3-day program for FIDO Alliance’s flagship event on the future of user authentication
includes 90+ sessions; Early Bird registration available through August 18  

Carlsbad, Calif., August 3, 2023 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2023, the only industry conference dedicated to all aspects of user authentication.

This year’s featured keynote will be presented by Rachel Tobac, white hat hacker and social engineering expert whose exploits have been featured on CNN, 60 Minutes and more. Additional keynote presentations providing diverse and global perspectives on modern authentication will be delivered by speakers from 1Password, Amazon, Google, Microsoft, Yubico and others.

Authenticate 2023 will be held at the Omni La Costa Resort and Spa and from October 16-18, 2023 – with virtual attendance options for those unable to be there in person. Now in its fourth year, the event is focused on providing education, tools and best practices for modern authentication across web, enterprise and government applications. CISOs, security strategists, enterprise architects and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2023/.

In response to its rising popularity, the conference now includes 90+ sessions from 125 speakers spread across three content tracks — as well as interactive half-day workshops for developers and user experience leads. Speakers from Alibaba Group, Fox Corporation, GitHub, Intuit, Mercari, Pinterest, Salesforce, Starbucks, Shopify, Target and others will deliver a diverse set of sessions, detailed case studies, technical tutorials and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead generation capabilities and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/sponsors/. 

There are a limited number of opportunities remaining. Requests for sponsorship should be sent to authenticate@fidoalliance.org. 

About Authenticate 

Authenticate is the only conference dedicated to all aspects of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2023, Authenticate will be held October 16-18 at the Omni La Costa Resort and Spa in Carlsbad, CA and virtually. Early bird registration discounts are available through August 18, 2023. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

Signature sponsors for Authenticate 2023 are 1Password, Google, Microsoft and Yubico.

Authenticate Contact 
authenticate@fidoalliance.org  

PR Contact 
press@fidoalliance.org

By: FIDO Staff

Passkeys are emerging as a more secure alternative to legacy multi-factor authentication and password for logging into websites and apps, and enterprise IT teams are exploring how to deploy passkeys within their organizations. 

On June 29, at the Authenticate Virtual Summit organized by the FIDO Alliance, experts discussed the considerations and best practices for deploying passkeys in the enterprise. The virtual summit coincided with the release of a series of white papers by the FIDO Alliance providing detailed guidance to organizations considering passkeys.

“Passwords are fundamentally flawed today,” said Dean Saxe, senior security engineer at Amazon Web Services. “81% of hacking related breaches are caused by weak or stolen passwords. We fundamentally have to change how we manage authentication online.”

With passkeys, there is now an easier, more user friendly way to enable strong authentication, using FIDO standards. Saxe explained that there are two types of passkeys: syncable cloud-backed passkeys and device-bound passkeys. Syncable passkeys provide convenience but device-bound passkeys provide higher security. He noted that different passkey types may be suitable for different enterprise security needs.

When the target is better security, passkeys are answer

According to Tom Sheffield, senior director, cybersecurity at Target, there are five core passkey considerations for enterprise relying parties.

1. Passkeys are a password replacement

Sheffield stated that passkeys are safer, faster and easier to use than a password. He explained that a passkey is a FIDO credential that is phishing resistant, cryptographically backed and leaves no secret to be stolen or compromised. 

“If you take nothing else away today. Remember that passkeys are better than passwords, period,” he said.

2. Passkeys are a multi-factor authenticator

For many organizations that today are relying on passwords with legacy multi-factor authentication (MFA), Sheffield said that synchronized passkeys should work as an MFA authenticator.

3. Client configuration matters with synced passkeys

There are some nuanced configurations the organizations will need to deal with for synced passkey deployments. Among them is how mobile device management (MDM) is handled.

4. Threat landscape changes with synced passkeys

Sheffield explained that synced passkey involves some dependence on the passkey providers. There also remains a risk of a downgrade attack, that enterprises need to recognize.

“I’m not aware of any RP (relying party) who’s actually getting rid of the password completely yet,” Sheffield said. “They still exist and because they still exist, they are still at risk of being attacked.”

5. Passkey education is necessary

Passkeys are easier, but they’re also different. Sheffield emphasized that education of users and stakeholders is critical.

Identifying the right users and application for passkey adoption

The emphasis on user and IT education about passkeys was also emphasized by Jay Roxe, CMO at HYPR.

While there is a need to understand the different technology deployment options around passkeys there is a need to also educate users to want to use passkeys.

Roxe detailed multiple case studies for different organization’s adoption of passkeys. He noted that there needs to be a marketing strategy for convincing employees that they want to adopt the technology.

“Changing people’s beliefs and behaviors is hard,” Roxe said. “It’s going to require frequent dynamic communication with early successes and opportunities for people to engage.”

Khaled Zaky, senior product manager at Amazon Web Services, explained that when considering replacing passwords with passkeys there is a need to identify both the targeted applications and the users for those applications.

“What are these applications and what are the devices that we use and work backwards to understand the customer user device preference as it will influence your decision to choose   the right passkey solution for your consumers,” Zaky said.

Moving from SMS OTP to passkeys

Passkeys are not just better than using passwords on their own, passkeys are also a more secure form of MFA than legacy approaches such as one time passwords (OTP) via SMS.

Jing Gu, product marketing lead at Beyond Identity, said that attackers are constantly trying to get their hands on the second factor. Additionally she said that OTPs are vulnerable to phishing, replay attacks, man in the middle as well as social engineering.

“Passkeys are of course phishing resistant by default, replay resistant, don’t require out of band and are scoped to a particular relying parties domain,” Gu said.

Josh Cigna, solution architect at Yubico explained that the guidance for moving from OTP to passkey is to start small and then expand.

