Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication?

© 2020 IEEE. Fast Identity Online (FIDO) Alliance and W3C have defined a set of specifications (called FIDO2) that allows a user to replace the password based authentication system. However, none of the high profile web sites have implemented FIDO2 yet as password-less single factor (SF) authentication (password-less SF). In this paper, we analyze the set of factors that make websites reluctant to adopt password-less FIDO SF authentication. We start by comparing the threat models of password-less FIDO SF authentication with password-based SF authentication. Our analysis shows that although password-based authentication is less secure than FIDO SF authentication, other factors related to the usability of FIDO security keys and FIDO based authentication system, the non-consideration of enterprise requirements and the lack of specifications regarding account recovery/deletion and suspension are the main obstacles to the adoption of password-less FIDO SF authentication