Authenticate 2024 Conference

Authenticate 2024 – Day 2 Recap

By: FIDO staff

The second day of Authenticate 2024 continued with a packed schedule of sessions and speakers. If you missed Day 1, check out the recap here.

The day kicked off with a series of keynotes from some of the biggest players in the passkey ecosystem, giving attendees insight into how to achieve success with passkeys.

Chris Anderson, Product CTO at Cisco, started the day off by reminding everyone of the stark reality of the current cybersecurity landscape. He said that 80% of breaches leverage identity as a key component. As to why identity continues to be the root cause of breaches, Anderson noted limited visibility, gaps in protection, and an overall frustrating user experience continue to pose critical challenges in workforce authentication.

That situation is improving and will continue to get better, thanks to the continued deployment, adoption and evolution of passkeys. More specifically, Matthew Miller, Technical Lead at Cisco, detailed a number of new innovations that will make passkey adoption and deployment easier than ever before.

The innovations include:

Device Bound Session Credentials (DBSC) – Miller explained that DBSC will be a way to essentially mark and protect a cookie, using a device-bound key pair, so that if an attacker were to compromise an endpoint and get that session token, it would be useless on their machine.

Shared Signals Framework (SSF) – Miller explained that with SSF there is a common way for services to talk to each other and publish security events, and when they receive those events, they can do something like logging out a user if the user is in a compromised state of some kind.

Verifiable Credentials – Onboarding can be a point of friction in a passkey rollout. Miller explained that Verifiable Credentials, simply put, are cryptographically verifiable documents that are issued by a trusted authority. Those credentials can then be used to help accelerate an onboarding flow.

How Sony Playstation Went Passwordless

Sony PlayStation is all gaming, but when it comes to handling passwords, that’s a game that Sony just didn’t want to play. Instead, the company has embarked on a passwordless journey, with passkeys being front and center.

“Our users care about playing the game,” Sam Champeau, Product Manager at Sony Interactive Entertainment (PlayStation) said. “They care about accessing our services, and just getting straight into what they want to do. They don’t want to hassle with extra steps on sign in.”

Champeau detailed the core principles that his team embraced for the successful deployment of passkeys. They include making sure that synced passkeys are available to all users and all types of sign-ins. Sony PlayStation began introducing passkeys both as part of new account setup and when users went through an account recovery process. The result was an 88% completion rate from users who started passkey activation. The impact was a 24% reduction in web sign-in time using passkeys.

“You can do it too, maximize the results from your passkey deployment,” Champeau said. “Minimize those risks with proper setup and testing. Full password replacement is a reasonable expectation, even for a launch.”

Google Lays Out Path for Passkey Adoption

Google has an ambitious goal of passkey ubiquity. It’s a goal that John Gronberg at Google outlined during his Authenticate 2024 keynote.

“As of today, we have over two and a half billion sign-ins with 800 million accounts using passkeys on our Google consumer platform,” Gronberg said.

While those are big numbers, there is still more work to be done. To that end, Google has introduced multiple new capabilities so far in 2024 including:

  • Adding passkeys for enrollment into Google’s Advanced Protection Program. This led to a significant increase in enrollment in the program, with tens of thousands to hundreds of thousands of new users adopting it.
  • Rolling out passkey autofill, which turns passkey into a one-step sign-in process where Google can fill out the username and passkey to authenticate the user. This has led to a significant acceleration in passkey adoption across Google’s user base.

A Prime example of Passkey Success: Amazon

In his keynote, Abhinav Mehta, Senior Product Manager – Technical at Amazon, shared the company’s journey to reaching 175 million passkey users worldwide. 

Mehta outlined the initial launch in September 2023, where Amazon aimed to enable 50% of its customers to use passkeys. The passkey launch resulted in customers signing in six times faster and more securely than before, and by October 2023, passkeys were rolled out to all eligible customers worldwide. 

Mehta explained that Amazon has set an ambitious target to eliminate passwords entirely.

“With the initial success of passkeys, we knew that it’s no longer just a promising technology, but the future of authentication,” he said. “So we set an ambitious target for 100% and a complete elimination of passwords.”

Amazon has adopted a strategic approach, targeting innovators and early adopters first, followed by the early majority. Mehta outlined the key lessons learned which include:

  • Bring passkeys to the customer rather than expecting them to seek out the enrollment settings.
  • Emphasize the convenience of passkeys as customers respond better to this than security-focused messaging.
  • Recognize and address the platform-specific differences in adoption with desktop users requiring more effort reduction compared to mobile users.
  • Actively help customers switch to passkeys by reducing the perceived effort, such as through auto-clicking or making passkeys the default sign-in method.

Come Together Now with the Digital Identity Advancement Foundation (DIAF)

Rounding out the morning keynotes, Arynn Crow, Sr. Manager, AWS User Authentication Products, and Director of Governance and Transparency at the Digital Identity Advancement Foundation (DIAF), discussed the organization’s efforts to build a more inclusive community in the digital identity industry.

