05 Apr 2021

FIDO Alliance Announces Authenticate 2021 Conference Coming in October

Call for speakers now open

SEATTLE, April 6, 2021 – Authenticate, the only industry conference dedicated to the who, what, why and how of user authentication with a focus on the FIDO standards-based approach, is coming in October 2021. This is the second year the FIDO Alliance is hosting this public conference to provide CISOs, security strategists, enterprise architects, product and business leaders with all the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2021 will be held October 18-20, 2021 at the Motif Seattle in Seattle, Washington. For more information and to sign up for event updates, visit authenticatecon.com.

Last year’s Authenticate conference featured 50+ sessions, including detailed case studies, technical tutorials and expert panels — all helping educate attendees on business drivers, technical considerations and overall best practices for deploying modern authentication systems. The 2021 event will again focus on providing excellent content, a dynamic expo hall, and other networking opportunities while adhering to all CDC and local health/distancing requirements. 

Authenticate Call for Speakers Now Open

Speaking at Authenticate 2021 is an opportunity to increase visibility, educate about in-market solutions, and allow for networking between those involved in modern authentication. 

The Authenticate conference program committee is looking for vendor-neutral, educational presentations that focus on modern authentication implementations and best practices. The committee seeks global perspectives and presentations on the following topic areas, though other topics will be considered:

  • Authentication trends & insights
  • Case studies
  • Modern authentication implementation strategy
  • Vertical trends & initiatives
  • Industry standards
  • Regulatory impact on authentication
  • Technical & developer tutorials

The call for speakers is now open through May 31, 2021. Professionals who have ideas that are unique, expertise-driven and reflect diversity are encouraged to submit by visiting www.authenticatecon.com. It is strongly suggested to submit early, as the program committee will be reviewing and accepting proposals as they are submitted.

Get involved at Authenticate

In addition to the Authenticate stage, the FIDO Alliance has a number of sponsorship and exhibitor opportunities for the 2021 event, becoming available on April 15, 2021. Companies looking to showcase their brand and products front and center at Authenticate can contact [email protected].

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2021, Authenticate will be held October 18-20 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
[email protected]  

PR Contact
Morgan Mason
Aircover PR
408-612-9889
[email protected]

05 Apr 2021

FIDO Authenticate Summit Wrap Up: Modern Authentication for Financial Services

By: FIDO Alliance Staff

What’s the role of FIDO authentication in financial services and what can be done to help consumers and issuers be more secure? Those topics were at the foundation of the Authenticate Virtual Summit: Modern Authentication for Financial Services, hosted by the FIDO Alliance on March 25.

The financial services-focused event included speakers from eBay, Financial Data Exchange, Gemini, Google, Javelin Strategy and Research, Mastercard, JP Morgan Chase, StrongKey, Trusona and Visa, with topics spanning from the future of authentication to best practices on how to optimize the authentication experience for users.

In his opening keynote, Andrew Shikiar, executive director and CMO of the FIDO Alliance noted that over the course of the pandemic there has been an increase in cyberattacks against financial services institutions, which has only heightened the need for stronger authentication methods.

“At the end of the day, the vast majority of statistics and the vast majority of these problems come down to a fundamental truth, which is that we’re trying to run a hyper-connected economy, a networked society, on an authentication model that simply is not fit for purpose, and that of course is our dependence on passwords,” Shikiar said.

Shikiar detailed how the FIDO Alliance is working to help move the world away from passwords and help users benefit from stronger forms of authentication. In particular, FIDO is playing a key role in the financial services market across a number of categories. FIDO specifications are being used today by financial services firms to help protect online accounts against account takeovers and phishing attacks. A key goal is to also make it easier for organizations to use strong authentication. Shikiar emphasized that the FIDO Alliance’s tagline is: simpler, stronger authentication.

“If there’s one thing the industry has seen, it is that the more complex the approach is for MFA [Multi-Factor Authentication], the less likely someone is to stick with it,” Shikiar said. “So for people to keep using strong authentication, it needs to be easy and single gesture, which is the core of FIDO’s approach.”

Improving Authentication with FIDO at Visa

Visa is one of the world’s largest credit card brands and financial services firms, and it sees FIDO as a strong tool for helping to improve security and reduce fraud.

In a keynote presentation, David Henstock, Head of Identity and Authentication Products at Visa, observed that FIDO specifications have a significant role to play in helping to drive better outcomes within the payments industry. Henstock noted that what has increasingly occurred in recent years is that fraudsters are targeting the authentication layer.