“Plan and come up with a very controlled scope of friendly users, start with your administrators, your users that have some technical savvy, and run them through pilot deployment,” Cigna said. “Listen to the feedback, look at the responses, look at the adoption rate, understand what their hurdles were and then, like the shampoo bottle, rinse and repeat.”

Gu added that as part of the migration process it’s critical to also have metrics to measure success. Adoption metrics including, time of first registration, daily registrations and the percentage of users with passkeys.

Passkeys for moderate and high assurance enterprise environments

Passkeys have broad utility and can be deployed to support different levels of security assurance. Whether an organization will choose to use device bound or synced passkeys will typically depend on the level of assurance that is required.

Jerome Becquart, COO and CISO at Axiad, explained that organizations need to look at both their security and user experience requirements across environments to understand what is needed and what type of passkey deployment is ideal.

“Whatever version of passkey you’re using, you will have good usability and you will have good security,” Becquart said.

Sean Miller, chief architect at RSA explained that generally speaking, high assurance enterprises are dealing with very sensitive data and as a result, any data breach has severe consequences. High assurance organizations tend to be heavily driven by regulatory requirements and have robust controls around access.

“If you’re looking at a high assurance use case, chances are those controls are the most critical thing for you, where you probably want the control of the device bound passkey,” Miller said.

Key Takeaways

Wrapping up the event, Megan Shamas, senior director of marketing at FIDO Alliance provided attendees with a series of key takeaways.

1. Passkeys are discoverable FIDO credentials
2. Passkeys are better than passwords
3. Passkeys are appropriate for all enterprises – whether synced or device bound will depend on your particular use case
4. Get the papers and get started on the path to passkeys.

The papers in the series are:

• FIDO Deploying Passkeys in the Enterprise – Introduction
• Replacing Password-Only Authentication with Passkeys in the Enterprise
• FIDO Authentication for Moderate Assurance Use Cases 
• High Assurance Enterprise FIDO Authentication 
• A fifth paper in the series, “Displacing Password + SMS OTP Authentication with Passkeys,” is expected to publish later this summer.

The recording for the event is now available on the event platform. 

Want to learn more about deploying passkeys? Attend Authenticate 2023 on October 16-18 in Carlsbad, CA!

By: FIDO Staff

Passwords are everywhere with both enterprises and e-commerce organizations feeling the pain as much, if not more, than most.

At the Authenticate Virtual Summit: Authentication in Financial Services and Commerce on March 29, industry experts and practitioners outlined The FIDO Fit for Enterprise and Customer Sign-ins. Throughout the half-day event, the topic of passkeys was a primary theme, with speakers outlining how they work, where they fit in and why they are essential to helping the world move away from legacy passwords and less secure multi-factor authentication.

Andrew Shikiar, executive director and CMO of the FIDO Alliance opened the event with some insights on the many positive benefits that passkeys can bring to enterprise and commerce users. Those benefits include helping users to get online faster with higher levels of satisfaction. Passkeys may also be able to help improve the bottom line for e-commerce vendors as well.

“If you’re an e-commerce vendor, imagine reducing the shopping cart abandonment rate by even 10%,” Shikiar said. “Our data shows that 50% of consumers that had to abandon a purchase in the past six months did so because they forgot your password and that’s a huge opportunity cost.”

While FIDO authentication has been available for anyone to use for over a decade, Shikiar noted that there have been some adoption challenges. Passkeys are, in part, a solution to some of those adoption challenges. With passkeys, there is a more recognizable set of common terminology and the technology also provides a familiar flow for users that aims to reduce friction.

In the enterprise, Shikiar said that passkeys are a very natural fit for things like BYOD [Bring Your Own Device] authentication, allowing employees to sign in with apps on their phones.

“This is becoming more the norm than the exception, and passkeys are just a very natural fit for that environment,” Shikiar said.

The State of Authentication 2023 

Make no mistake about it, there are a lot of problems with passwords. To add some metrics to the argument against passwords, Jay Roxe, CMO at HYPR provided some insights from his firm’s State of Passwordless Security 2023 report.

Roxe noted that one of the things that really jumped out to him was that three out of five of the organizations that HYPR talked to for the report, had an authentication related breach over the past year. He added that each of those organizations had nearly $3 million dollars in costs associated with those breaches on a 12 month basis. Financial Services was the most highly attacked industry vertical with 81% of financial services organizations having recorded some type of attack or breach related to authentication.

The HYPR report also attempted to discover why organizations will move to deploy strong authentication passwordless approaches. Roxe emphasized that it’s critical to have a good user interface and flow, otherwise the technology won’t get adopted. In fact the report found the top reason why organizations are looking to adopt passwordless is to improve the user experience.

“Until we nail that user experience, we’re fundamentally not going to be any better off than we are today,” Roxe said.

Passkeys 101

Among the most interactive sessions of the event was one on the basics of how passkeys work, which kept moderator Megan Shamas, senior director of marketing at the FIDO Alliance very busy handling questions from the engaged audience at the end of the session.

The session actually got started with Tim Cappalli, identity standards architect at Microsoft outlining the historical path of FIDO standards. The big milestones along the path include the debut of the U2F specifications in 2014, FIDO2 in 2017, WebAuthn in 2019 and just last year the emergence of passkeys.

“It has been a journey,” Cappalli said. “We think that in the last two to three years, we really have been moving towards the last step to moving people beyond passwords.”

Cappalli outlined how passkeys works and what the primary advantages are for the approach. He explained that a passkey is fundamentally a FIDO credential with some new properties. Among the properties highlighted by Cappalli are:

• Autofill. With Autofill, much like the experience users have today with a password manager, a passkey can be automatically injected into an authentication flow into existing websites.
• Cross Device Authentication. Instead of a credential being tethered strictly to a single device, passkeys enable a credential to be durable across environments, enabling a phone for example to be able to bootstrap another device or ecosystem.

