FIDO Alliance, profile picture
Uploaded byFIDO Alliance
PPTX, PDF1,907 views

Intro to Passkeys and the State of Passwordless.pptx

The document discusses the FIDO Alliance's focus on promoting passwordless authentication via passkeys, detailing a range of topics including security challenges posed by traditional passwords, the importance of usability, and the transition to synced passkeys. It highlights the role of passkeys in enhancing security and user experience while addressing existing weaknesses in multi-factor authentication. Various sessions led by industry experts are outlined, emphasizing the implementation and benefits of passkeys in combating evolving cyber threats.

Technology
In this document
Powered by AI

The presentation introduces Passkeys and outlines the agenda for sessions discussing passwordless authentication.

FIDO Alliance is a global tech consortium focused on standardizing password-free sign-ins supported by industry leaders.

Highlights strengths of FIDO authentication, including security and usability, and the challenges with traditional two-factor systems.

Data on password vulnerabilities, hacking breaches, and rising phishing threats demonstrate the need for enhanced security.

Proposes the shift from traditional 'password + something else' models to single-factor, more secure authentication mechanisms.

Defines passkeys as passwordless authentication credentials, elaborating on their functionalities and advantages.

Describes technical aspects of passkeys, including user verification and synchronization across devices.

Announces World Password Day 2024 and showcases significant passkey support statistics among top websites.

Discusses the FIDO Design System and its focus on usability and rapid adoption of passkeys.

Details the role of FIDO in government authentication efforts and the importance of phishing resistance over mere MFA.

Emphasizes the advantages of synced passkeys over passwords and focuses on comprehensive security across account lifecycles.

Ends the presentation and invites questions from the audience.