“The question that always comes up is what can Visa do to help fight account takeover fraud?” Henstock stated. “The culprit more often than not is knowledge-based authentication, or simply put – passwords.”

Henstock noted that FIDO is an easy way to upgrade from usernames and passwords to a more secure standard, improving the authentication experience for sellers. He added that overall FIDO provides a better, easier-to-use customer experience for authentication.

FIDO is also important to help with regulatory compliance. In Europe, the PSD2 [Payment Services Directive version 2] is a key driver for strong authentication adoption as it mandates the use of Strong Customer Authentication (SCA).

“If you’re doing digital commerce in Europe, you must abide by the SCA regulations,” Henstock said.

In a bid to help organizations with FIDO deployment, Arshad Noor, CTO at StrongKey used his Authenticate session to detail new capabilities in the StrongKey FIDO server that can help organizations meet the challenges of global requirements.

“We see a lot of confusion in the WebAuthn and FIDO ecosystem where people are confused between security capability, and the user experience that consumers go through when interacting with FIDO,” Noor said. “We believe that FIDO should first be viewed as a security technology, and second as a convenience technology.”

Consumer Confidence in Passwords is Declining

The need to move away from passwords isn’t just about regulation; it’s also about consumer confidence in the security of password-based authentication.

In a session, Javelin Strategy & Research analysts Rachel Huber and John Buzzard outlined the state of the market in terms of fraud and online security.

“We have discovered, trend-wise, that consumer confidence with passwords is down substantially, and I want to say, finally,” Buzzard stated.

Buzzard noted that consumers have begun to realize that stronger authentication methods including biometrics are effective ways to validate identity. He added that consumers are now indicating that they are ready to move away from passwords.

“Whether the password disappears, maybe it becomes sort of like the Mayor McCheese of the city in the sense that it’s there but it doesn’t mean anything if that’s what it requires,” Buzzard said. “That’s still okay because we’re ready to move forward with stronger forms of authentication.”

Payments and the Future of Authentication 

FIDO standards are at the core of security efforts at eBay, which helps the online marketplace meet the needs of its diverse user base. In a panel on Payments and the Future of Authentication, Ashish Jain, Product Management Executive, Identity, Mobility & Analytics at eBay, explained that a key challenge for his platform is having the right experience that can fit the needs and requirements of a broad customer base.

“When we started investigating FIDO and saw that it was supported by Google, Microsoft, and Apple, it gave us the confidence that it can meet the needs for a variety of our customers and hence, we continue to investigate and invest in the protocol,” Jain said.

For Christiaan Brand, Product Manager for Identity & Security at Google, FIDO adoption started out as a way to help curb phishing risks and has evolved to become a way to help improve multiple aspects of security for both Google and its users.

“FIDO is one of those few security inventions which aims to both address security and improve on that axis, while at the same time also improving on the usability front,” Brand said. “The FIDO components that have been built into the platforms nowadays do give our users better and more secure experiences.”

For Ranjita Iyer, SVP, Identity Solutions at Mastercard, FIDO specifications are being combined with other standards including the EMV 3D Secure effort to enable a seamless authentication and payment experience that can lead to better approval rates for digital transactions and lower fraud. 

Integrating FIDO with other standards is also something that the Financial Data Exchange (FDX) is implementing with its stack. Don Cardinal, Managing Director, Financial Data Exchange explained in a session that his organization is dedicated to unifying the financial service industry around an interoperable royalty free standard for secure permission to access data.

“The whole idea is to stop sharing user IDs and passwords and stop using them in the entire session,” Cardinal said. “Ideally, if you have OIDC [OpenID Connect] and FIDO throughout FDX you can enroll, use and consume the whole setup and never use a credential, which I think is really powerful in today’s day and age.”

Optimizing UX for Strong Authentication 

While the technical details of FIDO specifications are critical to enabling strong authentication, optimizing the user experience is critical to adoption. 

In the final panel of the day, Megan Shamas, Director of Marketing, FIDO Alliance, noted that there is an effort currently underway to test and improve the FIDO user experience. Guidance from that testing effort is set to be publicly available in late 2021.

Kerry Hebert, Design Director (CX/UI) at Visa, emphasized that FIDO implementation hinges on user adoption, and adoption is only going to happen if the user registers. She noted that for users to take the step of registering, they need to believe that there’s value in what it provides and that it in some way makes the consumer’s life a little bit better.

