© FIDO Alliance 2024
Intro to Passkeys and the
State of Passwordless
Andrew Shikiar
Executive Director & CEO
FIDO Alliance
Today’s Agenda
APPROX START TIME SESSION SPEAKER(S)
Session 1: Building the Business Case: Intro to Passkeys & Passkeys in Action
1:15 – 1:40 Intro to Passkeys and the State of Passwordless Andrew Shikiar, FIDO Alliance
1:45 – 2:05 Passkeys Deep Dive Shane Weeden, IBM
2:10 – 2:30 How Hyatt Drives Exceptional Customer Experiences with FIDO Authentication
David Treece, Yubico
Art Chernobrov, Hyatt Hotels
2:35 – 2:55 Passkeys in the B2B2C World – A Journey to Passwordless
Tushar Phondge, ADP
Sanjoli Ahuja, ADP
2:55 – 3:10 Break
Session 2: Technical Implementation: Implement Passkeys & Meet the Experts
3:10 – 3:30 Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats Bojan Simic, HYPR
3:35 – 3:55 New UX Guidance for Implementing Passkeys
Kevin Goldman, UXWG, FIDO Alliance
Philip Corriveau, RSA
4:00 – 4:20 Tales from a Passkey Provider – Progress from Awareness to Implementation
Nick Steele, 1Password
Shane Weeden, IBM
Megan Shamas, FIDO Alliance
4:25 – 5:15 Implementation AMA – Ask your passkey questions!
Nick Steele, 1Password
Christiaan Brand, Google
Shane Weeden, IBM
Megan Shamas, FIDO Alliance
What is the FIDO Alliance?
We are a global tech consortium
standardizing password-free sign-ins
Backed by global tech leaders
+ Sponsor members + Associate members + Liaison members + Government members
FIDO since 2013: Simpler and stronger
Open standards for simpler, stronger authentication using public key cryptography
Single Gesture, Possession-based, Phishing-resistant Authentication
[Chart: Security (Weak to Strong) versus Usability (Poor to Easy)]
The very positives …
• Provide great alternative to traditional smart card deployments in high-risk environments
• Offer phishing-resistant multi-factor authentication in a single authenticator
• Increase the security of consumer two-factor authentication
But challenges for scale
• Inconvenience of physical security keys
• Higher barrier to adoption for users who don’t (want to) use two-factor authentication at all, and are stuck with passwords
• Challenges with embedded authenticators as a second factor
The foundation of authentication is fundamentally flawed
• 81% of hacking-related breaches are caused by weak or stolen passwords (Ping Identity)
• 43% gave up on a purchase because they forgot their password (FIDO Alliance)
• 76% rise in direct financial loss from successful phishing attacks from 2022-2023 (Proofpoint)
• 64% either use weak passwords or repeat variations of passwords (Keeper)
When our primary factor is passwords…
Easily phished or socially engineered, difficult to use and maintain
Layering on does not work
…then our additional layers – while well-intended and necessary – are there to cover up password problems
Often still phishable, socially engineered, difficult to use and maintain
• The art of MFA Bypass: How attackers regularly beat two-factor authentication
• Phishing Attacks Rise Sharply in Southeast Asia: Kaspersky Detects Over 43M Email-Based Phishing Region in 2022
• Brace for more phishing, scams, data breaches, APT attacks in APAC 2024
• Data breach cost Latitude $76 million: Cyber attack on Australian company Latitude Financial saw the personal data of up to 14 million customers stolen.
Generative AI adds fuel to the phishing fire
• 54% of consumers have noticed phishing messages become more sophisticated in last 60 days (FIDO Alliance)
• 1265% rise in malicious phishing emails since Q4 2022 (Slashnext)
• 967% rise in credential phishing in particular since Q4 2022 (Slashnext)
A fundamental pivot is needed…
What if we could replace the outdated legacy model of “password + something else” with a single factor that was much more secure – and easier to use?
If phishing is now the primary threat - a single phishing-resistant authenticator is more valuable (in most cases) than two factors which are both easily phished.
Enter: Synced passkeys
Passkey
/’pas, kē/
noun
A FIDO Authentication credential that provides passwordless sign-ins to online services.
A passkey may be synced across a secure cloud so that it’s readily available on all of a user’s devices, or it can be bound to a dedicated device such as a FIDO security key.
A bit deeper on new(er) terminology
• A passkey is any passwordless FIDO credential
o Raises the bar for both security and UX
o Is most commonly synchronized across a user’s devices – but doesn’t have to be
• A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager.
o Facilitates new device bootstrapping and simplifies account recovery
o Security of synced passkeys is the responsibility of the passkey provider
o Live passkey providers include Apple, Google, Dashlane, 1Password
Same approach – with new syncing capabilities
[Diagram labels: Authenticator, FIDO Authentication]
User verification: require user gesture before private key can be used
Private key dedicated to one app
Public key stored at service provider
Private key can be securely synchronized across devices
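The model on this slide (a private key dedicated to one app, released only after a user gesture, with the public key held by the service provider) is what the service provider relies on when it verifies a sign-in. The following Node.js code is an added example, not part of the original deck: it simulates an authenticator and runs the service-provider checks using the WebAuthn assertion layout. The domains, the `SimulatedAuthenticator` class and the function names are assumptions made for illustration.

```javascript
// Added example, not from the slides. The authenticator is simulated in-process
// and every domain, key and challenge below is constructed for illustration.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (the "user gesture" on the slide)

class SimulatedAuthenticator {
  constructor() {
    this.privateKeys = new Map(); // rpId -> private key, never handed out
  }

  // Registration: one key pair per relying party; only the public key leaves.
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(rpId, privateKey);
    return publicKey;
  }

  // Sign-in. `origin` stands for the value the browser reports for the page.
  getAssertion({ origin, rpId, challenge, userVerified }) {
    const privateKey = this.privateKeys.get(rpId);
    if (!privateKey) return null; // no credential scoped to this site
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get',
      challenge: challenge.toString('base64url'),
      origin,
    }));
    const flags = FLAG_UP | (userVerified ? FLAG_UV : 0);
    // authenticatorData = SHA-256(rpId) || flags || 4-byte signature counter
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
  }
}

// Service-provider side: checks run before the stored public key is trusted.
function verifyAssertion(expected, assertion) {
  const fail = (reason) => ({ ok: false, reason });
  let clientData;
  try {
    clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  } catch (err) {
    return fail('malformed clientDataJSON');
  }
  if (clientData.type !== 'webauthn.get') return fail('wrong ceremony type');
  if (clientData.challenge !== expected.challenge.toString('base64url')) return fail('challenge mismatch');
  if (clientData.origin !== expected.origin) return fail('origin mismatch');

  const authData = assertion.authenticatorData;
  if (authData.length < 37) return fail('authenticator data too short');
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return fail('rpId hash mismatch');
  const flags = authData[32];
  if (!(flags & FLAG_UP)) return fail('user presence missing');
  if (expected.requireUserVerification && !(flags & FLAG_UV)) return fail('user verification missing');

  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  const valid = crypto.verify('sha256', signed, expected.publicKey, assertion.signature);
  return valid ? { ok: true, reason: 'verified' } : fail('bad signature');
}

function runScenarios() {
  const rp = { rpId: 'example.test', origin: 'https://login.example.test' };
  const lookalike = { rpId: 'examp1e.test', origin: 'https://login.examp1e.test' };
  const authenticator = new SimulatedAuthenticator();
  const publicKey = authenticator.register(rp.rpId);
  const expectation = () => ({
    ...rp, publicKey, requireUserVerification: true, challenge: crypto.randomBytes(32),
  });
  const results = {};

  // Genuine sign-in, then the same assertion replayed against a fresh challenge.
  const first = expectation();
  const genuine = authenticator.getAssertion({ ...rp, challenge: first.challenge, userVerified: true });
  results.genuine = verifyAssertion(first, genuine);
  results.replayed = verifyAssertion(expectation(), genuine);

  // Gesture skipped: the signature is valid but the UV flag is not set.
  const second = expectation();
  const noUv = authenticator.getAssertion({ ...rp, challenge: second.challenge, userVerified: false });
  results.noUserVerification = verifyAssertion(second, noUv);

  // Look-alike site: the authenticator holds no key for that rpId.
  const third = expectation();
  results.lookalikeHasCredential =
    authenticator.getAssertion({ ...lookalike, challenge: third.challenge, userVerified: true }) !== null;

  // Worst case: a passkey also exists for the look-alike and its assertion is forwarded.
  authenticator.register(lookalike.rpId);
  const relayed = authenticator.getAssertion({ ...lookalike, challenge: third.challenge, userVerified: true });
  results.relayed = verifyAssertion(third, relayed);
  return results;
}

console.log(runScenarios());
```

Because the key is looked up by site and the signed data names the origin, syncing the private key across a user's devices does not change any of these checks.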
World Password Day 2024
Consumer Password
& Passkey Trends
www.fidoalliance.org
World Password Day 2024
Passkey support today
98%+ 96%+
20% of the world’s top 100 websites and services
12% of the world’s top 250 websites and services
More than 13B accounts can now leverage passkeys for sign in.
FIDO’s Focus on Usability
Available Now
• FIDO Design System
• UX guidelines for passkeys, security keys, and device authenticators
• UI Kit
Coming soon: Passkey Resource Center
Rapid adoption
Proven success
Government utilization of FIDO Authentication
Reframing the regulatory narrative
“Syncable authenticators that are deployed under the requirements set forth in this supplement SHALL be considered sufficient to protect against threat contemplated under AAL2.”
Stop checking a box for “MFA”…
… and start thinking about phishing resistance rather than “factors”
A synced passkey is always better than a password alone
If you’re using password + SMS OTP, passkeys are better
Stop checking a box for “MFA”…
… and start thinking about your business requirements
One size doesn’t fit all – consider business, regulatory, and security requirements
• Pair with another factor
• Leverage risk signals
• Require device-bound passkey
Looking forward...
The Old Way: Every Part of the Online Account Lifecycle Susceptible to Attacks
1. Account Enrollment: KBA; weak remote IDV systems tricked by synthetic documents and fabricated biometrics = Accounts created with stolen or synthetic identities
2. Authentication: Passwords; phishable MFA = Account takeovers via phishing, man in the middle, credential stuffing and other attacks
3. Account Recovery/Reverification: Only as sound as 1 and 2! = Major vector for account takeover
The New Way: advanced technologies for remote identity verification snuff out attacks
• Reliable and accurate document verification
• Biometric verification checks for liveness to identify spoofs
o Photos of screens, 2D & 3D masks, image upload manipulation, etc.
• Biometric systems have advanced reliability presentation attack detection
Backed by FIDO Certification programs
Tested by accredited third party labs
Removes need for vendor “bake offs”
• Biometric Component Certification
• IDV Document Authenticity
• IDV Selfie & Face (coming soon)
The New Way: Securing Every Part of the Account Lifecycle
1. Account Enrollment: Strong remote IDV systems can detect synthetic documents and fabricated biometrics = Accounts created only for individuals with proven identity
2. Authentication: FIDO phishing-resistant authentication with passkeys = Strong security at every sign in
3. Account Recovery/Reverification: As sound as 1 and 2! = Accounts are NOT taken over through account recovery and re-verification methods
Questions?

 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 

Intro to Passkeys and the State of Passwordless.pptx

  • 1. © FIDO Alliance 2024 Intro to Passkeys and the State of Passwordless Andrew Shikiar Executive Director & CEO FIDO Alliance
  • 2. Today’s Agenda APPROX START TIME SESSION SPEAKER(S) Session 1: Building the Business Case: Intro to Passkeys & Passkeys in Action 1:15 – 1:40 Intro to Passkeys and the State of Passwordless Andrew Shikiar, FIDO Alliance 1:45 – 2:05 Passkeys Deep Dive Shane Weeden, IBM 2:10 – 2:30 How Hyatt Drives Exceptional Customer Experiences with FIDO Authentication David Treece, Yubico Art Chernobrov, Hyatt Hotels 2:35 – 2:55 Passkeys in the B2B2C World – A Journey to Passwordless Tushar Phondge, ADP Sanjoli Ahuja, ADP 2:55 – 3:10 Break Session 2: Technical Implementation: Implement Passkeys & Meet the Experts 3:10 – 3:30 Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats Bojan Simic, HYPR 3:35 – 3:55 New UX Guidance for Implementing Passkeys Kevin Goldman, UXWG, FIDO Alliance Philip Corriveau, RSA 4:00 – 4:20 Tales from a Passkey Provider – Progress from Awareness to Implementation Nick Steele, 1Password Shane Weeden, IBM Megan Shamas, FIDO Alliance 4:25 – 5:15 Implementation AMA – Ask your passkey questions! Nick Steele, 1Password Christiaan Brand, Google Shane Weeden, IBM Megan Shamas, FIDO Alliance
  • 3. What is the FIDO Alliance? We are a global tech consortium standardizing password-free sign-ins
  • 4. Backed by global tech leaders + Sponsor members + Associate members + Liaison members + Government members
  • 5. Security Usability Poor Easy Weak Strong = Single Gesture Possession-based Phishing-resistant Authentication Open standards for simpler, stronger authentication using public key cryptography FIDO since 2013: Simpler and stronger
  • 6. 2 1 3 Provide great alternative to traditional smart card deployments in high-risk environments Offer phishing-resistant multi-factor authentication in a single authenticator Increase the security of consumer two-factor authentication The very positives …
  • 7. 2 1 3 Inconvenience of physical security keys Higher barrier to adoption for users who don’t (want to) use two-factor authentication at all, and are stuck with passwords Challenges with embedded authenticators as a second factor But challenges for scale
  • 8. The foundation of authentication is fundamentally flawed of hacking-related breaches are caused by weak or stolen passwords (Ping Identity) 81% 76% Gave up on a purchase because they forgot their password (FIDO Alliance) 43% Rise in direct financial loss from successful phishing attacks from 2022-2023 (Proofpoint) either use weak passwords or repeat variations of passwords (Keeper) 64% When our primary factor is passwords… Easily phished or socially engineered, difficult to use and maintain
  • 9. Layering on does not work The art of MFA Bypass: How attackers regularly beat two-factor authentication Phishing Attacks Rise Sharply in Southeast Asia: Kaspersky Detects Over 43M Email-Based Phishing Region in 2022 Brace for more phishing, scams, data breaches, APT attacks in APAC 2024 …then our additional layers – while well-intended and necessary – are there to cover up password problems Often still phishable, socially engineered, difficult to use and maintain Data breach cost Latitude $76 million: Cyber attack on Australian company Latitude Financial saw the personal data of up to 14 million customers stolen.
  • 10. 967% 54% 1265% Of consumers have noticed phishing messages become more sophisticated in last 60 days (FIDO Alliance) Rise in malicious phishing emails since Q4 2022 (Slashnext) Rise in credential phishing in particular since Q4 2022 (Slashnext) Generative AI adds fuel to the phishing fire
  • 11. A fundamental pivot is needed..: What if we could replace the outdated legacy model of “password + something else” and could replace it with a single factor that was much more secure – and easier to use?
  • 12. A fundamental pivot is needed..: What if we could replace the outdated legacy model of “password + something else” and could replace it with a single factor that was much more secure – and easier to use? If phishing is now the primary threat - a single phishing-resistant authenticator is more valuable (in most cases) than two factors which are both easily phished.
  • 13. Enter: Synced passkeys Passkey /’pas, kē/ noun A FIDO Authentication credential that provides passwordless sign-ins to online services. A passkey may be synced across a secure cloud so that it’s readily available on all of a user’s devices, or it can be bound to a dedicated device such as a FIDO security key.
  • 14. A bit deeper on new(er) terminology A passkey is any passwordless FIDO credential Raises the bar for both security and UX Is most commonly synchronized across a user’s devices – but doesn’t have to be A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager. Facilitates new device bootstrapping and simplifies account recovery Security of synced passkeys is the responsibility of the passkey provider Live passkey providers include Apple, Google, Dashlane, 1Password
  • 15. Same approach – with new syncing capabilities User verification Require user gesture before private key can be used Authenticator FIDO Authentication Private key dedicated to one app Public key stored at service provider
  • 16. Same approach – with new syncing capabilities User verification Require user gesture before private key can be used Authenticator FIDO Authentication Private key dedicated to one app Public key stored at service provider Private key can be securely synchronized across devices
  • 17. World Password Day 2024 Consumer Password & Passkey Trends www.fidoalliance.org
  • 18. World Password Day 2024
  • 19. Passkey support today 98%+ 96%+ of the world’s top 100 websites and services of the world’s top 250 websites and services 20% 12% accounts can now leverage passkeys for sign in. 13B More than
  • 20. FIDO’s Focus on Usability Available Now • FIDO Design System • UX guidelines for passkeys, security keys, and device authenticators • UI Kit Coming soon: Passkey Resource Center
  • 21. Rapid adoption
  • 22. Proven success
  • 23. Government utilization of FIDO Authentication
  • 24. Reframing the regulatory narrative “Syncable authenticators that are deployed under the requirements set forth in this supplement SHALL be considered sufficient to protect against threat contemplated under AAL2.”
  • 25. Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
  • 26. A synced passkey is always better than a password alone Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
  • 27. If you’re using password + SMS OTP, passkeys are better A synced passkey is always better than a password alone Stop checking a box for “MFA”… … and start thinking about phishing resistance rather than “factors”
  • 28. Stop checking a box for “MFA”… … and start thinking about your business requirements One size doesn’t fit all – consider business, regulatory, and security requirements • Pair with another factor • Leverage risk signals • Require device-bound passkey
  • 29. Looking forward...
  • 30. KBA Weak remote IDV systems tricked by synthetic documents and fabricated biometrics Accounts created with stolen or synthetic identities Account Enrollment Passwords Phishable MFA Account takeovers via phishing, man in the middle, credential stuffing and other attacks Authentication Only as sound as 1 and 2! Major vector for account takeover Account Recovery/Reverification = = = The Old Way: Every Part of the Online Account Lifecycle Susceptible to Attacks
  • 31. Backed by FIDO Certification programs Tested by accredited third party labs Removes need for vendor “bake offs” • Biometric Component Certification • IDV Document Authenticity • IDV Selfie & Face (coming soon) The New Way: advanced technologies for remote identity verification snuff out attacks • Reliable and accurate document verification • Biometric verification checks for liveness to identify spoofs o Photos of screens, 2D & 3D masks, image upload manipulation, etc. • Biometric systems have advanced reliability presentation attack detection
  • 32. The New Way: Securing Every Part of the Account Lifecycle Strong remote IDV systems can detect synthetic documents and fabricated biometrics Accounts created only for individuals with proven identity Account Enrollment FIDO phishing-resistant authentication with passkeys Strong security at every sign in Authentication As sound as 1 and 2! Accounts are NOT taken over through account recovery and re-verification methods Account Recovery/Reverification = = =
  • 33. Questions?

Editor's Notes

  1. We’ve been talking about the password problem for so long now I feel like we’ve actually lost sight of how LARGE of a problem it really is – instead focusing on all of the great benefits of unphishable FIDO-based MFA (rightly).
  2. That being said, 2FA certainly is out there and yes, is much better than a password alone. But legacy forms of 2FA really are just bandaids to try and stem the damage from the flawed primary factor. And it’s little wonder that we’re seeing damaging MFA bypass attacks that leverage a combination of social engineering and traditional phishing to access enterprise systems and/or user accounts. We saw this coming last year and were sadly correct. I think that on the consumer side in 2023 Smishing will really go mainstream at least here in the US – and will be hugely damaging.
  3. We’ve been talking about the password problem for so long now I feel like we’ve actually lost sight of how LARGE of a problem it really is – instead focusing on all of the great benefits of unphishable FIDO-based MFA (rightly). But the fact of the matter is that MFA adoption has lagged – especially for consumers. Part of this is lack of will by RPs, but it’s mainly IMO an issue of usability and ease of access. These stats are a little old tbh, we saw phishing rise during covid, and now we are seeing phishing become even easier thanks to generative AI. 54% of people have noticed an increase in suspicious messages and scams online, while 52% believe these have become more sophisticated.
  4. We always need a device in the middle; we call this the authenticator. Step 1: Local interaction between the user and authenticator – we call this user verification. On the front end, we are very flexible – we require some user gesture and that gesture is verified by the authenticator directly: facial recognition, local PIN entry, security key – but we will talk more about the user experience in a minute. Step 2: Once the user is verified by the authenticator, which lives on your personal device, the authenticator then authenticates you to the service. Not using your information or the evidence of who you are, but actually using public key cryptography. What’s beautiful about public key cryptography is you don’t ever have to give away your private key (your secret); with asymmetric cryptography – which is what we use – you use that private key to sign a challenge: proof of possession that you have the right private key. The service provider verifies that it is correct with the corresponding public key. Unique key pairs for each service – this is essential for privacy. No global identifiers with FIDO. Simple change of architecture turns the model upside down. The only thing now that is stored on a server are the public keys, which aren’t useful for scalable attack.
  5. We always need a device in the middle; we call this the authenticator. Step 1: Local interaction between the user and authenticator – we call this user verification. On the front end, we are very flexible – we require some user gesture and that gesture is verified by the authenticator directly: facial recognition, local PIN entry, security key – but we will talk more about the user experience in a minute. Step 2: Once the user is verified by the authenticator, which lives on your personal device, the authenticator then authenticates you to the service. Not using your information or the evidence of who you are, but actually using public key cryptography. What’s beautiful about public key cryptography is you don’t ever have to give away your private key (your secret); with asymmetric cryptography – which is what we use – you use that private key to sign a challenge: proof of possession that you have the right private key. The service provider verifies that it is correct with the corresponding public key. Unique key pairs for each service – this is essential for privacy. No global identifiers with FIDO. Simple change of architecture turns the model upside down. The only thing now that is stored on a server are the public keys, which aren’t useful for scalable attack.
  6. We surveyed 2k people across the US and UK and found that people continue to struggle with traditional passwords. As these struggles continue, more consumers are aware of passkeys and trying them out as a password alternative. The data reveals a positive trend: when people adopt at least one passkey, they are more likely to enable the technology on other applications to improve convenience and security online.
  7. Last Thursday was World Password Day. We just spent all this time talking about passkeys, and yet we’re still celebrating a holiday focused on passwords. We are constantly asked “When will we REALLY kill the password?” The answer is: When the use of passkeys outweighs the use of passwords. Ok, but when will that be? [CLICK] This year we are another step closer to that goal. Microsoft rolled out passkeys to all of its user accounts. [CLICK] And Google shared an incredible update that more than 400 MILLION accounts are now protected by passkeys – and passkeys have been used more than 1 BILLION times. Not to mention countless other FIDO Members who launched data, news, and campaigns promoting their successes and endorsements of passkeys. At this point I think it’s safe to say we’re ready to ditch World PASSWORD day in favor of something new - [CLICK] World PASSKEY Day. We look forward to seeing you all celebrate and launch campaigns around that one next year.
  8. But overall, the progress with passkeys has been nothing short of phenomenal. It started with PayPal and a few other services on in Q4, and then really picking up steam as passkey support was live across Google platforms by early 2023. To the point now where we have brands such as these – and surely many more – that are all moving their consumers away from passwords, and towards passkeys. These are some of the brands that are already enabling passkey sign-ins. These include leading payment and ecommerce services, telecom and more. Perhaps most notably, Google a few months ago enabled anyone with a Google account to enroll a passkey associated with that account. That means that billions of consumers now have the ability to use passkeys instead of passwords for Google services such as Gmail - and also for sites that support Google social sign in. Look in the news and you’ll see passkeys reaching far and wide in the industry. Deployments and commitments, products, services. Even password managers, who many thought would be displaced by this development, are embracing it and making it their new business model.
  9. FIDO has provided ROI since its earliest implementations, and synched passkeys fully unlock that capability at scale. - several case studies this week where you can hear directly from practitioners, but some examples include [click] Air New Zealand [click] This data from Google: passkeys instead of passwords for google account. They are seeing four times the sign in success vs passwords. 4x. And in half the time [click] Mercari is using passkeys as an MFA improvement over sms otp – they’re finding 21% sign-in improvement with a 75% time reduction [click] And of course FIDO is used extensively in the workforce – - HYPR /Forrester study found over 300% ROI due to massive reduction of password utilization - which led to higher employee productivity.
  10. CDS – Canadian Digital Services
  11. We also need to reframe the way regulators contemplate authentication. EVERYONE’s frame of reference has always been to figure out how to mitigate the fundamental weakness of passwords – passkeys present a whole new paradigm for authentication. And we’re grateful that NIST is considering synced credentials for 800-63-4 – and we’ll be undertaking similar efforts with key regulations. We are expecting that as PSD2 is revised, we will have more to report on ways to address compliance and hope to continue to have the opportunity to share updates and engage. We hope that DG FISMA will consider the importance of phishing-resistant authentication in any PSD2 revision – as well as consider alternative authentication models in SCA requirements that can enable better security and better user experience.
  12. Zooming back out, we realize that “identity” = more than just authentication. It really starts with enrollment – and we need that to be possession-based as well. Specifically, replacing knowledge-based authn with possession-based approaches that leverage certified doc authn and liveness detection. And we know that recovery is a major vector for ATOs.
  13. What you get
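
The sign-in flow described in Editor's Notes 4 and 5 (a local user gesture, then a signed challenge checked against a stored public key, with a separate key pair per service), as an added example that is not part of the original deck. It is a simplified Node.js model rather than the WebAuthn wire format; the class names, the `demo` function and the reserved example domains are hypothetical.

```javascript
// Added illustration: simplified FIDO-style sign-in, not the WebAuthn wire format.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Hypothetical authenticator: one key pair per service; private keys never leave it.
class Authenticator {
  constructor() { this.privateKeys = new Map(); } // rpId -> private key
  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // all the service stores
  }
  // userVerified stands in for the local gesture (biometric, PIN, key touch).
  sign(rpId, origin, challenge, userVerified) {
    if (!userVerified) throw new Error('user verification required');
    const privateKey = this.privateKeys.get(rpId);
    if (!privateKey) throw new Error('no credential for ' + rpId);
    const clientData = JSON.stringify({ challenge: challenge.toString('hex'), origin });
    const signed = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: crypto.sign('sha256', signed, privateKey) };
  }
}

// Hypothetical service: holds public keys and single-use challenges only.
class RelyingParty {
  constructor(rpId) {
    this.rpId = rpId;
    this.origin = 'https://' + rpId;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge (hex)
  }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge.toString('hex'));
    return challenge;
  }
  verify(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted once
    const publicKey = this.publicKeys.get(user);
    if (!expected || !publicKey) return 'rejected: no pending challenge';
    const { challenge, origin } = JSON.parse(clientData);
    if (challenge !== expected) return 'rejected: challenge mismatch';
    if (origin !== this.origin) return 'rejected: origin mismatch';
    const signed = Buffer.concat([sha256(this.rpId), sha256(clientData)]);
    return crypto.verify('sha256', signed, publicKey, signature)
      ? 'ok' : 'rejected: bad signature';
  }
}

const attempt = (fn) => { try { return fn(); } catch (e) { return 'refused: ' + e.message; } };

// Constructed scenario using reserved example domains.
function demo() {
  const bank = new RelyingParty('bank.example');
  const shop = new RelyingParty('shop.example');
  const device = new Authenticator();
  const bankPem = device.register(bank.rpId);
  const shopPem = device.register(shop.rpId);
  bank.enroll('alice', bankPem);
  shop.enroll('alice', shopPem);
  const assertion = device.sign(bank.rpId, bank.origin, bank.newChallenge('alice'), true);
  return {
    distinctKeys: bankPem !== shopPem,       // no global identifier across services
    legit: bank.verify('alice', assertion),
    replay: bank.verify('alice', assertion), // the challenge was already consumed
    // A look-alike site has its own rpId, for which no key pair exists.
    lookalike: attempt(() => device.sign('bank-login.test', 'https://bank-login.test',
      bank.newChallenge('alice'), true)),
    // The shop credential cannot answer the bank's challenge.
    crossService: bank.verify('alice',
      device.sign(shop.rpId, bank.origin, bank.newChallenge('alice'), true)),
    noGesture: attempt(() =>
      device.sign(bank.rpId, bank.origin, bank.newChallenge('alice'), false)),
  };
}
```

The service side holds only PEM public keys and short-lived challenges, which is why a dump of its credential store gives nothing that can be replayed against it or any other service.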