Embed presentation

Downloaded 54 times
© FIDO Alliance 2024 1 © FIDO Alliance 2024 1 Intro to Passkeys and the State of Passwordless Andrew Shikiar Executive Director & CEO FIDO Alliance
© FIDO Alliance 2024 2 Today’s Agenda APPROX START TIME SESSION SPEAKER(S) Session 1: Building the Business Case: Intro to Passkeys & Passkeys in Action 1:15 – 1:40 Intro to Passkeys and the State of Passwordless Andrew Shikiar, FIDO Alliance 1:45 – 2:05 Passkeys Deep Dive Shane Weeden, IBM 2:10 – 2:30 How Hyatt Drives Exceptional Customer Experiences with FIDO Authentication David Treece, Yubico Art Chernobrov, Hyatt Hotels 2:35 – 2:55 Passkeys in the B2B2C World – A Journey to Passwordless Tushar Phondge, ADP Sanjoli Ahuja, ADP 2:55 – 3:10 Break Session 2: Technical Implementation: Implement Passkeys & Meet the Experts 3:10 – 3:30 Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats Bojan Simic, HYPR 3:35 – 3:55 New UX Guidance for Implementing Passkeys Kevin Goldman, UXWG, FIDO Alliance Philip Corriveau, RSA 4:00 – 4:20 Tales from a Passkey Provider – Progress from Awareness to Implementation Nick Steele, 1Password Shane Weeden, IBM Megan Shamas, FIDO Alliance 4:25 – 5:15 Implementation AMA – Ask your passkey questions! Nick Steele, 1Password Christiaan Brand, Google Shane Weeden, IBM Megan Shamas, FIDO Alliance
© FIDO Alliance 2024 3 What is the FIDO Alliance? We are a global tech consortium standardizing password-free sign-ins
© FIDO Alliance 2024 4 Backed by global tech leaders + Sponsor members + Associate members + Liaison members + Government members
© FIDO Alliance 2024 5 Security Usability Poor Easy Weak Strong = Single Gesture Possession-based Phishing-resistant Authentication Open standards for simpler, stronger authentication using public key cryptography FIDO since 2013: Simpler and stronger
© FIDO Alliance 2024 6 2 1 3 Provide great alternative to traditional smart card deployments in high-risk environments Offer phishing-resistant multi-factor authentication in a single authenticator Increase the security of consumer two-factor authentication The very positives …
© FIDO Alliance 2024 7 2 1 3 Inconvenience of physical security keys Higher barrier to adoption for users who don’t (want to) use two-factor authentication at all, and are stuck with passwords Challenges with embedded authenticators as a second factor But challenges for scale
© FIDO Alliance 2024 8 The foundation of authentication is fundamentally flawed of hacking-related breaches are caused by weak or stolen passwords (Ping Identity) 81% 76% Gave up on a purchase because they forgot their password (FIDO Alliance) 43% Rise in direct financial loss from successful phishing attacks from 2022-2023 (Proofpoint) either use weak passwords or repeat variations of passwords (Keeper) 64% When our primary factor is passwords… Easily phished or socially engineered, difficult to use and maintain
© FIDO Alliance 2024 9 Layering on does not work The art of MFA Bypass: How attackers regularly beat two- factor authentication Phishing Attacks Rise Sharply in Southeast Asia: Kaspersky Detects Over 43M Email-Based Phishing Region in 2022 Brace for more phishing, scams, data breaches, APT attacks in APAC 2024 …then our additional layers – while well-intended and necessary – are there to cover up password problems Often still phishable, socially engineered, difficult to use and maintain Data breach cost Latitude $76 million: Cyber attack on Australian company Latitude Financial saw the personal data of up to 14 million customers stolen.
© FIDO Alliance 2024 10 967% 54% 1265% Of consumers have noticed phishing messages become more sophisticated in last 60 days (FIDO Alliance) Rise in malicious phishing emails since Q4 2022 (Slashnext) Rise in credential phishing in particular since Q4 2022 (Slashnext) Generative AI adds fuel to the phishing fire
© FIDO Alliance 2024 11 A fundamental pivot is needed..: What if we could replace the outdated legacy model of “password + something else” and could replace it with a single factor that was much more secure – and easier to use?
© FIDO Alliance 2024 12 A fundamental pivot is needed..: What if we could replace the outdated legacy model of “password + something else” and could replace it with a single factor that was much more secure – and easier to use? If phishing is now the primary threat - a single phishing- resistant authenticator is more valuable (in most cases) than two factors which are both easily phished.