“The central thing that brings us together, and the foundation of our bond, is the desire to realize a better, safer internet,” Crow said. 

That said, she acknowledged challenges in integrating new members and ensuring diverse representation. To address these issues, DIAF has launched award programs to provide financial support for newcomers and tenured professionals to attend industry events. Crow said the organization aims to further expand its reach, particularly in underrepresented regions, and improve gender diversity in its program.

Passkey Account Recovery Considerations

A common concern with user accounts is the issue of account recovery.

In a morning session, Kelley Robinson, Developer Advocate, Identity & Authentication at Twilio, detailed multiple approaches that organizations can use today for account recovery. While it is common practice to fall back on insecure options for account recovery, Robinson says there are better options.

“The biggest thing that you can do, if you take away nothing else in terms of your authentication recommendations for fallback options is you always want to register more authentication methods than you need for everyday login,” Robinson said. “Whether you’re using passkeys or not, you need to register at least three methods if you’re requiring two-step verification, ideally even more than that and you can also encourage users to register multiple passkeys.”

Federal Reserve and CISA Detail Risks and Opportunities

No Authenticate event would be complete without a government track. After all, among the biggest users of strong authentication is the U.S. government.

In his session, Chris Schnieper, Director, Secure Payments at the U.S. Federal Reserve, underscored the dynamic nature of scams and the ongoing collaborative efforts to enhance detection and prevention. He highlighted the importance of leveraging a broader set of signals, such as device and behavioral data, to quickly detect and mitigate scams.

“We certainly encourage any type of innovation or investment into different technologies that are going to be better for consumers, better for costs and reduce fraud,” Schnieper said.

Grant Dasher, Architecture Branch Chief at CISA, used his session to detail how to apply the concepts of safety engineering to authentication. Dasher emphatically stated that credential phishing is caused by weak authentication controls.

“It is a technical problem that we can solve, and we can engineer solutions such as FIDO passkeys to attack and make the problem go away,” Dasher said. “And companies that have deployed these technologies have, in fact, seen that the problem just goes away.”

How Login.gov Implemented Passkeys

Among the largest and most public-facing implementations of passkeys in the U.S. government is on the login.gov site, which is a service used to get access to different U.S. agencies.

In her session, Allison Rosenberg, Product Manager at the U.S. General Services Administration (GSA) said that today 20% of login.gov users are authenticating with passkeys.

Rosenberg noted that there are several adoption challenges her organization faces that the GSA is working to overcome. One such challenge came from various issues on desktop operating systems. To that end, the GSA limited passkey setup during account creation to mobile users. That single change resulted in a 35% increase in the passkey authentication success rate.

“Though we focused on challenges today, I do want to say that at login, we’re really excited for the potential of passkeys to protect more of our users through secure and convenient authentication,” she said.

TikTok, IBM and Alibaba Detail Passkey Success

The second day of Authenticate 2024 was loaded with numerous user stories, with each organization detailing their passkey journey.

Among the users was Sydney Ng, FIDO2 Engineer at TikTok. The social media company is using passkeys to help secure its own enterprise users.

“Our goal is to become a phishing-resistant company,” Ng said.

TikTok has taken an iterative approach to its passkey rollout, initially choosing to use hardware keys. She explained that TikTok took a customized approach to the key, providing a QR code on the device that carries information that helps to accelerate the onboarding process significantly. The initial rollout saw adoption by 900 employees across 16 countries. The second rollout added another 1,500 employees. Not only are employees more secure, she also noted an 87% reduction in the time it takes to log in.

TikTok plans on rolling out passkeys to all employees by the end of 2024.

Alibaba is also rolling out passkeys to its users. Xiao Qian, Senior Staff Engineer at Alibaba, said that there are now approximately 90,000 employees enrolled with passkeys. He estimated that using passkeys is saving over a million dollars a year that had previously been spent on SMS-based MFA.

IBM employees are now adopting passkeys as well, even though there was some initial hesitation at the company. Shane Weeden, Senior Technical Staff Member at IBM, recounted the long history of authentication tools used by his company over the last several decades.

While hardware-based keys were not a concern, there was some concern from Weeden’s peers about the security of synced passkeys. Those concerns have been alleviated, as IBM has evaluated and better understood the risk profile and the benefits of passkeys. 

“We firmly believe that any passkey is better than no passkey,” he said.

As it turns out, the vast majority of passkey usage at IBM today is not from hardware keys. Weeden said that 85% of all passkey registrations on the IBM platform were platform authenticators or password managers.

Next Up: Authenticate Day 3

There’s more to come on the third and final day of Authenticate 2024, including more user stories, use cases and technical insights on passkey adoption and deployment.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.