Championing FIDO adoption at scale

Few professionals have had as much experience deploying FIDO at scale as Marcio Mello, who has led efforts at PayPal, Intuit and eBay.

Mello outlined in great detail the steps that organizations can and should take to support FIDO strong authentication. In his view, the benefits are obvious.

“As soon as we could, we started doing WebAuthn deployment at eBay and saw the benefits almost immediately,” Mello said.

For Mello, passkeys are the next massive step forward as it’s an approach that will reduce consumer friction and hopefully enable adoption at scale. It is fundamentally the ease of use that passkeys promise that is literally the key.

“Consumers expect to see and use a password,” he said. “Yes, everybody’s tired of them, but it’s like smoking, most smokers would like to stop but they can’t, sure they know it’s bad, but you need to have the motivation and a very low bar of ability to be able to drive a habit change.”

FIDO and Zero Trust

In the security world, zero trust is an increasingly common concept that advocates an approach where users and entities need to be constantly validated to limit risks.

For Kurt Johnson, chief strategy officer at Beyond Identity, there is a clear intersection between FIDO authentication and zero trust. After all, a core foundation of zero trust is the need to constantly authenticate users and if organization’s aren’t using strong authentication, that’s a weak link.

Johnson said that with zero trust there is a need to assess and establish a high level of trust in the user identity. That just can’t be done effectively through passwords and that’s where there is a need for FIDO Certified authentication, that’s unphishable.

Helping Amazon’s drive to be customer-obsessed

Amazon operates one of the world’s largest e-commerce sites and it’s also a strong advocate and supporter of the FIDO Alliance.

Yash Patodia, principal product manager, tech, world wide consumer at Amazon said that his team is always looking to improve usability. One of the efforts to improve has been a move to remove passwords wherever possible. Patodia said that Amazon uses FIDO security keys for its own internal security which has worked well.

While security keys have worked for Amazon’s own internal needs, he noted that they can be difficult for consumers to adopt. That’s one of the many reasons why he’s particularly excited about passkeys.

“I think it’s a great leap forward from the password, OTP (one time passwords) and the security keys world,” Patodia said. “Some of the benefits I can see for passkey is that it really makes it very easy for the customer to use.”

Making it easier for consumers is critical for Amazon overall as it’s core to the company’s mission.

“We have this term at Amazon we use a lot called customer obsession,” Patodia said. “And this fits perfectly for us in that this is actually a customer obsessed product where we are making it very easy for the customer to do what they want to do.”

PNC BANK looks to protect its users with FIDO

Susan Koski, CISO of PNC Bank, knows all too well the challenges of password, that’s why she’s such a strong advocate and supporter of FIDO.

She noted that criminals are going after user passwords in a bid to take over accounts. Among the risks that she is trying to help limit is that of phishable credentials, such as passwords.

“We really do want to reduce those phishable  credentials but we do it in a way that a customer wants to use the service,” Koski said. “Balancing security and the customer experience. I think that’s just been a mantra for us in information security in cyberspace for a while.”

Koski said that PNC Bank has embraced FIDO as a way to help move towards passwordless over time. The importance of taking a standardized approach that benefits from the support and participation of a broad array of participants is critical as well.

“Passwords have been around for 50 plus years and it’s time, it’s beyond time for us to move past passwords,” Koski said.

Enterprise guidance for passkeys is on the way

Looking forward, Megan Shamas of FIDO Alliance outlined a series of efforts that are underway to help provide more enterprise guidance for passkeys.

“We will be publishing a group of five papers that address what we hope to be the majority of the use cases that are out there on the enterprise,” Shamas said.

The five papers include:

• Introduction to passkeys in the enterprise
• How to replace password-only authentication with passkeys
• How to displace password + SMS OTP authentication with passkeys
• FIDO authentication for moderate assurance use
• High Assurance Enterprise FIDO Authentication

“If you would like to be part of the conversation around enterprise requirements, please do get in touch with us,” Shamas said. “This is the time now really to give your input on how we’re looking at passkeys from an enterprise perspective.”

Registrants can now view the event recording online. If you missed the event and would like to view the recording, visit the event website to register for access.

Premier authentication conference returns for fourth year; call-for-speakers open

CARLSBAD, CALIF, February 23, 2023  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins.

Authenticate 2023, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just North of San Diego. Visit our website for information on submitting a speaking proposal and becoming a sponsor.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications.

Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities.

Authenticate Call For Speakers

The Authenticate 2023 conference program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.

The committee is looking for vendor-neutral, educational presentations that focus on authentication strategies and best practices. Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication should also be submitted. The committee is looking for a variety of session types and formats including main stage storytelling, introductory “101’s”, detailed case studies, technical tutorials, hands-on labs, and thought provoking panels.

Diverse, global perspectives and presentations that focus on the following topic areas are welcome:

• Authentication trends & insights
• Modern authentication case studies & implementation strategy

• Hands-on implementation guidance and best practices
• Government impact on authentication

Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

The Authenticate Call for Speakers closes on March 31, 2023. To submit an application, please visit https://authenticatecon.com/authenticate-2023-call-for-speakers/.

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

Signature sponsors for the 2023 event are Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort in Carlsbad, CA, just North of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers.

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you.

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.

Authenticate Contact

authenticate@fidoalliance.org

PR Contact

press@fidoalliance.org

By: FIDO Staff

The Internet of Things (IoT) is an increasingly critical and difficult area for IT devices that need to be secured.

At the Authenticate Virtual Summit: The FIDO Fit in IoT held on Dec. 7, a series of experts outlined FIDO Alliance efforts to help device manufacturers and developers better secure IoT. A key theme of the event was all about understanding how the FIDO Device Onboarding (FDO) specifications can help improve IoT security.

