FIDO Seminar RSAC 2024

1. Tales from a Passkey Provider
Progress from Awareness to Implementation
May 2024

2. PRIVATE &
CONFIDENTIAL
Nick Steele
Staff Product Manager
1Password
Today’s
speakers
Shane Weeden
Senior Technical Staff Member
IBM
Megan Shamas
(moderator)
Senior Director of Marketing
FIDO Alliance

3. PRIVATE &
CONFIDENTIAL
Agenda
• Where we’ve been
• Where we’re at
• What you can do
• Panel Q&A

4. PRIVATE &
CONFIDENTIAL
Where have we been?

5. PRIVATE &
CONFIDENTIAL
We are still Pioneers

6. PRIVATE &
CONFIDENTIAL
And sometimes it feels like this

7. PRIVATE &
CONFIDENTIAL
U2F/CTAP
UAF
CTAP2 WebAuthn
Passkeys ✨
Verifiable
Credentials
👋
2014

8. PRIVATE &
CONFIDENTIAL
Passkeys
in the news
September 2022: iOS16 officially brings
passkeys to Apple devices.
October 2023: Google makes passkeys the default sign-
in option for all users, significantly boosting adoption.
April 2024: X (formerly Twitter) rolls out global
support for passkeys on IOS.
October 2023: Amazon begins supporting passkeys
for all users.

9. PRIVATE &
CONFIDENTIAL
2023: The year of the 3rd Party Passkey Provider
• Weak and stolen credentials remain the number one cause of breaches.
• Passkey Providers are the new Password Manager!
• Trial users who interact with our passkey features are ~20% more likely to convert
to paying customers than those who do not.
• With new solutions, come new problems! Platforms & Hardware Tokens have
different needs.
• Relying Party as a Service continues to flourish.
• We

10. PRIVATE &
CONFIDENTIAL

11. PRIVATE &
CONFIDENTIAL
Where are we at?

12. PRIVATE &
CONFIDENTIAL
2024: Regulations, Enterprise, and Beyond(Corp)
• 400 Million Google Accounts, over 1 Billion authentications.
• Passkeys are officially AAL2 compliant!
• But MFA, especially for regulation, is still lagging.
• Passkeys are a replacement for passwords (and sometimes need MFA)
• Both B2B and B2C are still struggling with UX and UI regarding passkeys, especially in
regulated industries.
• Starting to be co-opted into Zero Trust architectures and decision-making.

13. PRIVATE &
CONFIDENTIAL
Looking Ahead: FIDO UCEP and UCEF
• FIDO Universal Credential Exchange Protocol & Format
• Aims to help address current issues around lock-in, insecure import/export, and other
issues related to moving different types of credentials.
• Not limited by passkeys, but motivated by passkeys.
• Currently working on proof of concepts and testing with 5 companies,
• Expect V1 to be published in the next few weeks!

14. PRIVATE &
CONFIDENTIAL
What you can do?

15. PRIVATE &
CONFIDENTIAL
Where do you Start?
• Check out some RPaaS! (Insert shameless plug for Passage here)
• If you’re thinking about building your own solution, here are a few things we’ve learned:
• Basic implementations are not hard. The challenge is accounting for fallbacks,
account recovery, and device edge cases.
• WebAuthn is an evolving standard, so keep an eye out for changes that can improve
user experience. Additions like PublicKeyCredentialDescriptor could make
identifying providers much easier.
• Poor implementations can cause conversions to drop.
• Educating users is a huge part of the shift, and one of the biggest hurdles.

16. PRIVATE &
CONFIDENTIAL
What about your organization?
• If you’re going the in-house route. Get started now or catch up later
• As new features get released, don’t aim for a moving target.
• Savings can be more motivating than Security
• Reduce SMS OTP Fees.
• Passkeys provide 50% faster logins, 64% increase in login success.
• Shopify merchants that enabled passkeys for shoppers saw an 8% increase in
conversion.

17. PRIVATE &
CONFIDENTIAL
Tales from the Trail

18. Thank you!