© FIDO Alliance 2024 13 Enter: Synced passkeys Passkey /’pas, kē/ noun A FIDO Authentication credential that provides passwordless sign-ins to online services. A passkey may be synced across a secure cloud so that it’s readily available on all of a user’s devices, or it can be bound to a dedicated device such as a FIDO security key.
© FIDO Alliance 2024 14 A bit deeper on new(er) terminology A passkey is any passwordless FIDO credential Raises the bar for both security and UX Is most commonly synchronized across a user’s devices – but doesn’t have to be A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager. Facilitates new device bootstrapping and simplifies account recovery Security of synced passkeys is the responsibility of the passkey provider Live passkey providers include Apple, Google, Dashlane, 1Password
© FIDO Alliance 2024 15 Same approach – with new syncing capabilities User verification Require user gesture before private key can be used Authenticator FIDO Authentication Private key dedicated to one app Public key stored at service provider
© FIDO Alliance 2024 16 Same approach – with new syncing capabilities User verification Require user gesture before private key can be used Authenticator FIDO Authentication Private key dedicated to one app Public key stored at service provider Private key can be securely synchronized across devices
World Password Day 2024 Consumer Password & Passkey Trends www.fidoalliance.org
© FIDO Alliance 2024 18 World Password Day 2024
© FIDO Alliance 2024 19 Passkey support today 98%+ 96%+ of the world’s top 100 websites and services of the world’s top 250 websites and services 20% 12% accounts can now leverage passkeys for sign in. 13B More than
© FIDO Alliance 2024 20 FIDO’s Focus on Usability Available Now • FIDO Design System • UX guidelines for passkeys, security keys, and device authenticators • UI Kit Coming soon: Passkey Resource Center
© FIDO Alliance 2024 21 Rapid adoption
© FIDO Alliance 2024 22 Proven success
© FIDO Alliance 2024 23 Government utilization of FIDO Authentication
© FIDO Alliance 2024 24 Reframing the regulatory narrative “Syncable authenticators that are deployed under the requirements set forth in this supplement SHALL be considered sufficient to protect against threat contemplated under AAL2.”
© FIDO Alliance 2024 25 Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
© FIDO Alliance 2024 26 A synced passkey is always better than a password alone Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
© FIDO Alliance 2024 27 If you’re using password + SMS OTP, passkeys are better A synced passkey is always better than a password alone Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
© FIDO Alliance 2024 28 Stop checking a box for “MFA”… … and start thinking about your business requirements One size doesn’t fit all – consider business , regulatory, and security requirements • Pair with another factor • Leverage risk signals • Require device-bound passkey
© FIDO Alliance 2024 29 © FIDO Alliance 2024 29 Looking forward...
© FIDO Alliance 2024 30 KBA Weak remote IDV systems tricked by synthetic documents and fabricated biometrics Accounts created with stolen or synthetic identities Account Enrollment Passwords Phishable MFA Account takeovers via phishing, man in the middle, credential stuffing and other attacks Authentication Only as sound as 1 and 2! Major vector for account takeover Account Recovery/Reverification = = = The Old Way: Every Part of the Online Account Lifecycle Susceptible to Attacks
© FIDO Alliance 2024 31 Backed by FIDO Certification programs Tested by accredited third party labs Removes need for vendor “bake offs” • Biometric Component Certification • IDV Document Authenticity • IDV Selfie & Face (coming soon) The New Way: advanced technologies for remote identity verification snuff out attacks • Reliable and accurate document verification • Biometric verification checks for liveness to identify spoofs o Photos of screens, 2D & 3D masks, image upload manipulation, etc. • Biometric systems have advanced reliability presentation attack detection
© FIDO Alliance 2024 32 The New Way: Securing Every Part of the Account Lifecycle Strong remote IDV systems can detect synthetic documents and fabricated biometrics Accounts created only for individuals with proven identity Account Enrollment FIDO phishing-resistant authentication with passkeys Strong security at every sign in Authentication As sound as 1 and 2! Accounts are NOT taken over through account recovery and re-verification methods Account Recovery/Reverification = = =
© FIDO Alliance 2024 33 © FIDO Alliance 2024 33 Questions?

