© 2025 Yubico
How to simplify & accelerate Passkey adoption - making users phishing resistant.
Alex Wilson
Director Solution Engineering - Yubico
alex.wilson@yubico.com
Making the internet safer
● Providing “ubiquitous” access since 2007
● Vision: One simple security key to protect all services
● Leading inventor of FIDO / Passkey open authentication standard
● Driver of modern phishing-resistant directives
Yubico 2024 State of Global Authentication
Source: Yubico 2024 State of Global Authentication
Points in time when an enterprise user falls out of phishing-resistance
● Onboarding
● Device Registration
● Account Recovery
The rise of passkeys
Accelerating phishing resistance across individuals and organizations
FIDO: An open security standard backed by the FIDO Alliance, a group focused on moving away from a password-based system.
Credential: The unique ID a user has that “gets you through the gate” when you log on to any system.
Passkey
Industry Standard
Password Manager
Platform
Security Key
Accelerating Passkey Deployment
1. Beyond Mandates
2. Promote UX improvements
3. Low hanging fruit
4. Use existing tooling and processes
5. Phased approach to Passwordless
#1. Beyond mandates
Remove phishing from the enterprise
● Phishing-resistant registration
● Phishing-resistant authentication
● Phishing-resistant account recovery
Modern hardware security keys secure all points in the account lifecycle to create phishing-resistant users
#2. Focus on User Experience
User Experience is key. Passkeys remove MFA fatigue through simple and quick login
● Enhance cybersecurity resilience
● Reduce reliance on reactive measures
● Improve operational efficiency
● Stop account takeovers
● Protect the entire user credential lifecycle
● Minimize user decision-making
● Reduce the need and expense of user training programs
● Reduce help desk calls
● Ensure safe access from anywhere
#3. Simple project wins
Identify your use cases and your user types
User Types: Use Cases
● Mobile restricted: Secure call centers and other mobile restricted areas
● Shared workstation: Enable secure and efficient log-in for shared computers
● Remote workforce: Enable secure access from home
● Privileged accounts: Protect the most sensitive data and targeted employees
● Office workers: Improve security and productivity for office workers
● 3rd party user: Protect corporate system access by 3rd parties
● End customers: Safeguard end customer accounts
#4. Delivering a Credit Card experience
● Organization requests a YubiKey for a User
● Local Admin registers a Passkey on YubiKey using Enrollment API (yubienroll)
● YubiKey is shipped to User address
● User receives YubiKey.
● Yubico registers a Passkey on YubiKey using Enrollment API (Yubico as a Service)
● Requestor
● User receives PIN
● User authenticates
● Requestor sends PIN to User
● PIN is sent to requestor
#5. Phased approach in a move to passwordless
● Communication and Marketing: Messaging, channels, call to action
● Project Readiness: Use case strategies and integrations, project planning
● Training and Support: User marketing, education and support materials and processes
● Launch and Reporting: Pilot and go-live planning, key activity and success metrics
What to consider for 2025
The evolution of cyber attacks
● AI-powered
● Widening attack vectors
● Supply chain vulnerabilities
Push for stronger cybersecurity
● Regulations & mandates
● Cyber insurance costs
● Hacktivism
Embrace proactivity vs. reactivity
● Incident response
● Planning for recovery
● Zero Trust adoption
Protecting critical regional, national, and global infrastructure and services humanity relies on.
Thank you
Questions / Comments

How to Simplify and Accelerate Passkey Adoption.pptx


Editor's Notes

  • #1 Audience: both enterprise as well as individual users when they are outside of the org. 2024 has seen a whirlwind of change ranging from political shakeups and the global uncertainty they bring to a growth in data breaches and cyberattacks targeting industries and impacting critical infrastructure. We’ve seen a dramatic increase in phishing attacks that lure individuals into providing their credentials to bad actors who then use these credentials to infiltrate corporate networks guised as a legitimate user, all while circumventing certain forms of multi-factor authentication (MFA). With 2024 soon to be in the rear view mirror, prepare for a safe 2025 by attending this webinar to learn what organizations and individuals should be prioritizing to become phishing-resistant users and become cyber resilient against an ever-evolving cyber threat landscape.
