© FIDO Alliance 2024 Confidential

Slide 1
A Deep Dive on Passkeys: FIDO Paris Seminar
Roland Atoui
Security Secretariat, FIDO Alliance
Slide 2
FIDO since 2013: Simpler and stronger

[Chart: security (weak to strong) plotted against usability (poor to easy)]

Single gesture + possession-based + phishing-resistant = authentication
Open standards for simpler, stronger authentication using public key cryptography
Slide 3
The very positives …

1. Provide a great alternative to traditional smart card deployments in high-risk environments
2. Offer phishing-resistant multi-factor authentication in a single authenticator
3. Increase the security of consumer two-factor authentication
Slide 4
But challenges for scale

1. Inconvenience of physical security keys
2. Higher barrier to adoption for users who don’t (want to) use two-factor authentication at all, and are stuck with passwords
3. Challenges with embedded authenticators as a second factor
Slide 5
We haven’t solved the main problem
Because our primary factor is passwords…

81% of hacking-related breaches are caused by weak or stolen passwords (Ping Identity)
76% gave up on a purchase because they forgot their password (FIDO Alliance)
43% rise in direct financial loss from successful phishing attacks from 2022-2023 (Proofpoint)
64% either use weak passwords or repeat variations of passwords (Keeper)

Easily phished or socially engineered, difficult to use and maintain
Slide 6
Focus on fixing the foundation
What if we could replace the outdated legacy model of “password + something else” with a single factor that was much more secure – and easier to use?
If phishing is now the primary threat, a single phishing-resistant authenticator is more valuable (in most cases) than two factors which are both easily phished.
Slide 7
Enter: Synced passkeys
Passkey
/’pas, kē/
noun
A FIDO Authentication credential that provides passwordless sign-ins to online services.
A passkey may be synced across a secure cloud so that it’s readily available on all of a user’s devices, or it can be bound to a dedicated device such as a FIDO security key.
Slide 8
A bit deeper on new(er) terminology
A passkey is any passwordless FIDO credential.
Raises the bar for both security and UX.
Is most commonly synchronized across a user’s devices – but doesn’t have to be.
A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager.
Facilitates new device bootstrapping and simplifies account recovery.
Security of synced passkeys is the responsibility of the passkey provider.
Live passkey providers include Apple, Google, Dashlane, 1Password.
Slide 9
Same standards-based approach, new capabilities

[Diagram: FIDO authentication between the authenticator and the service provider]

User verification: require a user gesture before the private key can be used
Private key dedicated to one app
Public key stored at service provider
Private key can be securely stored in the cloud for synchronization across devices
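The sign-in exchange the slide above sketches, as an added example that is not from the deck: a Go model of a WebAuthn assertion with ECDSA P-256, assuming a constructed relying-party ID `example.com` and origin `https://example.com`. The authenticator signs authenticatorData || SHA-256(clientDataJSON), and the relying party checks the challenge, the origin, the rpIdHash and the user-verification flag before verifying the signature; CBOR and base64url wire encodings are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed key pair standing in for one passkey: the private half stays with the
// authenticator, the public half is what the service provider stored at registration.
var authPriv, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
const (
	rpID       = "example.com"         // assumed relying-party ID
	goodOrigin = "https://example.com" // origin the RP expects in clientDataJSON
	flagUV     = 0x04                  // authenticatorData flag: user verified
)
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the authenticator hands back for navigator.credentials.get().
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte }
// sign models the authenticator: the browser records the origin it is really talking
// to, and the signature covers authenticatorData || SHA-256(clientDataJSON).
func sign(challenge, origin string, uv bool) Assertion {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash := sha256.Sum256([]byte(rpID))
	flags := byte(0x01) // user present (UP)
	if uv {
		flags |= flagUV
	}
	auth := append(rpHash[:], flags, 0, 0, 0, 1) // rpIdHash || flags || counter=1
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, authPriv, digest[:])
	return Assertion{cd, auth, sig}
}
// verify is the relying-party side; these checks are what make the credential
// phishing-resistant and what enforce the user-verification gesture.
func verify(a Assertion, challenge string, pub *ecdsa.PublicKey) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != goodOrigin {
		return false // replayed challenge, or an origin this key was never bound to
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) || a.AuthData[32]&flagUV == 0 {
		return false // wrong rpId, or the gesture the RP required was not performed
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], a.Sig)
}
func main() {
	ch := "constructed-challenge-123" // RP-issued, single-use
	println(verify(sign(ch, goodOrigin, true), ch, &authPriv.PublicKey)) // true
}
```

Because the signed client data carries the origin the browser actually connected to, an assertion produced on a look-alike site fails the origin check at the real relying party even though the user performed the gesture.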
Slide 10
[Figure: synced passkeys compared with device-bound passkeys]
Slide 11
Cross-device authentication
Enables passkeys to be used to sign in to services not only on the user’s own device, but on nearby devices, too.
Image Credit: Google
Slide 12
Stronger, More Usable – Now More Scalable

[Chart: security (weak to strong) plotted against usability]
Slide 13
Some commonly needed clarifications

Are passkeys a new specification or standard from FIDO Alliance?
The same standards, commonly known as FIDO2 (WebAuthn and CTAP), are leveraged to deploy FIDO with passkeys for sign-in. The WebAuthn standard covers the browser API that manages passkeys.

Are passkeys vendor-specific?
Vendors support passkeys, but the passkey sign-ins are enabled by open standards.

Are all passkeys synced?
No. A FIDO security key can house a device-bound passkey.

Can passkeys only be used to sign in on phones?
Passkeys can sync to multiple form factors – phone to PC, to your TV, gaming console, etc.
Slide 14
Takeaways
Passkeys are…
Phishing-resistant FIDO credentials
Add account-recovery features that reduce the need for password resets
A superior alternative to passwords and legacy MFA, and a path towards passwordless
Able to drop in and ready for browsers (especially if you’re already using WebAuthn)
Already being used at scale! (Watch Andrew’s session to see the state of passwordless adoption)
Slide 15
Questions?
Slide 16
Thank you