UX guidelines for authentication flows

When integrating Nevis Authentication Cloud into your web application, you have the freedom to tailor the user-facing authentication flows to your specific needs. On this page we collect some recommendations to guide you in creating the optimal authentication experience for your users.
UX flow templates
We created FIDO UAF and Passkey flow templates on Figma communities to visualize some examples of login and registration flows using Nevis Authentication Cloud functionality. These can help you create the optimal flows for your application. You can view them at:
General recommendations
Make the authentication process as seamless as possible. Users should not have to go through multiple steps or enter multiple pieces of information unnecessarily.
Use visual cues to guide users through the process. Make sure that the authentication process is self-explanatory. Use distinct icons and progress indicators to show the different steps involved.
Provide clear and concise instructions. Users should know exactly what to do and when to do it.
Test the authentication process with a variety of your real users. This helps to identify any potential usability issues.
Be transparent regarding user privacy. Clearly communicate how user data and biometric information are being handled and protected.
FIDO UAF specific recommendations
Use simple, familiar terminology
Use familiar and straightforward language throughout the authentication process. Avoid technical jargon such as "FIDO", "UAF", "push notification", "push message" and other technical terms that may be confusing to users. Instead, use terms like "register your device" or "use your fingerprint to sign in". Always research whether your user base knows the terms you use. Some examples of simple terminology:
- "Verify it's you"
- "Use your fingerprint/face ID to sign in"
- "Register your device"
- "Confirm your identity"
- "Unlock the device with your fingerprint"
- "Check the notification"
Encourage users to use FIDO UAF
Emphasize the benefits and the convenience of biometric authentication, reassure users that biometrics are safe to use, and that their biometric information never leaves their device. During account creation, gently direct your users towards FIDO UAF based authentication, but give them the option to opt out and set it up later. It can help, for example, to include a step during the registration process that switches biometric authentication on.
Promote account recovery
During account creation, add a step to register an email address that users can use for account recovery.
Configure fallback mechanisms
Provide alternative authentication methods, such as PIN login as a fallback option in case users cannot use their primary authenticator. This is important, as there are many everyday situations that impede the use of facial recognition or fingerprint scanning. Some example use cases are wearing winter gloves or medical masks.
Ensure inclusiveness
Make sure the authentication process is accessible to all users. Users with disabilities and accessibility issues should be able to use the same authentication flows as all other users. Examples: people in the construction industry may have fingerprints damaged as a result of their work, some people have no fingerprints at all, and there may be users wearing facial prosthetics. We recommend the following to ensure inclusiveness:
- Direct users to register alternative options for authentication besides biometrics. This step should be implemented during the user enrollment process, before switching biometrics on.
- Offer the PIN fallback method during the UAF authentication. For the most seamless flow, do not ask users whether they want to use biometrics or PIN; start with biometrics as the default method and show PIN as an alternative.
- Provide the option to use biometrics on the PIN screen, so that users can easily navigate back if they landed on the PIN validation screen by accident.
- Provide an option to switch biometrics on and off in the settings to allow PIN only use.
Protect against bad actors taking possession of a device
Include a step to re-authenticate with FIDO UAF before allowing FIDO UAF authentication to be switched off. Use biometrics or PIN to confirm that the lowering of the security level is intentional and done by the rightful user.
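The two rules above (biometrics as the default with PIN as the always-available fallback, and a fresh FIDO UAF re-authentication before biometrics can be switched off) can be expressed as a small flow policy. The following is an added example written for this page; it is not Nevis's own code or SDK API. The class and method names, the "pin"/"auth" screen names and the one-minute freshness window are assumptions for illustration.

```javascript
// Added example (not Nevis's own code): a flow-policy model for the
// fallback and re-authentication recommendations. All names are assumed.

const Method = Object.freeze({ BIOMETRIC: "biometric", PIN: "pin" });

class AuthFlowPolicy {
  // `now` is injectable so the freshness check can be tested deterministically.
  constructor({ now = () => Date.now(), reauthWindowMs = 60 * 1000 } = {}) {
    this.now = now;
    this.reauthWindowMs = reauthWindowMs;
    this.registered = new Set();      // methods the user has enrolled
    this.biometricsEnabled = false;
    this.lastFidoUafSuccessAt = null; // timestamp of the latest successful FIDO UAF step
  }

  // Enrollment: the PIN fallback is registered first, so biometrics can never
  // be the user's only way in.
  registerPin() {
    this.registered.add(Method.PIN);
  }

  enableBiometrics() {
    if (!this.registered.has(Method.PIN)) {
      return { ok: false, reason: "register_fallback_first" };
    }
    this.registered.add(Method.BIOMETRIC);
    this.biometricsEnabled = true;
    return { ok: true };
  }

  // Authentication screen: biometrics starts by default when enabled and PIN
  // is shown as the alternative; the PIN screen links back to biometrics so
  // an accidental landing there is easy to undo.
  screenOptions(screen) {
    if (!this.biometricsEnabled) return { method: Method.PIN, alternative: null };
    return screen === "pin"
      ? { method: Method.PIN, alternative: Method.BIOMETRIC }
      : { method: Method.BIOMETRIC, alternative: Method.PIN };
  }

  // Called when a FIDO UAF authentication (biometric or PIN) succeeds.
  recordFidoUafSuccess() {
    this.lastFidoUafSuccessAt = this.now();
  }

  hasFreshReauth() {
    return this.lastFidoUafSuccessAt !== null &&
      this.now() - this.lastFidoUafSuccessAt <= this.reauthWindowMs;
  }

  // Settings: switching biometrics off lowers the security level, so it is
  // only allowed right after a fresh FIDO UAF re-authentication. The re-auth
  // is consumed so one confirmation cannot cover several sensitive changes.
  disableBiometrics() {
    if (!this.hasFreshReauth()) return { ok: false, reason: "reauth_required" };
    this.biometricsEnabled = false;
    this.lastFidoUafSuccessAt = null;
    return { ok: true };
  }
}
```

In a real integration the call to `recordFidoUafSuccess` would be made from the success callback of the FIDO UAF step, and the settings screen would trigger that step first and only then call `disableBiometrics`; the consumed timestamp means a user who wants to change a second sensitive setting is asked to confirm again.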
Omit app start confirmation
When FIDO UAF protects starting the app, there is no benefit in adding an extra step to start the sign-in process. Start with FIDO UAF straight away for the most seamless flow.
Add FIDO UAF authentication as the last step in the flow
When authenticating with FIDO UAF, use it as the very last step after the last confirmation. Example flow steps:
Transaction signing
- Start transaction
- Fill in transaction details
- Confirm transaction
- FIDO UAF
Sign in
- Start sign-in
- Fill sign-in details (if applicable)
- FIDO UAF
Use general terms
FIDO UAF can be used on various devices, such as tablets, mobile phones and wearable devices. Use a name that covers all of them, such as "Mobile device".
Make sure QR codes are scanned with the right app
Users tend to scan QR codes with their device's native camera app, and camera apps differ in how they handle QR content. Set up the technical background so that a scan made with a camera app can direct the user to your app, and inform the user to use your app to scan the QR code.
Ensure QR code accessibility
Make QR codes visually easy to recognize for users with vision disabilities. For example, make them large, bordered, enclosed by arrows, etc.