More Related Content

PPTX
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
PPTX
Introduction to FIDO Authentication and Passkeys.pptx
byFIDO Alliance
 
PPTX
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
PPTX
FIDO Alliance - Simpler Stronger Authentication.pptx
byLoriGlavin3
 
PPTX
FIDO Masterclass
byFIDO Alliance
 
PPTX
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
byLoriGlavin3
 
PPTX
Going Passwordless with Microsoft
byFIDO Alliance
 
PDF
NIST 800-63 Guidance & FIDO Authentication
byFIDO Alliance
 
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
Introduction to FIDO Authentication and Passkeys.pptx
byFIDO Alliance
 
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
FIDO Alliance - Simpler Stronger Authentication.pptx
byLoriGlavin3
 
FIDO Masterclass
byFIDO Alliance
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
byLoriGlavin3
 
Going Passwordless with Microsoft
byFIDO Alliance
 
NIST 800-63 Guidance & FIDO Authentication
byFIDO Alliance
 

What's hot

PPTX
IBM: Hey FIDO, Meet Passkey!.pptx
byFIDO Alliance
 
PDF
FIDO and the Future of User Authentication
byFIDO Alliance
 
PDF
Future-proofing Authentication with Passkeys
byNordic APIs
 
PPTX
Fido Technical Overview
byFIDO Alliance
 
PPTX
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
PPTX
Introduction to FIDO Alliance
byFIDO Alliance
 
PDF
Google & FIDO Authentication
byFIDO Alliance
 
PPTX
What is Zero Trust
byOkta-Inc
 
PDF
Introduction to OpenID Connect
byNat Sakimura
 
PPTX
Azure security and Compliance
byKarina Matos
 
PDF
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
PPTX
Preparing your enteprise for Hybrid AD Join and Conditional Access
byJason Condo
 
PDF
Azure Security Overview
byDavid J Rosenthal
 
PDF
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
PPTX
3 Modern Security - Secure identities to reach zero trust with AAD
byAndrew Bettany
 
PDF
Microsoft's Implementation Roadmap for FIDO2
byFIDO Alliance
 
PPTX
Azure Identity and access management
byDinusha Kumarasiri
 
PPTX
AZ-104T00A-ENU-PowerPoint_00.pptx
byAliChallioui
 
PPTX
Azure active directory
byRaju Kumar
 
PDF
Manage Microservices Chaos and Complexity with Observability
byNGINX, Inc.
 
