Balancing Security and Usability: Strategic Adoption of FIDO for Critical Operations

October 17, 2023

Session Details

Many case studies introduce FIDO for login, primarily to improve the user experience. FIDO can also serve as an additional authentication factor that raises the security level of an account. Making FIDO the required authentication for a critical feature is a relatively easy way to increase adoption. However, to preserve that security level, management of the FIDO credentials themselves (registering and removing them) must also be treated as a critical operation, and that raises difficulties of its own: account recovery, error handling, and risk control.

Mercari, Inc. provides C2C marketplace, finance, and cryptocurrency services. A few years ago we were struggling badly with phishing attacks. We mitigated the situation by requiring additional authentication for critical operations, but this degraded the user experience and increased SMS authentication costs. Even accepting those downsides, phishing remained a threat, because an SMS one-time code can itself be relayed by a phishing site. To solve these problems we decided to introduce FIDO. The experience we gained may be helpful for other services that require a relatively high level of security assurance.
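The two points above, FIDO step-up for critical operations and FIDO credential management itself being a critical operation, come down to what the relying party checks when it receives an assertion. The following Go program is an added illustration written for this page; it is not Mercari's code and does not describe their implementation. It assumes a relying party `example.com` with a single allowed origin, an operation policy list (`criticalOps`) invented for the example, a minimal authenticator simulation whose `origin` parameter exists only so a relayed assertion can be produced, and constructed constant challenges. It shows the relying-party verification steps from the WebAuthn specification (ceremony type, challenge, origin, rpIdHash, user presence, signature) and demonstrates why a challenge relayed to a look-alike site, the attack that works against an SMS code, fails against FIDO.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying-party settings for this example (not Mercari's real values).
const rpID = "example.com"

var allowedOrigins = map[string]bool{"https://example.com": true}

// Operations gated by a fresh FIDO assertion. Adding or removing a credential is
// listed too: it changes what later step-ups accept, so it is itself critical.
var criticalOps = map[string]bool{
	"withdraw_funds": true, "change_phone_number": true,
	"register_fido_credential": true, "delete_fido_credential": true,
}

// RequiresFIDO is the policy check a request handler runs before acting.
func RequiresFIDO(op string) bool { return criticalOps[op] }

// clientData mirrors the CollectedClientData the browser serializes and the
// authenticator signs over; the origin field is what defeats relay phishing.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the part of a navigator.credentials.get() response we verify.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// signedDigest is what is actually signed: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// SimulateAuthenticator stands in for a platform authenticator. Origin is a parameter only
// so the example can forge a relayed assertion; a real browser fills it in itself.
func SimulateAuthenticator(priv *ecdsa.PrivateKey, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256([]byte(rpID))
	authData := append(h[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (0x01 = UP) || signCount 0
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{authData, cd, sig}, err
}

// VerifyAssertion runs the relying-party checks that give FIDO its phishing
// resistance, in the order the WebAuthn spec lists them.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge: stale or replayed assertion")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q is not ours: assertion relayed from a look-alike site", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) || a.AuthData[32]&0x01 == 0 {
		return errors.New("rpIdHash mismatch or user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify against the registered key")
	}
	return nil
}

// Demo registers one key, then verifies a genuine assertion, one made on a look-alike
// origin to which our challenge was relayed, and a replay of the genuine one against a
// fresh challenge (constructed constants). Returns (genuineAccepted, relayRejected, replayRejected).
func Demo() (bool, bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	pub, ch1, ch2 := &priv.PublicKey, "c1-constructed-challenge", "c2-constructed-challenge"
	genuine, _ := SimulateAuthenticator(priv, "https://example.com", ch1)
	relayed, _ := SimulateAuthenticator(priv, "https://example-login.com", ch1)
	return VerifyAssertion(pub, genuine, ch1) == nil, VerifyAssertion(pub, relayed, ch1) != nil,
		VerifyAssertion(pub, genuine, ch2) != nil, nil
}

func main() {
	ok, relay, replay, err := Demo()
	fmt.Println("genuine:", ok, "relay rejected:", relay, "replay rejected:", replay, err)
}
```

The relayed case is the contrast with SMS: a one-time code carries no origin, so a phishing page that forwards it to the real site succeeds, whereas the assertion above names the origin the browser actually saw and the signature covers it. In practice the browser would not even offer the `example.com` credential to `example-login.com`; the server-side origin check is the relying party's own defence in depth. The `criticalOps` list is where the page's second point lives: if `register_fido_credential` or `delete_fido_credential` were gated only by a weaker factor, an attacker who phished that factor could enrol their own authenticator and pass every later step-up.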