Many case studies describe using FIDO for login, primarily to improve the user experience. FIDO can also be used as an additional authentication method to raise the security level of an account. When FIDO is required in order to use a critical feature, driving adoption is relatively easy. However, to preserve that security level, FIDO credential management must itself be treated as a critical operation; otherwise the step-up can be sidestepped simply by registering a new credential. This raises several difficulties: account recovery, error handling, and risk control.
Mercari, Inc. provides C2C marketplace, finance, and cryptocurrency services. A few years ago, we were struggling badly with phishing attacks. We mitigated the situation by introducing additional authentication for critical operations, but this degraded the user experience and increased SMS authentication costs. Even if we accept that downside, phishing attacks remain a possible threat. To solve these problems, we decided to introduce FIDO. The experience we gained may be helpful for other services that require a relatively high level of security assurance.