David Turner, director of standards development at FIDO Alliance, kicked off the event by noting that passwords remain a large problem across the IT industry. The challenge of passwords is compounded with IoT devices, which scale into the millions and potentially billions of devices. Challenges with passwords for IoT include password re-use, which can be a huge problem with IoT. If a system ships with a default password, it can be trivially easy for attackers to exploit.

“Hackers don’t break into IoT, they log into it,” Turner said.

One way to help secure IoT is with the FIDO Alliance’s FDO standard. Turner explained that FDO is an open standard that allows organizations to quickly and securely onboard IoT devices.

Small things, big impact: The path to FDO

Rolf Lindemann, director of product at Nok Nok and one of the leaders of the FIDO Alliance IoT Technical Working Group, explained that FIDO authentication standards are applicable to users as well as device authentication.

Lindermann said that there is a clear need to have a strong foundation to help secure IoT. The first step is to have hardened hardware elements at the CPU level including things like TPMs, TrustZone and SGX which are provided by the silicon vendors. The next critical step is to add device level attestation to help with supply chain integrity that also helps to reduce the complexity for device onboarding. The third step is to have strong authentication, that ensures only legitimate entries get access.

“To make the IoT ecosystem more secure, you need strong authentication that’s the front door providing fishing resistance and being still practical for daily large scale use,” Lindermann said. 

How FDO tackles the onboarding challenge

The challenge of onboarding is where the FDO specifications come into play.

Richard Kerslake, general manager of industrial controls and robotics, IoT business unit at Intel, explained that onboarding is the process by which a device can establish a trusted connection with a service or platform.

“We have an IoT device, it’s going to connect to a platform or service and we just need to be sure that everyone in that equation is who they say they are,” Kerslake explained. “Is the device talking to the platform that it thinks it is talking to, and is the platform talking to the device that it thinks it is talking to. So we really need to make sure that both sides of that equation are true.”

Onboarding today is often a very manual process. The promise of FDO is an automated approach that benefits from strong authentication. Kerslake explained that in December 2019 the decision was made to base the FDO specification on Intel’s Secure Device Onboard technology. The FDO 1.0 specification was released in March 2021 and updated to version 1.1 in April 2022.

Going a step further beyond just the specifications FIDO has worked with the Linux Foundation’s LF Edge project which has an open source implementation of FDO.

Going for a deep dive with FDO

There is a fair amount of nuance and details that go into the FDO specification.

In a deep dive session, Geoffrey Cooper, principal engineer, IoTG at Intel, explained the workflow, technical specification and procedures that enable FDO implementations.

Cooper explained that for example if a device is drop-shipped to a location and the device gets powered up and connected to the network, the goal with FDO is to enable that device to figure out who it’s supposed to connect to with proper authentication, sets everything up, and then it goes right into service.

“The idea is we’re taking something that was a very heavy touch kind of operation that we’re turning it into a zero touch operation,” Cooper said.

Enabling that zero-touch approach with FDO involves a series of protocols that are part of the specification. The protocols include device initialization and onboarding components. There is also a concept known as the FDO Service Info Module (FSIM) that provides an extension mechanism to help support devices.

During a robust Q&A session during the Authenticate virtual event, attendees asked a wide variety of questions.

Among the questions was one about what’s needed to help spur adoption for FDO.  Kerslake said there are companies today in different industry verticals including the energy sector, where operators are saying they will not proceed with bringing in new devices without an automated secure onboarding solution.

There are also a growing number of industry solutions that support FDO. Megan Shamas, senior director of marketing at the FIDO Alliance, said that by developing FDO in an industry standards body there are lots of opportunities for collaboration and promotion as well.

“We are in the midst of creating an implementer showcase, which should be live on the website soon,” Shamas said.

The path toward FDO certification

Looking beyond just the FDO specification there is also a need for certification, which is something the FIDO Alliance is now working on.

Paul Heim, director of certification at FIDO Alliance, said that  product certification ensures standardization and interoperability of products within an industry. He added that one of the most important factors about certification is that it helps to ensure consumer enterprise, and industrial protection. The lifecycle for FDO certification includes both functional and security certification.

“The FIDO device onboard certification program is intended to certify IoT devices and onboarding services certification that will be available for both FIDO members, and non-members,” Heim said.

The certification effort is still in development with a program launch set for the first quarter of 2023.

By: FIDO Staff

The final day of the Authenticate 2022 conference was packed with user stories, thought leadership and panel discussions about the challenges and opportunities for FIDO strong authentication today and in the years to come.

The first user story of the day was from global science and technology company EMD Group / Merck KGaA which is now using FIDO to help improve its own authentication system. Dennis Kniep, domain architecture for Identity and access management at the company explained that his team’s mission is to help secure the company where he sees FIDO as playing a major role.

A challenge that EMD Group / Merck KGaA faced with its implementation of FIDO is that there were a number of legacy applications and services that did not support modern web standards.

“We developed the detach authentication mechanism,” Kniep explained. “With that mechanism the users are able to authenticate with FIDO in a phishing resistant way, even if the user needs access to apps with legacy backends, meaning we can enforce FIDO.”

Equity and inclusion matter

A recurring theme through the Authenticate 2022 conference is the need for equity and inclusion.

One panel on the topic specifically looking at the issue of inclusiveness in authentication and identity systems. Jamie Danker, senior director of cybersecurity services at Venable LLP, commented that when solving a problem, the makeup of the people trying to solve a given problem will have an impact on the solution.

Danker noted that a recent equity and inclusion study completed by the U.S. government’s  General Services Administration (GSA) provides some real empirical data on how remote identity proofing solutions will actually operate. 

Danker also mentioned the NIST digital identity guidelines, which are currently being updated to revision 4. She noted that NIST has been very clear that equity considerations are going to be part of that.

