By: FIDO staff
The third and final day of Authenticate 2023 delivered a deep dive into the reality of passkey deployment in the real world today.
Speakers talked about how their organizations are adopting and deploying passkeys, while also outlining potential issues that need to be addressed. Research into the current state of passkeys and authentication, authentication for connected TVs and the role of password managers were also a key part of the day’s agenda.
It’s always good to start a day with a smile, and that’s how Microsoft’s Erik Dauner opened the day, with a session about his company’s efforts, which include Windows Hello (which has a wink and a smile as its startup animation). The path toward passwordless at Microsoft has taken some time, with the company first introducing Windows Hello in 2010.
“Everybody’s looking for the silver bullet, the catch here is that there is no silver bullet,” Dauner said. “I wish I could say there was, instead it’s more of a journey.”
With the latest release of Windows 11 version 22H2, passkeys are deeply integrated, enabling a strong authentication experience. While Windows can be used as a platform authenticator, there is a need for organizations and applications to adopt passkeys. To that end, Dauner encouraged organizations to determine where they can include passkeys across websites and applications.
“The more prevalent they are with all different websites, the more people can use them, the more people will be comfortable with them,” he said.
Why passkeys and password managers work together
Rew Islam, director of product engineering and innovation at Dashlane, initially was a bit worried about what passkeys might do to his company’s business. After all, Dashlane is in the business of providing a password manager, and if people don’t need passwords, would they still need Dashlane?
As it turns out, there is a great fit for Dashlane and other vendors that make password managers in the new era of synced passkeys. Users can choose to use their platform authenticator or a third-party manager to handle management of synced passkeys.
Islam detailed how Dashlane has implemented passkey support through browser extensions and mobile operating system APIs. He also detailed best practices for relying parties to support passkeys used with password managers.
Among his key takeaways:
- Consider mobile native app passkey support
- Consider UI that highlights the passkey provider
- Use the backup flags to create helpful user hints
Intuit details financial gains by adopting FIDO authentication
Financial software giant Intuit has seen much success in its implementation of FIDO authentication, according to Rakan Khalid, group product manager for identity at Intuit.
Intuit serves over 100 million customers and handles sensitive financial data for each, making security and usability a priority. The company first deployed FIDO2 on mobile apps, seeing authentication success rates rise to 97-98% compared to 80% previously.
“We know from our measurements and from our data analytics that every one point increase in signup success rate actually has multi million dollars of top line impact,” he said.
Looking ahead, Intuit plans to bring FIDO security to the web with passkeys, which Khalid said would be really beneficial for Intuit’s customer base.
What Auth is on your connected TV?
The modern connected TV is loaded with multiple services, each requiring its own sign-in method. The typical process for signing into those services can be less than ideal: users struggle to type in passwords, which often results in individuals reusing passwords or creating very simple ones.
Tony MacDonell, engineering director at Synacor, explained that the current situation is complex for many users, especially those that are not particularly tech-savvy. There are, however, some newer approaches to minimize complexity, including the use of out-of-band QR codes that are connected via a user’s smartphone.
MacDonell noted that his firm is now also working on passkey implementation to help ease the challenge of connecting to multiple streaming services.
“This is a holy grail for us in terms of experience,” MacDonell said about the use of passkeys for connected TVs. “The holy grail very particularly is the fact that no text entry is required and once you get it going the speed to complete the process of authenticating is incredibly fast.”
TikTok dances for passkeys
Social networking site TikTok is also seeing very impressive results from its use of passkeys.
“We have a 97% login success rate for passkeys on TikTok,” Daniel Grube, product manager at TikTok, said. “This is extremely good as a login method in general.”
TikTok’s move to support passkeys benefited from the fact that the organization had been using FIDO-based strong authentication for its internal staff for several years.
Using FIDO internally has helped to keep the company more secure, and that security now extends to user logins. Embracing passkeys has also meant a cost reduction for TikTok.
“Passkeys are not as expensive as sending an OTP SMS code,” Grube said. “With the way that we implemented passkeys in the platform there was a 2% reduction in SMS OTP login, which saves the company money as well.”
Research shows passkeys are a winner
During Authenticate 2023, a pair of research reports were released that detail the current state of the authentication landscape. The FIDO Alliance’s 2023 Online Authentication Barometer and the joint FIDO and LastPass 2023 Workforce Authentication report both provide insights and were discussed during an afternoon panel session.
Megan Shamas, senior director of marketing at the FIDO Alliance, shared that among the non-surprising findings in the FIDO report is that consumers are still using passwords and are largely not using multi-factor authentication either. Cart abandonment due to authentication issues is also a recurring issue that the report surfaced.
“A lot of folks are still abandoning purchases because they just can’t get into their accounts,” she said.
While consumers aren’t moving terribly fast toward stronger forms of authentication, the LastPass report did provide some rays of hope. Barry McMahon, director of marketing at LastPass, noted that his firm’s report found that over 90% of the respondents to the survey said that they either have moved or are planning to move to passwordless. Looking forward, McMahon said that almost 70% of IT leaders said that they would be using passwords for less than 25% of their applications across the next five years.
Retailers like passkeys too
In the afternoon keynotes, executives from Skechers, Expedia, and Target participated in a panel discussion yesterday to talk about their experiences rolling out passwordless authentication and the future of passwords.
“Passwordless authentication is a business enabler that can improve enterprise operations and processes, and really offer a frictionless consumer experience,” said panel moderator Kristen Dalton, Director of Strategic Cyber Engagement at RH-ISAC.
Manish Gupta, director, software development engineering at Expedia, commented that from his perspective it has been the leadership of the FIDO Alliance that has helped to move strong authentication and passkeys forward. Tom Sheffield, senior director of cybersecurity at Target, emphasized that FIDO authentication is important and that passkeys are now being adopted by 400,000 team members at the retailer. Brett Cumming, senior director, information security officer at Skechers, discussed how passwordless aligned with his company’s security priorities, as the threat actor ecosystem makes passkeys a super relevant conversation area.
The panelists agreed that now is the time for organizations to adopt standards like FIDO to improve security and usability. As Tom Sheffield stated, “The ecosystem is ready. It’s our collective efforts that will help consumers understand passwordless solutions.”
Authentication leaders look to the future of passkeys
In the final panel of the event, FIDO’s Andrew Shikiar, Google’s Christiaan Brand, Microsoft’s Pamela Dingle and CISA’s Bob Lord discussed the big trends of the Authenticate 2023 event.
The panel also reflected on progress made in the past year and set goals for the coming year. Significant discussion centered on efforts to drive further adoption of passkeys, with panelists all agreeing that it was just a matter of time.
One of the drivers for adoption is also a move toward enabling security by design and by default, which is an effort that CISA is leading. Lord said the security by design initiative is focused on eliminating entire classes of vulnerabilities, and FIDO fits in well as a solution to the issue of password exploitation.
The panel closed by making predictions on passkey support at top websites by the end of 2024, with estimates ranging from 15% to 35%, signaling continued progress toward ubiquitous passwordless authentication.
Shikiar closed out the event by commenting that its key themes included how to get to passkey nirvana and when we get there.
“We’re also mature enough as an organization now to focus on best practices, not just focus on doing things, but doing them well,” he said.
To that end, there were also numerous workshops at Authenticate 2023 designed to help educate and inform practitioners on best practices. It’s the attendees of the event and those that learn from FIDO that are the real superheroes in his view, as that is the community that is helping in the collective mission toward reducing the reliance on passwords.
That’s a wrap for Authenticate 2023. Authenticate will be back next year at the same location from Oct. 14-16, 2024. Room block is open – book today!