for your Gmail account. Anybody, can you just go to g.co/passkey? The fact that Gmail now allows you to sign in with a passkey helps get the word out as well. But there are many, many, many, many channels that Fido Alliance uses to kind of get the word out. We have, there's a conference called Authenticate This year's in Carlsbad in October, and the conferences just growing each year and companies are going there because they're interested in pasties. They want to learn more, they think they might deploy, and they can go to a conference like that to learn more

Sierre Wolfkost...: In terms of getting the word out. What really strikes me about the Fido Alliance's approach, at least from what I've seen, is the focus on existing networks for getting the word out, and that's because the security community, it's a pretty tight-knit community, even though these are many dispersed companies working from all over the world. The community tends to congregate though at specific times of a year, pretty regularly at specific conferences. One of the biggest of which it's called the R S A Security Conference in San Francisco that was started back in, gosh, it was like 30 years, like 1990s or so.

Chris Strahl: Yeah, I had an R S A Key back in college,

Sierre Wolfkost...: And that's the acronym behind the conference itself. And so one way that the Fido Alliance has really been able to get the word out has been by showing up at these forums and showing up where the global security industry already is congregating. Kevin and I just in the last year or so, have been to numerous conferences together, and each time we meet new people, each time we meet new companies that are learning about the guidelines. Sometimes for the first time, sometimes they've come to ask more questions, but just taking advantage of existing networks and going where the people are already congregating has seemed to help a lot.

Kevin Goldman: Yeah, the security industry, they probably already know about PAs keys. They know about UBI keys and hardware security keys and these other related technologies that Fido Alliance produces specifications for. However, the audience of this podcast, are they aware, do they know that when they design a new system that there's another option besides username and password or there's another multifactor option other than username and password plus an SMS even coming on this podcast is like our goal is to spread the word to the design community, the PM community that just may not know yet that passkey exist.

Chris Strahl: Well, and it's an important issue because I think that in the context of how do we design better, more secure experiences, there's a consumer mindset here that is really difficult to overcome, right? Is that we've used username and password for years basically since the internet was created, and so how do you shift that while not making something more inconvenient? Right? It's hard enough to get people to sign up for two-factor authentication. If you had to make a major shift in the way that people authenticate, that is inconvenient for them. I think that adoption becomes really hard, and I think that that was one of the beautiful things that passkey is focused on is this idea that it's not altogether all that different, but it just ends up being something that is largely transparent to a user.

Sierre Wolfkost...: Right, and as you mentioned, we're up against a lot of inertia here. I mean, for most people, a password is the only authentication method that they've ever known. I mean, the vast majority of our world uses three generations of people yourself, your parents, your grandparents. They've all used passwords, and so there's no denying that Passwords have a lot of inertia, a lot of force behind them in our world, and so only with a new option that's both easy to use and also more secure, one that really represents the best of both worlds, can you even stand a chance to start moving passwords aside? And even then it's hard, especially since it's a new technology. This is not something that most consumers at this point in time have heard of before or used before, and so that means that storytelling is super important. Getting a consensus around what passkeys are, why they're important, how they're supposed to work, all of that is super important for the adoption of any new technology, but especially passkeys because again, we're up against so much inertia from passwords.

Chris Strahl: So we talked a lot about the idea that design systems are a distribution mechanism for this work, and a lot of that is about principles, it's about workflows, it's about research, and there's also some practical things like UI kits in there. Can you give us some examples of what's contained inside of the system and why this presentation Medium is unique in chosen by the Fighter Alliance?

Sierre Wolfkost...: Of course. So as Kevin mentioned, we have 10 main UX principles along with three content principles and then additional user journeys. The most relevant ones to cite are likely some of the UX principles. These include things like prompting to create pass keys alongside account related tasks. They include things like associating unfamiliar concepts like a passkey with familiar concepts such as biometrics or passwords, or things that are more tangible in the mind of a consumer. Those are just a couple examples of the guidelines included, and what's really interesting and unique about them is that not only is there a practical value to those guidelines, as in they can help inform the flow so that it's more easy to use, that it's more usable for consumers, but also beyond that, the principles were created directly to help companies drive real adoption of keys. So some of the principles have dual purposes where they were explicitly created not only to make the experience usable, but also because they tested really well in our testing in terms of their ability to incentivize people to use the passkeys and to encourage them to set them up and use them for the first time.

Chris Strahl: We talked about 20 years of inertia associated with usernames and passwords. There's also 20 years of technology built up that supports this, and a lot of that focuses on things like accessibility. How do you take that into consideration when you're developing literally a new standard for a fundamental underpinning of how we use our apps?

Kevin Goldman: Absolutely. Yeah. Accessibility is really important for the Fido Alliance, and it's really important for the UX working group to study as well. So the person who's leading this effort has really matured our understanding of accessibility around phyto technologies. That's Joyce Oida. She's an accessibility specialist at VMware, and she looks at accessibility through the lens of five different lenses. It can be audio disabilities, physical disabilities, vision disabilities, cognitive disabilities, or voice disabilities in the latest round of UX guidelines for passkey, we really focus on ensuring that the passkey experiences are accessible for people who are blind or have low vision. We did usability testing with people who were blind and learned an awful lot from that. The great news, just the cut to the chase, the pacus are very, very accessible, and not only that, they're nine times faster than two af with SMS

Chris Strahl: That's awesome. So this has been a really fascinating journey around how are you using design systems as a way to distribute an industry-wide change through an alliance of organizations and building a design system as a method to create a more modular experience for people to allow them to very easily get what they want, to understand more about keys and understand how they can adopt them. I think it's a fascinating way of using design systems in a case that I'd never heard of, also in a space security that people don't often think or associate with design systems. So I want to thank you both for being on the program and sharing this really unique perspective. It's been awesome to learn from you and to understand more about how y'all are thinking about systems and your approach to changing the way we all log in.

Kevin Goldman: Thanks, Chris.

Sierre Wolfkost...: Yes, thanks for having us.

Chris Strahl: We really appreciate it. We'll check in again soon. We'll also have a link to their design system and the show notes, and you can check it out there. This has been The Design System podcast. I'm your host, Chris Strahl. Have a great day, everyone. That's all for today. This has been another episode of the Design Systems podcast. Thanks for listening. If you have any questions or a topic you'd like to know more about, find us on Twitter @theDSPod. We'd love to hear from you with show ideas, recommendations, questions, or comments. As always, this pod is brought to you by Knapsack. You can check us out at Knapsack.cloud. Have a great day.

Get started

See how Knapsack helps you reach your design system goals.

Get started

See how Knapsack makes design system management easy.

Related posts