Security is more than just the web interface

FIDO strong authentication helps to provide authentication into many different types of systems, but it’s not a ubiquitous option for all types of access.

“Everybody’s talking about web and mobile, and nobody’s talking about the contact center,” John Poirier, Lead Director – EIS at CVS Health said.

Poirier explained that when a password doesn’t work, or a user can’t get access, they will call into a contact center for help. He emphasized that there is a need to make sure there are security policies, procedures and technology in place at contact centers, that secure access, without introducing too much friction.

The idea of extending strong authentication to all types of devices was also discussed by Chad Spensky, CEO of Allthenticate and his co-founder and COO, Rita Mounir.

“The FIDO protocol right now only talks to websites and computers,” Spensky said.

Spensky wants to help bring strong authentication to all types of devices and access ranging from cars, to office doors and everything in between.

Navigating the authentication landscape

In a thematic presentation, Pamela Dingle, director of identity standards at Microsoft, spoke like a pirate and warned about passengers falling off the boat. 

The analogy of the boat is that of helping passengers safely get to their destination, which isn’t always an easy task. Dingle said that Microsoft blocks more than 1000 Password attacks every second, and outlined the multiple reasons why passwords are a weak link. She emphasized that users should wear a life jacket, which in the real world translates into user multi-factor authentication (MFA).

While there are risks with MFA, Dingle said it’s the right first step for many, until they are able to move to phishing resistant strong authentication with FIDO.

“Out of 10,000 compromised accounts, only one will be an MFA credential attack,” she said. “It’s really important to understand the difference in risk between being vulnerable to a password attack, and being vulnerable to an MFA bypass attack.”

That said, she noted that what makes phishing resistant credentials so great, is that they are not susceptible to exactly the same predictable behaviors that make MFA vulnerable. Dingle also noted that she’s very optimistic about the potential for passkeys.

“If we get it right. passkeys become the seat cushion that becomes a flotation device for our passengers,” she said.

Earning Trust in Identity at Scale

With one of the largest ecommerce and cloud platforms in existence Amazon has a real need for strong authentication and it is increasingly relying on FIDO for those needs.

Sarah Cecchetti, head of product for Amazon Cognito explained that identity is handled by the platform team within Amazon Web Services. She noted that identity needs to have a consistent security and usability bar for every service at AWS. To that end, AWS has built out a modular, but centralized approach that uses FIDO.

Arynn Crow, Senior Manager, User Authentication Product at AWS, said that her company has invested really heavily into FIDO2.

“We continue to invest because fundamentally we believe that FIDO supports greater flexibility,” Crow said. “We have fewer trade-offs between our user’s experience and their security.”

Usability is the key to strong authentication adoption

In a panel session on usability, a key theme that emerged is the foundational need for good usability in order for FIDO adoption to grow.

Judy Clare, vice president, product manager, digital authentication at JP Morgan Chase commented that it’s critical to put strong authentication messages and workflow in the right tone. 

“The right wording and to make it clear, simple and understandable for the average user is very important so that you’re not ostracizing anybody by using all technical jargon,” Clare said.

The need for clear language was echoed by Sierre Wolfkostin, senior product designer at Duo Security. Wolfkostin said that it’s hard to adopt what you can’t understand. 

“Getting to simple human language is really important,” Wolfkostin said.

Usability is also about making sure there is a vibrant ecosystem of vendors and technologies that can help businesses small and large to actually implement FIDO strong authentication in the first place. 

In the closing panel of the event, Christiaan Brand, product manager at Google commented that while well staffed organizations might be able to implement strong authentication and passkey options on their own, many other organizations will need help. It’s a situation much like any other enterprise technology where organizations make use of consultants and service providers to implement complex technology.

Bob Lord, senior technical advisor at CISA argued that the best thing to do is to just start with FIDO. He emphasized the organization should focus on what they can do, not what they can’t.

“I think there’s a lot of hesitation at starting,” Lord said. “I think a lot of misconceptions out there would go away if they were to just start the journey, they would find their misconceptions are wrong.”

Next year in San Diego

In the closing session, Andrew Shikiar, executive director of the FIDO Alliance highlighted the key themes of the event.

Those themes are that deployments are real and organization can and should start today. Usability was another strong recurring theme, as a key to helping to ensure adoption. The concept of security by community also resonated at the conference, with users learning from each other about lessons learned.

In the final analysis the Authenticate 2022 was a stellar success with 90 sessions, spread across three tracks and three days of content.

For next year’s event, Authenticate 2023 will be moving to San Diego.

By: FIDO Staff

The second day of the Authenticate 2022 conference had a mix of topics and speakers that spanned multiple facets of the authentication world including payment security, biometrics, national identity and design systems.

The day got started with a keynote from Doug Fisher, senior director at Visa, who discussed the current state of the global payments system and the challenges it faces. Fisher noted that while ecommerce fraud remains a pervasive risk, strong online authentication is helpful to help reduce that fraud.  

A challenge for stronger forms of authentication for ecommerce is often that it introduces more friction into the consumer buying process, which can lead to shopping cart abandonment. To help solve that issue, Fisher explained that the FIDO Alliance, EMVCo and the W3C have been working together to help improve interoperability in a bid to reduce payment authentication friction. The joint effort had led to the Secure Payment Confirmation (SPC) standard that is currently in development

“SPC is a web standard currently in development that is built on WebAuthn to support streamlined authentication during a payment transaction,” Fisher said. “SPC and FIDO go together like peanut butter and jelly.”

The perils of MFA

Not all multi-factor authentication (MFA) technologies are equal was the primary message in a session led by Roger Grimes, data-driven defense evangelist at KnowBe4.

Grimes outlined a litany of MFA bypass techniques that could potentially enable attackers to exploit vulnerable users. He emphasized however that FIDO based strong authentication is unlike MFA in that it can help to eliminate many of the man-in-the-middle attacks that enable bypassing techniques.