IBM: Hey FIDO, Meet Passkey!.pptx
byFIDO Alliance
 
FIDO and the Future of User Authentication
byFIDO Alliance
 
Future-proofing Authentication with Passkeys
byNordic APIs
 
Fido Technical Overview
byFIDO Alliance
 
Zero trust Architecture
byAddWeb Solution Pvt. Ltd.
 
Introduction to FIDO Alliance
byFIDO Alliance
 
Google & FIDO Authentication
byFIDO Alliance
 
What is Zero Trust
byOkta-Inc
 
Introduction to OpenID Connect
byNat Sakimura
 
Azure security and Compliance
byKarina Matos
 
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
Preparing your enteprise for Hybrid AD Join and Conditional Access
byJason Condo
 
Azure Security Overview
byDavid J Rosenthal
 
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
3 Modern Security - Secure identities to reach zero trust with AAD
byAndrew Bettany
 
Microsoft's Implementation Roadmap for FIDO2
byFIDO Alliance
 
Azure Identity and access management
byDinusha Kumarasiri
 
AZ-104T00A-ENU-PowerPoint_00.pptx
byAliChallioui
 
Azure active directory
byRaju Kumar
 
Manage Microservices Chaos and Complexity with Observability
byNGINX, Inc.
 

Similar to Intro to Passkeys and the State of Passwordless.pptx

PPTX
FIDO Authentication: Unphishable MFA for All
byFIDO Alliance
 
PPTX
FIDO Alliance: Welcome and FIDO Update.pptx
byFIDO Alliance
 
PPTX
Welcome and FIDO Update.pptx
byFIDO Alliance
 
PDF
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
PPTX
The State of Passkeys with FIDO Alliance.pptx
byLoriGlavin3
 
PPTX
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
PPTX
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
PPTX
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
PPTX
FIDO and Government: How Policymakers and Regulators are Thinking About Auth...
byLoriGlavin3
 
PDF
FIDO Alliance Osaka Seminar: Overview.pdf
byFIDO Alliance
 
PPTX
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
byFIDO Alliance
 
PDF
Javelin Research's State of Strong Authentication 2019 Report Webinar
byFIDO Alliance
 
PDF
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
PPTX
IdentityVerification IDV + Passkeys.pptx
byLoriGlavin3
 
PDF
FIDO Alliance Vision and Status
byFIDO Alliance
 
PPTX
Authenticate 2021: Welcome Address
byFIDO Alliance
 
PDF
Beyond Passwords: FIDO & the Future of Consumer Authentication
byFIDO Alliance
 
PPTX
Strong Authentication Trends in Government
byFIDO Alliance
 
PPTX
FIDO Alliance Vision and Updates
byFIDO Alliance
 
PDF
2018 12-07 tokyo-seminar Brett McDowell
byFIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
byFIDO Alliance
 
FIDO Alliance: Welcome and FIDO Update.pptx
byFIDO Alliance
 
Welcome and FIDO Update.pptx
byFIDO Alliance
 
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
The State of Passkeys with FIDO Alliance.pptx
byLoriGlavin3
 
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
FIDO and Government: How Policymakers and Regulators are Thinking About Auth...
byLoriGlavin3
 
FIDO Alliance Osaka Seminar: Overview.pdf
byFIDO Alliance
 
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
byFIDO Alliance
 
Javelin Research's State of Strong Authentication 2019 Report Webinar
byFIDO Alliance
 
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
IdentityVerification IDV + Passkeys.pptx
byLoriGlavin3
 
