Authenticate Events

Recap: Virtual Summit: Demystifying Passkey Implementations


By: FIDO staff

Passkeys hold the promise of enabling simpler, strong authentication. But first, organizations, governments and individuals will have to adopt the technology – and some of them have questions.

At the Authenticate Virtual Summit: Demystifying Passkey Implementation on March 13, speakers from the FIDO Alliance, Intercede, IDEMIA, Yubico, Dashlane and 1Password, as well as implementers including Amazon and Target, presented on their experiences implementing and working with passkeys. The virtual summit covered the technical perspective on passkeys from the FIDO Alliance, as well as use cases for passkeys in the enterprise, consumer authentication, and the U.S. government. Along the way, attendees asked lots of questions and got lots of insightful answers.

Fundamentally, a key theme that resonated throughout the virtual summit was that passkeys are a password replacement – and it’s a replacement that can’t come soon enough.

“Passwords are still the primary way for logging on and they are still easily phished through social engineering and they tend to be very difficult to use and to maintain,” David Turner, senior director of standards development at the FIDO Alliance said. “The consequences are real and the impact is real to the world at large.”

Passkeys 101

During his session, Turner provided a high-level overview on what passkeys are and how they work.

Passkeys build upon existing FIDO authentication protocols and simplify the user experience. 

Passkeys can now be synchronized across devices through the use of passkey providers, removing the need for separate credentials on each device. Passkeys also enable new capabilities like cross-device authentication. Turner demonstrated how a QR code scanned on one device can securely connect to credentials stored on another nearby device. 

In addition to synced passkeys, there are also device-bound passkeys, which rely on technologies like a security key to provide the required credentials.

The State of Passkeys

The current and future state of passkey adoption was the topic tackled by Andrew Shikiar, executive director and CEO of the FIDO Alliance.

There are now hundreds of services, including the major platform vendors Microsoft, Apple and Google, representing billions of users, that support passkeys at this point in 2024.

“If you are a service provider and you wish to deploy passkeys, you can do so with high confidence that your consumers will be able to leverage them,” he said.

The FIDO Alliance aims to drive passkey support over the coming years, in part by sharing best practices and success stories, which is a core part of what the virtual summit was all about.

Usability was emphasized as a key factor for widespread adoption. 

“Usability is paramount. It must be front and center in what you do,” said Shikiar. 

The FIDO Alliance has released user experience guidelines and a design system to help companies implement passkeys in a user-friendly way. Future guidelines will address additional use cases.

Shikiar emphasized that passkeys are not meant to be another addition that improves the security of passwords. His expectation is that passkeys will be seen as a true password replacement rather than just an attempt at bolstering existing authentication methods. In his view, the fundamental problem is passwords, and the goal should be replacing them, not just adding extra security layers on top of them. Shikiar wants people to stop thinking about multi-factor authentication factors and instead think about enabling phishing-resistant identities.

Passkeys are on Target at Target

Passkeys are already in use at retail giant Target, helping to improve security and optimize authentication for its employees. 

Tom Sheffield, senior director of cybersecurity at Target, said that the company has been leveraging FIDO for workforce authentication since 2018 and adopted it as a primary authenticator in 2021.

One of the ways that Target has been able to more easily enable passkey support across its platforms is via Single Sign On (SSO). 

“We have a very robust SSO environment across our web application suite,” Sheffield said. “So for us, that made it very easy to integrate FIDO into the SSO platform, and then therefore every application behind SSO automatically got the benefit of it.”

In terms of how Target was able to get its users to adopt passkeys quickly, Sheffield said that the option was communicated to users in the login flow, rather than trying to explain to users what they should do in an email.

Overall, Sheffield emphasized that if an organization is using OTP (one time passwords) today for multi-factor authentication (MFA), any form of FIDO will provide significantly better user experience and security. 

“There have not been many security programs that I’ve been part of in my 25-year career in this space that offer you security and user experience simultaneously,” he said. “So if you’re using anything other than FIDO you’ve got a great opportunity to up your game and provide a great experience for users which should make you a hero.”

Authenticating a Billion Customers with Passkeys at Amazon

Among the biggest consumer-facing websites that supports passkeys today is online giant Amazon.

Yash Patodia, senior manager of product management at Amazon, detailed how passkeys were rolled out to hundreds of millions of consumers worldwide. Patodia explained Amazon’s motivation, noting that passwords are relatively easy for a bad actor to crack. He noted that passkeys help customers to authenticate more easily than other methods, with a better user experience.

Amazon implemented passkeys using different APIs for web, iOS, and Android platforms. Now available across devices, Amazon’s goal is to drive awareness and increase passkey adoption among its customer base over the next year. In his view, passkeys are well suited for mass adoption and early indications from Amazon’s user base are very encouraging.

“If you’re a consumer facing company who has a big customer base, definitely explore this option,” he said.

Considerations for FIDO and Passkeys in the US Government 

The U.S. Government is no stranger to the world of strong authentication, with many staffers already using PIV (Personal Identity Verification) smart card credentials. 

Teresa Wu from IDEMIA and Joe Scalone from Yubico, who both serve on the FIDO Alliance’s Government Deployment Working Group (GDWG), provided an overview of how passkeys can complement PIV credentials and support a zero trust security model. 

As government agencies work to implement phishing-resistant multi-factor authentication, passkeys are an option that could provide a more seamless user experience than one-time passwords or hardware tokens. 

“We are not here to replace PIV, we are here to supplement and use FIDO where PIV is not covered,” said Wu. 

One area they see opportunities for FIDO is for federal contractors and employees who are not eligible for a PIV card due to their job functions. Currently these individuals rely on passwords for system access.

State of Passkey Portability Set to Improve

A critical aspect of user experience is the ability to change passkey providers and move from one provider to another, if that’s what the user wants to do.

With existing password managers and legacy passwords, the process of moving credentials isn’t particularly efficient or secure, according to Rew Islam from Dashlane and Nick Steele from 1Password. It’s a situation that the Credential Provider Special Interest Group within the FIDO Alliance is looking to solve with a new standard for securely porting passwords between different password/passkey management applications.

The group is developing a new Credential Exchange Protocol that will use hybrid public key encryption to securely transfer credentials; the effort also includes the development of a standardized data format for credential information.

“By having the standard credential format, it will allow for interoperability of sharing credentials between two different providers in different organizations,” Steele said.

A proof of concept demo for the credential exchange is currently set for May, during the FIDO Member Plenary in Osaka, Japan. Islam noted that the effort represents a real triumph for the power of FIDO to bring different competitive vendors together for common purpose.

Common Questions about Passkeys 

The virtual summit was concluded with an ‘Ask Me Anything’ (AMA) session where attendees asked their most pressing questions on passkeys.

Among the big questions asked:

How should organizations consider choosing synced passkeys or device-bound passkeys from a security and usability perspective?

Turner answered that the first thing to make really clear is that synced passkeys are probably the right answer for the majority of use cases. That said, he noted that FIDO recognizes that there are some areas where people have a much higher risk profile, and in those cases device-bound passkeys can provide an extra level of trust.

Can passkeys play a role in transaction signing?

Pedro Martinez from Thales responded that yes, passkeys can be used to sign transactions. He explained that the beauty of the FIDO protocol is that it is based on the signature of a challenge. As such, it’s possible to adjust the challenge in order to contain data related to a transaction that needs to be digitally signed.

When will passkeys be the default mode of authentication? 

Shikiar said that he doesn’t think that all passwords will go away, but he is hopeful for a passwordless future.

“Sophisticated risk engines and anomaly detectors don’t really think twice about accepting a password,” he said. “But as passkeys become more prevalent and become the default all of a sudden using a password will be anomalous in and of itself. And I think that’s when we’ll be in the fabulous future when using a password is rightfully seen as a high risk and anomalous action.”

Authenticate 2024 Conference

FIDO Alliance Announces Call for Speakers for Authenticate 2024

Carlsbad, Calif., January 24, 2024 – The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins with passkeys. 

Authenticate 2024, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 14-16, 2024 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego. Information on submitting a speaking proposal is available on the event website.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fifth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

Last year’s conference welcomed over 850 total attendees in Carlsbad and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 50+ industry-leading exhibitors and sponsors.

Authenticate 2024 will build upon this momentum and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities that tap into the natural beauty of Carlsbad and the La Costa Resort. 

Authenticate 2024 Call For Speakers

With today’s announcement, the Authenticate 2024 program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.

The committee is looking for vendor-neutral, educational presentations that focus on authentication implementations and best practices for specific steps of the passwordless journey from the service provider perspective for consumer and workforce rollouts across regulated and non-regulated industries. 

Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication and topics closely related to user authentication and account lifecycle management will also be considered. 

The committee is looking for a variety of session types and formats including main stage market perspectives, detailed case studies, technical tutorials, hands-on labs, and thought provoking panels. Experienced and new speakers alike are encouraged to submit proposals.

Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

The Authenticate Call for Speakers closes on March 4, 2024. To submit an application, please visit https://authenticatecon.com/authenticate-2024-call-for-speakers/

Sponsorship Opportunities at Authenticate 2024 

Authenticate 2024 offers sponsors a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. Authenticate is currently accepting applications for sponsorship from FIDO Alliance members and will open to the industry at large on February 2, 2024. Sign up for the Authenticate newsletter to receive sponsorship information when it becomes publicly available.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to [email protected].

Signature sponsors for the 2024 event are Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins with passkeys. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2024 will be held October 14-16, 2024 and will be co-located with the FIDO Alliance’s member plenary (running October 14-17) at the Omni La Costa Resort in Carlsbad, CA, just north of San Diego. The conference will feature ample space for a rapidly growing audience, a variety of session types to appeal to all levels, and its most dynamic expo hall yet for companies bringing passwordless to fruition – as well as added networking opportunities. 

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2024 will have the right content – and community – for you. 

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, speaking and sponsorship opportunities, sign up for the newsletter.


Authenticate 2023 Conference

Authenticate 2023: Day 3 Recap

By: FIDO staff

The third and final day of Authenticate 2023 delivered a deep dive into the reality of passkey deployment in the real world today.

Speakers talked about how their organizations are adopting and deploying passkeys, while also outlining potential issues that need to be considered. Research into the current state of passkeys and authentication, authentication for connected TVs and the role of password managers were also a key part of the day’s agenda.

It’s always good to start a day with a smile and that’s where Microsoft’s Erik Dauner opened the day with a session about his company’s efforts, which include Windows Hello (that has a wink and a smile as startup animation). The path toward passwordless at Microsoft has taken some time with the company first introducing Windows Hello in 2010.

“Everybody’s looking for the silver bullet, the catch here is that there is no silver bullet,” Dauner said. “I wish I could say there was, instead it’s more of a journey.”

With the latest release of Windows 11 version 22H2, passkeys are deeply integrated, enabling a strong authentication experience. While Windows can be used as a platform authenticator, there is a need for organizations and applications to adopt passkeys. To that end Dauner encouraged organizations to determine where they can include passkeys across websites and applications. 

“The more prevalent they are with all different websites, the more people can use them, the more people will be comfortable with them,” he said.

Why passkeys and password managers work together

Rew Islam, director of product engineering and innovation at Dashlane, initially was a bit worried what passkeys might do to his company’s business. After all, Dashlane is in the business of providing a password manager and if people don’t need passwords, would they still need Dashlane?

As it turns out there is a great fit for Dashlane and other vendors that make password managers in the new era of synced passkeys. Users can choose to use their platform authenticator or a third party manager to handle management of synced passkeys. 

Islam detailed how Dashlane has implemented passkey support through browser extensions and mobile operating system APIs. He also detailed best practices for relying parties to support passkeys used with password managers. 

Among his key takeaways:

  • Consider mobile native app passkey support
  • Consider UI that highlights the passkey provider
  • Use the backup flags to create helpful user hints

Intuit details financial gains by adopting FIDO authentication

Financial software giant Intuit has seen much success in its implementation of FIDO authentication according to Rakan Khalid, group product manager for identity at Intuit.

Intuit serves over 100 million customers but handles sensitive financial data for each, making security and usability a priority. The company first deployed FIDO2 on mobile apps, seeing authentication success rates rise to 97-98% compared to 80% previously.

“We know from our measurements and from our data analytics that every one point increase in signup success rate actually has multi million dollars of top line impact,” he said. 

Looking ahead, Intuit plans to bring FIDO security to the web with passkeys that Khalid said would be really beneficial for Intuit’s customer base.

What Auth is on your connected TV?

The modern connected TV is loaded with multiple services, each requiring its own sign-in method. The typical process for signing into those services can be less than ideal, with challenges for users to actually type in passwords, which often results in individuals reusing passwords or creating very simple passwords.

Tony MacDonell, engineering director at Synacor, explained that the current situation is complex for many users, especially those that are not particularly tech-savvy. There are, however, some newer approaches to minimize complexity, including the use of out-of-band QR codes that are connected via a user’s smartphone.

MacDonell noted that his firm is now also working on passkey implementation to help ease the challenge of connecting to multiple streaming services.

“This is a holy grail for us in terms of experience,” MacDonell said about the use of passkeys for connected TVs. “The holy grail very particularly is the fact that no text entry is required and once you get it going the speed to complete the process of authenticating is incredibly fast.”

TikTok dances for passkeys 

Social networking site TikTok is also seeing very impressive results from its use of passkeys.

“We have a 97% login success rate for passkeys on TikTok,” Daniel Grube, product manager at TikTok said. “This is extremely good as a login method in general.”

TikTok’s move to support passkeys benefited from the fact that the organization had been using FIDO based strong authentication for its internal staff for several years. 

Using FIDO internally has helped to keep the company more secure and that security now extends to user logins. Embracing passkeys has also meant a cost reduction for TikTok too.

“Passkeys are not as expensive as sending an OTP SMS code,” Grube said. “With the way that we implemented passkeys in the platform there was a 2% reduction in SMS OTP login, which saves the company money as well.”

Research shows passkeys are a winner

During Authenticate 2023 a pair of research reports were released that detail the current state of the authentication landscape. The FIDO Alliance’s 2023 Online Authentication Barometer and the joint FIDO and LastPass 2023 Workforce Authentication report both provide insights and were discussed during an afternoon panel session.

Megan Shamas, senior director of marketing at the FIDO Alliance shared that among the non-surprising findings in the FIDO report is that consumers are still using passwords and they are also largely not using multi-factor authentication either. Cart abandonment due to authentication issues is also a recurring issue that the report surfaced.

“A lot of folks are still abandoning purchases because they just can’t get into their accounts,” she said. 

While movement toward stronger forms of authentication with consumers isn’t moving terribly fast, the LastPass report did provide some rays of hope. Barry McMahon, director of marketing at LastPass noted that his firm’s report found that over 90% of the respondents to the survey said that they either have or are planning to move to passwordless. Looking forward, McMahon said that almost 70% of IT leaders said that they would be using passwords for less than 25% of their applications across the next five years.

Retailers like passkeys too

In the afternoon keynotes executives from Skechers, Expedia, and Target participated in a panel discussion yesterday to talk about their experiences rolling out passwordless authentication and the future of passwords. 

“Passwordless authentication is a business enabler that can improve enterprise operations and processes, and really offer a frictionless consumer experience,” said panel moderator Kristen Dalton, Director of Strategic Cyber Engagement at RH-ISAC.

Manish Gupta, director, software development engineering at Expedia commented that from his perspective it has been the leadership of the FIDO Alliance that has helped to accelerate strong authentication and passkeys forward. Tom Sheffield, sr director of cybersecurity at Target emphasized that FIDO authentication is important and passkeys are now being adopted by 400,000 team members at the retailer. Brett Cumming, senior director, information security officer at Skechers discussed how passwordless aligned with his company’s security priorities, as the threat actor ecosystem makes passkeys a super relevant conversation area.

The panelists agreed that now is the time for organizations to adopt standards like FIDO to improve security and usability. As Tom Sheffield stated, “The ecosystem is ready. It’s our collective efforts that will help consumers understand passwordless solutions.”

Authentication leaders look to the future of passkeys

In the final panel of the event, FIDO’s Andrew Shikiar, Google’s Christiaan Brand, Microsoft’s Pamela Dingle and CISA’s Bob Lord discussed the big trends of the Authenticate 2023 event.

The panel also reflected on progress made in the past year and set goals for the coming year. Significant discussion centered around efforts to drive further adoption of passkeys with panelists all agreeing that it was just a matter of time.

One of the drivers for adoption is also a move toward enabling security by design and by default, which is an effort that CISA is leading. Lord said the security by design initiative is focussed on eliminating entire classes of vulnerabilities and FIDO fits in well as a solution to the issue of password exploitation.

The panel closed by making predictions on passkey support at top websites by the end of 2024, with estimates ranging from 15% to 35%, signaling continued progress toward ubiquitous passwordless authentication.

Shikiar closed out the event commenting that key themes of the event included how to get to passkey nirvana and when do we get there. 

“We’re also mature enough as an organization now to focus on best practices, not just focus on doing things, but doing them well,” he said.

To that end, there were numerous workshops at Authenticate 2023 as well designed to help educate and inform practitioners in best practices. It’s the attendees of the event and those that learn from FIDO that are the real superheroes in his view as that is the community that is helping in the collective mission towards reducing the reliance on passwords.

That’s a wrap for Authenticate 2023. Authenticate will be back next year at the same location from Oct. 14-16, 2024. Room block is open – book today!

Authenticate 2023 Conference

Authenticate 2023: Day 2 Recap

By: FIDO Staff

Day 2 of Authenticate 2023 was another day packed full of sessions, with a strong emphasis on how organizations across different industries have been able to implement and benefit from strong authentication and passkeys.

The opening keynotes for the day focused on what is needed for widespread deployment of passwordless authentication standards including FIDO and passkeys. 

Anna Pobletts, Head of Passwordless at 1Password, used her time on the keynote stage to highlight the important role that credential managers can play in improving user experience and accessibility. Pobletts noted that credential managers provide a familiar experience for passkey authentication in browsers. She said that since introducing passkey support last month, 1Password has seen over 150,000 users create over 300,000 passkeys.

“We’re all working together to make this passwordless future real, companies like Google, Apple, Microsoft, the major platforms have this enormous reach, they can reach billions of people,” Pobletts said. “They have this ability to educate the masses in a way that, quite frankly, credential managers never will, but on the other hand, we can really help with adoption among our customer bases by meeting them where they’re at.”

Dealing with the challenges of scale and usability

Rolling out strong authentication and passkeys at massive scale is a topic that experts from Amazon and Google also detailed during the morning keynotes.

Mike Slaugh, principal industry specialist at Amazon, discussed the challenges of scaling authentication systems to support billions of global users. He said that when talking about scaling, there is an increase in users, complexity within the environment, and more ways of authenticating with more authentication methods. He also joked that edge cases like authenticating “hermits who live in caves” become real use cases at global scale. To address complexity, Slaugh recommended simplifying systems. 

“Complexity is the enemy of scale,” he said. “The more complex you get, the more of a house of cards you’re building.” 

He proposed viewing authentication as a lifecycle from identity verification to enrollment to authentication to recovery. Giving users choice in authentication methods can also improve throughput.

Mitch Galavan and Court Morgan from Google detailed a different challenge, that of optimizing usability at scale. The two Googlers shared insights into designing passkey authentication for users to help improve usability. 

Galavan explained that at Google, convenience is key for users. So at every part of the passkey experience, the mission is to build it with a core of simplicity. Getting it simple though has been an iterative process where Google has worked to make it as easy as possible for users to understand and use. It’s an effort that has paid off.

Test results showed users found passkeys easier to use than their previous sign in method and that they “feel more secure with passkeys.” Morgan noted that once users try passkeys, 76% are likely to use them again.

User stories at Authenticate 2023 take flight

Air New Zealand, FOX, Shopify and Pinterest were among the large organizations that spoke in sessions on Day 2 of Authenticate 2023, providing insights into the strong authentication landscape.

Anthony Kemp, product platform owner for IAM at Air New Zealand, detailed how the airline has been able to use FIDO strong authentication and passkeys to improve user experience and even save money. Key benefits included a dramatic reduction in account recovery requests.

The ease of use also ended up helping to drive sales, because there wasn’t as much user drop-off during the authentication phase and users were more eager and able to buy travel.

“That was great because I’m in cyber, and cyber never makes money and never saves money,” he said. 

Media conglomerate FOX Corporation has also benefited from FIDO. Dean Perrine, the company’s deputy CISO, was very enthusiastic about the benefits of FIDO authentication as a way to help reduce authentication risk. Perrine said that FOX has over 12,000 users that needed to be protected and buying YubiKeys for all of them and getting it deployed is a process that takes time but there was user demand for the approach.

Integrating some applications to work with FIDO wasn’t hard, as FOX was able to use standards based approaches with existing identity providers. Integrating non-standard applications that didn’t work with an existing identity system was a challenge and one that FOX solved by working with solution provider Cerby. Fox now has over 7,100 users connected to FIDO2 based factors across non-standard applications.

The ins and outs of social authentication at Pinterest

Euccas Chen, senior software engineer at Pinterest, explained in a session how the social media sharing site has been improving its authentication efforts in recent years.

“Every day millions of people across the globe log into Pinterest and they might have different types of devices and they might experience various types of network conditions,” Chen said. “That translates to millions of authentication events. You can imagine how imperative it is for us to keep the user authentication both smooth and secure.”

One increasingly popular option used at Pinterest is to support sign up using other social accounts, including Facebook, Google and Apple. She used most of her time on stage to detail the rigorous steps taken to secure the social login, including taking steps to secure application level credentials and also protect third party API calls.

Shopify details the pitfalls of SMS based authentication

A common approach used for multi-factor authentication is the use of one time tokens sent via SMS. It’s an approach that Avhinav Lele, staff security engineer at Shopify, isn’t all that enthusiastic about.

Lele noted that SMS is easy as a second factor because everyone has a phone, which is why it has been a popular option. That said, he detailed numerous risks including SIM swapping, social engineering, SMS toll fraud and other attacks.

During the session he also detailed the high costs associated with SMS-based authentication, as telecom providers need to get paid for sending messages as well as registering numbers and short codes.

The view from the U.S. Government

Authentication is a big topic within the U.S government and a panel of officials took the stage at Authenticate 2023 to provide insights.

NIST is actively working on multiple publications for guidance that helps government as well as private sector organizations to implement strong authentication. Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division at NIST, noted that there is some coming guidance about synced passkeys.

Kenneth Myers, director at U.S. General Services Administration (GSA), talked a bit about how his agency has been able to push FIDO adoption with an effort referred to as committees of action. The groups are made up of six to eight U.S. agencies that are actively running FIDO pilots. He noted that approximately 17 agencies have gone through the process so far, including the US Department of Agriculture (USDA), which is pushing out FIDO as an authenticator to its 110,000-person workforce.

Authentication in the Payments Industry 

The last session of the day was a panel of payment industry experts gathered to discuss the evolution of authentication and its impact on fraud mitigation. 

While there has been progress, there is also frustration that fraud persists at all levels of the payment ecosystem, including even basic check fraud.

“We keep acting like it’s so sophisticated and we keep making it even faster and faster and more remote, but we can’t even get the basics fixed, so that’s my view of payments,” Kim Sutherland, VP of Fraud and Identity Strategy at LexisNexis Risk Solutions said.

Introducing friction into the payments process isn’t necessarily a bad thing, according to Deepti Kurup, SVP Enterprise Customer IAM at M&T Bank. She noted that in her view, now is the right time to focus on consumer education and on helping consumers understand that friction is not always a bad thing. She added that consumers should also understand that when things happen without friction, really strong authentication methods are running passively as well, even if they might not realize it.

There are many different components that can work together to help reduce payment fraud and strong authentication from FIDO is part of the mix. Arman Aygen, Director of Technology at EMVCo, explained that his organization collaborates with the FIDO Alliance and the W3C in a web payment security interest group.

“We’ve been focusing on how the different technologies can work together,” he said.

Day 3 of Authenticate 2023 is underway on October 18, and if you missed Day 1 be sure to check out the recap here. To register to join the conference in Carlsbad or attend remotely, visit authenticatecon.com.

Authenticate 2023 Conference

Authenticate 2023: Day 1 Recap

By: FIDO Staff

What is the current state of authentication? How is passkey adoption coming along across the globe? What are the big issues facing organizations for authentication? Those were among the many topics discussed on the first day of the Authenticate 2023 conference, which got underway at the Omni La Costa Resort in Carlsbad, California on Oct. 17.

The opening keynote for the event was delivered by FIDO Alliance Executive Director and CMO Andrew Shikiar, who provided a summary of the organization’s work over the past year to promote passwordless authentication using passkeys.

“The technology is ready, virtually every modern computing device can support passkeys,” he said. “That means that virtually every customer of yours, every employee of yours can use passkeys instead of passwords.”

Passkeys didn’t magically emerge overnight; rather, significant effort has gone into the FIDO technical specifications over the years. In fact, Shikiar calculated that over 60,000 hours of effort have gone into FIDO technical specifications so far.

Looking ahead, Shikiar said that the FIDO Alliance has several key items on its to-do list for 2024, including consumer education, advancing adoption in regulated industries, encouraging an open ecosystem, helping developers to integrate the technology and regulatory engagement to make sure passkeys are part of updated guidance and regulations.

How AI Has Changed Hacking

The importance of strong authentication and passkeys was laid bare in an eye-opening keynote by ethical hacker Rachel Tobac.

During her keynote, Tobac discussed how social engineering risks and AI are impacting hacking techniques. She detailed common attacks like phishing, tech support scams, and impersonation. She also demonstrated how attackers can use publicly available information and AI tools like voice cloning to impersonate people. In a somewhat tense moment, Tobac showed FIDO’s Shikiar how easily she could clone his voice and get him to say anything she wanted (she decided to get the AI cloned voice to say he likes cats).

Tobac suggests that users be politely paranoid overall and take steps to confirm that people are who they say they are. Among the best ways to improve authentication is the use of FIDO based strong authentication.

“Most everybody is reusing their password and most everyday folks are not using multi factor authentication at all,” she said. “Helping them move towards the right method of multi factor authentication for their threat model, especially if they have admin access, with something like FIDO is a really good move.”

FIDO helps orgs to save money too

As part of the morning keynotes, Derek Hanson, vice president of standards at Yubico, detailed different methods that organizations are using to reduce risk.

A primary way to reduce risk is by improving identity authentication.

“We need phishing resistant authentication for everyone, everywhere,” he said. “FIDO lays the tools for a lot of those foundations for us.”

Hanson also detailed a brief case study of FIDO adoption by call center operations provider Afni. He noted that by supporting FIDO, Afni was able to substantially improve user experience and reduce risks, so much so that even the company’s cyber insurance provider took notice and lowered the company’s premiums. 

Embracing the sound and the fury of the passwordless revolution at Microsoft

As part of the morning keynotes, Pamela Dingle, Director of Identity Standards at Microsoft, provided updates on the state of password attacks and how her company is working to strengthen authentication. 

“Last year, I gave a number and this number was 1,000 password attacks a second, that is what we as Microsoft were seeing on our platform,” Dingle said. “Does anyone want to guess what that number is now? Well, that number is now 4,000 password attacks a second.”

Dingle highlighted how Microsoft has iterated on authentication methods based on real-world usage data to help improve security and reduce risk. She also outlined multiple efforts underway at Microsoft to improve user identity and authentication including token theft detection and privileged roles. She also showcased Microsoft’s implementation of passwordless authentication using passkeys on Windows 11. In her view, with the ability to sync passkeys across devices, the passkeys could eliminate the weaknesses of passwords if widely adopted.

Google, TikTok and eBay talk identity

Leaders from Google, eBay, and TikTok gathered for a live broadcast of the Identity at the Center podcast during the keynote to talk about innovations in digital identity.

Mahendar Madhavan, group product manager, eBay, noted that his company was an early adopter of FIDO strong authentication and the WebAuthn specifications. While specifications matter, he emphasized that user experience is critical.

“At eBay, users don’t see authentication as a thing that they need to do, they worry about buying and selling and the same applies to Google, they just want to search, at TikTok they want to make videos, right?” Madhavan said. “Authentication is the last thing that they worry about, right? So to be able to create smart contextual authentication that works seamlessly across devices is of paramount importance.”

Christiaan Brand, product manager of identity and security at Google, explained that his organization is increasingly nudging its users toward using passkeys as a default option for authentication. 

“We want to gradually turn that volume upwards with the rest of the industry and that’s why it’s so important also to have my partners here with us on stage because I don’t think passkeys is something that one company alone can take forward and make a success,” Brand said.

Helping to secure and improve the user experience is also why TikTok is moving to adopt passkeys as well.

“The technology has obviously been adopted by a lot of big players in the industry and TikTok wants to be a part of that,” Daniel Grube, product manager at TikTok said.

The intersection of biometrics and authentication

Multiple speakers on Day 1 of Authenticate 2023 discussed the topic of biometrics, among them Stephanie Schuckers, professor at Clarkson University and Director of the Biometric Institute.

“Biometrics is a key enabler for digital identity and remote identity verification systems, but there are also privacy concerns that individuals and organizations have,” Schuckers said.

Schuckers provided an overview of biometrics and guidelines for responsible adoption of biometrics technology according to the Biometrics Institute. She discussed how biometrics can enable digital identity but also raise privacy concerns. Schuckers emphasized following a process of first understanding the problem, legal framework, and risks before considering technology options.

Google gears up for #passkeysweek

In an afternoon session Google staffers, Kateryna Semenova, Developer Relations Engineer and Eiji Kitamura, Google Developer Advocate, discussed how Google is expanding passkey enablement.

During the session, they detailed what’s new with passkeys on Android and Chrome, Google’s password managers and new unifying authentication APIs. They also shared case studies from partners who have implemented passkeys.

One of the big capabilities detailed by Semenova is the Google Credential Manager, a tool that can be used to consolidate different authentication methods, with the new default choice leaning towards passkeys. She also detailed how travel website Kayak has been able to transition to passkeys and in so doing has reduced sign-in time by as much as 50%.

To help push adoption of passkeys across Google and the industry, Kitamura announced that Google is advocating for a #passkeys week that will run from Oct. 23-27.

Cyber Hut: The numbers behind identity

In an afternoon session, Simon Moffatt, the founder of the cyber security research firm The Cyber Hut, provided some new insights about the state of identity and access management, based on his firm’s research.

When asked what identity components are likely to die off in the next year, 30% of identity professionals said password-based authentication.

“How do we kill the password? We have the technology, we have the standards and we have all of the wonderful ways of measuring benefits,” Moffatt said. “Yet, we’re all using passwords every single day.”

When asked what is stopping organizations from moving to passwordless, Moffatt noted that the survey found that 64% of respondents said lack of coverage and integration was a barrier.

“It’s definitely a journey,” Moffatt said. “I think organizations know passwords are bad and passwordless is great and what they struggle with is where to start.”

How GitHub’s Project Bulwark raised the bar on passwordless

Passkeys are being adopted quickly at one of the world’s most widely used developer sites. 

GitHub staffers Hirsch Singhal, staff product manager and Hannah Gould, senior software engineer, discussed how passkeys helped the company successfully roll out mandatory two-factor authentication (2FA) for all users.

Singhal noted that GitHub has been committed to rolling out multi-factor authentication across its user base since at least 2022. He said that at the time two core issues with the technology were that it was hard to use and easy to lose. Passkeys help to solve those issues.

In the first three months of an open beta for passkeys, GitHub had 27,000 users. In only three weeks after GitHub made its passkey implementation generally available it got over 100,000 users. As to why the adoption was so rapid, Singhal said that GitHub followed FIDO Alliance guidelines for user interface design.

“We’re not even promoting passkeys or trying to push people to use passkeys,” he said. “I would attribute this mostly to the growth that the rest of the ecosystem has and also we were lucky enough to ship at the same time as both Google and Microsoft were making a lot of noise about passkeys working in their own ecosystem.”

Passkeys and regulated markets

Passkeys can also fit into regulated environments, according to Rolf Lindemann, vice president of products at Nok Nok.

In a session, Lindemann detailed how passkeys can improve security and usability for authentication, especially in regulated industries like banking. Lindemann discussed how passkeys address some limitations of traditional authentication methods and how they can help with multi-device usage. He noted that current regulatory requirements say regulated entities are responsible for handling device additions which could potentially be a challenge for synced passkeys. That said, Lindemann said there are solutions.

“Synced passkeys can be augmented to implement strong device binding, which is required for regulated entities,” he said.

Potential challenges to be aware of for passkey deployment

Passkeys offer tremendous potential for users and organizations, but there are some deployment issues that need to be considered regarding registration, authentication, and account recovery when implementing passwordless authentication.

Hans Reichenbach, Software Architect at Okta, noted that one of the pitfalls he has seen with passkeys has to do with domains. He explained that the way FIDO phishing resistance works is that it’s bound to the domain the credentials are registered on. 

“So the domain you have at your registration needs to be the same domain as you have your authentication stuff, and you better like it, because if you change it, everybody’s gonna have to re-enroll,” he said.

Revocation is also different with passkeys than with passwords. Reichenbach said that revocation in the password world is an atomic action, where an administrator deletes one password and then can create another.

“That is not how it works with passkeys,” he said. “You need to register the new passkey first and then remove the old one, because otherwise you’re just totally locked out and have no credentials.”
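The two pitfalls Reichenbach describes can be seen in a small relying-party sketch. This is an added example, not code from the talk or from Okta: it checks the `rpIdHash` that WebAuthn authenticator data carries (SHA-256 of the RP ID) and enforces register-before-remove rotation. `PasskeyStore`, the domain names and the credential IDs are hypothetical, the authenticator data is constructed, and signature verification is omitted.

```python
import hashlib
import hmac
import struct

UP, UV = 0x01, 0x04  # WebAuthn flag bits: user present, user verified


def make_auth_data(rp_id, sign_count=1):
    """Constructed sample: the fixed 37-byte authenticator data header
    (rpIdHash || flags || signCount) for a credential scoped to rp_id."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + struct.pack(">BI", UP | UV, sign_count)


def rp_id_matches(auth_data, expected_rp_id):
    """Relying-party check: the first 32 bytes must equal SHA-256(RP ID)."""
    if len(auth_data) < 37:
        return False
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(auth_data[:32], expected)


class LockoutError(Exception):
    """Raised when an operation would leave a user with no usable passkey."""


class PasskeyStore:
    """Hypothetical in-memory table: user -> {credential_id: rp_id at enrollment}."""

    def __init__(self, rp_id):
        self.rp_id = rp_id  # the RP ID the server currently verifies against
        self._creds = {}

    def register(self, user, cred_id):
        self._creds.setdefault(user, {})[cred_id] = self.rp_id

    def usable(self, user):
        """Credential IDs whose assertions would still pass the RP ID check."""
        creds = self._creds.get(user, {})
        return sorted(cid for cid, rp in creds.items()
                      if rp_id_matches(make_auth_data(rp), self.rp_id))

    def remove(self, user, cred_id):
        # Refuse to delete the last usable credential: unlike a password
        # reset, there is nothing left to sign in with afterwards.
        remaining = [c for c in self.usable(user) if c != cred_id]
        if not remaining:
            raise LockoutError(f"{user} would have no usable passkey")
        self._creds[user].pop(cred_id)

    def rotate(self, user, old_id, new_id):
        """Rotation in the order described above: register first, then remove."""
        self.register(user, new_id)
        self.remove(user, old_id)

    def change_rp_id(self, new_rp_id):
        """Switch the verified RP ID; return the users who must re-enroll."""
        self.rp_id = new_rp_id
        return sorted(u for u in self._creds if not self.usable(u))


if __name__ == "__main__":
    store = PasskeyStore("login.example.com")
    store.register("alice", "old-key")
    try:
        store.remove("alice", "old-key")  # password-style delete-then-create
    except LockoutError as exc:
        print("refused:", exc)
    store.rotate("alice", "old-key", "new-key")
    print("after rotation:", store.usable("alice"))
    print("must re-enroll after domain change:",
          store.change_rp_id("auth.example.net"))
```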

The first day of Authenticate 2023 also had a bit of a somber note, as long-time FIDO contributor Vittorio Bertocci, who recently passed away, was remembered and acknowledged with the launch of a new award in his honor, administered by the Digital Identity Advancement Foundation.

Day 2 of Authenticate 2023 is underway on Oct 17 and there’s lots more to come, with more user stories, panels and guidance. To register to join the conference in Carlsbad or attend remotely, visit authenticatecon.com.

Authenticate 2023 Conference

FIDO Alliance Details Agenda for Authenticate 2023, Featuring Keynote from Rachel Tobac, Noted White Hat Hacker & SocialProof Security CEO

3-day program for FIDO Alliance’s flagship event on the future of user authentication includes 90+ sessions; Early Bird registration available through August 18

Carlsbad, Calif., August 3, 2023 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2023, the only industry conference dedicated to all aspects of user authentication.

This year’s featured keynote will be presented by Rachel Tobac, white hat hacker and social engineering expert whose exploits have been featured on CNN, 60 Minutes and more. Additional keynote presentations providing diverse and global perspectives on modern authentication will be delivered by speakers from 1Password, Amazon, Google, Microsoft, Yubico and others.

Authenticate 2023 will be held at the Omni La Costa Resort and Spa from October 16-18, 2023 – with virtual attendance options for those unable to be there in person. Now in its fourth year, the event is focused on providing education, tools and best practices for modern authentication across web, enterprise and government applications. CISOs, security strategists, enterprise architects and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2023/.

In response to its rising popularity, the conference now includes 90+ sessions from 125 speakers spread across three content tracks — as well as interactive half-day workshops for developers and user experience leads. Speakers from Alibaba Group, Fox Corporation, GitHub, Intuit, Mercari, Pinterest, Salesforce, Starbucks, Shopify, Target and others will deliver a diverse set of sessions, detailed case studies, technical tutorials and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead generation capabilities and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/sponsors/

There are a limited number of opportunities remaining. Requests for sponsorship should be sent to [email protected]

About Authenticate 

Authenticate is the only conference dedicated to all aspects of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2023, Authenticate will be held October 16-18 at the Omni La Costa Resort and Spa in Carlsbad, CA and virtually. Early bird registration discounts are available through August 18, 2023. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

Signature sponsors for Authenticate 2023 are 1Password, Google, Microsoft and Yubico.


Authenticate Virtual Summit Series

Recap: Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise

By: FIDO Staff

Passkeys are emerging as a more secure alternative to legacy multi-factor authentication and passwords for logging into websites and apps, and enterprise IT teams are exploring how to deploy passkeys within their organizations.

On June 29, at the Authenticate Virtual Summit organized by the FIDO Alliance, experts discussed the considerations and best practices for deploying passkeys in the enterprise. The virtual summit coincided with the release of a series of white papers by the FIDO Alliance providing detailed guidance to organizations considering passkeys.

“Passwords are fundamentally flawed today,” said Dean Saxe, senior security engineer at Amazon Web Services. “81% of hacking related breaches are caused by weak or stolen passwords. We fundamentally have to change how we manage authentication online.”

With passkeys, there is now an easier, more user friendly way to enable strong authentication, using FIDO standards. Saxe explained that there are two types of passkeys: syncable cloud-backed passkeys and device-bound passkeys. Syncable passkeys provide convenience but device-bound passkeys provide higher security. He noted that different passkey types may be suitable for different enterprise security needs.

When the target is better security, passkeys are the answer

According to Tom Sheffield, senior director, cybersecurity at Target, there are five core passkey considerations for enterprise relying parties.

  1. Passkeys are a password replacement

Sheffield stated that passkeys are safer, faster and easier to use than a password. He explained that a passkey is a FIDO credential that is phishing resistant, cryptographically backed and leaves no secret to be stolen or compromised.

“If you take nothing else away today. Remember that passkeys are better than passwords, period,” he said.

  2. Passkeys are a multi-factor authenticator

For many organizations that today are relying on passwords with legacy multi-factor authentication (MFA), Sheffield said that synchronized passkeys should work as an MFA authenticator.

  3. Client configuration matters with synced passkeys

There are some nuanced configurations that organizations will need to deal with for synced passkey deployments. Among them is how mobile device management (MDM) is handled.

  4. Threat landscape changes with synced passkeys

Sheffield explained that synced passkeys involve some dependence on the passkey providers. There also remains a risk of a downgrade attack that enterprises need to recognize.

“I’m not aware of any RP (relying party) who’s actually getting rid of the password completely yet,” Sheffield said. “They still exist and because they still exist, they are still at risk of being attacked.”

  5. Passkey education is necessary

Passkeys are easier, but they’re also different. Sheffield emphasized that education of users and stakeholders is critical.

Identifying the right users and application for passkey adoption

The need for user and IT education about passkeys was also emphasized by Jay Roxe, CMO at HYPR.

While there is a need to understand the different technology deployment options around passkeys, there is also a need to educate users so that they want to use passkeys.

Roxe detailed multiple case studies of different organizations’ adoption of passkeys. He noted that there needs to be a marketing strategy for convincing employees that they want to adopt the technology.

“Changing people’s beliefs and behaviors is hard,” Roxe said. “It’s going to require frequent dynamic communication with early successes and opportunities for people to engage.”

Khaled Zaky, senior product manager at Amazon Web Services, explained that when considering replacing passwords with passkeys there is a need to identify both the targeted applications and the users for those applications.

“What are these applications and what are the devices that we use and work backwards to understand the customer user device preference as it will influence your decision to choose the right passkey solution for your consumers,” Zaky said.

Moving from SMS OTP to passkeys

Passkeys are not just better than using passwords on their own; they are also a more secure form of MFA than legacy approaches such as one time passwords (OTP) via SMS.

Jing Gu, product marketing lead at Beyond Identity, said that attackers are constantly trying to get their hands on the second factor. Additionally she said that OTPs are vulnerable to phishing, replay attacks, man in the middle as well as social engineering.

“Passkeys are of course phishing resistant by default, replay resistant, don’t require out of band and are scoped to a particular relying party’s domain,” Gu said.

Josh Cigna, solution architect at Yubico explained that the guidance for moving from OTP to passkey is to start small and then expand.

“Plan and come up with a very controlled scope of friendly users, start with your administrators, your users that have some technical savvy, and run them through pilot deployment,” Cigna said. “Listen to the feedback, look at the responses, look at the adoption rate, understand what their hurdles were and then, like the shampoo bottle, rinse and repeat.”

Gu added that as part of the migration process it’s critical to also have metrics to measure success. Adoption metrics include time of first registration, daily registrations and the percentage of users with passkeys.

Passkeys for moderate and high assurance enterprise environments

Passkeys have broad utility and can be deployed to support different levels of security assurance. Whether an organization will choose to use device bound or synced passkeys will typically depend on the level of assurance that is required.

Jerome Becquart, COO and CISO at Axiad, explained that organizations need to look at both their security and user experience requirements across environments to understand what is needed and what type of passkey deployment is ideal.

“Whatever version of passkey you’re using, you will have good usability and you will have good security,” Becquart said.

Sean Miller, chief architect at RSA explained that generally speaking, high assurance enterprises are dealing with very sensitive data and as a result, any data breach has severe consequences. High assurance organizations tend to be heavily driven by regulatory requirements and have robust controls around access.

“If you’re looking at a high assurance use case, chances are those controls are the most critical thing for you, where you probably want the control of the device bound passkey,” Miller said.

Key Takeaways

Wrapping up the event, Megan Shamas, senior director of marketing at FIDO Alliance provided attendees with a series of key takeaways.

  1. Passkeys are discoverable FIDO credentials
  2. Passkeys are better than passwords
  3. Passkeys are appropriate for all enterprises – whether synced or device bound will depend on your particular use case
  4. Get the papers and get started on the path to passkeys.

The papers in the series are:

The recording for the event is now available on the event platform. 

Want to learn more about deploying passkeys? Attend Authenticate 2023 on October 16-18 in Carlsbad, CA!

Authenticate Virtual Summit Series

Recap: Authenticate Virtual Summit: Authentication in Financial Services and Commerce

By: FIDO Staff

Passwords are everywhere with both enterprises and e-commerce organizations feeling the pain as much, if not more, than most.

At the Authenticate Virtual Summit: Authentication in Financial Services and Commerce on March 29, industry experts and practitioners outlined The FIDO Fit for Enterprise and Customer Sign-ins. Throughout the half-day event, the topic of passkeys was a primary theme, with speakers outlining how they work, where they fit in and why they are essential to helping the world move away from legacy passwords and less secure multi-factor authentication.

Andrew Shikiar, executive director and CMO of the FIDO Alliance opened the event with some insights on the many positive benefits that passkeys can bring to enterprise and commerce users. Those benefits include helping users to get online faster with higher levels of satisfaction. Passkeys may also be able to help improve the bottom line for e-commerce vendors as well.

“If you’re an e-commerce vendor, imagine reducing the shopping cart abandonment rate by even 10%,” Shikiar said. “Our data shows that 50% of consumers that had to abandon a purchase in the past six months did so because they forgot your password and that’s a huge opportunity cost.”

While FIDO authentication has been available for anyone to use for over a decade, Shikiar noted that there have been some adoption challenges. Passkeys are, in part, a solution to some of those adoption challenges. With passkeys, there is a more recognizable set of common terminology and the technology also provides a familiar flow for users that aims to reduce friction.

In the enterprise, Shikiar said that passkeys are a very natural fit for things like BYOD [Bring Your Own Device] authentication, allowing employees to sign in with apps on their phones.

“This is becoming more the norm than the exception, and passkeys are just a very natural fit for that environment,” Shikiar said.

The State of Authentication 2023 

Make no mistake about it, there are a lot of problems with passwords. To add some metrics to the argument against passwords, Jay Roxe, CMO at HYPR provided some insights from his firm’s State of Passwordless Security 2023 report.

Roxe noted that one of the things that really jumped out to him was that three out of five of the organizations that HYPR talked to for the report had an authentication related breach over the past year. He added that each of those organizations had nearly $3 million in costs associated with those breaches on a 12 month basis. Financial Services was the most highly attacked industry vertical, with 81% of financial services organizations having recorded some type of attack or breach related to authentication.

The HYPR report also attempted to discover why organizations will move to deploy strong authentication passwordless approaches. Roxe emphasized that it’s critical to have a good user interface and flow, otherwise the technology won’t get adopted. In fact the report found the top reason why organizations are looking to adopt passwordless is to improve the user experience.

“Until we nail that user experience, we’re fundamentally not going to be any better off than we are today,” Roxe said.

Passkeys 101

Among the most interactive sessions of the event was one on the basics of how passkeys work, which kept moderator Megan Shamas, senior director of marketing at the FIDO Alliance very busy handling questions from the engaged audience at the end of the session.

The session actually got started with Tim Cappalli, identity standards architect at Microsoft outlining the historical path of FIDO standards. The big milestones along the path include the debut of the U2F specifications in 2014, FIDO2 in 2017, WebAuthn in 2019 and just last year the emergence of passkeys.

“It has been a journey,” Cappalli said. “We think that in the last two to three years, we really have been moving towards the last step to moving people beyond passwords.”

Cappalli outlined how passkeys work and what the primary advantages are for the approach. He explained that a passkey is fundamentally a FIDO credential with some new properties. Among the properties highlighted by Cappalli are:

  • Autofill. With Autofill, much like the experience users have today with a password manager, a passkey can be automatically injected into an authentication flow on existing websites.
  • Cross Device Authentication. Instead of a credential being tethered strictly to a single device, passkeys enable a credential to be durable across environments, enabling a phone for example to be able to bootstrap another device or ecosystem.

Championing FIDO adoption at scale

Few professionals have had as much experience deploying FIDO at scale as Marcio Mello, who has led efforts at PayPal, Intuit and eBay.

Mello outlined in great detail the steps that organizations can and should take to support FIDO strong authentication. In his view, the benefits are obvious.

“As soon as we could, we started doing WebAuthn deployment at eBay and saw the benefits almost immediately,” Mello said.

For Mello, passkeys are the next massive step forward as it’s an approach that will reduce consumer friction and hopefully enable adoption at scale. It is fundamentally the ease of use that passkeys promise that is literally the key.

“Consumers expect to see and use a password,” he said. “Yes, everybody’s tired of them, but it’s like smoking, most smokers would like to stop but they can’t, sure they know it’s bad, but you need to have the motivation and a very low bar of ability to be able to drive a habit change.”

FIDO and Zero Trust

In the security world, zero trust is an increasingly common concept that advocates an approach where users and entities need to be constantly validated to limit risks.

For Kurt Johnson, chief strategy officer at Beyond Identity, there is a clear intersection between FIDO authentication and zero trust. After all, a core foundation of zero trust is the need to constantly authenticate users, and if organizations aren’t using strong authentication, that’s a weak link.

Johnson said that with zero trust there is a need to assess and establish a high level of trust in the user identity. That just can’t be done effectively through passwords, and that’s where there is a need for FIDO Certified authentication that’s unphishable.

Helping Amazon’s drive to be customer-obsessed

Amazon operates one of the world’s largest e-commerce sites and it’s also a strong advocate and supporter of the FIDO Alliance.

Yash Patodia, principal product manager, tech, world wide consumer at Amazon, said that his team is always looking to improve usability. One of those efforts has been a move to remove passwords wherever possible. Patodia said that Amazon uses FIDO security keys for its own internal security, which has worked well.

While security keys have worked for Amazon’s own internal needs, he noted that they can be difficult for consumers to adopt. That’s one of the many reasons why he’s particularly excited about passkeys.

“I think it’s a great leap forward from the password, OTP (one time passwords) and the security keys world,” Patodia said. “Some of the benefits I can see for passkey is that it really makes it very easy for the customer to use.”

Making it easier for consumers is critical for Amazon overall as it’s core to the company’s mission.

“We have this term at Amazon we use a lot called customer obsession,” Patodia said. “And this fits perfectly for us in that this is actually a customer obsessed product where we are making it very easy for the customer to do what they want to do.”

PNC Bank looks to protect its users with FIDO

Susan Koski, CISO of PNC Bank, knows all too well the challenges of passwords; that’s why she’s such a strong advocate and supporter of FIDO.

She noted that criminals are going after user passwords in a bid to take over accounts. Among the risks that she is trying to help limit is that of phishable credentials, such as passwords.

“We really do want to reduce those phishable credentials but we do it in a way that a customer wants to use the service,” Koski said. “Balancing security and the customer experience. I think that’s just been a mantra for us in information security in cyberspace for a while.”

Koski said that PNC Bank has embraced FIDO as a way to help move towards passwordless over time. The importance of taking a standardized approach that benefits from the support and participation of a broad array of participants is critical as well.

“Passwords have been around for 50 plus years and it’s time, it’s beyond time for us to move past passwords,” Koski said.

Enterprise guidance for passkeys is on the way

Looking forward, Megan Shamas of FIDO Alliance outlined a series of efforts that are underway to help provide more enterprise guidance for passkeys.

“We will be publishing a group of five papers that address what we hope to be the majority of the use cases that are out there on the enterprise,” Shamas said.

The five papers include:

  • Introduction to passkeys in the enterprise
  • How to replace password-only authentication with passkeys
  • How to displace password + SMS OTP authentication with passkeys
  • FIDO authentication for moderate assurance use
  • High Assurance Enterprise FIDO Authentication

“If you would like to be part of the conversation around enterprise requirements, please do get in touch with us,” Shamas said. “This is the time now really to give your input on how we’re looking at passkeys from an enterprise perspective.”

Registrants can now view the event recording online. If you missed the event and would like to view the recording, visit the event website to register for access.

Authenticate 2023 Conference

FIDO Alliance Announces Authenticate 2023 Conference

Premier authentication conference returns for fourth year; call-for-speakers open

CARLSBAD, CALIF, February 23, 2023 — The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins.

Authenticate 2023, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego. Visit our website for information on submitting a speaking proposal and becoming a sponsor.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications.

Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities.

Authenticate Call For Speakers

The Authenticate 2023 conference program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.

The committee is looking for vendor-neutral, educational presentations that focus on authentication strategies and best practices. Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication should also be submitted. The committee is looking for a variety of session types and formats including main stage storytelling, introductory “101’s”, detailed case studies, technical tutorials, hands-on labs, and thought provoking panels.

Diverse, global perspectives and presentations that focus on the following topic areas are welcome:

  • Authentication trends & insights
  • Modern authentication case studies & implementation strategy
  • Hands-on implementation guidance and best practices
  • Government impact on authentication

Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

The Authenticate Call for Speakers closes on March 31, 2023. To submit an application, please visit https://authenticatecon.com/authenticate-2023-call-for-speakers/.

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to [email protected].

Signature sponsors for the 2023 event are Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort in Carlsbad, CA, just north of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers.

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you.

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.