“MFA attacks have been around for decades but it certainly is going mainstream this year,” Grimes said.

The risks of non-FIDO MFA is top of mind for Heikki Palm Henriksen, CTO of BankID.

Henriksen’s organization provides a digital identification that is widely used in Norway. BankID started to look at FIDO in 2020 and discovered the insightful white papers produced by the alliance which helped Henriksen and his team to choose FIDO and begin implementation.

“We realized that FIDO2 was the best solution to modernize BankID to reach our goals,” Henriksen said.

Biometric considerations for FIDO

Strong authentication can make use of biometrics such as a fingerprint reader or facial recognition system, as an authenticator.

Biometric systems however are not universally without fault or bias, which is an issue that was discussed by Stephanie Schuckers, director, Center for Identification Technology Research (CITeR) at Clarkson University.

“When we talk about bias related to biometrics, what we’re really talking about is variability in performance due to demographics or demographic differentials,” she said.

Shuckers emphasized that bias relates to the specific technology implementation being used, not the whole field of biometric recognition. Through testing and certification, it is possible to better understand and reduce the risk of potential bias.

Greg Cannon, principal AI/ML standards at Amazon joined Schuckers for a panel session, emphasizing that the goal is to help eliminate passwords and biometrics is a great technology for doing that.

To help illustrate the point that biometrics spoofing is a concern that testing can help to solve, Shuckers brought some props on stage, including a mask of her own face, which apparently did not fool the facial detection system on her phone.

Consumer authentication habits

Understanding how users view authentication is an important aspect of understanding what needs to be done to help improve adoption.

The FIDO Alliance conducts an annual survey that looks at consumer habits for trends and adoption of authentication technologies. Megan Shamas, senior director of marketing at FIDO Alliance, said that the 2022 survey shows users are in some respects entering their passwords less than prior years, though the data is far from being definitive.

Perception of biometrics is also re-assuring as a potential way to help eliminate the use of passwords.

“We have actually been very pleased with consumer sentiment towards biometrics,” Shamas said. “In fact, a lot of consumers that we surveyed find it to be the most secure way to log in.”

Helping to reduce remote authentication fraud

Marianne Crowe, vice president, secure payments innovation and research at Federal Reserve Bank of Boston, used her time on stage to ask for more cooperation across the authentication ecosystem to help secure against fraud.

Crowe noted that there is consumer fatigue with passwords and many users will just reuse the same passwords on multiple sites which is an unsafe practice. MFA is helpful, but she noted that it is often inconsistent today in how it is presented to consumers.

“We’ve got to try to increase implementation and adoption of MFA even in industries and businesses that aren’t required to do it,” Crowe said.

Design system comes to FIDO

One of the ways consistency can come to authentication and specifically to FIDO based strong authentication is with the use of a design system. 

Organizations can now benefit from the FIDO design system at fidoalliance.org/design-system that provides principles, patterns and reusable components.

“Our intention for putting all this together is to make FIDO deployments simpler and faster for product designers, for project managers, product managers and engineers,” Kevin Goldman, chief experience officer at Trusona, said. “Our intention is to fill the gaps that they might have around authentication in their own design systems.”

The final day of Authenticate 2022 is looking to be another day loaded with useful content, thoughtful discussion, more user stories and best practices to help organizations move to the passwordless future.Want to attend the final day of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

By: FIDO Staff

The Authenticate 2022 conference got underway on Oct. 17 with a stellar lineup of speakers that included enterprises, service providers and government agencies, all gathered to talk about the current and future state of strong authentication.

The opening session was led by FIDO Alliance Executive Director and CMO Andrew Shikiar who detailed the progress that has been made this past year. Among the highlights mentioned by Shikiar was the launch of passkeys. 

The FIDO Certified Professional program also got underway in 2022 providing a way for professionals to validate skills. There has also been work done to help with usability as well as adoption with initiatives designed to help accelerate broad deployment of FIDO strong authentication.

“Our mission is to reduce industry’s reliance on passwords and legacy multi factor authentication,” Shikiar said. “From day-one we’ve had this audacious goal of shifting away from centrally stored shared secrets to a model that is more possession based in nature and relies on common end user devices, that has been our guiding principle.”

Marcio Mello, head of product, PayPal identity platform, talked about how the online payment plans to leverage passkeys as a way to realize the promise of passwordless. Mello demonstrated workflows using passkeys showing how easy it is for a user to authenticate.

“I would say this is an inflection point in our decade-long commitment as an industry, to a passwordless world,” Mello said about passkeys.

NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015. DOCOMO has helped shape FIDO specifications and is the first mobile operator to deploy FIDO authentication at scale. Shikiar welcomed Koichi Moriyama, a Chief Security Architect at NTT DOCOMO, to the keynote stage where he announced DOCOMO’s intention to support passkeys for its millions of d ACCOUNT users. Moriyama said support would begin in early 2023.

U.S Government sees FIDO as the gold standard for MFA

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) is taking a very active interest in strong authentication.

“We’ve known for decades that passwords are a weak link in cybersecurity and that the extra layer of protection provided by multi factor authentication prevents cyber attacks,” CISA Director, Jen Easterly said. “Yet only a small percentage of people are using it.”

Easterly emphasized that CISA is aggressively pursuing multiple initiatives to help spur adoption of multi-factor authentication (MFA) and more specifically FIDO standards-based strong authentication.

“We’re using this opportunity to shine the spotlight on FIDO as the gold standard for MFA and the only widely available phishing resistant authentication method.”

Bob Lord, senior technical advisor, cybersecurity division at CISA, told the Authenticate 2022 audience that it is a weird thing that the technology industry has normalized the idea that the burden of staying safe is placed on those organizations that are least able to understand things like threat landscapes.