FIDO Alliance Vision and Status
byFIDO Alliance
 
Authenticate 2021: Welcome Address
byFIDO Alliance
 
Beyond Passwords: FIDO & the Future of Consumer Authentication
byFIDO Alliance
 
Strong Authentication Trends in Government
byFIDO Alliance
 
FIDO Alliance Vision and Updates
byFIDO Alliance
 
2018 12-07 tokyo-seminar Brett McDowell
byFIDO Alliance
 

More from FIDO Alliance

PPTX
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: LY-DOCOMO-KDDI-Mercari Panel.pdf
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
PPTX
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
byFIDO Alliance
 
PPTX
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: NEC & Yubico Panel.pdf
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
PPTX
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: LY-DOCOMO-KDDI-Mercari Panel.pdf
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
byFIDO Alliance
 
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
byFIDO Alliance
 
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: NEC & Yubico Panel.pdf
byFIDO Alliance
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
byFIDO Alliance
 
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 

Recently uploaded

PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 

Intro to Passkeys and the State of Passwordless.pptx

  • 1.
    © FIDO Alliance2024 1 © FIDO Alliance 2024 1 Intro to Passkeys and the State of Passwordless Andrew Shikiar Executive Director & CEO FIDO Alliance
  • 2.
    © FIDO Alliance2024 2 Today’s Agenda APPROX START TIME SESSION SPEAKER(S) Session 1: Building the Business Case: Intro to Passkeys & Passkeys in Action 1:15 – 1:40 Intro to Passkeys and the State of Passwordless Andrew Shikiar, FIDO Alliance 1:45 – 2:05 Passkeys Deep Dive Shane Weeden, IBM 2:10 – 2:30 How Hyatt Drives Exceptional Customer Experiences with FIDO Authentication David Treece, Yubico Art Chernobrov, Hyatt Hotels 2:35 – 2:55 Passkeys in the B2B2C World – A Journey to Passwordless Tushar Phondge, ADP Sanjoli Ahuja, ADP 2:55 – 3:10 Break Session 2: Technical Implementation: Implement Passkeys & Meet the Experts 3:10 – 3:30 Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats Bojan Simic, HYPR 3:35 – 3:55 New UX Guidance for Implementing Passkeys Kevin Goldman, UXWG, FIDO Alliance Philip Corriveau, RSA 4:00 – 4:20 Tales from a Passkey Provider – Progress from Awareness to Implementation Nick Steele, 1Password Shane Weeden, IBM Megan Shamas, FIDO Alliance 4:25 – 5:15 Implementation AMA – Ask your passkey questions! Nick Steele, 1Password Christiaan Brand, Google Shane Weeden, IBM Megan Shamas, FIDO Alliance
  • 3.
    © FIDO Alliance2024 3 What is the FIDO Alliance? We are a global tech consortium standardizing password-free sign-ins
  • 4.
    © FIDO Alliance2024 4 Backed by global tech leaders + Sponsor members + Associate members + Liaison members + Government members
  • 5.
    © FIDO Alliance2024 5 Security Usability Poor Easy Weak Strong = Single Gesture Possession-based Phishing-resistant Authentication Open standards for simpler, stronger authentication using public key cryptography FIDO since 2013: Simpler and stronger
  • 6.
    © FIDO Alliance2024 6 2 1 3 Provide great alternative to traditional smart card deployments in high-risk environments Offer phishing-resistant multi-factor authentication in a single authenticator Increase the security of consumer two-factor authentication The very positives …
  • 7.
    © FIDO Alliance2024 7 2 1 3 Inconvenience of physical security keys Higher barrier to adoption for users who don’t (want to) use two-factor authentication at all, and are stuck with passwords Challenges with embedded authenticators as a second factor But challenges for scale
  • 8.
    © FIDO Alliance2024 8 The foundation of authentication is fundamentally flawed of hacking-related breaches are caused by weak or stolen passwords (Ping Identity) 81% 76% Gave up on a purchase because they forgot their password (FIDO Alliance) 43% Rise in direct financial loss from successful phishing attacks from 2022-2023 (Proofpoint) either use weak passwords or repeat variations of passwords (Keeper) 64% When our primary factor is passwords… Easily phished or socially engineered, difficult to use and maintain
  • 9.
    © FIDO Alliance2024 9 Layering on does not work The art of MFA Bypass: How attackers regularly beat two- factor authentication Phishing Attacks Rise Sharply in Southeast Asia: Kaspersky Detects Over 43M Email-Based Phishing Region in 2022 Brace for more phishing, scams, data breaches, APT attacks in APAC 2024 …then our additional layers – while well-intended and necessary – are there to cover up password problems Often still phishable, socially engineered, difficult to use and maintain Data breach cost Latitude $76 million: Cyber attack on Australian company Latitude Financial saw the personal data of up to 14 million customers stolen.
  • 10.
    © FIDO Alliance2024 10 967% 54% 1265% Of consumers have noticed phishing messages become more sophisticated in last 60 days (FIDO Alliance) Rise in malicious phishing emails since Q4 2022 (Slashnext) Rise in credential phishing in particular since Q4 2022 (Slashnext) Generative AI adds fuel to the phishing fire
  • 11.
    © FIDO Alliance2024 11 A fundamental pivot is needed..: What if we could replace the outdated legacy model of “password + something else” and could replace it with a single factor that was much more secure – and easier to use?
