Authenticate Events

Authenticate APAC Conference

FIDO Alliance Announces First Authenticate Conference for the Asia-Pacific Region

The industry’s premier event dedicated to digital identity and authentication expands globally with Authenticate APAC 2026 in Singapore

SINGAPORE, 02 December – The FIDO Alliance today announced the expansion of its flagship event series with the launch of Authenticate APAC 2026. This marks the first time the industry’s only conference dedicated to digital identity and phishing-resistant authentication will be held in the Asia-Pacific region. The inaugural event will take place on June 2 – 3, 2026, followed by a FIDO Member Plenary from June 4 – 5, 2026, at the Grand Hyatt in Singapore.

As organizations worldwide accelerate the shift from passwords to passkeys and begin to unlock the potential of verifiable digital credentials, Authenticate APAC will serve as a regional hub for education, collaboration, and innovation. The decision to bring Authenticate to the region builds on the success of the FIDO APAC Summit held over the last two years. It also reflects the region’s growing influence in the cybersecurity landscape, where recent momentum in government digital identity initiatives and widespread commercial passkey deployments are helping to drive the global standard for secure, user-friendly authentication.

“The FIDO Authenticate conference has become the defining event for the authentication community, and we are proud to extend this platform to the Asia-Pacific region,” said Andrew Shikiar, CEO of the FIDO Alliance. “There is tremendous innovation happening across APAC, and this event will provide a dedicated space for local and global leaders to collaborate and help build the future of a secure, user-friendly and interoperable internet.”

The Authenticate conference series delivers high-quality content with a highly engaged community of professionals committed to advancing passkeys, digital credentials and related technologies. It is designed to bring together CISOs, business leaders, product managers, security strategists, and identity architects to advance their knowledge of digital identity and shape the future of authentication. 

Call for Sponsors and Registration
The FIDO Alliance will offer a wide range of sponsorship opportunities designed to maximize brand exposure and reach target audiences. The 2026 Prospectus detailing sponsorship packages also launched today and is available here.

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate conferences have the right content, and community, for you. Registration for attendees will open later this year.

To stay up to date on speakers, sponsorship opportunities, and registration details, please visit the Authenticate APAC 2026 website, follow @FIDOAlliance on X, and sign up for the newsletter.

About Authenticate
Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations like passkeys.

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

Authenticate 2025 Conference

Authenticate 2025: Day 3 Recap

By: FIDO staff

The first two days of Authenticate 2025 delivered strong technical content, user insights and lots of thoughtful discussions.

The final day of Authenticate 2025 went a step further, taking attendees on a deep dive into important current and emerging authentication topics, including biometrics, agentic AI and verifiable credentials.

Passkeys and Verifiable Digital Credentials are Not Competitors

A key theme across multiple sessions at Authenticate 2025 was the growing need for, and development of, standards for Verifiable Digital Credentials.

In a session led by Christine Owen, Field CTO at 1Kosmos and Teresa Wu, Vice President, Smart Credentials & Access at IDEMIA Public Security, the roles of passkeys and verifiable digital credentials (VDCs) within the evolving landscape of secure digital identity were clarified.

They emphasized that passkeys and VDCs are not competing technologies. Instead, they are best used together to strengthen both authentication and identity verification processes. Passkeys offer privacy preservation and are resistant to phishing, while VDCs provide digital representations of identity attributes that can be selectively shared when needed.

Breaking Glass: Restoring Access After a Disaster

In a thought-provoking session, Dean H. Saxe, Principal Security Engineer, Identity & Access Management at Remitly, explored the challenges and importance of digital estate management, particularly in the context of disasters and emergencies. 

Saxe described how personal experiences and recent natural catastrophes highlight the necessity of preparing for sudden loss of access to digital assets.

A hands-on experiment conducted by Saxe tested how well a “break glass” process works when all personal devices are lost. The process included relying on physical identity documents and a safe deposit box to regain access to important accounts like 1Password, Apple iCloud, and Google services. Saxe faced unexpected obstacles, such as a missing credential and issues getting recovery codes, which illustrated the real-world difficulties of these situations.

The findings of Saxe’s experiment stressed the need for regular testing and updating of disaster preparedness plans.

“So the failure to test your backup strategy means that you do not have a valid backup strategy,” Saxe said.

From the Trenches: Passkeys at PayPal

PayPal is an early adopter of passkeys, with its initial motivation focused on reducing password reliance.

“It’s time to break free from the password prison,” Mahendar Madhavan, Director of Product, Identity at PayPal said.

PayPal launched passkeys in 2022, saw a surge in mid-2024, and now boasts more than 100 million enrolled users with a 96% login success rate. This surge has delivered results—phishing-related losses have dropped by nearly half compared to traditional password and OTP methods.

Mohit Ganotra, Identity PM Lead at PayPal explained that initial efforts zeroed in on user education and reducing friction during login. By optimizing the login experience and targeting enrollment prompts during checkouts and password recovery, PayPal now sees 300,000 incremental enrolments each month from checkout alone, plus 75,000 from automatic passkey upgrades.

“Passkeys is still a new technology, it needs to go through the adoption curve that every new technology has,” Madhavan said. “So you as a relying party need to nudge users, guide users, encourage users to adopt a passkey at various points in their journey and how you do it is, you hyper personalize the content for consumers and users, and you talk in their language.”

Safeguarding Enterprise Online Credentials Post Authentication

While passkeys solve authentication security, post-authentication remains vulnerable through bearer token theft and session hijacking. 

There are, however, numerous technical approaches that can help mitigate the risk, which were described in detail by An Ho, Software Solution Architect at IBM, and Shane Weeden, Senior Technical Staff Member at IBM.

The session introduced two complementary technologies designed to address this vulnerability. DPoP (Demonstrating Proof of Possession) extends OAuth 2.0 to create sender-constrained access and refresh tokens for API flows, while DBSC (Device-Bound Session Credentials) binds browser session cookies to specific devices. Both technologies use asymmetric cryptography to ensure that stolen credentials become unusable by attackers, as they require proof of possession of private keys that only the legitimate client or browser holds.
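
The sender-constraining idea behind DPoP, as an added example (not code from the session or from IBM): a minimal Node.js client and resource-server check following RFC 9449, showing that an access token presented without the bound private key is rejected. The function names, URL and token value are constructed assumptions; server nonces and jti expiry are left out.

```javascript
// Added example: DPoP proof creation and verification (RFC 9449), ES256 only.
const crypto = require("node:crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
const fail = (reason) => ({ ok: false, reason });

// RFC 7638 thumbprint of an EC public JWK: required members in lexicographic order.
function jwkThumbprint(jwk) {
  return b64u(sha256(JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y })));
}

// Client side: sign a proof for one HTTP request with a private key that never leaves the client.
function makeProof(privateKey, publicJwk, { htm, htu, accessToken, now }) {
  const header = { typ: "dpop+jwt", alg: "ES256", jwk: publicJwk };
  const payload = { jti: crypto.randomUUID(), htm, htu, iat: now, ath: b64u(sha256(accessToken)) };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const signature = crypto.sign("sha256", Buffer.from(signingInput), {
    key: privateKey,
    dsaEncoding: "ieee-p1363", // JWS carries raw r||s, not DER
  });
  return `${signingInput}.${b64u(signature)}`;
}

const seenJti = new Set(); // replay cache; a production cache would expire entries

// Resource-server side. boundJkt is the thumbprint recorded for the token at issuance
// (the cnf.jkt confirmation value); htu is assumed to be already normalized by the caller.
function verifyProof(proofJwt, { htm, htu, accessToken, boundJkt, now, maxAgeSec = 60 }) {
  const parts = String(proofJwt).split(".");
  if (parts.length !== 3) return fail("malformed proof");
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return fail("malformed proof");
  }
  if (!header || !payload) return fail("malformed proof");
  if (header.typ !== "dpop+jwt" || header.alg !== "ES256") return fail("unexpected typ or alg");

  const jwk = header.jwk;
  if (!jwk || jwk.kty !== "EC" || jwk.crv !== "P-256" || "d" in jwk) return fail("unacceptable jwk");
  let publicKey;
  try {
    publicKey = crypto.createPublicKey({ key: jwk, format: "jwk" });
  } catch {
    return fail("unacceptable jwk");
  }
  const signatureOk = crypto.verify(
    "sha256",
    Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: "ieee-p1363" },
    Buffer.from(parts[2], "base64url")
  );
  if (!signatureOk) return fail("bad signature");

  // The proof must match this request, be fresh, and cover this exact token.
  if (payload.htm !== htm || payload.htu !== htu) return fail("htm/htu mismatch");
  if (typeof payload.iat !== "number" || Math.abs(now - payload.iat) > maxAgeSec) return fail("stale proof");
  if (payload.ath !== b64u(sha256(accessToken))) return fail("ath mismatch");
  // The step that makes the token sender-constrained: the proof key must be the bound key.
  if (jwkThumbprint(jwk) !== boundJkt) return fail("key not bound to token");
  if (typeof payload.jti !== "string" || seenJti.has(payload.jti)) return fail("replayed jti");
  seenJti.add(payload.jti);
  return { ok: true, reason: "proof accepted" };
}

// Constructed scenario: the legitimate client, a replayed proof, and a party that
// holds the access token but not the client's private key.
function runScenario() {
  const client = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const other = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const clientJwk = client.publicKey.export({ format: "jwk" });
  const request = {
    htm: "GET",
    htu: "https://api.example.com/accounts", // constructed URL
    accessToken: "constructed-access-token",
    now: Math.floor(Date.now() / 1000),
  };
  const expected = { ...request, boundJkt: jwkThumbprint(clientJwk) };
  const proof = makeProof(client.privateKey, clientJwk, request);
  return {
    legitimate: verifyProof(proof, expected),
    replayedProof: verifyProof(proof, expected),
    tokenWithoutBoundKey: verifyProof(
      makeProof(other.privateKey, other.publicKey.export({ format: "jwk" }), request),
      expected
    ),
  };
}

console.log(runScenario());
```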

“We believe that you need to look at a holistic view of your sessions,” Weeden said. “You need to look at not just how clients and users log in, but also how to maintain a form of continuous authentication with the client or browser that is utilizing that session.”

From the Trenches: Improving Experience and Security at Databricks with Passkeys  

Meir Wahnon, Co Founder of Descope, explored how Databricks approached the challenges of unifying authentication and improving security across multiple cloud-based apps.

Databricks partnered with Wahnon’s company to figure out the best approach. The fragmented login experience had made it hard for users and the IAM team to manage access and maintain full visibility. Databricks tackled this by adopting a centralized identity provider and federation to ensure a more seamless single sign-on process. A major focus was the decision to add passkeys as an optional multi-factor authentication method. This choice was driven by Databricks’ commitment to balancing strong security for customers with a smooth, low-friction user experience.

The deployment of passkeys came with careful attention to user adoption and support. Databricks made passkeys optional to minimize disruption, and included easy rollback options if customer uptake became a challenge.

“The balance between user experience and security is always a question when you build a user journey,” Wahnon said.

From the Trenches: Alibaba’s Passkey Story

Alibaba is expanding its use of passkey authentication across business units including AliExpress and DingTalk. 

Preeti Ohri Khemani, Senior Director at Infineon Technologies, which works with Alibaba, explained that the main goal was to improve security and user experience by reducing dependence on traditional passwords and costly SMS one-time passwords. The rollout has led to faster, more convenient logins and a smoother registration process for users.

On AliExpress, the deployment of passkeys simplified the login flow and eliminated extra steps for users. This change resulted in a reported 94% increase in login success rates along with an 85% reduction in login times. Users no longer need to manage passwords or wait for verification codes, which also lowered operational costs and security risks.

DingTalk, Alibaba’s internal messaging platform with 28 million daily active users, has similarly benefited from passkey integration. Engineers at Alibaba focused on making passkey adoption easy by sharing clear coding samples, open-source libraries, and helpful tools.

Keynotes: The Path to Digital Trust

Ashish Jain, CTO of OneSpan used his keynote to explore the ongoing challenge of establishing trust in digital interactions. Jain traced the journey from physical trust in face-to-face transactions to today’s anonymous digital world.

Ashish outlined the tension between user experience and security. He cited how complex password policies and frequent multi-factor authentication can frustrate users, yet they are essential for protection. The discussion highlighted how the industry is coming closer to a practical solution through the adoption of passkeys.

 “In the physical world, trust is emotional,” Jain said. “In the digital world, trust is an architecture.”

Keynote: Biometrics Underpinning the Future of Digital Identity

Continuing on many of the same themes from Amlani’s keynote, Stephanie Schuckers, Director, Center for Identification Technology Research (CITeR), University of North Carolina – Charlotte, and Gordon Thomas, Sr. Director, Product Management, Qualcomm, provided more insights on the critical nature of biometrics.

Thomas noted that while face recognition remains popular, fingerprints offer enhanced privacy because they are less likely to be exposed online or through surveillance.

“It’s not really about proving who you are, but it’s about building and securing your digital identity layer by layer with trust every time you use it,” Thomas said.

Schuckers noted that there is a need for strong assurance levels in biometric technology on consumer devices. That’s where standards help ensure both user safety and usability. The FIDO Alliance’s programs test biometric systems for vulnerabilities such as deep fakes and injection attacks. These certifications are crucial for building trust in digital identity systems.

Keynote: Microsoft Details What’s Needed to Authenticate Agentic AI

Pamela Dingle, Director of Identity Standards, Microsoft led a session on the challenges and opportunities in authenticating AI agents within enterprises. 

She stressed the importance of understanding what an agent is and pointed out that simply asking “who authenticates the agent” is not enough. Dingle highlighted the complexity that arises from having many agents running in different domains, each with unique tasks and identifiers. Administrators often struggle to see the full chain of actions, which complicates decision making and resource management.

Dingle introduced the idea of using “blueprints” and “task masters” to authenticate not just the agent but also the context and source of its tasks. She emphasized that knowing only the identifier is not enough. The future will require richer, composite data about each agent’s purpose and origin.

“The agentic AI push gives us an opportunity to build the tools enterprises need to run better.”

Keynote Panel: Digital Wallets and Verifiable Credentials: Defining What’s Next 

Verifiable credentials were a hot topic at Authenticate 2025, and one that was tackled in the final keynote panel.

The panel included Teresa Wu, Vice President, Smart Credentials and Access at IDEMIA Public Security, Loffie Jordaan, Business Solutions Architect at AAMVA, Christopher Goh, International Advisor, Digital Identity & Verifiable Credentials at Valid8 and Lee Campbell, Identity and Authentication Lead, Android at Google.

The discussion began with an overview of the ecosystem, emphasizing the interaction between the wallet, issuer, and relying party. This “triangle of trust” serves as the cornerstone for secure digital credential use. Panelists stressed the need for privacy, interoperability, and certification as this shift accelerates, highlighting lessons learned and ongoing challenges like fragmentation across platforms.

FIDO Alliance’s growing focus on digital credentials was described as a catalyst for industry progress. “FIDO is getting involved in the digital credential space,” Campbell said. “FIDO does an exceptional job at execution.”

That’s a Wrap!

Wrapping up the Authenticate 2025 program, FIDO Alliance Executive Director Andrew Shikiar emphasized that the event continues to grow year by year.

For the 2025 event there were 150 sessions and 170 speakers. 

“Passkeys are driving measurable business outcomes,” Shikiar said. “One thing I thought was really cool this year about some of the presentations, it wasn’t just another ‘rah rah’ passkeys are great story, but also companies are coming back for their second time or third time, talking about progress and lessons learned and how they’re evolving, pivoting and growing.”

Speaking of growth, the Authenticate event is growing for 2026, with a new Authenticate APAC event set for June 2-3 in Singapore. Authenticate 2026 will be back in California at the same time next year.

Between now and then, the FIDO Alliance will be sharing lots of informative content and hosting educational events. Stay connected and sign up for updates.

Authenticate 2025 Conference

Authenticate 2025: Day 2 Recap

By: FIDO Staff

Following on the information-packed day one, day two of Authenticate 2025 continued the trend.

Over the course of the day, users from across different geographic areas and industry verticals detailed their experiences with passkeys. How passkeys fit into the payment ecosystem and their intersection with agentic AI were also hot topics across multiple sessions.

Keynotes: A Brief History of Strong Authentication

Christopher Harrell, Chief Technology Officer at Yubico, kicked off the morning keynote tracing the journey of authentication practices from basic shared secrets to the modern era. 

Harrell outlined how early systems based on shared secrets and memorized passwords often failed due to human error and simplicity. Multi-factor authentication was introduced to address these gaps by layering security, but still relied heavily on passwords or similar secrets. He noted that the evolution of the market to passkeys eliminates the vulnerabilities of shared secrets and reduces the chance of phishing, making access both safer and easier for users.

“Shared secrets were never meant for the internet, we need authentication that protects you without making you remember more,” Harrell said.

Keynotes: Passkey Adoption in the UK

The United Kingdom (UK) has taken a big leap into passkeys, embracing their usage at the national level.

Darren Hutton, Identity Advisor for NHS England and Pelin Demir, UX Designer for NHS Login, detailed the adoption path and success of passkeys in the UK. The presenters shared how NHS Login serves as a nation-level identity provider for healthcare access, reaching almost the entire adult population. They discussed the evolution from passwords and OTPs to introducing passkeys. The move aimed to improve both security and accessibility for all users.

Insights from their user research revealed that although over three million users adopted passkeys within months, there were challenges. These included inconsistent user interfaces, confusion around technical terms, and accessibility barriers for screen reader users. The team found that clear guidance and familiar wording were critical to increasing adoption.

“Passkeys, is a beautiful balance of technology that brings security and usability together to create a really good service,” Hutton said.

Leaders from the National Cyber Security Center (NCSC) in the UK detailed the strong imperative to move to passkeys, noting that the majority of cyber harm to UK citizens happened through abuse of legitimate credentials.

Keynote: Visa Details Payment Passkey Efforts

Ben Aquilino, VP, Global Head of Visa Payment Passkeys and Digital Identity at Visa, explored the evolution of digital payment security from the earliest days of online commerce to the present.

Aquilino used the history of Pizza Hut’s first online order in 1994 as a gateway to highlight how payment experiences have changed due to rising concerns over fraud, describing how simple early processes became more complex to counter increasingly sophisticated threats.

A significant portion of the session focused on the technological advancements used to combat payment fraud.

The session also covered Visa’s recent efforts to innovate further by launching Visa Payment Passkeys. This new approach leverages passkeys and biometrics for payment authentication, aiming to offer better protection along with a seamless user experience.

“Authentication doesn’t have to be a compromise between security and convenience; it can have both,” Aquilino said.

Keynote Panel: Quantifying Passkey Benefits from Early Adopters 

In a keynote panel session led by FIDO Alliance Executive Director Andrew Shikiar, industry leaders from PayPal, NTT DOCOMO and Liminal explored the ongoing shift in the authentication landscape.

Koichi Moriyama, Chief Security Architect at NTT DOCOMO and Rakan Khalid, Head of Product, Identity at PayPal, recounted the journey from initial pilots to broader adoption, detailing technical evolution and lessons learned. Khalid emphasized the impact of evolving authentication standards on customer experience, while Moriyama described Docomo’s commitment to ecosystem-wide security improvements.

A recurring message throughout was the proven effectiveness and industry momentum behind passkey authentication. Survey data from Liminal revealed that most decision-makers now rank passkeys as their top priority for authentication investments. 

“The big surprise in the survey was that passkeys really have moved from pilot to priority,” Filip Verley, Chief Innovation Officer at Liminal said. “We’re seeing huge adoption and nearly every adopter is very satisfied.”

Both PayPal and Docomo shared that organizational and customer metrics improved after moving away from passwords, including increased sign-in success and reduced account takeovers.

“When customers use passkey, we see about a 10-point increase in sign-in success rate over a traditional multi factor authentication,” Khalid said.

From the Trenches: Shipping Passkeys for Hundreds of Millions of users at TikTok

TikTok’s session offered a comprehensive look at its journey to implement passkeys as a login method for hundreds of millions of users. 

The team faced the challenge of introducing passkeys in a way that would not disrupt the user experience. TikTok chose to promote passkeys through a campaign on user profile pages, leading to high engagement rates and a marked increase in adoption. Most users who set up passkeys did so thanks to the visibility and education presented within the app.

Passkey login was not only made the default for users who had enabled it, but TikTok also streamlined the signup process. 

“Overall, it has been a great journey with Passkeys and TikTok,” Yingran Xu, Software Engineer at TikTok said. “Passkey remains one of the authentication methods with the highest success rate and fastest login experience.”

From the Trenches: Lessons Learned from Roblox’s Passkey Deployment

Roblox’s effort to deploy passkeys across its platform is a response to the complex security needs of a massive and diverse user base. 

With more than half of Roblox users under 13, the challenge was to design an authentication system that is easy for children while still robust enough for professionals handling accounts with significant financial stakes. The team aimed to make access secure and simple without passwords, reducing both user frustration and customer support issues tied to account recovery.

Through a phased rollout that began with passkeys in user settings and later added passkey options during account sign-up, Roblox has shown measurable progress. Eighteen percent of active users have adopted passkeys, which led to greater engagement and higher login success rates. Experiments with the user interface revealed that highlighting passkeys at pivotal moments, such as account recovery, can drive adoption as long as users are guided clearly and are not forced through abrupt changes.

Ongoing improvements focus on making passkeys easier to use and more accessible, especially as many Roblox players move between multiple device types. An adaptive login flow led to more passkey logins and fewer users defaulting to traditional passwords. There are also new protections for top game creators, who are frequent phishing targets, ensuring only secure login methods are available for valuable accounts.

“Our vision is that all Roblox users should have secure and accessible accounts without passwords, powered by passkeys,” Yuki Bian, Product Manager at Roblox said.

From the Trenches: Using Windows Hello to Enable Passkeys for SSO

Single Sign-On (SSO) is a common approach enabling users in enterprise environments to use a single credential to get access to multiple applications.

In a deep dive session, Amandeep Nagra, Sr. Director, Identity and Access Management at CrowdStrike, detailed how Windows Hello for Business was implemented as a passkey solution for seamless Single Sign-On across enterprise devices. By turning device logins into trusted passkeys, users no longer needed to remember passwords or manage separate app authentications.

The solution involves generating a device-level PRT token using Windows Hello for Business PINs, which enables SSO across various apps. The project saved 78,000 hours of work annually, 

“We turned the device login into your passkey—one sign-in, access to everything,” Nagra said.

From the Trenches: Modernizing Authentication with True Passwordless at Docusign

DocuSign is a leading provider of electronic agreement solutions that help individuals and businesses sign documents and manage contracts online. Security and identity verification are critical to its platform, as users rely on DocuSign to complete transactions that often involve sensitive or high-value documents, such as home purchases, business contracts, and legal agreements.

To meet rising threats and user demand for easier, safer access, DocuSign is working to make passwordless authentication the default experience.

The company’s authentication team has introduced passkeys, enabled biometrics, and streamlined account recovery methods. Their goal is to give users secure, reliable, and effortless ways to verify identity, whether that’s logging in to review paperwork or using a mobile device to approve a high-stakes deal.

Yuheng Huang, Engineering Manager at Docusign noted that the login success rate for passkeys on DocuSign is 99%. In contrast, the password login success rate is only 76%.

Going beyond just authentication, Dina Zheng, Product Manager at Docusign, explained that DocuSign is using a passkey with the company’s identity wallet.

“By combining capabilities with identity wallet, we’ve created a fully frictionless experience, secure enough for identity verification, yet simple enough that users barely notice the authentication step at all,” Zheng said. “This is a perfect example of how passkeys can go beyond just authentication. They’re becoming an enabler of trusted high assurance workflows across Docusign.”

Panel: Industry Perspectives on Securing Agent-Based Authentication

With the emergence of agentic AI, there are new concerns and challenges about how to secure and authenticate agents.

A panel moderated by Eran Haggiag, CEO at Glide Identity, discussed the challenges of trust and security in agent-based authentication. The panelists were Lee Campbell, Identity and Authentication Lead, Android at Google; Rakan Khalid, Head of Product, Identity at PayPal; and Reid Erickson, Product Management, Network API at T-Mobile.

Key points included the need for phishing-resistant authentication methods like passkeys and verifiable credentials to ensure user intent and prevent fraud. The discussion highlighted the importance of standardization, context-aware authentication, and human-in-the-loop verification to mitigate risks. 

“There’s lots of work going on, lots of companies are involved, lots of standards bodies involved with every single standards body out there today having some agentic group,” Campbell said. “Everybody’s talking about it, and one of the challenges is getting everyone and all the right players in the same room to have these conversations. And I think FIDO is actually quite a good place to do this.”

The Big Finale is Coming on Day 3!

While the first two days of Authenticate 2025 were stacked top to bottom with insightful sessions, Day 3 will deliver even more content.

With even more user stories coming, plus discussion of verifiable digital credentials and digital trust, Day 3 will not disappoint.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.

Authenticate 2025 Conference

Authenticate 2025: Day 1 Recap

By FIDO staff

Authenticate 2025, the FIDO Alliance’s flagship conference, kicked off day one on strong footing as passkey adoption continues to grow.

The first day of Authenticate 2025 was loaded with insightful user stories, sessions on how to improve passkey adoption and technical sessions about the latest innovations.

Mastercard: Reimagining Online Checkout with Passkeys

Mastercard presented their ambitious vision to bring contactless payment-level security and convenience to online transactions through passkeys. The company is tackling three major e-commerce pain points: fraud from insecure authentication methods, cart abandonment and false declines of legitimate transactions. 

“There is no secret for this audience that one-time passwords are largely insecure and subject to phishing attacks,” Jonathan Grossar, Vice President of Product Management at Mastercard said. “So this is one big problem that we’re trying to address.”

Mastercard’s approach includes linking passkeys to payment card identities through bank KYC verification, adding device binding layers to meet regulatory requirements like PSD2, and ensuring banks retain control over authentication decisions even when Mastercard acts as the relying party on their behalf.

“When you have a passkey, that’s very easy, you can use it right away, and we see the conversion is just fantastic,” Grossar said.

Passkey Mythbusters: Short Takes on Common Misunderstandings

As a relatively new technology, passkeys are still the subject of a good deal of misunderstanding.

In an engaging session led by Nishant Kaushik, CTO of the FIDO Alliance, Matthew Miller, Technical Lead at Cisco Duo and Tim Cappalli, Sr. Architect, Identity Standards at Okta debunked several key misconceptions about passkeys including:

Misconception #1. Passkeys are stored in the cloud in the clear: The session clarified that passkeys are not stored in plain text. Reputable credential managers use strong end-to-end encryption, so even when passkeys are synced through the cloud, service providers cannot access the actual keys.

Misconception #2. Passkeys lock users into specific vendor ecosystems: The panel explained that new standards like the credential exchange protocol (CXP) and credential exchange format (CXF) enable secure transfer of passkeys between managers. 

Misconception #3. Phishing resistance depends solely on the relying party ID: Presenters emphasized that true phishing resistance comes from verifying the origin of authentication requests, not just matching the relying party ID. Proper server-side origin checks are essential for security.

Misconception #4. Cross-device passkey use enables remote attacks: The panel showed that cross-device authentication relies on proximity checks like Bluetooth, which prevent attackers from authenticating remotely even if they possess a QR code.

Misconception #5. Passkeys are not suitable for enterprise use: The panel highlighted that managed credential managers can offer strong policy control and high assurance for workforce applications, and that flexible management models fit both personal and enterprise contexts.

Misconception #6. Device management is always required for secure workforce passkeys: It was clarified that organizations can provide managed credential managers that enforce policies without requiring complete device management, allowing for greater flexibility.

Misconception #7. Passkeys cannot be used in mixed cloud and on-prem environments: The discussion explained that the right identity provider solutions and federation strategies can enable passkeys across a variety of application types.
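
The server-side origin check from Misconception #3, as an added example (not code from the session or from any FIDO library): a Node.js relying-party routine that validates the origin in clientDataJSON against an allow-list in addition to the rpIdHash in authenticatorData. RP_ID, ALLOWED_ORIGINS, the function names and all sample values are constructed assumptions, and signature verification over the assertion is a separate step not shown here.

```javascript
// Added example: context checks a relying party runs on a WebAuthn assertion
// before verifying its signature.
const crypto = require("node:crypto");

// Assumed relying-party configuration (constructed values).
const RP_ID = "example.com";
const ALLOWED_ORIGINS = new Set(["https://login.example.com"]);

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
const reject = (reason) => ({ ok: false, reason });

function safeEqual(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

function checkAssertionContext({ clientDataJSON, authenticatorData, expectedChallenge }) {
  let clientData;
  try {
    clientData = JSON.parse(clientDataJSON.toString("utf8"));
  } catch {
    return reject("clientDataJSON is not valid JSON");
  }
  if (clientData === null || typeof clientData !== "object") {
    return reject("clientDataJSON is not an object");
  }
  if (clientData.type !== "webauthn.get") return reject("wrong ceremony type");

  // The challenge must be the one this server issued for this session.
  const challenge = Buffer.from(String(clientData.challenge), "base64url");
  if (!safeEqual(challenge, expectedChallenge)) return reject("challenge mismatch");

  // Exact match against the allow-list. The RP ID is a domain suffix, so any
  // subdomain can produce a matching rpIdHash; only this check pins the page.
  if (!ALLOWED_ORIGINS.has(clientData.origin)) return reject("origin not allowed");
  // Policy assumption for this example: the sign-in page is never embedded cross-origin.
  if (clientData.crossOrigin === true) return reject("cross-origin embedding not allowed");

  // authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
  if (authenticatorData.length < 37) return reject("authenticatorData too short");
  if (!safeEqual(authenticatorData.subarray(0, 32), sha256(RP_ID))) return reject("rpIdHash mismatch");
  if ((authenticatorData[32] & 0x01) === 0) return reject("user presence flag not set");

  return { ok: true, reason: "context checks passed" };
}

// Builds a constructed assertion context for the given page origin.
function buildSample(origin, challenge) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({
      type: "webauthn.get",
      challenge: challenge.toString("base64url"),
      origin,
      crossOrigin: false,
    })
  );
  const authenticatorData = Buffer.concat([
    sha256(RP_ID), // rpIdHash is identical for every origin under the RP ID
    Buffer.from([0x05]), // flags: user present + user verified
    Buffer.from([0, 0, 0, 1]), // signCount
  ]);
  return { clientDataJSON, authenticatorData, expectedChallenge: challenge };
}

const sampleChallenge = crypto.randomBytes(32);
console.log(checkAssertionContext(buildSample("https://login.example.com", sampleChallenge)));
// Same RP ID hash, different page: a server checking only rpIdHash would accept this one.
console.log(checkAssertionContext(buildSample("https://user-content.example.com", sampleChallenge)));
```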

What’s New in FIDO2: The New Features in WebAuthn and CTAP

There’s a lot going on with the underlying FIDO standards.

In his session, Nick Steele, Identity Architect at 1Password detailed the latest FIDO2, CTAP2.2 and WebAuthn updates. Steele explained how these new standards offer easier adoption, better security, and a smoother user experience for both enterprises and individuals.

Key technical improvements:

  • Hybrid transport for flexible authenticator connections
  • Signals API for better credential management
  • Conditional passkey enrollment and improved autofill UI
  • Stronger encryption and HMAC secret extension
  • Broader support for smart cards and related origins

“We really want to increase the risk signalling and the trust that enterprises can get in a single go from a passkey,” Steele said.

Credential Exchange in the Wild

One of the key misconceptions about passkeys is that they lock users into a particular platform. 

Among the reasons why that’s not accurate is the Credential Exchange format effort which was detailed in a session led by Rene Leveille, Sr. Security Developer at 1Password.

Leveille explained how the credential exchange format is designed to help password managers understand and transfer numerous credential types, making it easier for users to migrate securely between different services. He highlighted how this format, paired with a secure protocol, is the foundation for cross-platform compatibility.

Leveille outlined recent progress, including the move from early drafts to a proposed industry standard in August 2025. He discussed how both Apple and Android platforms have introduced APIs that are paving the way for seamless transfers between apps. 

Emphasizing the importance of this work, Leveille stated, “It is an extremely easy way to migrate from one credential manager to another and it is secure.”

From the Trenches: eBay

Among the earliest adopters of passkeys is eBay, which has a long history with FIDO specifications.

Ilangovan Vairakkalai, Senior Member Technical Staff at eBay detailed his organization’s journey and how it has managed to increase adoption.

“Every percentage point we gain in Passkey adoption is another user freed from password frustration,” Vairakkalai said.

Passkey adoption among mobile and native app users has climbed to an impressive 55% to 60%, reflecting how intuitive, nearly invisible authentication is a win for users. Desktop adoption, while more modest at around 20%, is steadily rising as eBay continues to innovate and collaborate with browser and device makers. 

From the Trenches: Uber

Reducing user friction is a primary reason why Uber has embraced passkeys.

Ryan O’Laughlin, Senior Software Engineer at Uber Technologies detailed his organization’s journey to deploy passkeys as a secure and user-friendly login option across its global consumer platform. 

While there was some quick success, there were also some early challenges. Despite passkeys offering faster and more secure logins compared to passwords, many users continued using traditional sign-in methods, raising concerns about adoption and the prevalence of phishing risks.

To address these challenges, Uber introduced usability improvements such as clearer entry points for passkey login and proactive prompts encouraging registration. Experiments showed that enrolling users right after account sign-up or login led to a marked increase in adoption.

The company also piloted features like selfie-based account recovery, aiming for secure, phishing-resistant options as part of its broader vision for a passwordless future.

“Passwords just don’t really work for our platform. People forget them,” O’Laughlin said. “There is a very realistic future where we don’t have password passwords at all.”

From the Trenches: BankID

In Norway, the BankID system has been around for over two decades, providing a uniform authentication system for the country’s citizens.

Heikki Henriksen, Technology Partnership Manager, Stø AS (BankID BankAxept in Norway) explained that the BankID system started off with hardware devices but in recent years has made a move to mobile, software based approaches.

BankID began moving to passkeys after most users had adopted the BankID app. The transition away from SMS-based authentication finished in 2023. Passkeys were introduced quietly—users were not told about the technical change but were moved to the stronger, phishing-resistant credentials through regular app updates.

“We never bothered talking about passkeys, we got over half of the Norwegian population to use passkeys without ever using the term passkey,” Henriksen said. “People don’t know what passkeys are. They don’t need to understand it either. So they just use Bank ID and for us technical people we know that passkeys are running the tech behind it.”

Keynotes: FIDO Alliance Details the Path Forward

A highlight of every Authenticate event is the keynote address from Andrew Shikiar, Executive Director of the FIDO Alliance.

As part of his Day One keynote, Shikiar detailed the past, present and future of the organization he leads and the standards it develops.

“Our internal estimates point to over 3 billion passkeys securing consumer accounts – actual passkeys in use,” he said. “That’s a massive number, 3 billion in less than three years time.”

Shikiar also revealed new data from a new report, the Passkey Index, which aims to help quantify the impact of the technology. Among the standout figures:

  • An average 93% sign-in success rate using passkeys, which is more than double that achieved with other methods.
  • A 73% decrease in login time when using passkeys.
  • Up to an 81% reduction in login-related Help Desk incidents reported by some organizations.

No technology conversation in 2025 is complete without mention of AI and Shikiar didn’t disappoint. He noted that the FIDO Alliance is actively addressing agentic AI by launching targeted initiatives including the creation of a subgroup focused on agentic commerce, aiming to ensure secure authentication for human-authorized agents.

“We spent the past dozen years or so contemplating how to prevent bots from authenticating, and now we have to figure out how to enable them to authenticate,” he said.

Looking ahead, the need to eliminate knowledge-based recovery methods and improve user experience was stressed. Shikiar also talked about emerging efforts for digital credentialing, with FIDO Alliance developing foundational standards and certification programs to advance the digitization of identity documents and secure mobile credentials.

“We will create foundational specifications that are applicable to the market, building from CTAP to create a new protocol for cross device credential presentation, we’ll focus on enablement and usability,” Shikiar said.

Keynotes: Google Securing the Future of Account Management

Google’s Authenticate 2025 keynote focused on how account security and user experience are improving with the adoption of passkeys. 

With more than a billion users now signed into Google services using passkeys, it is clear these solutions are quickly moving into the mainstream. Chirag Desai, Product Manager at Google emphasized that passkeys make the sign-in process faster and easier for users and provide new opportunities for businesses looking to enhance safety and streamline account access.

“Just as the world moved from horses and carriages to cars and now even self-driving cars, we as an industry need to help our customers do the same thing,” Desai said. “We need to help make that transition from passwords to passkeys, with minimal friction.”

Beyond just passkeys for authentication, Rohey Livne, Group Product Manager at Google, addressed the critical role of digital credentials for account creation and recovery. These digital, device-bound documents offer stronger protection than emails or SMS, enabling selective disclosure and simplifying verification. They allow organizations to move beyond fragile legacy methods and create a fully secured account lifecycle.

“We’re not really solving account creation and account recovery with passkeys,” Livne said. “And so we are essentially trying to look at how the entire account lifecycle could be aided with digital credentials.”

Keynotes: Apple Details How to Get the Most Out of Passkeys

Apple is all in on passkeys. 

“Simply put, the world would be a better place if the default credential, the one that we all reached for first, was a passkey instead of a password,” Ricky Mondello, Principal Software Engineer at Apple said.

Mondello detailed multiple approaches that Apple is using to accelerate passkey adoption including:

  • Account Creation API (iOS/Mac apps): Pre-fills user information (name, email/phone) to create new accounts with passkeys in one step, avoiding passwords entirely from the start.
  • Automatic Passkey Upgrades: Seamlessly adds passkeys to existing password-based accounts without showing upsell screens when users sign in with their password manager. Already supported on Apple platforms and Chrome desktop.
  • Prefer Immediately Available Credentials: Shows users their saved credentials (passwords or passkeys) when opening an app, eliminating the “which button do I press?” problem.

The most provocative message centered on security. Mondello argued that simply adding passkeys alongside passwords doesn’t deliver true phishing resistance. Organizations must plan to drop passwords entirely for accounts with passkeys.

“The hard truth is that to actually deliver the phishing resistance benefit to any given account, all phishable methods of signing in or recovering it need to be eliminated or otherwise mitigated,” Mondello said.

Get Ready for Day 2!

Day 2 will have even more great content across multiple tracks, with no shortage of user stories. Look for user stories from TikTok, Roblox, Microsoft, Docusign and many others, alongside technical insights for implementation.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 2 and 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.

Authenticate 2025 Conference

FIDO Alliance Releases Authenticate 2025 Agenda

  • FIDO Alliance’s flagship event features an expanded agenda to deliver practical strategies for implementing usable, phishing-resistant security across the entire account lifecycle. 
  • Super Early Bird discounts are available through June 20.

Carlsbad, Calif., June 18, 2025 – The FIDO Alliance has announced the agenda for Authenticate 2025, the only industry conference dedicated to digital identity and authentication with a focus on phishing-resistant sign-ins with passkeys. The event will take place October 13–15, 2025 at the Omni La Costa Resort and Spa in Carlsbad, Calif., with options for virtual participation available.

The focus of the program for the Authenticate 2025 conference is achieving phishing-resistant authentication with passkeys and the adjacent considerations required to achieve end-to-end account security with usability in mind.

Visit https://authenticatecon.com/event/authenticate-2025/ to view the full session guide and register ahead of the June 20th Super Early Bird deadline.

Authenticate is built for CISOs, security strategists, enterprise architects, product leaders, UX professionals, and anyone engaged in the identity lifecycle from strategy to implementation. Attendees will gain practical knowledge around deploying phishing-resistant authentication at scale, designing secure user experiences, understanding complementary technologies, and navigating policy and compliance requirements. 

This year’s event will showcase keynotes and sessions led by top executives and industry leaders at the forefront of the passwordless movement. The agenda for 2025 has been revamped to include: longer track sessions for more in-depth presentations, an increased focus on masterclasses for actionable synced and device-bound passkey implementation best practices, and a new solutions theater track to showcase live demonstrations of the latest identity and authentication solutions. This year’s agenda also features more opportunities for networking and exploration of the interactive expo hall to foster collaboration and idea sharing.

With four dynamic stages across four curated content tracks, Authenticate 2025 will offer sessions on:

  • Account onboarding
  • Remote identity verification and proofing
  • Authorization
  • Biometrics
  • Session security
  • Device onboarding and authentication
  • Cybersecurity/fraud threats and detection
  • Digital identity/digital wallets
  • The future of digital identity and authentication

Sponsorship Opportunities Available
Authenticate 2025 offers unique sponsorship opportunities for companies to showcase solutions to an engaged, decision-making audience. With limited availability remaining, prospective sponsors can learn more and apply at https://authenticatecon.com/sponsors/ or contact [email protected]. 

About Authenticate 

Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication. The 2025 conference will take place from October 13-15 at the Omni La Costa Resort & Spa in Carlsbad, California, and will be co-located with the FIDO Alliance member plenary sessions, which run through October 16. 

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys. Signature sponsors for Authenticate 2025 are Google, Microsoft, Visa, and Yubico.

To learn more and register, visit https://authenticatecon.com/event/authenticate-2025/, and follow @AuthenticateCon on X. Register now and get the super early bird discount through June 20, 2025.

Authenticate 2024 Conference

Authenticate 2024: Day 3 Recap

By: FIDO staff

The third and final day of Authenticate 2024 was another jam-packed bonanza of content and insights. If you missed Day 1, check out the recap here. The recap for Day 2 is here.

Multiple users came up on the stage to detail how passkeys have made a difference in consumer, enterprise, and government use cases, and what lessons have been learned. There was also a “Passkeys for Payments” track, where speakers from Visa and Mastercard detailed the challenges and opportunities in the space. Digital identity was another core theme of the day with multiple sessions and a final keynote panel.

Among the many users that spoke was Elizabeth Beasley, Senior Content Designer at Intuit. She shared insights on implementing passkeys, emphasizing the importance of organization and user testing. 

User Experience (UX) really matters too, and to that end, Beasley stressed the value and importance of the FIDO UX Working Group and the passkeys design guidelines that it has produced. 

“When you go to passkeycentral.org, you can see the stuff that this group has helped create, and we’re going to keep creating more,” Beasley said. 

How Swiss Marketplace Group (SMG) is Embracing Passkeys

Swiss Marketplace Group (SMG) is a group of marketplaces based in Switzerland. SMG is implementing and rolling out passwordless authentication for its workforce to reduce risk and improve security as well as user experience.

Mikel Grabocka, Security Architect, Identity and Trust at SMG Swiss Marketplace Group AG, explained that the passkey rollout is happening across the company’s users. The target state is to have passwordless alongside managed devices across the entire company.

The initial rollout has been very strong, with 30% of eligible users adopting passwordless within the first month of it being available. He noted that the key focus for the deployment is taking a gradual, well-documented, and iterative approach, with a strong emphasis on user awareness and adoption. SMG plans to have 100% of its employees passwordless by the end of the year.

Bringing Passkeys to DocuSign 

DocuSign, one of the world’s leading e-signature providers, is also adopting passkeys.

“Safety and trust is the foundation of everything that we do,” Sarah Zou, lead product manager at DocuSign said. “That’s why we decided to invest in passkey. We wanted to make sure the first step of getting users into the signing ceremony, they feel welcome with a seamless protected experience, knowing that they’re using the most innovative new industry standard – passkey.”

DocuSign has also implemented passkey as a service, allowing the company to leverage it beyond just the login flow. DocuSign is using passkey to unlock other use cases, such as the DocuSign ID Wallet in the European market. The ID Wallet allows users to create, manage, and store their digital identity, which can then be used for identity verification before signing documents. Passkey is used to secure access to the ID Wallet.

The Intersection of Passkey and Payments

The intersection of passkey and secure payment was a topic of discussion across multiple sessions on day 3 of Authenticate 2024.

Among the foundational specifications in payments today is EMV-3D Secure. In a session, Henna Kapur, Director, Product Management at Visa, highlighted the potential for FIDO passkey adoption in financial services through an integration with EMV-3D Secure.

Jonathan Grossar, Vice President, Product Management at Mastercard, provided insight into how the Secure Payment Confirmation (SPC) specification will help improve payment security.

“SPC implements passkeys – but with additional security and better user experience,” Grossar said.

The enhancements that SPC provides include:

  • Cross-origin authentication – It provides the ability for merchants to invoke payment passkeys for authentication without the need to redirect to the Relying Party (Bank or Payment network).
  • Dynamic linking – Transaction amount and merchant identifier are approved by the consumer and included in the FIDO passkey assertion.

The final keynotes also included a panel on payments, where the importance of the intersection between passkeys and payment security was reiterated.

“One of the things that is pervasive in both areas are the terms trust and managing risk,” Sean Estrada, Head of Industry Advocacy at Stripe said. “So I think that is really fundamental to a well-functioning ecosystem, and I think passkeys have a very useful position in there.”

Passkeys are Good, Now Prove Your Identity

Identity security was another hot topic on the final day of Authenticate 2024.

In a session, Abbie Barbir from the ADIA Association and Rolf Lindemann, VP Products at Nok Nok discussed the concept of Reusable Identity, also sometimes referred to as Decentralized Identity.

While passkeys provide strong authentication for access, the question that can sometimes remain is whether the passkey holder is in fact the rightful holder of the passkey. That’s where reusable identity plays a crucial role.

Reusable identity is a standard-based credential that can be attested and verified to enable interoperability. It allows users to prove their identity without having to repeatedly go through identity-proofing processes, reducing friction and over-sharing of personal data. Lindemann explained that it is enabled by decentralized identifiers (DIDs) that are unique, can be bound to a user’s devices and allow for key rotation if compromised.

Identity and the concept of a digital wallet for identity was the topic of one of the final keynote panels as well. Key points included the lack of a standardized definition for wallets, with opinions ranging from government-issued identity systems to cryptographic containers for verified attributes. 

The conversation highlighted the importance of trust, security, and interoperability, noting the challenges of market-driven standards and the need for global perspectives. Despite these challenges, the panelists agreed on the potential benefits of wallets for convenience and control, emphasizing the need for ethical and inclusive development.

Toward a Phishing Resistant User

Passkeys offer the promise of phishing-resistant authentication. While that’s extremely helpful in reducing risk, there is still more that’s needed to help create a phishing-resistant user, according to Derek Hanson from Yubico.

In the closing keynote session, Hanson emphasized the need to remove phishing from the end-to-end risk profile of a user.

“The point being if I’ve given you a very secure method to sign in and I gave you a password on a sticky note to recover access, that’s going to be where the system falls down,” Hanson said. “We need to remove phishing from the end-to-end life cycle, that is how we can actually transform businesses and remove risk.”

Stay Connected and Stay Engaged!

Overall, Authenticate 2024 was a stellar event with 120 sessions and 150 speakers across the three-day conference.

Authenticate will be back October 13-16, 2025. Between now and then, the FIDO Alliance will be sharing lots of informative content and hosting educational events. Stay connected and sign up for Authenticate 2025 news here. See you next year!

Authenticate 2024 Conference

Authenticate 2024 – Day 2 Recap

By: FIDO staff

The second day of Authenticate 2024 continued with a packed schedule of sessions and speakers. If you missed Day 1, check out the recap here.

The day kicked off with a series of insightful keynotes from some of the biggest players in the passkey ecosystem that provided attendees with insights into how to achieve success with passkeys.

Chris Anderson, Product CTO at Cisco, started the day off by reminding everyone of the stark reality of the current cybersecurity landscape. He said that 80% of breaches leverage identity as a key component. As to why identity continues to be the root cause of breaches, Anderson noted limited visibility, gaps in protection, and an overall frustrating user experience continue to pose critical challenges in workforce authentication.

That situation is improving and will continue to get better, thanks to the continued deployment, adoption and evolution of passkeys. More specifically, Matthew Miller, Technical Lead at Cisco, detailed a number of new innovations that will make passkey adoption and deployment easier than ever before.

The innovations include:

Device Bound Session Credentials (DBSC) – Miller explained that DBSC will be a way to essentially mark and protect a cookie, using a device-bound key pair, so that if an attacker were to compromise an endpoint and get that session token, it would be useless on their machine.

Shared Signals Framework (SSF) – Miller explained that with SSF there is a common way for services to talk to each other and publish security events, and when they receive those events, they can do something like logging out a user if the user is in a compromised state of some kind.

Verifiable Credentials – User onboarding can potentially be a source of friction in passkey deployments. Miller explained that Verifiable Credentials, simply put, are cryptographically verifiable documents that are issued by a trusted authority. Those credentials can then be used to help accelerate an onboarding flow.

How Sony PlayStation Went Passwordless

Sony PlayStation is all gaming, but when it comes to handling passwords, that’s a game that Sony just didn’t want to play. Instead, the company has embarked on a passwordless journey, with passkeys being front and center.

“Our users care about playing the game,” Sam Champeau, Product Manager at Sony Interactive Entertainment (PlayStation) said. “They care about accessing our services, and just getting straight into what they want to do. They don’t want to hassle with extra steps on sign in.”

Champeau detailed the core principles that his team embraced for the successful deployment of passkeys. They include making sure that synced passkeys are available to all users and all types of sign-ins. Sony PlayStation began introducing passkeys both as part of new account setup and when users went through an account recovery process. The result was an 88% completion rate from users who started passkey activation. The impact was a 24% reduction in web sign-in time using passkeys.

“You can do it too, maximize the results from your passkey deployment,” Champeau said. “Minimize those risks with proper setup and testing. Full password replacement is a reasonable expectation, even for a launch.”

Google Lays Out Path for Passkey Adoption

Google has an ambitious goal of passkey ubiquity. It’s a goal that John Gronberg at Google outlined during his Authenticate 2024 keynote.

“As of today, we have over two and a half billion sign-ins with 800 million accounts using passkeys on our Google consumer platform,” Gronberg said.

While those are big numbers, there is still more work to be done. To that end, Google has introduced multiple new capabilities so far in 2024 including:

  • Adding passkeys for enrollment into Google’s Advanced Protection Program. This led to a significant increase in enrolment in the program, with tens of thousands to hundreds of thousands of new users adopting it.
  • Rolling out passkey autofill, which turns passkey into a one-step sign-in process where Google can fill out the username and passkey to authenticate the user. This has led to a significant acceleration in passkey adoption across Google’s user base.

A Prime example of Passkey Success: Amazon

In his keynote, Abhinav Mehta, Senior Product Manager – Technical at Amazon, shared the company’s journey to reaching 175 million passkey users worldwide. 

Mehta outlined the initial launch in September 2023, where Amazon aimed to enable 50% of its customers to use passkeys. The passkey launch resulted in customers signing in six times faster and more securely than before, and by October 2023, passkeys were rolled out to all eligible customers worldwide. 

Mehta explained that Amazon has set an ambitious target to eliminate passwords entirely.

“With the initial success of passkeys, we knew that it’s no longer just a promising technology, but the future of authentication,” he said. “So we set an ambitious target for 100% and a complete elimination of passwords.”

Amazon has adopted a strategic approach, targeting innovators and early adopters first, followed by the early majority. Mehta outlined the key lessons learned which include:

  • Bring passkeys to the customer rather than expecting them to seek out the enrollment settings.
  • Emphasize the convenience of passkeys as customers respond better to this than security-focused messaging.
  • Recognize and address the platform-specific differences in adoption with desktop users requiring more effort reduction compared to mobile users.
  • Actively help customers switch to passkeys by reducing the perceived effort, such as through auto-clicking or making passkeys the default sign-in method.

Come Together Now with the Digital Identity Advancement Foundation (DIAF)

Rounding out the morning keynotes, Arynn Crow, Sr. Manager, AWS User Authentication Products, and Director of Governance and Transparency at the Digital Identity Advancement Foundation (DIAF), discussed the organization’s efforts to build a more inclusive community in the digital identity industry.

“The central thing that brings us together, and the foundation of our bond, is the desire to realize a better, safer internet,” Crow said. 

That said, she acknowledged challenges in integrating new members and ensuring diverse representation. To address these issues, DIAF has launched award programs to provide financial support for newcomers and tenured professionals to attend industry events. Crow said the organization aims to further expand its reach, particularly in underrepresented regions, and improve gender diversity in its program.

Passkey Account Recovery Considerations

A common concern with user accounts is the issue of account recovery.

In a morning session, Kelley Robinson, Developer Advocate, Identity & Authentication at Twilio, detailed multiple approaches that organizations can use today for account recovery. While it’s a common practice to fall back on insecure options for account recovery, Robinson says there are better options.

“The biggest thing that you can do, if you take away nothing else in terms of your authentication recommendations for fallback options is you always want to register more authentication methods than you need for everyday login,” Robinson said. “Whether you’re using passkeys or not, you need to register at least three methods if you’re requiring two-step verification, ideally even more than that and you can also encourage users to register multiple passkeys.”

Federal Reserve and CISA Detail Risks and Opportunities

No Authenticate event would be complete without a government track. After all, among the biggest users of strong authentication is the U.S. government.

In his session, Chris Schnieper, Director, Secure Payments at the U.S. Federal Reserve, underscored the dynamic nature of scams and the ongoing collaborative efforts to enhance detection and prevention. He highlighted the importance of leveraging a broader set of signals, such as device and behavioral data, to quickly detect and mitigate scams.

“We certainly encourage any type of innovation or investment into different technologies that are going to be better for consumers, better for costs and reduce fraud,” Schnieper said.

Grant Dasher, Architecture Branch Chief at CISA, used his session to detail how to apply the concepts of safety engineering to authentication. Dasher emphatically stated that credential phishing is caused by weak authentication controls.

“It is a technical problem that we can solve, and we can engineer solutions such as FIDO passkeys to attack and make the problem go away,” Dasher said. “And companies that have deployed these technologies have, in fact, seen that the problem just goes away.”

How Login.gov Implemented Passkeys

Among the largest and most public-facing implementations of passkeys in the U.S. government is on the login.gov site, which is a service used to get access to different U.S. agencies.

In her session, Allison Rosenberg, Product Manager at the U.S. General Services Administration (GSA) said that today 20% of login.gov users are authenticating with passkeys.

Rosenberg noted that there are several challenges her organization faces with adoption that the GSA is working to overcome. One such challenge came from different issues on desktop operating systems. To that end, the GSA limited setup during account creation to mobile users. That single change resulted in an increase of the passkey authentication success rate by 35%.

“Though we focused on challenges today, I do want to say that at login, we’re really excited for the potential of passkeys to protect more of our users through secure and convenient authentication,” she said.

TikTok, IBM and Alibaba Detail Passkey Success

The second day of Authenticate 2024 was loaded with numerous user stories, with each organization detailing their passkey journey.

Among the users was Sydney Ng, FIDO2 Engineer at TikTok. The social media company is using passkeys to help secure its own enterprise users.


“Our goal is to become a phishing-resistant company,” Ng said.

TikTok has taken an iterative process to passkey rollout, initially choosing to use hardware keys. She explained that TikTok took a customized approach to the key, providing a QR code on the device that has information that helps to accelerate the onboarding process significantly. The initial rollout saw adoption by 900 employees across 16 countries. The second rollout added another 1,500 employees. Not only are employees more secure, she also noted that there was an 87% in the time it takes to log in as well.

TikTok plans on rolling out passkeys to all employees by the end of 2024.

Alibaba is also rolling out passkeys to its users. Xiao Qian, Senior Staff Engineer at Alibaba, said that there are now approximately 90,000 employees that have been enrolled with passkeys. He estimated that using passkeys is saving over a million dollars a year that had been previously spent using SMS-based MFA.

IBM employees are now adopting passkeys as well, even though there was some initial hesitation at the company. Shane Weeden, Senior Technical Staff Member at IBM, recounted the long history of authentication tools used by his company over the last several decades.


While hardware-based keys were not a concern, there was some concern from Weeden’s peers about the security of synced passkeys. Those concerns have been alleviated, as IBM has evaluated and better understood the risk profile and the benefits of passkeys. 

“We firmly believe that any passkey is better than no passkey,” he said.

As it turns out, the vast majority of passkey usage at IBM today is not from hardware keys. Weeden said that 85% of all passkey registrations on the IBM platform were platform authenticators or password managers.

Next Up: Authenticate Day 3

There’s more to come on the third and final day of Authenticate 2024, including more user stories, use cases and technical insights on passkey adoption and deployment.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.

Authenticate 2024 Conference

Authenticate 2024: Day 1 Recap

By: FIDO staff

Authenticate 2024, the FIDO Alliance’s flagship conference, kicked off strong with more concurrent tracks and sessions than ever before.

The first day of the Authenticate 2024 conference was loaded with insightful user stories, sessions on how to improve passkey adoption and technical sessions about the latest innovations.

The opening panel of the event was moderated by Megan Shamas, Chief Marketing Officer at FIDO Alliance, exploring enterprise trends in passkey adoption. During the session, panelists shared preliminary details of an upcoming FIDO research report on workforce deployments of passkeys.

The research showed that complexity (43%) and cost (33%) are the main reasons for passkeys not being deployed among those who haven’t deployed passkeys.


Panelist Michael Thelander, Sr. Director of Product Marketing at Axiad, argued that, from his product perspective, complexity and cost are not the primary reasons for organizations to delay on passkey adoption.

“I see that from our product perspective, it is actually about usability and manageability,” Thelander said. “We say complexity, but actually the usability is what we’re complaining about.”

The research also found that over two thirds (68%) say the development of passkeys is a high or critical priority in their organization. After passkeys were deployed, 90% noticed an impact on increased security for login/authentication.

Additionally, 87% of those that were familiar with passkeys are in a project and/or have completed a project. Panelist Sarah Lefavrais, IAM Product Marketing Manager at Thales, commented that this means the majority of organizations that have considered passkeys are in the process of deploying or have already succeeded in passkey deployment.

The research also found that there is a significant decline in usage of all alternative authentication methods after passkeys are deployed.

“Once they make the switch they are never going back,” commented Sean Dyon, Director of Strategic Alliances at HID Global.

What’s the ROI for Passkeys? 

There are many reasons why organizations are increasingly moving to passkeys. In a morning session, Jeff Hickman, Global Head of Solutions Engineering at HYPR provided some of his insight on the potential return on investment (ROI) for passkeys.


Hickman said that passkeys could potentially save several seconds per login attempt, leading to significant productivity gains. He estimates that for an organization with 8,000 employees, approximately 7 hours a year are spent on authentication, which could cost nearly $2 million annually.

“That’s a lot of time that’s lost, you know, doing authentication steps along those lines and passkeys can simplify that,” he said.

Japan Loves FIDO 

User stories are a key part of the Authenticate experience, helping attendees to learn from the experience of those that have deployed strong authentication in production.


Among the earliest adopters of FIDO specifications is NTT DOCOMO, which has helped to spearhead broad interest in Japan overall. In a morning session, Koichi Moriyama, Chief Security Architect at NTT DOCOMO, detailed his firm’s efforts as well as those of the FIDO Japan Working Group. In addition to broad adoption on carrier networks, there has also been strong support from the Japanese government to promote passkey adoption in a bid to protect against phishing attacks.

The 3Fs of Strong Authentication Adoption

Another early adopter of FIDO protocols was Yahoo. In a session with two former Yahoo engineers, Sarit Arora and Lovlesh Chhabra – both currently at Oracle – detailed their experiences and lessons learned. Yahoo implemented its Account Key technology 9 years ago.


Chhabra explained that the first ‘F’ is fear. He noted that users are afraid of the unknown. As such it’s important to educate them. The second ‘F’ is friction. Adding in a different way to get at what a user is trying to get at introduces friction that needs to be minimized.  

The third ‘F’ is flow.

“So the challenge is that fear and friction is a known thing,” Chhabra said. “However, we need to make sure that from a user experience perspective, the user should neither feel the fear and they should neither feel the friction and that’s where the flow comes in.”

The “flow” involves principles like providing motivation to change, using multiple touchpoints to prompt the user, and creating a “pocket of success” where the user can experience the new authentication method before fully adopting it.

Passkey Advancements with CTAP 

Technical details on new and emerging specifications are another core element of the Authenticate conference. 

The first day of the event included multiple sessions on technical innovations, including one on the CTAP 2.1 specification. CTAP stands for Client to Authenticator Protocol.


“CTAP is how the client or the web browser is going to talk to the security key to allow that security key to provide the passkey,” Will Smart, Sr. Solutions Architect at Yubico explained in a session. 

CTAP 2.1 was published back in the summer of 2022 and it contains a bunch of new features that are focused on making security keys. The CTAP 2.1 capabilities are now making their way into various platforms.

The main new additions in CTAP 2.1 include:

  • Enterprise Authentication (EA) – Allows selective de-anonymization of security keys for specific relying parties during registration.
  • PIN-on-first-use – Requires users to change their PIN before it can be used for security operations.
  • Minimum PIN length – Allows organizations to set and enforce a minimum PIN length during registration.
  • Always require user verification – Ensures the security key always asks for user verification, even if not required by the relying party.

Credential Exchange Format is Making Progress

A commonly discussed topic relating to passkeys today is the ability to share passkeys across different management applications.

“Generally if you share passwords across different password managing apps today, the trick is to copy/paste your password and then put it right into your importing provider,” Nick Steele, Security Researcher at 1Password, said during his session. “And that’s not great for many reasons.”


The solution for the challenge is the emerging Credential Exchange Format specification.

The Credential Exchange Format is a comprehensive, standardized JSON-based representation of a user’s credentials and account structure, designed to enable secure and interoperable migration between different password management providers.

“This allows the passkeys and all the other credentials to never leave an unencrypted boundary, so they’re always encrypted in transit within the boundary of the provider,” explained Rene Leveille, Senior Developer at 1Password.

The Credential Exchange Format has a working draft that is being released on Friday October 18, with a review draft expected by the end of the first quarter of 2025.

What’s New with Passkeys at Google and Microsoft?

Both Google and Microsoft are supporters of the FIDO Alliance and both have adopted passkeys. In their respective sessions the two platform providers detailed their latest passkey efforts.


Diego Zavala, Product Manager at Google, told the Authenticate 2024 audience that Android and Chrome first introduced passkeys two years ago. In that short period of time adoption has been nothing short of exceptional. There are already more than 400 million passkeys being used in the Google Password Manager.

Chirag Desai, Product Manager at Google, detailed the many improvements that have landed and are coming soon to both Android and Chrome. These include:

  • Enabling a single-tap passkey signing experience by merging the account selector with the biometric prompt.
  • Bringing passkey support to more devices, including Wear OS, allowing users to sign in from their watches.
  • Introducing a “restore credentials” feature to seamlessly sign users in on new devices during the upgrade process.
  • Enabling passkey syncing between Chrome on desktop and Android devices, allowing users to create and access passkeys across their devices.
  • Improving the overall passkey experience to make it more seamless and consistent with the password experience.

“We’re also working to improve the sign up experience for users,” Desai said.


Over at Microsoft, the passkey experience is also improving rapidly. In his session, Bob Gilbert, software engineering manager at Microsoft, detailed enhanced capabilities for Windows. These include:

  • Support for plug-in passkey providers: Windows is introducing a native API extension point that will allow third-party passkey providers to integrate directly into the Windows Hello experience. 
  • Microsoft passkey provider for syncing: Microsoft is developing a native passkey provider for Windows that will allow users to sync their passkeys across their different Windows devices.

“So the point on Windows, what we’re trying to achieve here is giving users the opportunity to use passkeys wherever they need them,” Gilbert said.

Keynotes: Passkeys at Two

Day 1 concluded with a series of insightful keynotes kicked off by Andrew Shikiar, Executive Director and CEO of the FIDO Alliance.

Shikiar noted that passkeys are only two years old, yet they’ve already made tremendous inroads. FIDO estimates that 15 billion accounts can leverage passkeys for sign-in today.


Why have passkeys seen such success? There are many reasons.

“It’s partly because passkeys transform consumer sign-in from a necessary cost to a business opportunity,” Shikiar said.

He noted how passkeys reduce costs and improve overall user experience. During his keynote he brought Anthony Kemp from Air New Zealand up on stage. Air New Zealand is a passkey adopter and has seen great success reducing its call center volume for password-related inquiries. Passkeys have also helped to reduce fraud attempts at the airline. Air New Zealand will be providing more details about its passkey journey in a session on Day 2 of Authenticate 2024.

Shikiar also used his keynote to announce the new passkeycentral.org resource. Passkey Central is a new FIDO Alliance initiative to democratize and accelerate passkey deployment by providing comprehensive, expert-driven guidance and support materials.

“Passkeys have fundamentally changed the way that we contemplate user authentication,” Shikiar said. “It has been amazing to see how the FIDO community has both addressed and embraced these changes, which ultimately has led to billions of accounts that are simpler and safer than before. The progress has been great, but the best is yet to come.”

Keynotes: Two Rules for Passwordless

During his keynote Mike Slaugh, Principal Engineer, Information Security at Amazon, reminded the Authenticate 2024 audience that passwords, simply stated – suck.


“We’ve spent the last 60 years teaching people how to choose passwords that are harder and harder and harder to remember, harder and harder to use,” Slaugh said.

The answer is passkeys, though the journey to adoption will take time. To get there, Slaugh has two simple rules:

  1. “Don’t be a jerk” – Create a user-friendly passwordless experience without making users jump through too many hoops.
  2. “Don’t be stupid” – Leverage the security features of passkeys to effectively protect users, eventually eliminating passwords entirely.

Keynotes: How to Convince a Billion Users to Use Passkeys

The final keynote of the day came from Microsoft, with insight on how to help accelerate passkey adoption.


Sangeeta Ranjit from Microsoft noted that the upcoming Microsoft Digital Defense Report has some stark numbers on the latest security challenges. Over the last year, Microsoft saw 7,000 password attacks and a 58% increase in phishing attacks.

The solution to the challenge is passkeys, which Microsoft has been advocating. To date, she noted, Microsoft has experienced a 99% enrollment success rate for passkeys, which is a 3X higher success rate than passwords.

Passkeys are not just safer, they’re also faster. Ranjit said that on average it takes a user 24 seconds to log in with a password and 69 seconds to log in with a password and multi-factor authentication. In contrast, with passkeys it only takes 8 seconds to log in.

Getting high adoption for passkeys involved a few steps, not the least of which is actually nudging users to adopt them.

Scott Bingham, Principal Product Manager at Microsoft, said that proactive invitations work better than a passive “wait and see” approach. Users were nudged to enroll a passkey at key visit points, like after they sign in or during a password reset/account recovery flow. Bingham emphasized that having the option to add a passkey wherever a user manages their account connections is important, but a purely passive approach is unlikely to drive significant adoption.

No one company alone is enough to make passkey adoption pervasive though.

“So then, how do we convince billions and billions of users with trillions of accounts to be able to enroll and use passkeys? We do it together,” Ranjit said. “Those in this room will make passkeys easy and bring secure and simple experiences to our users and to the world.”

Get Ready for Day 2!

Day 2 will have even more great content across multiple tracks, including an Automotive track, more great user stories and technical insights.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 2 and 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com

Authenticate 2024 Conference

FIDO Alliance Releases Authenticate 2024 Agenda

3-day program for FIDO Alliance’s flagship event on the future of user authentication
includes over 100 sessions; Early Bird registration available through September 9th.

Carlsbad, Calif, August 14, 2024 – The FIDO Alliance has announced its agenda today for Authenticate 2024, the only industry conference dedicated to all aspects of user authentication. The event is being held October 14-16, 2024 at the Omni La Costa Resort and Spa in Carlsbad, Calif – with virtual participation options also available.

Now in its fifth year, Authenticate has become a ‘must attend’ cybersecurity event. This year’s edition features over 100 sessions and 125 speakers from around the world providing the latest innovations, expertise, and critical conversations for the digital identity industry – with a focus on passwordless authentication with passkeys.

View the full session guide here – Authenticate 2024 Agenda – and register at https://authenticatecon.com/event/authenticate-2024-conference/.

Authenticate is ideal for CISOs, security strategists, enterprise architects, UX leads, and product and business leaders in any phase of their passwordless journey to get immersed in actionable authentication and identity security content. Topics covered include FIDO technology fundamentals, business outcomes, implementation best practices across use cases, UX considerations and real world case studies – all in a resort setting ideal for collaboration, networking and building community.

2024 keynotes will be delivered by speakers with extensive experience bringing passwordless solutions to workforces and consumers alike from organizations such as Amazon, FIDO Alliance, Google, Microsoft, Sony, Visa and Yubico. The conference features content on four stages broken into 11 content tracks to suit attendees’ knowledge base, interests and phase of implementation, along with an interactive expo hall to discover solutions providers, and networking events to connect with peers and subject matter experts.

The 11 tracks for Authenticate 2024 are:

  • Business Case and ROI for Passkeys
  • Technical Fundamentals and Features of Passkeys
  • UX Fundamentals of Passkeys
  • IAM Fundamentals 
  • Identity Verification Fundamentals
  • Passkeys for Consumers
  • Passkeys in the Enterprise
  • Passkeys for Government Use Cases and Policy Making
  • Passkeys for Payments
  • Complementary Technologies and Standards
  • The Passwordless Vision and the Future of Passkeys

Limited Sponsorship Opportunities at Authenticate 2024

Authenticate 2024 is also accepting applications for sponsorship – offering branded opportunities for companies to showcase their solutions with decision-makers and connect with customers. To learn more about the 2024 on-site and virtual sponsorship opportunities, visit https://authenticatecon.com/sponsors/. With a limited number of opportunities remaining, interested parties are encouraged to email [email protected] as soon as possible.

About Authenticate 

Authenticate is the only conference dedicated to all aspects of user authentication – with a focus on the FIDO standards-based approach. Celebrating its fifth year in operation, Authenticate 2024 will be held at the Omni La Costa Resort and Spa from October 14-16, 2024, and includes virtual attendance options for those unable to join the event in person. The event gathers leaders from around the world who are working together to accelerate stronger, phishing-resistant authentication, and highlights the latest educational content, technical insights and tools, and deployment best practices. 

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys. Signature sponsors for Authenticate 2024 are Cisco, Google, Microsoft and Yubico.

To learn more and register, visit https://authenticatecon.com/event/authenticate-2024-conference/, and follow @AuthenticateCon on X. Register now and get the early bird discount through September 9, 2024.

Authenticate Contact
[email protected]

PR Contact
[email protected]