“We see far too many organizations failing in part because they have no idea they need to do this,” Lord said about strong authentication and FIDO adoption. “And that’s because they don’t have something that is nudging them in the right direction.”

Both Lord and Easterly advocated for technology vendors to make it easier for users to have strong authentication and provide security by default.

“Security features our customer rights, they’re not luxury goods,” Lord said.

FIDO Authentication has social impact

Jonathan Bellack, senior director, identity and counter-abuse technology at Google outlined some of the challenges that Google has seen for users adopting MFA and passwordless security.

“Our user research has shown at least from a consumer point of view, users don’t draw a distinction between any of the words we use in the industry like security, privacy, abuse as it all just kind of fits into this great amorphous blob of safety,” Bellack said.

He noted that consumers have very little time and they just want to know if they can do whatever task they want or need to complete online. To that end, Bellack detailed multiple efforts that Google has underway to embed security in a way that doesn’t introduce friction.

Christopher Harrell, CTO at Yubico, explained during his session how the use of FIDO authentication is being used by organizations around the world to help protect freedom and privacy. Yubico is working with the Freedom of the Press Foundation and Operation Safe Escape among other organizations. The company has donated over 20,000 keys to support many different government agencies in Ukraine. 

“We do hope that the war ends soon but in the interim, we hope that we can help protect infrastructure from cyber attacks,” Harrell said.

FIDO users detail adoption challenges and opportunities

A key part of the program for Authenticate 2022 are user stories and there were plenty to be told on the first day of the conference.

Ian Glazer, SVP product management at Salesforce, described the highs and the lows of his company’s MFA adoption efforts. Salesforce decided in the fall of 2019 that it wanted to achieve 100% adoption of MFA across its services and it’s a journey the company has been on ever since.

Salesforce’s path toward 100% MFA adoption involved both technical considerations as well as a massive effort to engage with users, which led to solid results. Glazer noted that at the end of Salesforce’s fiscal year approximately 80% of its monthly active users were using MFA or SSO. While 80% is a noticeable achievement, it’s not the 100% goal that Salesforce has set. Glazer emphasized that the pursuit of the 100% adoption figure forces his team to continue to innovate and find ways to push adoption.

Salesforce has noticed multiple benefits from MFA adoption so far, including cost reduction and security improvements.

“Because we adopted MFA, we have seen a dramatic reduction in account takeovers,” Glazer said.

Microsoft is also pushing hard for broad adoption as it aims to enable a passwordless experience for its users. Scott Bingham, Senior Program Manager in Identity, and Emily Houlihan, Senior Product Manager at Microsoft, explained in their session what lessons have learned so far on their passwordless journey.

Bingham said that Microsoft has spent years rolling out support for temporary one time passwords, security keys, authenticator apps and Windows Hello as different password replacement offerings. Microsoft is increasingly moving toward eliminating passwords entirely.

“People want passwordless,” Bingham said. “Security is important, but user experience is critical and helps to drive demand.”

USAA, which provides financial services to members of the U.S. military and veterans, is also adopting FIDO and MFA to help secure its users. Dereck Henson, technical security architect at USAA, provided a series of key lessons learned during his session.

His first lesson learned is that it’s a good idea to default to strong authentication from the start. 

“We found that it’s a whole lot easier to start someone in an MFA, highly secured program, rather than to convince them to change their mind later,” Henson said.

Another key lesson that USAA has learned is that when it comes to a passwordless approach, being entirely passive and not showing users that authentication in place, is not a winning scenario. Henson said that USAA members were calling in saying they had been members for decades and couldn’t believe they could just log in with a fingerprint. To that end, USAA has had to add some interstitial screens to its authentication workflow that tell users their access is being secured.

“So not only do you have to be secure, you have to actually look secure,” he said.

Financial service giant Citi has also embraced the FIDO strong authentication approach. Matthew Nunn, Director, Secure Authentication Architecture & Technology Engineering at Citi, did not mince words in his session about why there is a need to move away from passwords.

Nunn said that there really isn’t a meaningful way to make passwords more secure.

“The reason you’re doing passwords and we’ve been doing it for so long is because we are held hostage to the keyboard being the interface to use in order to interact with the system,” Nunn said.

He added that with passwordless, users are no longer held hostage and there is the ability to take advantage of capabilities in devices to authenticate, instead of users needing to regurgitate a password.

Day 2 of Authenticate 2022 is looking to be another packed day full of insightful content and discussion, with sessions on biometrics, consumer authentication habits, FIDO initiatives and more user sessions.Want to attend the next two days of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

By: FIDO Alliance Staff

Few if any industries are as critical as healthcare where literal life and death decisions hang in the balance.

At the Authenticate Virtual Summit: Modernizing Healthcare with Strong Authentication broadcast on June 16, experts outlined how FIDO can fit into healthcare to improve user experience and help secure provider authentication approaches.

Megan Shamas, senior director of marketing at FIDO Alliance, started the event by noting that healthcare is one of the most targeted industries with phishing and ransomware being highly prevalent and highly successful. She noted that passwords are not fit for purpose in healthcare and can be phished by attackers.

Looking at the FIDO imperative for healthcare, Shamas said that FIDO-based technology can help with secure login for patients, as well as supporting authentication in complex medical environments. For example, if a medical professional is wearing gloves, FIDO-based technology can also support local PIN, face recognition or FIDO security keys. She added that FIDO authentication also helps healthcare organizations to comply with regulatory and privacy requirements.

“Our goal at the FIDO Alliance from day-one was to transform the market away from a dependence on centrally stored shared secrets and knowledge based authentication to a model that is possession based and uses public key cryptography,” Shamas said. “It allows consumers, patients and employees to authenticate through devices that they literally have at their fingertips, every single day and it’s just simpler and it’s stronger.”