Kevin Goldman, Chief Experience Officer, Trusona strongly suggests that financial services firms not think about user experience as something that is bolted on to the end of the process. Rather he suggests that it’s an integrated part of the entire process of supporting and enabling FIDO standards.

Judy Clare, Vice President, Product Manager, Digital Identity and Authentication at JPMorgan Chase & Co, suggested during the panel that from an experience perspective, FIDO engagement needs to be easily digestible for consumers. 

“You really have to have that value proposition out there – what’s in it for me, and why should I be clicking through this and take an extra 30 seconds to sign up for it and then go on my way, because I am here to do something and this wasn’t it,” Clare stated. “So it’s really important to keep the user in mind.”

Next Up: More Authenticate Summits and Authenticate 2021 Conference

There’s much more content to come from the FIDO Alliance in 2021.

Looking forward there is another virtual event coming in June which will focus on strong authentication in Europe. Plans are also coming together for a physical Authenticate conference set for October in Seattle.

“In general, what we see is a lot of best practice sharing, everyone is in this together, and is motivated to help protect the networked economy and FIDO authentication presents a great way of doing so,” Shikiar said. “So we encourage you to certainly take part.”

08 Mar 2021

FIDO Alliance Announces First 2021 Authenticate Virtual Summit, focusing on Modern Authentication for Financial Services

By: FIDO Alliance Staff

MOUNTAIN VIEW, CA, March 8, 2021 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, announced today the speaker lineup for its first 2021 Virtual Summit, “Modern Authentication for Financial Services”, taking place March 25 from 9:00am – 12:00pm PDT.

Featured keynotes will be presented by Rachel Huber, Senior Analyst, Payments, and John Buzzard, Lead Analyst, Fraud & Security, both of Javelin Research; David Henstock, Head of Identity & Authentication Products, Visa; and Arshad Noor, CTO, StrongKey. The half-day format includes sessions in which executives from eBay, Gemini, Google, Mastercard, JP Morgan Chase, Visa and Trusona will talk about the rapidly evolving security and usability measures being developed and deployed to safeguard financial service users by way of modern authentication.

Payments and financial services are amongst the leading industries for adoption of modern authentication systems – and digital transformation in general – with use cases ranging from simpler and stronger account sign-on to mobile banking to secure payments. COVID-19 has only accelerated the imperative to protect valuable resources while still providing secure access to online banking services. 

Between current and emerging regulations, the ongoing battle against hackers and a fickle yet demanding consumer base, it is more critical than ever for leaders in this sector to find balance between compliance, security and user experience. This edition of the Authenticate Virtual Summit tackles these issues with an agenda that includes:

  • Keynotes from FIDO Alliance, Visa, StrongKey and Javelin Strategy & Research 
  • Panel discussion on Payments & the Future of Authentication, featuring expert perspectives from eBay, Google and Mastercard
  • Tips from Gemini on how users can secure their crypto
  • Details on how to leverage the FDX and FIDO protocols to enable secure access and data sharing
  • Considerations and best practices for optimizing the strong authentication user experience

“Building off of the success of our Authenticate conference last year, we developed the Authenticate Virtual Summit Series to provide informative and interactive content on the role of modern authentication in organizations’ evolving digital transformation plans. Payments, financial services and cryptocurrency are natural focus areas for our first Summit, as these are amongst the leading industries for adoption of modern authentication systems – an imperative that has only accelerated during COVID-19,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are proud to have such an esteemed roster of financial services industry thought leaders committed to imparting their collective insight, especially as the risks of security breaches remain high and consumers demand increasing convenience.”

To view the full agenda and register, visit www.authenticatecon.com.

For more information about additional summits: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

11 Feb 2021

Introducing the Authenticate Virtual Summit Series

By: FIDO Alliance Staff

Building off of the success of the 2020 Authenticate conference, FIDO Alliance is pleased to introduce Authenticate Virtual Summits!

Authenticate Virtual Summits are a quarterly series of virtual seminars that will delve into specific topics related to the FIDO approach to modern user authentication. The summits will be free to attend to anyone interested in learning more about and/or deploying FIDO Authentication. Each Summit will be approximately three hours in length and include multiple sessions from subject matter experts in identity and authentication in various vertical markets and geographies.

