Authenticate Events

Authenticate 2024 Conference

Authenticate 2024: Day 3 Recap

By: FIDO staff

The third and final day of Authenticate 2024 was another jam-packed bonanza of content and insights. If you missed Day 1, check out the recap here. The recap for Day 2 is here.

Multiple users came up on the stage to detail how passkeys have made a difference in consumer, enterprise, and government use cases, and what lessons have been learned. There was also a “Passkeys for Payments” track, where speakers from Visa and Mastercard detailed the challenges and opportunities in the space. Digital identity was another core theme of the day with multiple sessions and a final keynote panel.

Among the many users that spoke was Elizabeth Beasley, Senior Content Designer at Intuit. She shared insights on implementing passkeys, emphasizing the importance of organization and user testing. 

User Experience (UX) really matters too, and to that end, Beasley stressed the value and importance of the FIDO UX Working Group and the passkeys design guidelines that it has produced. 

“When you go to passkeycentral.org, you can see the stuff that this group has helped create, and we’re going to keep creating more,” Beasley said. 

How Swiss Marketplace Group (SMG) is Embracing Passkeys

Swiss Marketplace Group (SMG) is a group of marketplaces based in Switzerland. SMG is implementing and rolling out passwordless authentication for its workforce to reduce risk and improve security as well as user experience.

Mikel Grabocka, Security Architect, Identity and Trust at SMG Swiss Marketplace Group AG, explained that the passkey rollout is happening across the company’s users. The target state is to have passwordless alongside managed devices across the entire company.

The initial rollout has been very strong, with 30% of eligible users adopting passwordless within the first month of it being available. He noted that the key focus for the deployment is taking a gradual, well-documented, and iterative approach, with a strong emphasis on user awareness and adoption. SMG plans to have 100% of its employees passwordless by the end of the year.

Bringing Passkeys to DocuSign 

DocuSign, one of the world’s leading e-signature providers, is also adopting passkeys.

“Safety and trust is the foundation of everything that we do,” Sarah Zou, lead product manager at DocuSign said. “That’s why we decided to invest in passkey. We wanted to make sure the first step of getting users into the signing ceremony, they feel welcome with a seamless protected experience, knowing that they’re using the most innovative new industry standard – passkey.”

DocuSign has also implemented passkey as a service, allowing the company to leverage it beyond just the login flow. DocuSign is using passkey to unlock other use cases, such as the DocuSign ID Wallet in the European market. The ID Wallet allows users to create, manage, and store their digital identity, which can then be used for identity verification before signing documents. Passkey is used to secure access to the ID Wallet.

The Intersection of Passkey and Payments

The intersection of passkey and secure payment was a topic of discussion across multiple sessions on day 3 of Authenticate 2024.

Among the foundational specifications in payments today is EMV-3D Secure. In a session, Henna Kapur, Director, Product Management at Visa, highlighted the potential for FIDO passkey adoption in financial services through an integration with EMV-3D Secure.

Jonathan Grossar, Vice President, Product Management at Mastercard, provided insight into how the Secure Payment Confirmation (SPC) specification will help improve payment security.

“SPC implements passkeys – but with additional security and better user experience,” Grossar said.

The enhancements that SPC provides include:

  • Cross-origin authentication – It provides the ability for merchants to invoke payment passkeys for authentication without the need to redirect to the Relying Party (Bank or Payment network).
  • Dynamic linking – Transaction amount and merchant identifier are approved by the consumer and included in the FIDO passkey assertion.

The final keynotes also included a panel on payments where the importance of the intersection between passkeys and payment security was reiterated.

“One of the things that is pervasive in both areas are the terms trust and managing risk,” Sean Estrada, Head of Industry Advocacy at Stripe said. “So I think that is really fundamental to a well-functioning ecosystem, and I think passkeys have a very useful position in there.”

Passkeys are Good, Now Prove Your Identity

Identity security was another hot topic on the final day of Authenticate 2024.

In a session, Abbie Barbir from the ADIA Association and Rolf Lindemann, VP Products at Nok Nok, discussed the concept of Reusable Identity, also sometimes referred to as Decentralized Identity.

While passkeys provide strong authentication for access, the question that can sometimes remain is whether the passkey holder is in fact the rightful holder of the passkey. That’s where reusable identity plays a crucial role.

Reusable identity is a standard-based credential that can be attested and verified to enable interoperability. It allows users to prove their identity without having to repeatedly go through identity-proofing processes, reducing friction and over-sharing of personal data. Lindemann explained that it is enabled by decentralized identifiers (DIDs) that are unique, can be bound to a user’s devices and allow for key rotation if compromised.

Identity and the concept of a digital wallet for identity was the topic of one of the final keynote panels as well. Key points included the lack of a standardized definition for wallets, with opinions ranging from government-issued identity systems to cryptographic containers for verified attributes. 

The conversation highlighted the importance of trust, security, and interoperability, noting the challenges of market-driven standards and the need for global perspectives. Despite these challenges, the panelists agreed on the potential benefits of wallets for convenience and control, emphasizing the need for ethical and inclusive development.

Toward a Phishing Resistant User

Passkeys offer the promise of phishing-resistant authentication. While that’s extremely helpful in reducing risk, there is still more that’s needed to help create a phishing-resistant user, according to Derek Hanson from Yubico.

In the closing keynote session, Hanson emphasized the need to remove phishing from the end-to-end risk profile of a user.

“The point being if I’ve given you a very secure method to sign in and I gave you a password on a sticky note to recover access, that’s going to be where the system falls down,” Hanson said. “We need to remove phishing from the end-to-end life cycle, that is how we can actually transform businesses and remove risk.”

Stay Connected and Stay Engaged!

Overall Authenticate 2024 was a stellar event with 120 sessions and 150 speakers across the three-day conference.

Authenticate will be back October 13-16, 2025. Between now and then, the FIDO Alliance will be sharing lots of informative content and hosting educational events. Stay connected and sign up for Authenticate 2025 news here. See you next year!

Authenticate 2024 – Day 2 Recap

By: FIDO staff

The second day of Authenticate 2024 continued with a packed schedule of sessions and speakers. If you missed Day 1, check out the recap here.

The day kicked off with a series of insightful keynotes from some of the biggest players in the passkey ecosystem that provided attendees with insights into how to achieve success with passkeys.

Chris Anderson, Product CTO at Cisco, started the day off by reminding everyone of the stark reality of the current cybersecurity landscape. He said that 80% of breaches leverage identity as a key component. As to why identity continues to be the root cause of breaches, Anderson noted limited visibility, gaps in protection, and an overall frustrating user experience continue to pose critical challenges in workforce authentication.

That situation is improving and will continue to get better, thanks to the continued deployment, adoption and evolution of passkeys. More specifically, Matthew Miller, Technical Lead at Cisco, detailed a number of new innovations that will make passkey adoption and deployment easier than ever before.

The innovations include:

Device Bound Session Credentials (DBSC) – Miller explained that DBSC will be a way to essentially mark and protect a cookie using a device-bound key pair, so that if an attacker were to compromise an endpoint and get that session token, it would be useless on their machine.

Shared Signals Framework (SSF) – Miller explained that with SSF there is a common way for services to talk to each other and publish security events, and when they receive those events, they can do something like logging out a user if the user is in a compromised state of some kind.

Verifiable Credentials – Onboarding can potentially be a source of friction for passkeys. Miller explained that Verifiable Credentials, simply put, are cryptographically verifiable documents that are issued by a trusted authority. Those credentials can then be used to help accelerate an onboarding flow.

How Sony PlayStation Went Passwordless

Sony PlayStation is all gaming, but when it comes to handling passwords, that’s a game that Sony just didn’t want to play. Instead, the company has embarked on a passwordless journey, with passkeys being front and center.

“Our users care about playing the game,” Sam Champeau, Product Manager at Sony Interactive Entertainment (PlayStation) said. “They care about accessing our services, and just getting straight into what they want to do. They don’t want to hassle with extra steps on sign in.”

Champeau detailed the core principles that his team embraced for the successful deployment of passkeys. They include making sure that synced passkeys are available to all users and all types of sign-ins. Sony PlayStation began introducing passkeys both as part of new account setup and when users went through an account recovery process. The result was an 88% completion rate from users who started passkey activation. The impact was a 24% reduction in web sign-in time using passkeys.

“You can do it too, maximize the results from your passkey deployment,” Champeau said. “Minimize those risks with proper setup and testing. Full password replacement is a reasonable expectation, even for a launch.”

Google Lays Out Path for Passkey Adoption

Google has an ambitious goal of passkey ubiquity. It’s a goal that John Gronberg at Google outlined during his Authenticate 2024 keynote.

“As of today, we have over two and a half billion sign-ins with 800 million accounts using passkeys on our Google consumer platform,” Gronberg said.

While those are big numbers, there is still more work to be done. To that end, Google has introduced multiple new capabilities so far in 2024 including:

  • Adding passkeys for enrollment into Google’s Advanced Protection Program. This led to a significant increase in enrolment in the program, with tens of thousands to hundreds of thousands of new users adopting it.
  • Rolling out passkey autofill, which turns passkey into a one-step sign-in process where Google can fill out the username and passkey to authenticate the user. This has led to a significant acceleration in passkey adoption across Google’s user base.

A Prime Example of Passkey Success: Amazon

In his keynote, Abhinav Mehta, Senior Product Manager – Technical at Amazon, shared the company’s journey to reaching 175 million passkey users worldwide. 

Mehta outlined the initial launch in September 2023, where Amazon aimed to enable 50% of its customers to use passkeys. The passkey launch resulted in customers signing in six times faster and more securely than before, and by October 2023, passkeys were rolled out to all eligible customers worldwide. 

Mehta explained that Amazon has set an ambitious target to eliminate passwords entirely.

“With the initial success of passkeys, we knew that it’s no longer just a promising technology, but the future of authentication,” he said. “So we set an ambitious target for 100% and a complete elimination of passwords.”

Amazon has adopted a strategic approach, targeting innovators and early adopters first, followed by the early majority. Mehta outlined the key lessons learned which include:

  • Bring passkeys to the customer rather than expecting them to seek out the enrollment settings.
  • Emphasize the convenience of passkeys as customers respond better to this than security-focused messaging.
  • Recognize and address the platform-specific differences in adoption with desktop users requiring more effort reduction compared to mobile users.
  • Actively help customers switch to passkeys by reducing the perceived effort, such as through auto-clicking or making passkeys the default sign-in method.

Come Together Now with the Digital Identity Advancement Foundation (DIAF)

Rounding out the morning keynotes, Arynn Crow, Sr. Manager, AWS User Authentication Products, and Director of Governance and Transparency at the Digital Identity Advancement Foundation (DIAF), discussed the organization’s efforts to build a more inclusive community in the digital identity industry.

“The central thing that brings us together, and the foundation of our bond, is the desire to realize a better, safer internet,” Crow said. 

That said, she acknowledged challenges in integrating new members and ensuring diverse representation. To address these issues, DIAF has launched award programs to provide financial support for newcomers and tenured professionals to attend industry events. Crow said the organization aims to further expand its reach, particularly in underrepresented regions, and improve gender diversity in its program.

Passkey Account Recovery Considerations

A common concern with user accounts is the issue of account recovery.

In a morning session, Kelley Robinson, Developer Advocate, Identity & Authentication at Twilio, detailed multiple approaches that organizations can use today for account recovery. While it’s a common practice to fall back on insecure options for account recovery, Robinson says there are better options.

“The biggest thing that you can do, if you take away nothing else in terms of your authentication recommendations for fallback options is you always want to register more authentication methods than you need for everyday login,” Robinson said. “Whether you’re using passkeys or not, you need to register at least three methods if you’re requiring two-step verification, ideally even more than that and you can also encourage users to register multiple passkeys.”

Federal Reserve and CISA Detail Risks and Opportunities

No Authenticate event would be complete without a government track. After all, among the biggest users of strong authentication is the U.S. government.

In his session, Chris Schnieper, Director, Secure Payments at the U.S. Federal Reserve, underscored the dynamic nature of scams and the ongoing collaborative efforts to enhance detection and prevention. He highlighted the importance of leveraging a broader set of signals, such as device and behavioral data, to quickly detect and mitigate scams.

“We certainly encourage any type of innovation or investment into different technologies that are going to be better for consumers, better for costs and reduce fraud,” Schnieper said.

Grant Dasher, Architecture Branch Chief at CISA, used his session to detail how to apply the concepts of safety engineering to authentication. Dasher emphatically stated that credential phishing is caused by weak authentication controls.

“It is a technical problem that we can solve, and we can engineer solutions such as FIDO passkeys to attack and make the problem go away,” Dasher said. “And companies that have deployed these technologies have, in fact, seen that the problem just goes away.”

How Login.gov Implemented Passkeys

Among the largest and most public-facing implementations of passkeys in the U.S. government is on the login.gov site, which is a service used to get access to different U.S. agencies.

In her session, Allison Rosenberg, Product Manager at the U.S. General Services Administration (GSA) said that today 20% of login.gov users are authenticating with passkeys.

Rosenberg noted that there are several challenges her organization faces with adoption that the GSA is working to overcome. One such challenge came from different issues on desktop operating systems. To that end, the GSA limited setup during account creation to mobile users. That single change resulted in an increase of the passkey authentication success rate by 35%.

“Though we focused on challenges today, I do want to say that at login, we’re really excited for the potential of passkeys to protect more of our users through secure and convenient authentication,” she said.

TikTok, IBM and Alibaba Detail Passkey Success

The second day of Authenticate 2024 was loaded with numerous user stories, with each organization detailing their passkey journey.

Among the users was Sydney Ng, FIDO2 Engineer at TikTok. The social media company is using passkeys to help secure its own enterprise users.

“Our goal is to become a phishing-resistant company,” Ng said.

TikTok has taken an iterative process to passkey rollout, initially choosing to use hardware keys. She explained that TikTok took a customized approach to the key, providing a QR code on the device that has information that helps to accelerate the onboarding process significantly. The initial rollout saw adoption by 900 employees across 16 countries. The second rollout added another 1,500 employees. Not only are employees more secure, she also noted that there was an 87% in the time it takes to log in as well.

TikTok plans on rolling out passkeys to all employees by the end of 2024.

Alibaba is also rolling out passkeys to its users. Xiao Qian, Senior Staff Engineer at Alibaba, said that there are now approximately 90,000 employees that have been enrolled with passkeys. He estimated that using passkeys is saving over a million dollars a year that had been previously spent using SMS-based MFA.

IBM employees are now adopting passkeys as well, even though there was some initial hesitation at the company. Shane Weeden, Senior Technical Staff Member at IBM, recounted the long history of authentication tools used by his company over the last several decades.

While hardware-based keys were not a concern, there was some concern from Weeden’s peers about the security of synced passkeys. Those concerns have been alleviated, as IBM has evaluated and better understood the risk profile and the benefits of passkeys. 

“We firmly believe that any passkey is better than no passkey,” he said.

As it turns out, the vast majority of passkey usage at IBM today is not from hardware keys. Weeden said that 85% of all passkey registrations on the IBM platform were platform authenticators or password managers.

Next Up: Authenticate Day 3

There’s more to come on the third and final day of Authenticate 2024, including more user stories, use cases and technical insights on passkey adoption and deployment.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.

Authenticate 2024: Day 1 Recap

By: FIDO staff

Authenticate 2024, the FIDO Alliance’s flagship conference, kicked off strong with more concurrent tracks and sessions than ever before.

The first day of the Authenticate 2024 conference was loaded with insightful user stories, sessions on how to improve passkey adoption and technical sessions about the latest innovations.

The opening panel of the event was moderated by Megan Shamas, Chief Marketing Officer at FIDO Alliance, exploring enterprise trends in passkey adoption. During the session, panelists shared preliminary details of an upcoming FIDO research report on workforce deployments of passkeys.

The research showed that complexity (43%) and cost (33%) are the main reasons for passkeys not being deployed among those who haven’t deployed passkeys.

Panelist Michael Thelander, Sr. Director of Product Marketing at Axiad, argued that, from his product perspective, complexity and cost are not the primary reasons for organizations to delay on passkey adoption.

“I see that from our product perspective, it is actually about usability and manageability,” Thelander said. “We say complexity, but actually the usability is what we’re complaining about.”

The research also found that over two thirds (68%) say the development of passkeys is a high or critical priority in their organization. After passkeys were deployed, 90% noticed an impact on increased security for login/authentication.

Additionally, 87% of those that were familiar with passkeys are in a project and/or have completed a project. Panelist Sarah Lefavrais, IAM Product Marketing Manager at Thales, commented that this means the majority of organizations that have considered passkeys are in the process of deploying or have already succeeded in passkey deployment.

The research also found that there is a significant decline in usage of all alternative authentication methods after passkeys are deployed.

“Once they make the switch they are never going back,” commented Sean Dyon, Director of Strategic Alliances at HID Global.

What’s the ROI for Passkeys? 

There are many reasons why organizations are increasingly moving to passkeys. In a morning session, Jeff Hickman, Global Head of Solutions Engineering at HYPR provided some of his insight on the potential return on investment (ROI) for passkeys.

Hickman said that passkeys could potentially save several seconds per login attempt, leading to significant productivity gains. He estimates that for an organization with 8,000 employees, approximately 7 hours a year are spent on authentication, which could cost nearly $2 million annually.

“That’s a lot of time that’s lost, you know, doing authentication steps along those lines and passkeys can simplify that,” he said.

Japan Loves FIDO 

User stories are a key part of the Authenticate experience, helping attendees to learn from the experience of those that have deployed strong authentication in production.

Among the earliest adopters of FIDO specifications is NTT DOCOMO, which has helped to spearhead broad interest in Japan overall. In a morning session, Koichi Moriyama, Chief Security Architect at NTT DOCOMO, detailed his firm’s efforts as well as those of the FIDO Japan Working Group. In addition to broad adoption on carrier networks, there has also been strong support from the Japanese government to promote passkey adoption in a bid to protect against phishing attacks.

The 3Fs of Strong Authentication Adoption

Another early adopter of FIDO protocols was Yahoo. In a session with two former Yahoo engineers, Sarit Arora and Lovlesh Chhabra – both currently at Oracle – detailed their experiences and lessons learned. Yahoo implemented its Account Key technology 9 years ago.

Chhabra explained that the first ‘F’ is fear. He noted that users are afraid of the unknown. As such it’s important to educate them. The second ‘F’ is friction. Adding in a different way to get at what a user is trying to get at introduces friction that needs to be minimized.  

The third ‘F’ is flow.

“So the challenge is that fear and friction is a known thing,” Chhabra said. “However, we need to make sure that from a user experience perspective, the user should neither feel the fear and they should neither feel the friction and that’s where the flow comes in.”

The “flow” involves principles like providing motivation to change, using multiple touchpoints to prompt the user, and creating a “pocket of success” where the user can experience the new authentication method before fully adopting it.

Passkey Advancements with CTAP 

Technical details on new and emerging specifications are another core element of the Authenticate conference. 

The first day of the event included multiple sessions on technical innovations, including one on the CTAP 2.1 specification. CTAP stands for Client to Authenticator Protocol.

“CTAP is how the client or the web browser is going to talk to the security key to allow that security key to provide the passkey,” Will Smart, Sr. Solutions Architect at Yubico explained in a session. 

CTAP 2.1 was published back in the summer of 2022 and it contains a bunch of new features that are focused on making security keys. The CTAP 2.1 capabilities are now making their way into various platforms.

The main new additions in CTAP 2.1 include:

  • Enterprise Authentication (EA) – Allows selective de-anonymization of security keys for specific relying parties during registration.
  • PIN-on-first-use – Requires users to change their PIN before it can be used for security operations.
  • Minimum PIN length – Allows organizations to set and enforce a minimum PIN length during registration.
  • Always require user verification – Ensures the security key always asks for user verification, even if not required by the relying party.

Credential Exchange Format is Making Progress

A commonly discussed topic relating to passkeys today is the ability to share passkeys across different management applications.

“Generally if you share passwords across different password managing apps today, the trick is to copy/paste your password and then put it right into your importing provider,” Nick Steele, Security Researcher at 1Password, said during his session. “And that’s not great for many reasons.”

The solution for the challenge is the emerging Credential Exchange Format specification.

The Credential Exchange Format is a comprehensive, standardized JSON-based representation of a user’s credentials and account structure, designed to enable secure and interoperable migration between different password management providers.

“This allows the passkeys and all the other credentials to never leave an unencrypted boundary, so they’re always encrypted in transit within the boundary of the provider,” explained Rene Leveille, Senior Developer at 1Password.

The Credential Exchange Format has a working draft that is being released on Friday October 18, with a review draft expected by the end of the first quarter of 2025.

What’s New with Passkeys at Google and Microsoft?

Both Google and Microsoft are supporters of the FIDO Alliance and both have adopted passkeys. In their respective sessions the two platform providers detailed their latest passkey efforts.

Diego Zavala, Product Manager at Google told the Authenticate 2024 audience that Android and Chrome first introduced passkeys two years ago. In that short period of time adoption has been nothing short of exceptional. There are already more than 400 million passkeys being used in the Google Password Manager.

Chirag Desai, Product Manager at Google detailed the many improvements that have landed and are coming soon to both Android and Chrome. These include:

  • Enabling a single-tap passkey signing experience by merging the account selector with the biometric prompt.
  • Bringing passkey support to more devices, including Wear OS, allowing users to sign in from their watches.
  • Introducing a “restore credentials” feature to seamlessly sign users in on new devices during the upgrade process.
  • Enabling passkey syncing between Chrome on desktop and Android devices, allowing users to create and access passkeys across their devices.
  • Improving the overall passkey experience to make it more seamless and consistent with the password experience.

“We’re also working to improve the sign up experience for users,” Desai said.

Over at Microsoft, the passkey experience is also improving rapidly. In his session, Bob Gilbert, software engineering manager at Microsoft, detailed enhanced capabilities for Windows. These include:

  • Support for plug-in passkey providers: Windows is introducing a native API extension point that will allow third-party passkey providers to integrate directly into the Windows Hello experience. 
  • Microsoft passkey provider for syncing: Microsoft is developing a native passkey provider for Windows that will allow users to sync their passkeys across their different Windows devices.

“So the point on Windows, what we’re trying to achieve here is giving users the opportunity to use passkeys wherever they need them,” Gilbert said.

Keynotes: Passkeys at Two

Day 1 concluded with a series of insightful keynotes kicked off by Andrew Shikiar, Executive Director and CEO of the FIDO Alliance.

Shikiar noted that passkeys are only two years old, yet they’ve already made tremendous inroads. FIDO estimates that 15 billion accounts can leverage passkeys for sign-in today.

Why have passkeys seen such success? There are many reasons.

“It’s partly because passkeys transform consumer sign-in from a necessary cost to a business opportunity,” Shikiar said.

He noted how passkeys reduce costs and improve overall user experience. During his keynote he brought Anthony Kemp from Air New Zealand up on stage. Air New Zealand is a passkey adopter and has seen great success reducing its call center volume for password related inquiries. Passkeys have also helped to reduce fraud attempts at the airline as well. Air New Zealand will be providing more details about its passkey journey in a session on Day 2 of Authenticate 2024.

Shikiar also used his keynote to announce the new passkeycentral.org resource. Passkey Central is a new FIDO Alliance initiative to democratize and accelerate passkey deployment by providing comprehensive, expert-driven guidance and support materials.

“Passkeys have fundamentally changed the way that we contemplate user authentication,” Shikiar said. “It has been amazing to see how the FIDO community has both addressed and embraced these changes, which ultimately has led to billions of accounts that are simpler and safer than before. The progress has been great, but the best is yet to come.”

Keynotes: Two Rules for Passwordless

During his keynote Mike Slaugh, Principal Engineer, Information Security at Amazon, reminded the Authenticate 2024 audience that passwords, simply stated – suck.

“We’ve spent the last 60 years teaching people how to choose passwords that are harder and harder and harder to remember, harder and harder to use,” Slaugh said.

The answer is passkeys, though the journey to adoption will take time. To get there, Slaugh has two simple rules:

  1. “Don’t be a jerk” – Create a user-friendly passwordless experience without making users jump through too many hoops.
  2. “Don’t be stupid” – Leverage the security features of passkeys to effectively protect users, eventually eliminating passwords entirely.

Keynotes: How to Convince a Billion Users to Use Passkeys

The final keynote of the day came from Microsoft, with insight on how to help accelerate passkey adoption.

Sangeeta Ranjit from Microsoft noted that the upcoming Microsoft Digital Defense Report has some stark numbers on the latest security challenges. Over the last year, Microsoft saw 7,000 password attacks and a 58% increase in phishing attacks.

The solution to the challenge is passkeys, which Microsoft has been advocating. To date, she noted, Microsoft has experienced a 99% enrollment success rate for passkeys, which is a 3X higher success rate than passwords.

Passkeys are not just safer, they’re also faster. Ranjit said that on average it takes a user 24 seconds to log in with a password and 69 seconds to log in with a password and multi-factor authentication. In contrast, with passkeys it takes only 8 seconds to log in.

Getting high adoption for passkeys involved a few steps, not the least of which is actually nudging users to adopt them.

Scott Bingham, Principal Product Manager at Microsoft, said that proactive invitations work better than a passive “wait and see” approach. Users were nudged to enroll a passkey at key visit points, like after they sign in or during a password reset/account recovery flow. Bingham emphasized that having the option to add a passkey wherever a user manages their account connections is important, but a purely passive approach is unlikely to drive significant adoption.

No one company alone is enough to make passkey adoption pervasive though.

“So then, how do we convince billions and billions of users with trillions of accounts to be able to enroll and use passkeys? We do it together,” Ranjit said. “Those in this room will make passkeys easy and bring secure and simple experiences to our users and to the world.”

Get Ready for Day 2!

Day 2 will have even more great content across multiple tracks, including an Automotive track, more great user stories and technical insights.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 2 and 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com

Authenticate 2024 Conference

FIDO Alliance Releases Authenticate 2024 Agenda

3-day program for FIDO Alliance’s flagship event on the future of user authentication includes over 100 sessions; Early Bird registration available through September 9th.

Carlsbad, Calif, August 14, 2024 – The FIDO Alliance has announced its agenda today for Authenticate 2024, the only industry conference dedicated to all aspects of user authentication. The event is being held October 14-16, 2024 at the Omni La Costa Resort and Spa in Carlsbad, Calif – with virtual participation options also available.

Now in its fifth year, Authenticate has become a ‘must attend’ cybersecurity event. This year’s edition features over 100 sessions and 125 speakers from around the world providing the latest innovations, expertise, and critical conversations for the digital identity industry – with a focus on passwordless authentication with passkeys.

View the full session guide here – Authenticate 2024 Agenda – and register at https://authenticatecon.com/event/authenticate-2024-conference/.

Authenticate is ideal for CISOs, security strategists, enterprise architects, UX leads, and product and business leaders in any phase of their passwordless journey to get immersed in actionable authentication and identity security content. Topics covered include FIDO technology fundamentals, business outcomes, implementation best practices across use cases, UX considerations and real world case studies – all in a resort setting ideal for collaboration, networking and building community.

2024 keynotes will be delivered by speakers with extensive experience bringing passwordless solutions to workforces and consumers alike from organizations such as Amazon, FIDO Alliance, Google, Microsoft, Sony, Visa and Yubico. The conference features content on four stages broken into 11 content tracks to suit attendees’ knowledge base, interests and phase of implementation, along with an interactive expo hall to discover solutions providers, and networking events to connect with peers and subject matter experts.

The 11 tracks for Authenticate 2024 are:

  • Business Case and ROI for Passkeys
  • Technical Fundamentals and Features of Passkeys
  • UX Fundamentals of Passkeys
  • IAM Fundamentals 
  • Identity Verification Fundamentals
  • Passkeys for Consumers
  • Passkeys in the Enterprise
  • Passkeys for Government Use Cases and Policy Making
  • Passkeys for Payments
  • Complementary Technologies and Standards
  • The Passwordless Vision and the Future of Passkeys

Limited Sponsorship Opportunities at Authenticate 2024

Authenticate 2024 is also accepting applications for sponsorship – offering branded opportunities for companies to showcase their solutions with decision-makers and connect with customers. To learn more about the 2024 on-site and virtual sponsorship opportunities, visit https://authenticatecon.com/sponsors/. With a limited number of opportunities remaining, interested parties are encouraged to email [email protected] as soon as possible.

About Authenticate 

Authenticate is the only conference dedicated to all aspects of user authentication – with a focus on the FIDO standards-based approach. Celebrating its fifth year in operation, Authenticate 2024 will be held at the Omni La Costa Resort and Spa from October 14-16, 2024, and includes virtual attendance options for those unable to join the event in person. The event gathers leaders from around the world who are working together to accelerate stronger, phishing-resistant authentication, and highlights the latest educational content, technical insights and tools, and deployment best practices. 

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys. Signature sponsors for Authenticate 2024 are Cisco, Google, Microsoft and Yubico.

To learn more and register, visit https://authenticatecon.com/event/authenticate-2024-conference/, and follow @AuthenticateCon on X. Register now and get the early bird discount through September 9, 2024.

Authenticate Contact
[email protected]

PR Contact
[email protected]

Recap: Virtual Summit: Demystifying Passkey Implementations

By: FIDO staff

Passkeys hold the promise of enabling simpler, stronger authentication. But first, organizations, governments and individuals will have to adopt the technology – and some of them have questions.

At the Authenticate Virtual Summit: Demystifying Passkey Implementation on March 13, speakers from the FIDO Alliance, Intercede, IDEMIA, Yubico, Dashlane and 1Password, as well as implementers including Amazon and Target, presented on their experiences implementing and working with passkeys. The virtual summit covered the technical perspective on passkeys from the FIDO Alliance, as well as use cases for passkeys in the enterprise, consumer authentication, and the U.S. government. Along the way, attendees asked lots of questions and got lots of insightful answers.

A key theme that resonated throughout the virtual summit was that passkeys are a password replacement – and it’s a replacement that can’t come soon enough.

“Passwords are still the primary way for logging on and they are still easily phished through social engineering and they tend to be very difficult to use and to maintain,” David Turner, senior director of standards development at the FIDO Alliance, said. “The consequences are real and the impact is real to the world at large.”

Passkeys 101

During his session, Turner provided a high-level overview on what passkeys are and how passkeys work.

Passkeys build upon existing FIDO authentication protocols and simplify the user experience. 

Passkeys can now be synchronized across devices through the use of passkey providers, removing the need for separate credentials on each device. Passkeys also enable new capabilities like cross-device authentication. Turner demonstrated how a QR code scanned on one device can securely connect to credentials stored on another nearby device. 

In addition to synced passkeys, there are also device-bound passkeys, which rely on technologies like a security key to provide the required credentials.

The State of Passkeys

The current and future state of passkey adoption was the topic tackled by Andrew Shikiar, executive director and CEO of the FIDO Alliance.

There are now hundreds of services, including the major platform vendors Microsoft, Apple and Google, representing billions of users, that support passkeys at this point in 2024.

“If you are a service provider and you wish to deploy passkeys, you can do so with high confidence that your consumers will be able to leverage them,” he said.

The FIDO Alliance aims to drive passkey support over the coming years, in part by sharing best practices and success stories, which is a core part of what the virtual summit was all about.

Usability was emphasized as a key factor for widespread adoption. 

“Usability is paramount. It must be front and center in what you do,” said Shikiar. 

The FIDO Alliance has released user experience guidelines and a design system to help companies implement passkeys in a user-friendly way. Future guidelines will address additional use cases.

Shikiar emphasized that passkeys are not an add-on meant to improve the security of passwords. His expectation is that passkeys will be seen as a true password replacement rather than an attempt at bolstering existing authentication methods. The fundamental problem is passwords, he said, and the goal should be replacing them, not adding extra security layers on top of them. Shikiar wants people to stop thinking about multi-factor authentication factors and instead think about enabling phishing-resistant identities.

Passkeys are on Target at Target

Passkeys are already in use at retail giant Target, helping to improve security and optimize authentication for its employees. 

Tom Sheffield, senior director of cybersecurity at Target, said that the company has been leveraging FIDO for workforce authentication since 2018 and adopted it as a primary authenticator in 2021.

One of the ways that Target has been able to more easily enable passkey support across its platforms is via Single Sign On (SSO). 

“We have a very robust SSO environment across our web application suite,” Sheffield said. “So for us, that made it very easy to integrate FIDO into the SSO platform, and then therefore every application behind SSO automatically got the benefit of it.”

In terms of how Target was able to get its users to adopt passkeys quickly, Sheffield said that the option was communicated to users in the login flow, rather than trying to explain to users what they should do in an email.

Overall, Sheffield emphasized that if an organization is using one-time passwords (OTP) today for multi-factor authentication (MFA), any form of FIDO will provide significantly better user experience and security.

“There have not been many security programs that I’ve been part of in my 25-year career in this space that offer you security and user experience simultaneously,” he said. “So if you’re using anything other than FIDO you’ve got a great opportunity to up your game and provide a great experience for users which should make you a hero.”

Authenticating a Billion Customers with Passkeys at Amazon

Among the biggest consumer-facing websites that supports passkeys today is online giant Amazon.

Yash Patodia, senior manager of product management at Amazon, detailed how passkeys were rolled out to hundreds of millions of consumers worldwide. Patodia explained Amazon’s motivation, noting that passwords are relatively easy for a bad actor to crack. He noted that passkeys help customers to authenticate more easily than other methods with a better user experience.

Amazon implemented passkeys using different APIs for web, iOS, and Android platforms. With passkeys now available across devices, Amazon’s goal is to drive awareness and increase passkey adoption among its customer base over the next year. In his view, passkeys are well suited for mass adoption and early indications from Amazon’s user base are very encouraging.

“If you’re a consumer facing company who has a big customer base, definitely explore this option,” he said.

Considerations for FIDO and Passkeys in the US Government 

The U.S. Government is no stranger to the world of strong authentication, with many staffers already using PIV (Personal Identity Verification) smart card credentials. 

Teresa Wu from IDEMIA and Joe Scalone from Yubico, who both serve on the FIDO Alliance’s Government Deployment Working Group (GDWG), provided an overview of how passkeys can complement PIV credentials and support a zero trust security model. 

As government agencies work to implement phishing-resistant multi-factor authentication, passkeys are an option that could provide a more seamless user experience than one-time passwords or hardware tokens. 

“We are not here to replace PIV, we are here to supplement and use FIDO where PIV is not covered,” said Wu. 

One area where they see opportunities for FIDO is federal contractors and employees who are not eligible for a PIV card due to their job functions. Currently these individuals rely on passwords for system access.

State of Passkey Portability Set to Improve

A critical aspect of user experience is the ability to change passkey providers and move from one provider to another, if that’s what the user wants to do.

With existing password managers and legacy passwords, the process of moving credentials isn’t particularly efficient or secure, according to Rew Islam from Dashlane and Nick Steele from 1Password. It’s a situation that the Credential Provider Special Interest Group within the FIDO Alliance is looking to solve with a new standard for securely porting passwords between different password/passkey management applications.

The group is developing a new Credential Exchange Protocol that will use hybrid public key encryption to securely transfer credentials; the effort also includes the development of a standardized data format for credential information.

“By having the standard credential format, it will allow for interoperability of sharing credentials between two different providers in different organizations,” Steele said.

A proof of concept demo for the credential exchange is currently set for May, during the FIDO Member Plenary in Osaka, Japan. Islam noted that the effort represents a real triumph for the power of FIDO to bring different competitive vendors together for common purpose.

Common Questions about Passkeys 

The virtual summit concluded with an ‘Ask Me Anything’ (AMA) session where attendees asked their most pressing questions on passkeys.

Among the big questions asked:

How should organizations consider choosing synced passkeys or device-bound passkeys from a security and usability perspective?

Turner answered that the first thing to make really clear is that synced passkeys are probably the right answer for the majority of use cases. That said, he noted that FIDO recognizes that there are some areas where people have a much higher risk profile, and in those cases device-bound passkeys can provide an extra level of trust.

Can passkeys play a role in transaction signing?

Pedro Martinez from Thales responded that yes, passkeys can be used to sign transactions. He explained that the beauty of the FIDO protocol is that it is based on the signature of a challenge. As such, it’s possible to adjust the challenge in order to contain data related to a transaction that needs to be digitally signed.
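
One way a relying party could put transaction data into the challenge, as Martinez describes, shown as an added Go example that is not code from Thales or the FIDO Alliance. The challenge layout (a nonce followed by a SHA-256 of the transaction), the `Transaction` fields and the `bank.example` names are assumptions, and `SimulateAssertion` stands in for the browser and authenticator to produce constructed input.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is a hypothetical payment the relying party (RP) wants approved.
type Transaction struct {
	Payee    string `json:"payee"`
	Amount   string `json:"amount"`
	Currency string `json:"currency"`
}

type clientData struct { // subset of clientDataJSON checked here
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// TxChallenge returns nonce || SHA-256(JSON(tx)). This layout is an assumption
// of the example; the random nonce keeps each challenge single-use.
func TxChallenge(tx Transaction, nonce []byte) []byte {
	body, _ := json.Marshal(tx) // struct fields marshal in declaration order
	sum := sha256.Sum256(body)
	return append(append([]byte{}, nonce...), sum[:]...)
}

// signedDigest hashes what an ES256 authenticator signs:
// authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// NewDemoKey creates a throwaway P-256 key standing in for a passkey.
func NewDemoKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SimulateAssertion plays browser and authenticator to produce constructed input.
func SimulateAssertion(key *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (authData, cdj, sig []byte, err error) {
	cdj, _ = json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	rp := sha256.Sum256([]byte(rpID))
	authData = append(rp[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signCount 1
	sig, err = ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cdj))
	return authData, cdj, sig, err
}

// VerifyTxAssertion is the RP check; issued is the challenge stored for the session.
func VerifyTxAssertion(pub *ecdsa.PublicKey, rpID, origin string, issued []byte,
	tx Transaction, authData, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return errors.New("wrong ceremony type or origin")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, issued) {
		return errors.New("challenge is not the one issued")
	}
	// Rebuild the challenge from the transaction about to be executed.
	n := len(issued) - sha256.Size
	if n <= 0 || !bytes.Equal(TxChallenge(tx, issued[:n]), issued) {
		return errors.New("transaction differs from the one approved")
	}
	rp := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rp[:]) || authData[32]&0x01 == 0 {
		return errors.New("rpIdHash mismatch or user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdj), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	key, _ := NewDemoKey()
	nonce := make([]byte, 16)
	rand.Read(nonce)
	tx := Transaction{Payee: "ACME Ltd", Amount: "125.00", Currency: "EUR"}
	ch := TxChallenge(tx, nonce)
	ad, cdj, sig, _ := SimulateAssertion(key, "bank.example", "https://bank.example", ch)
	fmt.Println("original:", VerifyTxAssertion(&key.PublicKey, "bank.example", "https://bank.example", ch, tx, ad, cdj, sig))
	tx.Amount = "9125.00" // altered after the user approved
	fmt.Println("altered: ", VerifyTxAssertion(&key.PublicKey, "bank.example", "https://bank.example", ch, tx, ad, cdj, sig))
}
```

The signature covers only the hash inside the challenge, so the page that starts the WebAuthn request has to show the user the same transaction details that were hashed.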

When will passkeys be the default mode of authentication? 

Shikiar said that he doesn’t think that all passwords will go away, but he is hopeful for a passwordless future.

“Sophisticated risk engines and anomaly detectors don’t really think twice about accepting a password,” he said. “But as passkeys become more prevalent and become the default all of a sudden using a password will be anomalous in and of itself. And I think that’s when we’ll be in the fabulous future when using a password is rightfully seen as a high risk and anomalous action.”

Authenticate 2024 Conference

FIDO Alliance Announces Call for Speakers for Authenticate 2024

Carlsbad, Calif., January 24, 2024 – The FIDO Alliance is pleased to announce the return of Authenticate 2024, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins with passkeys. 

Authenticate 2024, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 14-16, 2024 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego. Information on submitting a speaking proposal is available on the event website.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fifth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

Last year’s conference welcomed over 850 total attendees in Carlsbad and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 50+ industry-leading exhibitors and sponsors.

Authenticate 2024 will build upon this momentum and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities that tap into the natural beauty of Carlsbad and the La Costa Resort. 

Authenticate 2024 Call For Speakers

With today’s announcement, the Authenticate 2024 program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.

The committee is looking for vendor-neutral, educational presentations that focus on authentication implementations and best practices for specific steps of the passwordless journey from the service provider perspective for consumer and workforce rollouts across regulated and non-regulated industries. 

Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication and topics closely related to user authentication and account lifecycle management will also be considered. 

The committee is looking for a variety of session types and formats including main stage market perspectives, detailed case studies, technical tutorials, hands-on labs, and thought provoking panels. Experienced and new speakers alike are encouraged to submit proposals.

Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

The Authenticate Call for Speakers closes on March 4, 2024. To submit an application, please visit https://authenticatecon.com/authenticate-2024-call-for-speakers/

Sponsorship Opportunities at Authenticate 2024 

Authenticate 2024 offers sponsors a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. Authenticate is currently accepting applications for sponsorship from FIDO Alliance members and will open to the industry at large on February 2, 2024. Sign up for the Authenticate newsletter to receive sponsorship information when it becomes publicly available.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to [email protected].

Signature sponsors for the 2024 event are Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins with passkeys. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2024 will be held October 14-16, 2024 and will be co-located with the FIDO Alliance’s member plenary (running October 14-17) at the Omni La Costa Resort in Carlsbad, CA, just north of San Diego. The conference will feature ample space for a rapidly growing audience, a variety of session types to appeal to all levels, and its most dynamic expo hall yet for companies bringing passwordless to fruition – as well as added networking opportunities. 

Whether you are new to FIDO, in the midst of passkey deployment or somewhere in between, Authenticate 2024 will have the right content – and community – for you. 

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, speaking and sponsorship opportunities, sign up for the newsletter.

Authenticate Contact

[email protected]   

PR Contact 

[email protected]

Authenticate 2023 Conference

Authenticate 2023: Day 3 Recap

Authenticate is the industry's must-attend authentication conference hosted by the FIDO Alliance

By: FIDO staff

The third and final day of Authenticate 2023 delivered a deep dive into the reality of passkey deployment in the real world today.

Speakers talked about how their organizations are adopting and deploying passkeys, while also outlining potential issues that need to be considered. Research into the current state of passkeys and authentication, authentication for connected TVs and the role of password managers were also a key part of the day’s agenda.

It’s always good to start a day with a smile, and that’s how Microsoft’s Erik Dauner opened the day, with a session about his company’s efforts, which include Windows Hello (which has a wink and a smile as its startup animation). The path toward passwordless at Microsoft has taken some time, with the company first introducing Windows Hello in 2010.

“Everybody’s looking for the silver bullet, the catch here is that there is no silver bullet,” Dauner said. “I wish I could say there was, instead it’s more of a journey.”

With the latest release of Windows 11 version 22H2, passkeys are deeply integrated, enabling a strong authentication experience. While Windows can be used as a platform authenticator, there is a need for organizations and applications to adopt passkeys. To that end Dauner encouraged organizations to determine where they can include passkeys across websites and applications. 

“The more prevalent they are with all different websites, the more people can use them, the more people will be comfortable with them,” he said.

Why passkeys and password managers work together

Rew Islam, director of product engineering and innovation at Dashlane, initially was a bit worried what passkeys might do to his company’s business. After all, Dashlane is in the business of providing a password manager and if people don’t need passwords, would they still need Dashlane?

As it turns out there is a great fit for Dashlane and other vendors that make password managers in the new era of synced passkeys. Users can choose to use their platform authenticator or a third party manager to handle management of synced passkeys. 

Islam detailed how Dashlane has implemented passkey support through browser extensions and mobile operating system APIs. He also detailed best practices for relying parties to support passkeys used with password managers. 

Among his key takeaways:

  • Consider mobile native app passkey support
  • Consider UI that highlights the passkey provider
  • Use the backup flags to create helpful user hints
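
The backup flags in the last takeaway are the Backup Eligibility (BE) and Backup State (BS) bits in the flags byte of WebAuthn authenticator data. The Go sketch below is an added example, not Dashlane's or the FIDO Alliance's code; the hint wording, the function names and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Bits of the flags byte at offset 32 of WebAuthn authenticator data.
const (
	flagUP byte = 0x01 // user present
	flagUV byte = 0x04 // user verified
	flagBE byte = 0x08 // backup eligible: the passkey may be synced
	flagBS byte = 0x10 // backup state: the passkey is currently backed up
)

// AuthData holds the fixed 37-byte header of authenticator data.
type AuthData struct {
	RPIDHash  [32]byte
	Flags     byte
	SignCount uint32
}

// ParseAuthData decodes rpIdHash (32) | flags (1) | signCount (4, big-endian)
// and rejects the one flag combination the spec forbids: BS without BE.
func ParseAuthData(b []byte) (AuthData, error) {
	var ad AuthData
	if len(b) < 37 {
		return ad, fmt.Errorf("authenticator data is %d bytes, need at least 37", len(b))
	}
	copy(ad.RPIDHash[:], b[:32])
	ad.Flags = b[32]
	ad.SignCount = binary.BigEndian.Uint32(b[33:37])
	if ad.Flags&flagBS != 0 && ad.Flags&flagBE == 0 {
		return ad, errors.New("BS set without BE")
	}
	return ad, nil
}

// Hint values are wording invented for this example.
const (
	HintDeviceBound = "device-bound passkey: suggest adding a second passkey or security key"
	HintNotBackedUp = "syncable passkey, not backed up yet: keep another sign-in method for now"
	HintBackedUp    = "passkey is backed up: safe to offer password removal"
)

// BackupHint maps BE/BS to a user hint. storedBE is the BE value recorded at
// registration; BE is fixed for a credential's lifetime, so a change is an error.
func BackupHint(ad AuthData, storedBE bool) (string, error) {
	be, bs := ad.Flags&flagBE != 0, ad.Flags&flagBS != 0
	if be != storedBE {
		return "", errors.New("backup eligibility differs from the registered value")
	}
	switch {
	case !be:
		return HintDeviceBound, nil
	case !bs:
		return HintNotBackedUp, nil
	default:
		return HintBackedUp, nil
	}
}

// SampleAuthData builds constructed input: a zeroed rpIdHash, the given flags
// and a sign count.
func SampleAuthData(flags byte, count uint32) []byte {
	b := make([]byte, 37)
	b[32] = flags
	binary.BigEndian.PutUint32(b[33:], count)
	return b
}

func main() {
	for _, f := range []byte{flagUP | flagUV, flagUP | flagUV | flagBE, flagUP | flagUV | flagBE | flagBS} {
		ad, err := ParseAuthData(SampleAuthData(f, 7))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		hint, err := BackupHint(ad, f&flagBE != 0)
		fmt.Printf("flags=%#02x hint=%q err=%v\n", ad.Flags, hint, err)
	}
}
```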

Intuit details financial gains by adopting FIDO authentication

Financial software giant Intuit has seen much success in its implementation of FIDO authentication according to Rakan Khalid, group product manager for identity at Intuit.

Intuit serves over 100 million customers and handles sensitive financial data for each, making security and usability a priority. The company first deployed FIDO2 on mobile apps, seeing authentication success rates rise to 97-98% compared to 80% previously.

“We know from our measurements and from our data analytics that every one point increase in signup success rate actually has multi million dollars of top line impact,” he said. 

Looking ahead, Intuit plans to bring FIDO security to the web with passkeys that Khalid said would be really beneficial for Intuit’s customer base.

What Auth is on your connected TV?

The modern connected TV is loaded with multiple services, each requiring its own sign-in method. The typical process for signing into those services can be less than ideal, with challenges for users to actually type in passwords, which often results in individuals reusing passwords or creating very simple passwords.

Tony MacDonell, engineering director at Synacor, explained that the current situation is complex for many users, especially those that are not particularly tech-savvy. There are, however, some newer approaches that minimize complexity, including out-of-band QR codes that connect via a user’s smartphone.

MacDonell noted that his firm is now also working on passkey implementation to help ease the challenge of connecting to multiple streaming services.

“This is a holy grail for us in terms of experience,” MacDonell said about the use of passkeys for connected TVs. “The holy grail very particularly is the fact that no text entry is required and once you get it going the speed to complete the process of authenticating is incredibly fast.”

TikTok dances for passkeys 

Social networking site TikTok is also seeing very impressive results from its use of passkeys.

“We have a 97% login success rate for passkeys on TikTok,” Daniel Grube, product manager at TikTok, said. “This is extremely good as a login method in general.”

TikTok’s move to support passkeys benefited from the fact that the organization had been using FIDO based strong authentication for its internal staff for several years. 

Using FIDO internally has helped to keep the company more secure, and that security now extends to user logins. Embracing passkeys has also meant a cost reduction for TikTok.

“Passkeys are not as expensive as sending an OTP SMS code,” Grube said. “With the way that we implemented passkeys in the platform there was a 2% reduction in SMS OTP login, which saves the company money as well.”

Research shows passkeys are a winner

During Authenticate 2023 a pair of research reports were released that detail the current state of the authentication landscape. The FIDO Alliance’s 2023 Online Authentication Barometer and the joint FIDO and LastPass 2023 Workforce Authentication report both provide insights and were discussed during an afternoon panel session.

Megan Shamas, senior director of marketing at the FIDO Alliance, shared that among the unsurprising findings in the FIDO report is that consumers are still using passwords and are largely not using multi-factor authentication. Cart abandonment due to authentication issues is also a recurring issue that the report surfaced.

“A lot of folks are still abandoning purchases because they just can’t get into their accounts,” she said. 

While consumers aren’t moving terribly fast toward stronger forms of authentication, the LastPass report did provide some rays of hope. Barry McMahon, director of marketing at LastPass, noted that his firm’s report found that over 90% of the respondents to the survey said that they either have or are planning to move to passwordless. Looking forward, McMahon said that almost 70% of IT leaders said that they would be using passwords for less than 25% of their applications across the next five years.

Retailers like passkeys too

In the afternoon keynotes, executives from Skechers, Expedia, and Target participated in a panel discussion yesterday to talk about their experiences rolling out passwordless authentication and the future of passwords.

“Passwordless authentication is a business enabler that can improve enterprise operations and processes, and really offer a frictionless consumer experience,” said panel moderator Kristen Dalton, Director of Strategic Cyber Engagement at RH-ISAC.

Manish Gupta, director, software development engineering at Expedia, commented that from his perspective it has been the leadership of the FIDO Alliance that has helped to move strong authentication and passkeys forward. Tom Sheffield, senior director of cybersecurity at Target, emphasized that FIDO authentication is important and passkeys are now being adopted by 400,000 team members at the retailer. Brett Cumming, senior director, information security officer at Skechers, discussed how passwordless aligned with his company’s security priorities, as the threat actor ecosystem makes passkeys a super relevant conversation area.

The panelists agreed that now is the time for organizations to adopt standards like FIDO to improve security and usability. As Tom Sheffield stated, “The ecosystem is ready. It’s our collective efforts that will help consumers understand passwordless solutions.”

Authentication leaders look to the future of passkeys

In the final panel of the event, FIDO’s Andrew Shikiar, Google’s Christiaan Brand, Microsoft’s Pamela Dingle and CISA’s Bob Lord discussed the big trends of the Authenticate 2023 event.

The panel also reflected on progress made in the past year and set goals for the coming year. Significant discussion centered around efforts to drive further adoption of passkeys with panelists all agreeing that it was just a matter of time.

One of the drivers for adoption is also a move toward enabling security by design and by default, which is an effort that CISA is leading. Lord said the security by design initiative is focussed on eliminating entire classes of vulnerabilities and FIDO fits in well as a solution to the issue of password exploitation.

The panel closed by making predictions on passkey support at top websites by the end of 2024, with estimates ranging from 15% to 35%, signaling continued progress toward ubiquitous passwordless authentication.

Shikiar closed out the event commenting that key themes of the event included how to get to passkey nirvana and when do we get there. 

“We’re also mature enough as an organization now to focus on best practices, not just focus on doing things, but doing them well,” he said.

To that end, there were also numerous workshops at Authenticate 2023 designed to help educate and inform practitioners on best practices. In his view, the attendees of the event and those who learn from FIDO are the real superheroes, as that is the community helping in the collective mission of reducing the reliance on passwords.

That’s a wrap for Authenticate 2023. Authenticate will be back next year at the same location from Oct. 14-16, 2024. Room block is open – book today!

Authenticate 2023 Conference

Authenticate 2023: Day 2 Recap

Authenticate is the industry's must-attend authentication conference hosted by the FIDO Alliance

By: FIDO Staff

Day 2 of Authenticate 2023 was another day packed full of sessions, with a strong emphasis on how organizations across different industries have been able to implement and benefit from strong authentication and passkeys.

The opening keynotes for the day focused on what is needed for widespread deployment of passwordless authentication standards including FIDO and passkeys. 

Anna Pobletts, Head of Passwordless at 1Password, used her time on the keynote stage to highlight the important role that credential managers can play in improving user experience and accessibility. Pobletts noted that credential managers provide a familiar experience for passkey authentication in browsers. She said that since introducing passkey support last month, 1Password has seen over 150,000 users create over 300,000 passkeys.

“We’re all working together to make this passwordless future real, companies like Google, Apple, Microsoft, the major platforms have this enormous reach, they can reach billions of people,” Pobletts said. “They have this ability to educate the masses in a way that, quite frankly, credential managers never will, but on the other hand, we can really help with adoption among our customer bases by meeting them where they’re at.”

Dealing with the challenges of scale and usability

Rolling out strong authentication and passkeys at massive scale is a topic that experts from Amazon and Google also detailed during the morning keynotes.

Mike Slaugh, principal industry specialist at Amazon, discussed the challenges of scaling authentication systems to support billions of global users. He said that when talking about scaling, there is an increase in users, complexity within the environment, and more ways of authenticating with more authentication methods. He also joked that edge cases like authenticating “hermits who live in caves” become real use cases at global scale. To address complexity, Slaugh recommended simplifying systems. 

“Complexity is the enemy of scale,” he said. “The more complex you get, the more of a house of cards you’re building.” 

He proposed viewing authentication as a lifecycle from identity verification to enrollment to authentication to recovery. Giving users choice in authentication methods can also improve throughput.

Mitch Galavan and Court Morgan from Google detailed a different challenge, that of optimizing usability at scale. The two Googlers shared insights into designing passkey authentication for users to help improve usability. 

Galavan explained that at Google, convenience is key for users. So at every part of the passkey experience, the mission is to build it with a core of simplicity. Getting it simple though has been an iterative process where Google has worked to make it as easy as possible for users to understand and use. It’s an effort that has paid off.

Test results showed users found passkeys easier to use than their previous sign-in method and that they “feel more secure with passkeys.” Morgan noted that once users try passkeys, 76% are likely to use them again.

User stories at Authenticate 2023 take flight

Air New Zealand, FOX, Shopify and Pinterest were among the large organizations that spoke in sessions on Day 2 of Authenticate 2023, providing insights into the strong authentication landscape.

Anthony Kemp, product platform owner for IAM at Air New Zealand, detailed how the airline has been able to use FIDO strong authentication and passkeys to improve user experience and even save money. Key benefits included a dramatic reduction in account recovery requests.

The ease of use also ended up helping to drive sales, because there wasn’t as much user drop-off during the authentication phase and users were more eager and able to buy travel.

“That was great because I’m in cyber, and cyber never makes money and never saves money,” he said. 

Media conglomerate FOX Corporation has also benefited from FIDO. Dean Perrine, the company’s deputy CISO, was very enthusiastic about the benefits of FIDO authentication as a way to help reduce authentication risk. Perrine said that FOX has over 12,000 users that needed to be protected. Buying YubiKeys for all of them and getting them deployed is a process that takes time, but there was user demand for the approach.

Integrating some applications to work with FIDO wasn’t hard, as FOX was able to use standards-based approaches with existing identity providers. Integrating non-standard applications that didn’t work with an existing identity system was a challenge, and one that FOX solved by working with solution provider Cerby. FOX now has over 7,100 users connected to FIDO2-based factors across non-standard applications.

The ins and outs of social authentication at Pinterest

Euccas Chen, senior software engineer at Pinterest, explained in a session how the social media sharing site has been improving its authentication efforts in recent years.

“Every day millions of people across the globe log into Pinterest and they might have different types of devices and they might experience various types of network conditions,” Chen said. “That translates to millions of authentication events. You can imagine how imperative it is for us to keep the user authentication both smooth and secure.”

One increasingly popular option used at Pinterest is to support sign-up using other social accounts, including Facebook, Google and Apple. Chen used most of her time on stage to detail the rigorous steps taken to secure the social login, including securing application-level credentials and protecting third-party API calls.

Shopify details the pitfalls of SMS based authentication

A common approach used for multi-factor authentication is the use of one-time tokens sent via SMS. It’s an approach that Avhinav Lele, staff security engineer at Shopify, isn’t all that enthusiastic about.

Lele noted that SMS is easy as a second factor because everyone has a phone, which is why it has been a popular option. That said, he detailed numerous risks including SIM swapping, social engineering, SMS toll fraud and other attacks.

During the session he also detailed the high costs associated with SMS-based authentication, as telecom providers need to get paid for sending messages as well as for registering numbers and short codes.

The view from the U.S. Government

Authentication is a big topic within the U.S. government, and a panel of officials took the stage at Authenticate 2023 to provide insights.

NIST is actively working on multiple publications that offer guidance to help government as well as private sector organizations implement strong authentication. Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division at NIST, noted that guidance about synced passkeys is coming.

Kenneth Myers, director at the U.S. General Services Administration (GSA), talked a bit about how his agency has been able to push FIDO adoption with an effort referred to as committees of action. The groups are made up of six to eight U.S. agencies that are actively running FIDO pilots. He noted that approximately 17 agencies have gone through the process so far, including the U.S. Department of Agriculture (USDA), which is pushing out FIDO as an authenticator to its 110,000-person workforce.

Authentication in the Payments Industry 

The last session of the day was a panel of payment industry experts gathered to discuss the evolution of authentication and its impact on fraud mitigation. 

While there has been progress, there is also frustration that fraud persists at all levels of the payment ecosystem, including even basic check fraud.

“We keep acting like it’s so sophisticated and we keep making it even faster and faster and more remote, but we can’t even get the basics fixed, so that’s my view of payments,” Kim Sutherland, VP of Fraud and Identity Strategy at LexisNexis Risk Solutions said.

Introducing friction into the payments process isn’t necessarily a bad thing, according to Deepti Kurup, SVP Enterprise Customer IAM at M&T Bank. She noted that in her view, now is the right time to focus on consumer education and on helping consumers understand that friction is not always a bad thing. She added that it also means helping consumers understand that when things happen without friction, really strong authentication methods are happening passively as well, even if consumers might not realize it.

There are many different components that can work together to help reduce payment fraud and strong authentication from FIDO is part of the mix. Arman Aygen, Director of Technology at EMVCo, explained that his organization collaborates with the FIDO Alliance and the W3C in a web payment security interest group.

“We’ve been focusing on how the different technologies can work together,” he said.

Day 3 of Authenticate 2023 is underway on October 18, and if you missed Day 1 be sure to check out the recap here. To register to join the conference in Carlsbad or attend remotely, visit authenticatecon.com.

Authenticate 2023 Conference

Authenticate 2023: Day 1 Recap

By: FIDO Staff

What is the current state of authentication? How is passkey adoption coming along across the globe? What are the big issues facing organizations for authentication? Those were among the many topics discussed on the first day of the Authenticate 2023 conference, which got underway at the Omni La Costa Resort in Carlsbad, California on Oct. 17.

The opening keynote for the event was delivered by FIDO Alliance Executive Director and CMO Andrew Shikiar, who provided a summary of the organization’s work over the past year to promote passwordless authentication using passkeys.

“The technology is ready, virtually every modern computing device can support passkeys,” he said. “That means that virtually every customer of yours, every employee of yours can use passkeys instead of passwords.”

Passkeys didn’t magically emerge overnight; rather, significant effort has gone into the FIDO technical specifications over the years. In fact, Shikiar calculated that there have been over 60,000 hours of effort that have gone into FIDO technical specifications so far.

Looking ahead, Shikiar said that the FIDO Alliance has several key items on its to-do list for 2024, including consumer education, advancing adoption in regulated industries, encouraging an open ecosystem, helping developers to integrate the technology and regulatory engagement to make sure passkeys are part of updated guidance and regulations.

How AI Has Changed Hacking

The importance of strong authentication and passkeys was laid bare in an eye-opening keynote by ethical hacker Rachel Tobac.

During her keynote, Tobac discussed how social engineering risks and AI are impacting hacking techniques. She detailed common attacks like phishing, tech support scams, and impersonation. She also demonstrated how attackers can use publicly available information and AI tools like voice cloning to impersonate people. In a somewhat tense moment, Tobac showed FIDO’s Shikiar how easily she could clone his voice and get him to say anything she wanted (she decided to get the AI-cloned voice to say he likes cats).

Tobac suggests that users be politely paranoid overall and take steps to confirm that people are who they say they are. Among the best ways to improve authentication is the use of FIDO-based strong authentication.

“Most everybody is reusing their password and most everyday folks are not using multi factor authentication at all,” she said. “Helping them move towards the right method of multi factor authentication for their threat model, especially if they have admin access, with something like FIDO is a really good move.”

FIDO helps orgs to save money too

As part of the morning keynotes, Derek Hanson, vice president of standards at Yubico, detailed different methods that organizations are using to reduce risk.

A primary way to reduce risk is by improving identity authentication.

“We need phishing resistant authentication for everyone, everywhere,” he said. “FIDO lays the tools for a lot of those foundations for us.”

Hanson also detailed a brief case study of FIDO adoption by call center operations provider Afni. He noted that by supporting FIDO, Afni was able to substantially improve user experience and reduce risks, so much so that even the company’s cyber insurance provider took notice and lowered the company’s premiums. 

Embracing the sound and the fury of the passwordless revolution at Microsoft

As part of the morning keynotes, Pamela Dingle, Director of Identity Standards at Microsoft, provided updates on the state of password attacks and how her company is working to strengthen authentication. 

“Last year, I gave a number and this number was 1,000 password attacks a second, that is what we as Microsoft were seeing on our platform,” Dingle said. “Does anyone want to guess what that number is now? Well, that number is now 4,000 password attacks a second.”

Dingle highlighted how Microsoft has iterated on authentication methods based on real-world usage data to help improve security and reduce risk. She also outlined multiple efforts underway at Microsoft to improve user identity and authentication including token theft detection and privileged roles. She also showcased Microsoft’s implementation of passwordless authentication using passkeys on Windows 11. In her view, with the ability to sync passkeys across devices, the passkeys could eliminate the weaknesses of passwords if widely adopted.

Google, TikTok and eBay talk identity

Leaders from Google, eBay, and TikTok gathered for a live broadcast of the Identity at the Center podcast during the keynote to talk about innovations in digital identity.

Mahendar Madhavan, group product manager at eBay, noted that his company was an early adopter of FIDO strong authentication and the WebAuthn specifications. While specifications matter, he emphasized that user experience is critical.

“At eBay, users don’t see authentication as a thing that they need to do, they worry about buying and selling and the same applies to Google, they just want to search, at TikTok they want to make videos, right?” Madhavan said. “Authentication is the last thing that they worry about, right? So to be able to create smart contextual authentication that works seamlessly across devices is of paramount importance.”

Christiaan Brand, product manager of identity and security at Google, explained that his organization is increasingly nudging its users toward using passkeys as a default option for authentication. 

“We want to gradually turn that volume upwards with the rest of the industry and that’s why it’s so important also to have my partners here with us on stage because I don’t think passkeys is something that one company alone can take forward and make a success,” Brand said.

Helping to secure and improve the user experience is also why TikTok is moving to adopt passkeys as well.

“The technology has obviously been adopted by a lot of big players in the industry and TikTok wants to be a part of that,” Daniel Grube, product manager at TikTok said.

The intersection of biometrics and authentication

Multiple speakers on Day 1 of Authenticate 2023 discussed the topic of biometrics, among them Stephanie Schuckers, professor at Clarkson University and Director of the Biometric Institute.

“Biometrics is a key enabler for digital identity and remote identity verification systems, but there are also privacy concerns that individuals and organizations have,” Schuckers said.

Schuckers provided an overview of biometrics and guidelines for responsible adoption of biometrics technology according to the Biometrics Institute. She discussed how biometrics can enable digital identity but also raise privacy concerns. Schuckers emphasized following a process of first understanding the problem, legal framework, and risks before considering technology options.

Google gears up for #passkeysweek

In an afternoon session, Google staffers Kateryna Semenova, Developer Relations Engineer, and Eiji Kitamura, Google Developer Advocate, discussed how Google is expanding passkey enablement.

During the session, they detailed what’s new with passkeys on Android and Chrome, Google’s password managers and new unifying authentication APIs. They also shared case studies from partners who have implemented passkeys.

One of the big capabilities detailed by Semenova is the Google Credential Manager, a tool that can be used to consolidate different authentication methods, with the new default choice leaning towards passkeys. She also detailed how travel website Kayak has been able to transition to passkeys and in so doing has reduced sign-in time by as much as 50%.

To help push adoption of passkeys across Google and the industry, Kitamura announced that Google is advocating for a #passkeys week that will run from Oct. 23-27.

Cyber Hut: The numbers behind identity

In an afternoon session, Simon Moffatt, the founder of the cyber security research firm The Cyber Hut, provided some new insights about the state of identity and access management, based on his firm’s research.

When asked what identity components are likely to die off in the next year, 30% of identity professionals said password-based authentication.

“How do we kill the password? We have the technology, we have the standards and we have all of the wonderful ways of measuring benefits,” Moffatt said. “Yet, we’re all using passwords every single day.”

When asked what is stopping organizations from moving to passwordless, Moffatt noted that the survey found that 64% of respondents said lack of coverage and integration was a barrier.

“It’s definitely a journey,” Moffatt said. “I think organizations know passwords are bad and passwordless is great and what they struggle with is where to start.”

How GitHub’s Project Bulwark raised the bar on passwordless

Passkeys are being adopted quickly at one of the world’s most widely used developer sites. 

GitHub staffers Hirsch Singhal, staff product manager, and Hannah Gould, senior software engineer, discussed how passkeys helped the company successfully roll out mandatory two-factor authentication (2FA) for all users.

Singhal noted that GitHub has been committed to rolling out multi-factor authentication across its user base since at least 2022. He said that at the time, two core issues with the technology were that it was hard to use and easy to lose. Passkeys help to solve those issues.

In the first three months of an open beta for passkeys, GitHub had 27,000 users. In only three weeks after GitHub made its passkey implementation generally available, it got over 100,000 users. As to why the adoption was so rapid, Singhal said that GitHub followed FIDO Alliance guidelines for user interface design.

“We’re not even promoting passkeys or trying to push people to use passkeys,” he said. “I would attribute this mostly to the growth that the rest of the ecosystem has and also we were lucky enough to ship at the same time as both Google and Microsoft were making a lot of noise about passkeys working in their own ecosystem.”

Passkeys and regulated markets

Passkeys can also fit into regulated environments, according to Rolf Lindemann, vice president of products at Nok Nok.

In a session, Lindemann detailed how passkeys can improve security and usability for authentication, especially in regulated industries like banking. Lindemann discussed how passkeys address some limitations of traditional authentication methods and how they can help with multi-device usage. He noted that current regulatory requirements say regulated entities are responsible for handling device additions which could potentially be a challenge for synced passkeys. That said, Lindemann said there are solutions.

“Synced passkeys can be augmented to implement strong device binding, which is required for regulated entities,” he said.

Potential challenges to be aware of for passkey deployment

Passkeys offer tremendous potential for users and organizations, but there are some deployment issues that need to be considered regarding registration, authentication, and account recovery when implementing passwordless authentication.

Hans Reichenbach, Software Architect at Okta, noted that one of the pitfalls he has seen with passkeys has to do with domains. He explained that the way FIDO phishing resistance works is that it’s bound to the domain the credentials are registered on. 

“So the domain you have at your registration needs to be the same domain as you have your authentication stuff, and you better like it, because if you change it, everybody’s gonna have to re-enroll,” he said.

Revocation is also different with passkeys than with passwords. Reichenbach said that revocation in the password world is an atomic action, where an administrator deletes one password and then can create another.

“That is not how it works with passkeys,” he said. “You need to register the new passkey first and then remove the old one, because otherwise you’re just totally locked out and have no credentials.”
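The two pitfalls Reichenbach describes, domain binding and register-before-remove revocation, can be seen in a short Python sketch. This is an added example, not code from the talk, Okta or the FIDO Alliance; the domains, credential IDs and the `Account` store are constructed for illustration.

```python
import hashlib
import hmac

OLD_RP_ID = "login.example.com"   # constructed: domain used at registration
NEW_RP_ID = "auth.example.net"    # constructed: domain after a migration


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID, the first 32 bytes of WebAuthn authenticatorData."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def sample_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash | flags (UP+UV) | signCount."""
    return rp_id_hash(rp_id) + bytes([0x05]) + sign_count.to_bytes(4, "big")


def rp_id_allowed_for_host(rp_id: str, host: str) -> bool:
    """Client-side rule, simplified: the RP ID must equal the page's host or be
    a label-aligned parent of it. Browsers additionally reject public suffixes
    such as "com"; that lookup is omitted here."""
    rp_id, host = rp_id.lower(), host.lower()
    return host == rp_id or host.endswith("." + rp_id)


def server_accepts(authenticator_data: bytes, expected_rp_id: str) -> bool:
    """Relying-party check: the rpIdHash must match the RP ID we expect."""
    if len(authenticator_data) < 37:
        return False
    return hmac.compare_digest(authenticator_data[:32], rp_id_hash(expected_rp_id))


class LockoutError(Exception):
    """Raised when a removal would leave the account with no credential."""


class Account:
    """Hypothetical credential store: credential ID -> RP ID it was created for."""

    def __init__(self):
        self.credentials = {}

    def register(self, credential_id: str, rp_id: str) -> None:
        self.credentials[credential_id] = rp_id

    def remove(self, credential_id: str) -> None:
        remaining = [c for c in self.credentials if c != credential_id]
        if credential_id in self.credentials and not remaining:
            raise LockoutError("register a replacement passkey before removing the last one")
        self.credentials.pop(credential_id, None)

    def rotate(self, old_id: str, new_id: str, rp_id: str) -> None:
        """Add-then-remove: the account is never without a credential."""
        self.register(new_id, rp_id)
        self.remove(old_id)

    def usable_on(self, rp_id: str) -> list:
        """Credentials that can still sign in when the site serves this RP ID."""
        return sorted(c for c, r in self.credentials.items() if r == rp_id)
```

After a move from `OLD_RP_ID` to `NEW_RP_ID`, `usable_on(NEW_RP_ID)` is empty for every existing account, which is the re-enrollment cost described in the session.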

The first day of Authenticate 2023 also had a bit of a somber note, as longtime FIDO contributor Vittorio Bertocci, who recently passed away, was remembered and acknowledged with the launch of a new award in his honor, administered by the Digital Identity Advancement Foundation.

Day 2 of Authenticate 2023 is underway on Oct. 17 and there’s lots more to come, with more user stories, panels and guidance. To register to join the conference in Carlsbad or attend remotely, visit authenticatecon.com.