  • 12.
    © FIDO Alliance2024 12 A fundamental pivot is needed..: What if we could replace the outdated legacy model of “password + something else” and could replace it with a single factor that was much more secure – and easier to use? If phishing is now the primary threat - a single phishing- resistant authenticator is more valuable (in most cases) than two factors which are both easily phished.
  • 13.
    © FIDO Alliance2024 13 Enter: Synced passkeys Passkey /’pas, kē/ noun A FIDO Authentication credential that provides passwordless sign-ins to online services. A passkey may be synced across a secure cloud so that it’s readily available on all of a user’s devices, or it can be bound to a dedicated device such as a FIDO security key.
  • 14.
    © FIDO Alliance2024 14 A bit deeper on new(er) terminology A passkey is any passwordless FIDO credential Raises the bar for both security and UX Is most commonly synchronized across a user’s devices – but doesn’t have to be A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager. Facilitates new device bootstrapping and simplifies account recovery Security of synced passkeys is the responsibility of the passkey provider Live passkey providers include Apple, Google, Dashlane, 1Password
  • 15.
    © FIDO Alliance2024 15 Same approach – with new syncing capabilities User verification Require user gesture before private key can be used Authenticator FIDO Authentication Private key dedicated to one app Public key stored at service provider
  • 16.
    © FIDO Alliance2024 16 Same approach – with new syncing capabilities User verification Require user gesture before private key can be used Authenticator FIDO Authentication Private key dedicated to one app Public key stored at service provider Private key can be securely synchronized across devices
  • 17.
    World Password Day2024 Consumer Password & Passkey Trends www.fidoalliance.org
  • 18.
    © FIDO Alliance2024 18 World Password Day 2024
  • 19.
    © FIDO Alliance2024 19 Passkey support today 98%+ 96%+ of the world’s top 100 websites and services of the world’s top 250 websites and services 20% 12% accounts can now leverage passkeys for sign in. 13B More than
  • 20.
    © FIDO Alliance2024 20 FIDO’s Focus on Usability Available Now • FIDO Design System • UX guidelines for passkeys, security keys, and device authenticators • UI Kit Coming soon: Passkey Resource Center
  • 21.
    © FIDO Alliance2024 21 Rapid adoption
  • 22.
    © FIDO Alliance2024 22 Proven success
  • 23.
    © FIDO Alliance2024 23 Government utilization of FIDO Authentication
  • 24.
    © FIDO Alliance2024 24 Reframing the regulatory narrative “Syncable authenticators that are deployed under the requirements set forth in this supplement SHALL be considered sufficient to protect against threat contemplated under AAL2.”
  • 25.
    © FIDO Alliance2024 25 Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
  • 26.
    © FIDO Alliance2024 26 A synced passkey is always better than a password alone Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
  • 27.
    © FIDO Alliance2024 27 If you’re using password + SMS OTP, passkeys are better A synced passkey is always better than a password alone Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
  • 28.
    © FIDO Alliance2024 28 Stop checking a box for “MFA”… … and start thinking about your business requirements One size doesn’t fit all – consider business , regulatory, and security requirements • Pair with another factor • Leverage risk signals • Require device-bound passkey
  • 29.
    © FIDO Alliance2024 29 © FIDO Alliance 2024 29 Looking forward...
  • 30.
    © FIDO Alliance2024 30 KBA Weak remote IDV systems tricked by synthetic documents and fabricated biometrics Accounts created with stolen or synthetic identities Account Enrollment Passwords Phishable MFA Account takeovers via phishing, man in the middle, credential stuffing and other attacks Authentication Only as sound as 1 and 2! Major vector for account takeover Account Recovery/Reverification = = = The Old Way: Every Part of the Online Account Lifecycle Susceptible to Attacks
  • 31.
    © FIDO Alliance2024 31 Backed by FIDO Certification programs Tested by accredited third party labs Removes need for vendor “bake offs” • Biometric Component Certification • IDV Document Authenticity • IDV Selfie & Face (coming soon) The New Way: advanced technologies for remote identity verification snuff out attacks • Reliable and accurate document verification • Biometric verification checks for liveness to identify spoofs o Photos of screens, 2D & 3D masks, image upload manipulation, etc. • Biometric systems have advanced reliability presentation attack detection
  • 32.
    © FIDO Alliance2024 32 The New Way: Securing Every Part of the Account Lifecycle Strong remote IDV systems can detect synthetic documents and fabricated biometrics Accounts created only for individuals with proven identity Account Enrollment FIDO phishing-resistant authentication with passkeys Strong security at every sign in Authentication As sound as 1 and 2! Accounts are NOT taken over through account recovery and re-verification methods Account Recovery/Reverification = = =
  • 33.
    © FIDO Alliance2024 33 © FIDO Alliance 2024 33 Questions?