The preliminary schedule for the Virtual Summit Series is as follows (dates subject to change):

  • March 25: Modern Authentication for Financial Services
  • June 17: Focus on Europe
  • September 16: FIDO for Government Services
  • December 9: Focus on APAC

Authenticate Virtual Summits are complementary to our full Authenticate Conferences. The next full conference, Authenticate 2021, will be held in-person in Seattle, Washington USA next October. Please stay tuned for more details on Authenticate 2021!

We look forward to welcoming you to this Summit series. If you are interested in sponsorship or speaking opportunities at Authenticate, please contact [email protected].

19 Nov 2020

Authenticate Day 6: The Future of Strong Authentication

By: FIDO Alliance Staff

After six full days of insightful content and engaging speakers, the inaugural Authenticate Conference wrapped up on Nov. 19.

A theme that resonated throughout multiple sessions on the final day of the conference was the future of authentication. The potential future impact of machine learning on authentication, the future of PKI and the decentralized future, were all topics of discussions across sessions. Another highlight of the day was a morning session where Microsoft outlined its path toward password-less and the lessons learned as it has embraced FIDO standards for strong authentication.

At their core, FIDO standards make use of public-key cryptography, though they differ from traditional Public Key Infrastructure (PKI) in a number of important ways. In a session, Arshad Noor, CTO of StrongKey, outlined the future of PKI and FIDO. Noor explained that unlike PKI, FIDO does not make use of X.509 digital certificates for end users. He added that FIDO keys do not expire like digital certificates, and as such managing the lifecycle of FIDO authentication requires a different mindset and philosophy than PKI.

“A lot of the complexity that PKI brings to the table doesn’t exist with FIDO,” Noor said. “There’s a different kind of complexity. I’m not going to sugarcoat it, there is a certain amount of complexity in FIDO too, but it’s not quite as complex as PKI in my personal opinion.”

Microsoft Says Hello to FIDO

There are a lot of good reasons why Microsoft has embraced FIDO authentication standards. Aakashi Kapoor, Senior Program Manager at Microsoft explained that one of the reasons why Microsoft began its journey with FIDO is because the company realized that it had to help its customers move away from passwords.

“Everyone assumes passwords are easy to use but they are not,” Kapoor said. “They’re actually difficult to use.”

She noted that users often end up using the same password across multiple platforms. Adding a second factor is often seen as being inconvenient as users not only have to remember a password, but they also need a second factor that is available. 

“So when we were working on our passwordless options we wanted to ensure that there is something that gives users high security while also being convenient to use,” Kapoor said.

To that end Microsoft has embraced FIDO to help enable its strong authentication and password-less approach. Kapoor noted that the biggest learning that Microsoft has had from the deployment was that credential management is equally important as authentication. 

“It’s not only important for users to have a strong highly secure authentication method, but it’s also important for them to have a way to manage the entire end to end lifecycle of that credential,” Kapoor said.

The Future of Machine Learning, Identity and Authentication

While cryptography is at the core of FIDO strong authentication, there is also a role for machine learning and artificial intelligence, according to Asad Ali, Technologist at Thales.

One area where he sees machine learning having a potential impact on authentication is a concept known as device vicinity context. The basic idea behind device vicinity is that a user will have a similar set of devices around them whenever they are performing a certain action.

“So I have this array of peripheral devices around my working life and the question is can we develop an algorithm for an application, which would over time make sense of what it is that I have around me when I work,” Ali said. “And by doing so essentially predict what authentication method should we use, or if any authentication method is needed at all.”

While machine learning might have a strong role to play in the future of technology, for Steve Wilson, Managing Director at Lockstep Technologies, the future of identity lies in authentication and analyzing data quality. In Wilson’s view, it’s critical to have infrastructure that establishes the quality and reliability of data.

“A little epiphany I’ve had recently about digital identity is that digital identity can’t be anything other than data – it’s all we’ve got,” Wilson said.

The Decentralized Future of Identity

The final panel of the Authenticate conference was moderated by Brett McDowell who currently serves as the Executive Director of the Hedera Council. McDowell is well known in the FIDO community as being the founding executive director of the FIDO Alliance.

“The cryptographic authentication technologies of FIDO and the cryptographic technologies being deployed in distributed ledgers are complementary building blocks that can be used to improve the overall state of identity management,” McDowell said.

Ramesh Kesanupalli, who was one of the founders of the FIDO Alliance and currently serves as the CEO of Digital Trust Networks commented that FIDO already has a decentralized authentication process.

“There is no centralization of authentication anymore,” Kesanupalli said.