  • #3 Ronnie will take and provides background on report. David to add color on sophistication of attacks where AI can be used. What we are presenting today is from a consumer and enterprise perspective. AI ingrained in daily lives with regards to phishing attacks and finding those AI attacks are more successful. Over this many countries. Q: Why are people worried about AI, what is the impact they are seeing in their daily lives?
  • #4 As we say in that example I gave upfront... there are key points in time when malicious actors can circumvent “phishing-resistant” MFA because at the center of it lies the fact that the user has set up their phishing-resistant form of MFA bootstrapped by a flimsy password. What happens when enterprise users lock themselves out of their accounts? What happens when enterprise users get a new device? Etc. Remember the example!... Call to the IT help desk and leverages stolen personally identifiable information of employees. Threat actor easily answers security questions. Then requests a password reset and requests to enroll a new device... cell phone to receive MFA codes. Defeats legacy MFA, including SMS text and even stronger forms of phishing-resistant MFA. What enterprises need is a passwordless bootstrapping method. How do you onboard your users? Certificate-Based Solutions. FIDO Based Solutions.
  • #5 Ronnie and David cover Passkey momentum in 2024 and rebrand. FIDO credential. David and I were just at Gartner IAM and passkey more involved in as well and quote. From awareness standpoint 50% of consumers are aware of passkeys up from 30% up from last year. 68% of orgs say passkey deployment is a high priority. Seen Amazon, Salesforce, CVS, LinkedIn, business and consumer apps adding support. There is really good momentum that we are seeing with passkeys. Talk track: more services going mainstream in 2024 talking through the list. There is often confusion about what is a passkey. The term passkey has recently flooded the scene and appears to be something brand new. Passkeys are simply a rebranding of FIDO credentials. Giving FIDO credentials a more recognizable name to users. There are 3 points of confusion we commonly encounter. You should know that Passkeys are FIDO credentials, not to be confused with the device they live on. There are different types of passkeys which have different properties. And Passkeys can live on different types of authenticators.
  • #6 Ronnie to give overview
  • #7 As governments and industry bodies react to sophisticated credential attacks, their recommendations are incremental as each attack occurs. They traditionally try and address elevated access, remote workers and third party suppliers who have access to information and systems. These mandates are progressive but account takeovers continue to be effective in circumnavigating these policies and controls. Setting policies and controls to remove phishing from the enterprise, rather than following specific mandates, provides a much more comprehensive level of protection along with a greater ROI than targeted use of phishing resistant MFA.
  • #8 In many discussions with organisations considering or being mandated to adopt strong authentication there is a perceived resistance to implementing such a fundamental change in authentication. The actual change is minimal and through all deployments of passkeys today the adoption by users is positive. The benefits of no longer being requested to change passwords, the simplicity of login, the speed of login and the ongoing support reduction soon replace any misgivings on mass deployment and adoption of passkeys.
  • #9 Customer challenge: While working to deploy YubiKeys, a software company identified that contractors had different network security standards and were leveraging devices not issued by the customer. The solution: Applied a conditional access policy to contractor access. Began immediately distributing YubiKeys to this group to better secure their authentication and reduce potential vulnerabilities. That’s really interesting. Now I’d like to drill down on one particular area in the Readiness topic -- to investigate your use cases ahead of time. We often see deployments that are centered around one use case initially -- often the Information Security group or privileged access users. We sometimes, though, see clients who have other use cases that come to light after they begin their deployment or as they socialize YubiKeys through their organization. Beyond the use case of securing the most sensitive accounts, as mentioned earlier, remote workers have become a popular group to upgrade to modern authentication. In addition, shared workstations, and mobile restricted environments, such as call centers are also rapidly increasing. These use cases can include employees, third party contractors and partners, to your end-customers -- all of them need to be considered in looking at your use cases and your deployment, whether it has 1 or 10 use cases. The key takeaway here is to as much as possible determine your short term and longer term use cases early on, and to make sure that they are all included as you plan for your deployment, so that no groups get left behind and are at risk.
