Authenticate 2024: Day 3 Recap
By: FIDO staff
The third and final day of Authenticate 2024 was another jam-packed bonanza of content and insights. If you missed Day 1, check out the recap here. The recap for Day 2 is here.
Multiple users came up on the stage to detail how passkeys have made a difference in consumer, enterprise, and government use cases, and what lessons have been learned. There was also a “Passkeys for Payments” track, where speakers from Visa and Mastercard detailed the challenges and opportunities in the space. Digital identity was another core theme of the day with multiple sessions and a final keynote panel.
Among the many users that spoke was Elizabeth Beasley, Senior Content Designer at Intuit. She shared insights on implementing passkeys, emphasizing the importance of organization and user testing.
User Experience (UX) really matters too, and to that end, Beasley stressed the value and importance of the FIDO UX Working Group and the passkeys design guidelines that it has produced.
“When you go to passkeycentral.org, you can see the stuff that this group has helped create, and we’re going to keep creating more,” Beasley said.
How Swiss Marketplace Group (SMG) is Embracing Passkeys
Swiss Marketplace Group (SMG) is a group of marketplaces based in Switzerland. SMG is implementing and rolling out passwordless authentication for its workforce to reduce risk and improve security as well as user experience.
Mikel Grabocka, Security Architect, Identity and Trust at SMG Swiss Marketplace Group AG, explained that the passkey rollout is happening across the company’s users. The target state is to have passwordless alongside managed devices across the entire company.
The initial rollout has been very strong, with 30% of eligible users adopting passwordless within the first month of it being available. He noted that the key focus for the deployment is taking a gradual, well-documented, and iterative approach, with a strong emphasis on user awareness and adoption. SMG plans to have 100% of its employees passwordless by the end of the year.
Bringing Passkeys to DocuSign
DocuSign, one of the world’s leading e-signature providers, is also adopting passkeys.
“Safety and trust is the foundation of everything that we do,” Sarah Zou, lead product manager at DocuSign, said. “That’s why we decided to invest in passkey. We wanted to make sure the first step of getting users into the signing ceremony, they feel welcome with a seamless protected experience, knowing that they’re using the most innovative new industry standard – passkey.”
DocuSign has also implemented passkey as a service, allowing the company to leverage it beyond just the login flow. DocuSign is using passkey to unlock other use cases, such as the DocuSign ID Wallet in the European market. The ID Wallet allows users to create, manage, and store their digital identity, which can then be used for identity verification before signing documents. Passkey is used to secure access to the ID Wallet.
The Intersection of Passkey and Payments
The intersection of passkey and secure payment was a topic of discussion across multiple sessions on day 3 of Authenticate 2024.
Among the foundational specifications in payments today is EMV-3D Secure. In a session, Henna Kapur, Director, Product Management at Visa, highlighted the potential for FIDO passkey adoption in financial services through an integration with EMV-3D Secure.
Jonathan Grossar, Vice President, Product Management at Mastercard, provided insight into how the Secure Payment Confirmation (SPC) specification will help improve payment security.
“SPC implements passkeys – but with additional security and better user experience,” Grossar said.
The enhancements that SPC provides include:
- Cross-origin authentication – It provides the ability for merchants to invoke payment passkeys for authentication without the need to redirect to the Relying Party (Bank or Payment network).
- Dynamic linking – Transaction amount and merchant identifier are approved by the consumer and included in the FIDO passkey assertion.
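To make dynamic linking concrete, here is an added example (not from the talk or from FIDO/Mastercard code) of the check a Relying Party can run on the client data returned with an SPC assertion before approving a payment. Field names follow the W3C Secure Payment Confirmation draft; the function names, the `EXPECTED` record and all sample values are hypothetical, and verifying the assertion signature over this client data is assumed to happen separately.

```javascript
// Constructed sample clientDataJSON; every value here is made up.
function sampleClientData(paymentOverrides = {}) {
  const data = {
    type: "payment.get",
    challenge: "c2FtcGxlLWNoYWxsZW5nZQ",
    origin: "https://merchant.example",
    payment: {
      rpId: "bank.example",
      topOrigin: "https://merchant.example",
      payeeOrigin: "https://merchant.example",
      total: { value: "42.00", currency: "USD" },
      instrument: { displayName: "Example card", icon: "https://bank.example/card.png" },
    },
  };
  Object.assign(data.payment, paymentOverrides);
  return new TextEncoder().encode(JSON.stringify(data));
}

// What the Relying Party recorded when it issued the challenge (hypothetical shape).
const EXPECTED = {
  challenge: "c2FtcGxlLWNoYWxsZW5nZQ",
  rpId: "bank.example",
  payeeOrigin: "https://merchant.example",
  amount: "42.00",
  currency: "USD",
};

// Dynamic-linking check: the signed client data must describe this exact
// transaction, not merely prove possession of the passkey.
function checkDynamicLinking(clientDataBytes, expected) {
  let cd;
  try {
    cd = JSON.parse(new TextDecoder().decode(clientDataBytes));
  } catch {
    return { ok: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (!cd || cd.type !== "payment.get") return { ok: false, reason: "not a payment assertion" };
  if (cd.challenge !== expected.challenge) return { ok: false, reason: "challenge mismatch" };
  const p = cd.payment;
  if (!p || !p.total) return { ok: false, reason: "payment details missing" };
  if (p.rpId !== expected.rpId) return { ok: false, reason: "rpId mismatch" };
  if (p.payeeOrigin !== expected.payeeOrigin) return { ok: false, reason: "payee mismatch" };
  if (p.total.value !== expected.amount || p.total.currency !== expected.currency)
    return { ok: false, reason: "amount mismatch" };
  return { ok: true, reason: "transaction details match" };
}

console.log(checkDynamicLinking(sampleClientData(), EXPECTED));
```

Because the amount and payee sit inside the signed client data, an assertion collected for one transaction fails this check when replayed against a different amount or merchant.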
The final keynotes also included a panel on payments where the importance of the intersection between passkeys and payment security was reiterated.
“One of the things that is pervasive in both areas are the terms trust and managing risk,” Sean Estrada, Head of Industry Advocacy at Stripe, said. “So I think that is really fundamental to a well-functioning ecosystem, and I think passkeys have a very useful position in there.”
Passkeys are Good, Now Prove Your Identity
Identity security was another hot topic on the final day of Authenticate 2024.
In a session, Abbie Barbir from the ADIA Association and Rolf Lindemann, VP Products at Nok Nok, discussed the concept of Reusable Identity, also sometimes referred to as Decentralized Identity.
While passkeys provide strong authentication for access, the question that can sometimes remain is whether the passkey holder is in fact the rightful holder of the passkey. That’s where reusable identity plays a crucial role.
Reusable identity is a standard-based credential that can be attested and verified to enable interoperability. It allows users to prove their identity without having to repeatedly go through identity-proofing processes, reducing friction and over-sharing of personal data. Lindemann explained that it is enabled by decentralized identifiers (DIDs) that are unique, can be bound to a user’s devices and allow for key rotation if compromised.
Identity and the concept of a digital wallet for identity was the topic of one of the final keynote panels as well. Key points included the lack of a standardized definition for wallets, with opinions ranging from government-issued identity systems to cryptographic containers for verified attributes.
The conversation highlighted the importance of trust, security, and interoperability, noting the challenges of market-driven standards and the need for global perspectives. Despite these challenges, the panelists agreed on the potential benefits of wallets for convenience and control, emphasizing the need for ethical and inclusive development.
Toward a Phishing Resistant User
Passkeys offer the promise of phishing-resistant authentication. While that’s extremely helpful in reducing risk, there is still more that’s needed to help create a phishing-resistant user, according to Derek Hanson from Yubico.
In the closing keynote session, Hanson emphasized the need to remove phishing from the end-to-end risk profile of a user.
“The point being if I’ve given you a very secure method to sign in and I gave you a password on a sticky note to recover access, that’s going to be where the system falls down,” Hanson said. “We need to remove phishing from the end-to-end life cycle, that is how we can actually transform businesses and remove risk.”
Stay Connected and Stay Engaged!
Overall, Authenticate 2024 was a stellar event with 120 sessions and 150 speakers across the three-day conference.
Authenticate will be back October 13-16, 2025. Between now and then, the FIDO Alliance will be sharing lots of informative content and hosting educational events. Stay connected and sign up for Authenticate 2025 news here. See you next year!