Nat Sakimura, Chairman of the OpenID Foundation, noted that identity now and in the future will remain decentralized. He explained that his view of identity is about the ability to identify a person or entity based on a set of attributes and claims.

“When you think about it, there won’t be any single source of identity for all attributes,” Sakimura emphasized. “Each place has got its own authoritative sources and it’s not going to be unified.”

That’s a Wrap

With six full days of content, over 50 sessions including technical deep dives, panel discussions and case studies, the first Authenticate Conference was a resounding success.

In his closing keynote, Andrew Shikiar, Executive Director and Chief Marketing Officer at FIDO Alliance reminded attendees that FIDO’s mission is to move the world to a modern form of authentication.

“Simply put, the old model isn’t fit for purpose and nor has it been for some time, whereas the FIDO model is built to address today’s use cases, as well as those emerging in the future,” Shikiar said. “I’d say FIDO has matured from a whiteboard concept, nine years ago, through early adoption to becoming a must have feature for user authentication.”

Shikiar also announced that the next Authenticate Conference is planned to be held in person in Seattle, Washington next October 19-20, 2021! Stay tuned for more details!

18 Nov 2020

Authenticate Day 5 Highlights Best Practices for Account Recovery and Password-less Deployment

By: FIDO Alliance Staff

The penultimate day for FIDO Alliance’s Authenticate conference brought with it more insightful content to help attendees and their organizations benefit from the opportunities of strong authentication.

Among the organizations that presented on the fifth day of the conference was online auction site eBay, which outlined how it has embraced strong authentication and is moving toward enabling a password-less future. A key challenge that many organizations face is how to deal with the issue of account recovery, which was addressed in a morning session. The role of FIDO standards in the smart card world was the topic of a session as attendees learned about how strong authentication is making an impact in that sector. Standards were once again a key topic of discussion during the day, with a lunch and learn session that included speakers from the W3C, EMVCo and FIDO detailing how the different groups can work together.

The day’s sessions began with an overview of how the government of the Netherlands provides strong authentication to its services. Among the organizations in the Netherlands is SURFconext, which provides a national identity federation for research and higher education.

“Especially since the COVID crisis began, we’ve seen a lot of phishing campaigns launched against our users and we see FIDO2 as an excellent way to mitigate this threat,” commented Joost van Dijk, Technical Product Manager at SURF.

Raising the Authentication Bar at eBay

Among the most popular websites in the world today is online auction site eBay which has approximately 180 million active users.

Ashish Jain, Head of Identity at eBay noted that for the most part, users need to be able to have an account, either as a seller, or a buyer to be able to transact at eBay. Jain explained that eBay has now implemented FIDO2 WebAuthn to help improve the authentication experience for its users.

“At the end of the day, identity, authentication and sign-in, are means to an end,” Jain said. “We have to make sure that whatever experience we pick is not going to hamper the eventual experience that we want to give to the end user.”

Dealing with the Challenge of Account Recovery

When users lose or forget their password, a common approach is to offer an email-based recovery option. That approach, however, is not secure and negates many of the benefits that a strong authentication model from FIDO provides.

Hidehito Gomi, Senior Chief Researcher at Yahoo Japan Corporation, explained that when a user loses their authentication credentials there needs to be an alternate method available to recover the account. To that end, he noted that the FIDO Alliance has written several white papers providing guidance on what organizations can do. Among the options is enabling users to set up multiple authenticators when the account is created.

Christiaan Brand, Product Manager of Identity and Security at Google noted that the overall issue of account recovery is a really hard problem to solve. That said, in Brand’s view there is a real opportunity for FIDO to help solve the challenge.

“Imagine the following, say the user loses their FIDO authenticator and they have that registered with 40 different relying parties, wouldn’t it be much easier if they had to perform that account recovery process only once, and get access to everything, versus having to do that forty times?” Brand said.

The Intersection of FIDO, EMVCo and W3C

The W3C is a web standards body, EMVCo is a technical body that handles EMV payment standards and FIDO, of course, is focused on strong authentication standards and certifications.

The three organizations can and do work together, according to a panel of experts at the Authenticate conference. Christina Hulka, Executive Director and Chief Operating Officer of the FIDO Alliance, noted that representatives of the three groups have a special interest group to see how each respective specification can work with the others and to identify potential gaps.

Ian Jacobs, Web Payments Lead at the W3C, explained that his organization started working in the payment space approximately five years ago with an effort to improve and streamline ecommerce. That effort is manifest in the Payment Request API, which provides a specification to help enable payment methods.