  • #10 When a new employee joins a company, they are sent a pre-registered key, directly to their location, in time to use to onboard on day 1 without any phishable secrets. For those employees who have already onboarded, the company can roll out pre-registered keys to their employees without any self-enrollment needed by the user and without IT admins needing to enroll on behalf of the user and manage the logistics. Finally, if that new employee or existing employee loses their key or it is stolen, replacement keys can be requested that are also pre-registered, ensuring the user continues to use phishing resistant MFA. Next slide
  • #12 Mel lead in now that we covered 2024 retrospective and speaking with our leaders within the org here is personal and enterprise overview of what we should be looking at out here is what we David better registration and getting people to adopt
    AI-powered cyberattacks
    Zero Trust adoption increases
    Supply chain attacks grow
    Protecting critical regional, national, and global infrastructure
    Cyber insurance costs rise
    IoT devices provide critical attack vectors
    Hacktivism
    Regulations & Mandates
    Incident response & planning for recovery
    exploiting weaknesses state funded hacking global division APTs
    10 Cybersecurity Predictions for 2025:
    1. AI-Powered Cyberattacks Become Mainstream: Attackers will use AI to develop highly targeted phishing campaigns, automate malware creation, and bypass security measures. Security teams will need AI-driven defenses to counter these sophisticated threats.
    2. Quantum Computing Threatens Legacy Encryption: As quantum computing advances, current encryption algorithms like RSA and ECC may become vulnerable. Organizations will start transitioning to quantum-safe cryptography to protect sensitive data.
    3. Ransomware-as-a-Service (RaaS) Will Proliferate: Ransomware operations will become more professionalized, offering "as-a-service" models to lower-tier cybercriminals. Multi-layered defenses and robust backup strategies will be critical to counter this growing threat.
    4. Zero Trust Adoption Becomes Universal: Zero Trust Architecture (ZTA) will move from a trend to an essential strategy, with organizations implementing granular access controls, continuous monitoring, and context-aware authentication across all systems.
    5. Explosive Growth in Supply Chain Attacks: Cybercriminals will increasingly exploit vulnerabilities in software, hardware, and service providers. Companies will adopt stricter third-party risk assessments and real-time monitoring for supply chain security.
    6. Cloud Security Becomes a Top Priority: As cloud adoption continues to rise, attackers will target misconfigured cloud environments. Companies will invest heavily in cloud-native security tools and automated compliance checks to mitigate risks.
    7. Data Sovereignty Regulations Tighten: Governments will impose stricter laws on how data is stored, processed, and shared across borders. Organizations will need to adapt with localized data strategies and ensure compliance with region-specific regulations.
    8. Cyber Insurance Costs Will Skyrocket: With the increase in cyberattacks, insurers will raise premiums and demand more stringent security measures from policyholders. Businesses will need to prove robust security practices to qualify for coverage.
    9. IoT Devices Become Critical Attack Vectors: The proliferation of Internet of Things (IoT) devices will create new vulnerabilities, particularly in critical infrastructure sectors. Enhanced IoT security standards and real-time monitoring will become essential.
    10. Focus on Cybersecurity Skills Gap: The global shortage of cybersecurity professionals will lead to increased investment in automation and AI to fill gaps, alongside aggressive hiring and training initiatives to build talent pipelines.
    The cybersecurity landscape in 2025 will demand innovation, proactive defenses, and a focus on resilience as threats evolve and regulations become more complex.
    I think the AI-powered cyberattacks, Supply chain attacks, cloud security top priority, cyber insurance cost increases, and IoT devices could be really good ones —
    https://blog.checkpoint.com/security/2025-cyber-security-predictions-the-rise-of-ai-driven-attacks-quantum-threats-and-social-media-exploitation/
    https://www.computerweekly.com/opinion/CISOs-will-face-growing-challenges-in-2025
    https://securityscorecard.com/blog/2025-security-predictions-the-forces-reshaping-cybersecurity/
    https://www.forbes.com/councils/forbestechcouncil/2024/11/22/six-cybersecurity-trends-heating-up-in-2025/