Fast Identity Online 2 (FIDO2), a modern authentication protocol, is gaining popularity as a default strong authentication mechanism. It has been recognized as a leading candidate to overcome the limitations of existing authentication solutions (e.g., their lack of phishing resistance). However, the task of deprecating weak methods such as password-based authentication is not trivial and requires a comprehensive approach. While the security, privacy, and end-user usability of FIDO2 have been addressed in both academic and industry literature, the difficulties associated with its integration into production environments, such as solution completeness or edge-case support, have received little attention. In particular, complex environments such as enterprise identity management pose unique challenges for any authentication system. In this paper, we identify challenging enterprise identity lifecycle use cases (e.g., remote workforce and legacy systems) by conducting a usability study in which over 100 cybersecurity professionals shared their perception of the challenges to FIDO2 integration, drawn from their hands-on field experience. Our analysis of the user study results revealed serious gaps such as account recovery (selected by over 60% of our respondents) and identifies priority development areas for the FIDO2 community.