Editor's Notes

  • #9 We’ve been talking about the password problem for so long now I feel like we’ve actually lost sight of how LARGE of a problem it really is – instead focusing on all of the great benefits of unphishable FIDO-based MFA (rightly).
  • #10 That being said, 2FA certainly is out there and yes, is much better than a password alone. But legacy forms of 2FA really are just bandaids to try and stem the damage from the flawed primary factor. And it’s little wonder that we’re seeing damaing MFA bypass attacks that leverage a combination of social engineering and traditional phishing to access enterprise systems and/or user accounts. We saw this coming last year and were sadly correct. I think that on the consumer side in 2023 Smishing will really go mainstream at least here in the US – and will be hugely damaging
  • #11 We’ve been talking about the password problem for so long now I feel like we’ve actually lost sight of how LARGE of a problem it really is – instead focusing on all of the great benefits of unphishable FIDO-based MFA (rightly). But the fact of the matter is that MFA adoption has lagged – especially for consumers. Part of this is lack of will by RPs, but it’s mainly IMO an issue of usability and ease of access. These stats are a little old tbh, we saw phishing rise during covid, and now we are seeing phishing become even easier thanks to generative AI 54% of people have noticed an increase in suspicious messages and scams online, while 52% believe these have become more sophisticated. 
  • #16 We always need a device in the middle, we call this the authenticator Step 1 - Local interaction between the user and authenticator – we call this user verification On the front end, we are very flexible – we require some user gesture and that gesture is verified by the authenticator directly Facial recognition, local PIN entry, security key – but we will talk more about the user experience in a minute Step 2: Once the user is verified by the authenticator, which lives on your personal device, the authenticator then authenticates you to the service. Not using your information or the evidence of who you are, but actually using public key cryptography. What’s beautiful about public key cryptography is you don’t ever have to give away your private key (your secret), with asymmetric cryptography – which is what we use – you use that private key to sign a challenge : proof of possession that you have the right private key. The service provider verifies that it is correct with the corresponding public key. Unique key pairs for each service – this is essential for privacy. No global identifiers with FIDO. Simple change of architecture turns the model upside down. The only thing now that is stored on a server are the public keys, which aren’t useful for scalable attack.
  • #17 We always need a device in the middle, we call this the authenticator Step 1 - Local interaction between the user and authenticator – we call this user verification On the front end, we are very flexible – we require some user gesture and that gesture is verified by the authenticator directly Facial recognition, local PIN entry, security key – but we will talk more about the user experience in a minute Step 2: Once the user is verified by the authenticator, which lives on your personal device, the authenticator then authenticates you to the service. Not using your information or the evidence of who you are, but actually using public key cryptography. What’s beautiful about public key cryptography is you don’t ever have to give away your private key (your secret), with asymmetric cryptography – which is what we use – you use that private key to sign a challenge : proof of possession that you have the right private key. The service provider verifies that it is correct with the corresponding public key. Unique key pairs for each service – this is essential for privacy. No global identifiers with FIDO. Simple change of architecture turns the model upside down. The only thing now that is stored on a server are the public keys, which aren’t useful for scalable attack.
  • #18 We surveyed 2k people across the US and UK and found that people continue to struggle with traditional passwords As these struggles continue, more consumers are aware of passkeys and trying them out as a password alternative. The data reveals a positive trend: when people adopt at least one passkey, they are more likely to enable the technology on other applications to improve convenience and security online
  • #19 Last Thursday was World Password Day. We just spent all this time talking about passkeys, and yet we’re still celebrating a holiday focused on passwords. We are constantly asked “When will we REALLY kill the password?” The answer is: When the use of passkeys outweighs the use of passwords. Ok, but when will that be? [CLICK] This year we are another step closer to that goal. Microsoft rolled out passkeys to all of its user accounts. [CLICK] And Google shared an incredible update that more than 400 MILLION accounts are now protected by passkeys – and passkeys have been used more than 1 BILLION times. Not to mention countless other FIDO Members who launched data, news, and campaigns promoting their successes and endorsements of passkeys. At this point I think it’s safe to say we’re ready to ditch World PASSWORD day in favor of something new - [CLICK] World PASSKEY Day. We look forward to seeing you all celebrate and launch campaigns around that one next year.
  • #22 But overall, the progress with passkeys has been nothing short of phenomenal It started with PayPal and a few other services on in Q4, and then really picking up steam as passkey support was live across Google platforms by early 2023. To the point now where we have brands such as these – and surely many more – that are all moving their consumers away from passwords, and towards passkeys. These are some of the brands that are already enabling passkey sign-ins. These include leading payment and ecommerce services telecom and more. Perhaps most notably Google a few months ago enabled anyone with a Google account to enroll a passkey associated with that account that means that billions the consumers now have the ability to use past keys instead of passwords for Google services such as Gmail - and also for sites that support Google social sign in. Look in the news and you’ll see passkeys reaching far and wide in the industry. Deployments and commitments, products, services. Even password managers, who many thought would be displaced by this development, are embracing it and making it their new business model.
  • #23 FIDO has provided ROI since its earliest implementations, and synched passkeys fully unlock that capability at scale. - several case studies this week where you can hear directly from practitioners, but some examples include [click] Air New Zealand [click] This data from Google: passkeys instead of passwords for google account. They are seeing four times the sign in success vs passwords. 4x. And in half the time [click] Mercari is using passkeys as an MFA improvement over sms otp – they’re finding 21% sign-in improvement with a 75% time reduction [click] And of course FIDO is used extensively in the workforce – - HYPR /Forrester study found over 300% ROI due to massive reduction of password utilization - which led to higher employee productivity.
  • #24 CDS – Canadian Digital Services
  • #25 We also need to reframe the way regulators contemplate authentication EVERYONE’s frame of reference has always been to figure out how to mitigate the fundamental weakness of passwords – passkeys present a whole new paradigm for authentication And we’re grateful that NIST is consideraign synced credentials for 800-63-4 – and we’ll be undertaking similar efforts with key regulations o We are expecting that as PSD2 is revised, we will have more to report on ways to address compliance and hope to continue to have the opportunity to share updates and engage. We hope that DG FISMA will consider the importance of phishing-resistant authentication in any PSD2 revision – as well as consider alternative authentication models in SCA requirements that can enable better security and better user experience.
  • #31 Zooming back out, we realize that “identity” = more than just authentication It really starts with enrollment – and we need that to be possession-based as well. Specifically, replacing knowledge-based authn with possession-based approaches that leverage certified doc authn and livendess detection And we know that recovery is a major vector for ATOs
  • #32 What you get