User Perceptions of the Usability and Security of Smartphones as FIDO2 Roaming Authenticators

The FIDO2 standard aims to replace passwords with public-key cryptography for user authentication on the web. Doing so has benefits for both usability (e.g., not needing to remember passwords) and security (e.g., eliminating phishing). Users can authenticate with FIDO2 in one of two ways. With platform authenticators, users authenticate to trusted hardware on the same device on which they are accessing a website. However, they must re-register for each website separately on each device. With roaming authenticators, such as USB security keys, they only need to register once, transferring the security key across devices. However, users might not be willing to pay for a USB security key, carry it around, or figure out how to plug it into different devices. These drawbacks have driven recent efforts to enable smartphones to serve as roaming authenticators. We conducted the first user study of FIDO2 passwordless authentication using smartphones as roaming authenticators. In a between-subjects design, 97 participants used either their smartphone as a FIDO2 roaming authenticator (via a prototype called Neo) or a password to log into a fictitious bank for two weeks. We found that participants accurately recognized Neo's strong security benefits over passwords. However, despite Neo's conceptual usability benefits, participants found Neo substantially less usable than passwords both in objective measures (e.g., timing to accomplish tasks) and in perception. Their critiques of Neo included concerns about phone availability, account recovery/backup, and setup difficulties. Our results highlight key challenges and opportunities for spurring adoption of smartphones as FIDO2 roaming authenticators.