FIDO Reduces Friction, Complies with eIDAS

Rolf Lindemann, VP of Product at Nok Nok Labs, noted that IT should help to simplify healthcare operations and not contribute additional friction for practitioners and patients.

“Patients want assurance that their sensitive health data cannot be stolen,” Lindemann said.

Lindemann said that health insurance cards are widely used in Europe but are not practical to use as an authentication mechanism on mobile devices. Additionally,  he noted that in Europe, the eIDAS (electronic IDentification, Authentication and trust Services) identification standard needs to be complied with by providers.

“Passwords are insecure, and legacy two- factor methods like OTPs (one time passwords) are inconvenient, and they still don’t protect against phishing,” Lindermann said.

That’s where he sees FIDO as fitting in, providing a strong authentication approach that can help healthcare providers to secure user access as well as being compliant with regulations like eIDAS.

Abbie Barbir, FIDO board member and co-founder of ADIA, detailed security challenges of passwords in his session at Authenticate.  

“Passwords are shared secrets and shared secrets can be stolen, copied, used and shared, and as such passwords are a security risk,” Barbir said. “They should not be relied upon if you really need to secure your accounts and your users, ideally, the best way going forward is to actually not use passwords.”

In Barbir’s view, good risk-based authentication introduces friction for hackers and is transparent to the end user.

Timy Kim, senior solutions engineer at Daon, commented that due to the increase of online services rendering different modalities of care, hackers and fraudsters will look for a weak point to penetrate. The weak point more often than not is a password that can easily be phished.

“Patient authentication can be your face, finger, or even your voice,” Kim said. “This will save you from needing to remember lengthy or complex passwords, which sometimes become a frustration point when trying to access your patient portal.”

Healthcare Organizations detail FIDO Uses

Merck KGaA, Darmstadt is a Germany-based science and technology conglomerate with operations across multiple sectors including healthcare.

Andreas Pellengahr, Head of IAM at Merck Merck KGaA, Darmstadt, Germany, said that his organization has approximately 80,000 users that need secure access. To help enable that, Merck relies on FIDO authentication.

Pellengahr said that they could not use a SaaS service to enable FIDO as the company needs to control its own authentication and credentials. Dennis Kniep, domain architect of IAM at Merck KGaA, Darmstadt, Germany,  explained that the core of the authentication infrastructure is a locally-hosted open source FIDO server.

Kniep noted that the authentication service is certified by the FIDO Alliance, which ensures interoperability with other FIDO products. 

“We are running multiple servers in a cluster, which are hosted across different data centers,” Kniep explained. “The responsibility of the FIDO server is to securely store the registered FIDO credentials in our self hosted environment, so that we really have full control over these credentials.”

The United Kingdom’s National Health Service (NHS) is also using FIDO authentication to help secure its users. 

Priyanka Mittal, senior technical architect at NHS Digital, explained that the NHS Login service is an authentication and identity verification service, which enables people to access healthcare apps and websites securely. She noted that over the last 18 months, NHS has seen a dramatic increase in its user base for NHS Login, which now supports 25 million users. The NHS App is a mobile application that brings a variety of healthcare services to users and also provides COVID-19 passport functionality.

Sean Devlin, tech lead for NHS App, explained that his organization’s journey to FIDO began two years ago. NHS required that users have two factor authentication for every login, but that approach introduced some friction and there was a desire to make the process more seamless. That’s why the NHS started to look at passwordless approaches, and settled on FIDO.

NHS Digital decided to build its own FIDO server and client, based on existing open source projects from eBay, which is also a large FIDO user. Devlin explained that his group converted the eBay open source FIDO server to the Python programming language and implemented a serverless approach to run on the AWS Lambda service.

The overall approach for the NHS App of enabling FIDO has helped to save the NHS a good deal of money as well.

“11 million users that have registered with NHS logon have also registered a FIDO device and  that sort of equates to about 500,000 FIDO logins per day,” Devlin said.

Devlin noted that the NHS was paying 1.6 pence per text message to send out two factor authentication code on 500,000 logins per day. 

“That equates to about 8,000 Pound Sterling, that we are saving on SMS by using FIDO,” Devlin said.

Modernizing Healthcare Identity and Authentication Regulations

The regulatory environment around healthcare has been evolving in recent years. 

Among the most impactful, yet least well known regulations is the 21st Century Cures Act which mandated the implementation of application programming interfaces (APIs) in healthcare. In a panel session, Jeremy Grant, managing director of technology business strategy at Venable; Christine Owen, director at Guidehouse, and Ryan Howells, principal at Leavitt Partners, discussed the impact of healthcare regulations and where FIDO fits in.

Howells explained that his organization helped to create the CARIN Alliance which aims to improve the state of identity and authentication in healthcare. Using APIs to help connect information, as mandated by the 21st Century Cures Act, also requires authentication.

“Approximately 84% of all the major health plans in the country have actually implemented an API based architecture now,” Howells said. “They’re all asking very similar questions that we’re asking other industries, which is how do you identify and authenticate an individual securely across systems.”

That’s an area where FIDO fits in.

Owen said that adding FIDO is an obvious choice for healthcare providers and plans that want to make sure that there is a strong credential behind users.

“The reason why FIDO is really important is because it helps healthcare organizations to meet HIPAA and other regulatory requirements,” she said. “FIDO in my mind equates to frictionless authentication, so the user has less to do to be able to show a very strong credential and because of that, it’s actually perfect for healthcare.”

To engage with the FIDO Alliance on FIDO authentication for healthcare, visit www.fidoalliance.org or get in touch at info@fidoalliance.org. 

The next Authenticate event will be the flagship conference, Authenticate 2022, being held in Seattle, WA and virtually on October 17-19. For more details or to register, visit www.authenticatecon.com.