FIDO Wording Guidelines

In order to promote the use of FIDO and to help standardize the user experience, the FIDO Alliance has written some guidelines about how to display information related to FIDO when using it on a website.
However, these guidelines are mainly built around the use of FIDO for account log-in. For transaction validation and two-factor authentication using WAFL, some of the recommendations do not really apply.

This page collects the parts of the official documentation that are relevant in our context and that we used in our demonstration.

 

FIDO during the user journey - Our interpretation

  • Until the user is logged-in, no change on the website.
  • Once the user is logged in, on their main dashboard, advertise the fact that a new way to authenticate payments is available, and link to the settings to enable it, but only if the device supports FIDO.
    (see how to check that in the implementation guide)
    Do not mention FIDO yet, but only biometrics.
    Use a fingerprint icon matching the user's platform: Apple icon for Mac and iOS; generic icon for other platforms.
  • In the user settings, the section dedicated to FIDO activation should:
    • Use the proper biometrics icon.
    • Start mentioning FIDO.
    • Offer registration only on supported devices.
    • Mention that even though it is supported, it might be necessary to enable it in the device settings, and indicate how to do so. (Example: Windows Hello can be disabled, but FIDO will still appear as supported by the device.)
    • Insist on the benefits of using FIDO: it's faster and it's simpler.
    • Display the FIDO logo.
    • At the bottom, add a link to display some FIDO key facts, as provided in the official guidelines.
  • During transaction validation, if the user used another validation method, invite the user to register FIDO after a successful transaction if their device is not registered yet.
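One way to encode the journey rules above as a single decision function (an added example, not taken from the FIDO guidelines or from the demonstration code). All function names, element identifiers and state fields are hypothetical, and using the standard WebAuthn call `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` as the device check is an assumption about what the implementation guide does.

```javascript
// Added example; every identifier below is hypothetical except the WebAuthn API.

// Device check. Assumption: the platform-authenticator probe from the WebAuthn
// standard stands in for the check described in the implementation guide.
async function detectFidoSupport(scope = globalThis) {
  const pkc = scope.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  try {
    return await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  } catch {
    return false; // on any error, behave as if FIDO were unsupported
  }
}

// Apple icon for Mac and iOS, generic fingerprint icon for everything else.
function biometricIcon(platform) {
  return /^(mac|iphone|ipad|ipod|ios)/i.test(platform) ? "apple-biometric" : "generic-fingerprint";
}

// Returns what a page may render: element ids, the icon, and whether the copy names FIDO.
function journeyPrompts({ page, loggedIn, supported, registered, platform, tx = null }) {
  const nothing = { elements: [], icon: null, mentionFido: false };
  if (!loggedIn || !supported) return nothing; // no change before log-in or on unsupported devices
  const icon = biometricIcon(platform);
  if (page === "dashboard") {
    // Advertise biometrics and link to settings, without naming FIDO yet.
    // Assumption: nothing is advertised once this device is already registered.
    return registered ? nothing
      : { elements: ["biometric-banner", "settings-link"], icon, mentionFido: false };
  }
  if (page === "settings") {
    // "device-settings-hint" is always shown: the platform feature (e.g. Windows Hello)
    // can be disabled while the device still reports FIDO as supported.
    return { elements: ["register-button", "device-settings-hint", "benefits",
      "fido-logo", "fido-facts-link"], icon, mentionFido: true };
  }
  if (page === "transaction" && tx && tx.succeeded && tx.method !== "fido" && !registered) {
    // Invite registration only after a successful transaction validated another way.
    return { elements: ["register-invite"], icon, mentionFido: true };
  }
  return nothing;
}
```

In a browser, `supported` would come from `await detectFidoSupport()` and `platform` from the user agent; both are passed in here so the rules can be unit-tested without a browser.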

Official extracts

Information about Security Keys

  • What is a security key?

    A security key is a small, physical device that works in addition to your password on sites that support it. A single key can be used with multiple accounts or sites.

  • Why should I use a security key?

    Security keys protect you against imposter websites that try to steal login credentials (like usernames and passwords). Other forms of 2-factor authentication (including text, email, messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.

  • How security keys work

    You must first add security keys using the button above. Once added, you'll be required to use them after signing in with your username and password. Doing this creates one of the strongest forms of authentication available to protect your account.

    • What security technology do security keys use?

      Most keys use an authentication "standard" called FIDO® which allows for secure authentication without drivers or software. When a user signs in to a website with a key, FIDO® cryptographically signs a challenge from the browser that verifies the website's actual domain name, which provides strong protection against phishing (e.g., when a fake website is used to trick users into sharing personal information). An attacker would need to control the website domain name or the browser to get a usable signature from the key.

  • Why do security keys look like thumb drives?

    Although hardware security keys may resemble thumb drives and are sometimes inserted into your computer's USB port, they are not storage devices. Your personal information is not trackable or linkable across sites or online accounts when using a security key.

  • What happens if my security key gets stolen?

    The key works in addition to your password, not as a replacement for it. If someone steals the key, they still can't get into your bank account without knowing your password (or which sites are registered with your key). You can sign in with a backup method and remove the stolen key from your account.

  • Add more than one security key

    Adding multiple security keys is highly recommended. If your security key is lost or stolen and you do not have a registered backup security key (or other backup authentication method), access to your account could be interrupted while we verify your identity. We recommend keeping one key easily accessible and another stored separately in a safe space.

  • Purchase security keys

    Security keys vary by manufacturer and can be purchased mainly from online retailers. We recommend FIDO certified keys. See a list of FIDO® certified keys.

  • Name your security keys

    Give your security key a friendly "nickname" that only you can see, so you know which key you registered with this account at a later point in time.

Information about Device Unlock

  • How device unlock works

    A technology called FIDO lets you sign in securely without relying on a password. Once you've registered your computer's PIN, facial recognition, fingerprint, or security key, FIDO verifies it's really you and doesn't transmit any of your login information over the internet.

  • Why use device unlock

    Easy, safe—and private! FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

  • More information

    Registering with FIDO provides you with an additional login option for this device—your password remains valid.

Learn more content

This part contains the information that could be used in any "Learn more" link, tooltip, or popup displayed under the FIDO icon under the Registration or Authentication buttons.

FIDO lets you sign in securely without relying on a password by keeping your login information securely on your device. Nowhere else.

How it works

  1. A technology called FIDO lets you sign in securely without relying on a password.
  2. FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers.
  3. Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your login information over the internet.
  4. Easy, safe—and private!
  5. Registering with FIDO provides you with an additional login option for this device—your password remains valid.
  6. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

FIDO Facts content

This part contains facts, developed from studies involving end users, that are designed to improve trust in FIDO.

  • FIDO is a technology built into all leading desktop devices (PC and Mac) and browsers, that allows users to sign in securely without a password.
  • In the same way your phone uses a biometric, FIDO now enables biometric sign-in on websites viewed on your desktop too.
  • FIDO makes sign-in easy, safe, and private!
  • FIDO technology uses your computer’s built-in authentication method (i.e., Windows Hello or Apple Touch ID) to ensure your sign-in information stays safe from hackers because it never leaves your computer.
  • Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your sign-in information over the internet.
  • Registering with FIDO provides you with an additional sign-in option for this device — your password remains valid.
  • Leading companies worldwide in retail, telecommunications, finance, and technology are already using FIDO.