“A lot of the work in W3C is about adding capabilities to browsers and then web developers can use these building blocks in different ways to build different payment flows or different user experiences,” Jacobs said. “All along the way we’re trying to ensure that these building blocks provide for security, privacy, accessibility and internationalization and they fit with other blocks in the web architecture.”

As to how the three organizations all fit together to help end users, Nick Telford-Reed, Managing Director, Stormglass Consulting Ltd, who moderated the panel session, provided a visual description.

“So this is like a Venn diagram where there’s an intersection between the payments expertise of EMVCo, the authentication experiences and capability of the FIDO Alliance and then the web technologies piece at the W3C,” commented Telford-Reed. “We’re in that sweet spot of privacy and authentication and security for making payments on the web.”

The Path to Passwordless

According to J. Wolfgang Goerlich, Advisory CISO at Cisco’s Duo Security division, more is often asked of people than of machines when it comes to passwords and authentication. For example, it is up to the user to choose a password and update it. What’s needed is an environment where machines do more and are relied on to protect and authenticate users, which is what the password-less journey is all about.

Chris Demundo, product manager, authentication at Cisco Duo outlined the key steps that organizations need to take on the journey to passwordless.

“The first step is really around ensuring you have strong multi-factor in place already, and really strategizing and identifying use cases that exist in your environment where you can start with passwordless, because there are a ton of them,” Demundo said.

The second key step is to consolidate authentication workflows, with things like Single Sign On (SSO) and federation as a way to reduce the number of passwords that are needed. The third step is to increase trust in password-less authentication across the organization so users feel confident about its use.

“Making systems easier to use and actually aligning with human behavior, so we’re not offloading risk from one system to additional things that we want our users to do, is a critical step for both password-less and zero trust in general,” Demundo said.

Final Day is Up Next!

After five full days of content, the sixth and final day of the Authenticate Conference is up next on Nov. 19 with another great lineup of sessions.

A key theme for Day Six is the future of authentication. Among the topics is a session about the future of PKI and FIDO2. A panel of experts will discuss whether the future of authentication is decentralized and what the implications are for FIDO and the organizations that use it. And of course, there are user stories, with Microsoft sharing lessons learned from the experience of being an early adopter of FIDO2 WebAuthn standards.

17 Nov 2020

Authenticate Day 4 Brings Regulations and WebAuthn Into Focus

By: FIDO ALLIANCE STAFF

With a weekend sandwiched in between, Day 4 of the Authenticate Conference on Nov. 17 continued the solid lineup of speakers and topics that attendees learned from last week.

The morning sessions had a strong focus on the intersection of regulations, privacy and authentication. During the lunch and learn, attendees got a deep dive on biometrics and the FIDO Alliance’s Biometric Component Certification, including new updates to the program. During the afternoon sessions there were a pair of talks about the latest updates to the W3C Web Authentication specification, as well as insights into how developers can start to make use of the technology in their own applications and services.

The Regulatory Environment and FIDO

According to Jeremy Grant, Managing Director, Technology Business Strategy at Venable LLP, what governments have to say about authentication often has a significant impact on what types of authentication are used around the world.

In his session on What Regulators Want, Grant explained that authentication is important to governments for a few different reasons. Governments need strong authentication to protect access to their own assets, and it also lets them offer higher-value, citizen-facing services. Overall, authentication is getting increasing attention as an important layer of cybersecurity risk management, securing critical assets and infrastructure.

Grant said that over the last five years, FIDO standards have started to find their way into governmental regulatory standards and guidance as an approach to help enable strong authentication.

“What we’re seeing now in 2020 is FIDO is increasingly emerging as the preferred choice of governments around the world,” Grant said.

In a panel session moderated by Grant, specific European regulations, including PSD2 (Payment Services Directive 2), GDPR (General Data Protection Regulation) and eIDAS (electronic IDentification, Authentication and trust Services), were detailed, along with how FIDO Authentication can be used to comply with each of them.

Grant explained that PSD2 is the European Union’s payment services directive that is focused on open banking and opening up the whole financial services ecosystem in terms of data and payments. The eIDAS initiative is about having electronic identification that can be used to help facilitate authentication in different industries including financial services. Finally, Grant noted that GDPR has emerged, not just as a European standard for privacy but arguably a global standard for privacy. While both PSD2 and eIDAS include some direction on strong authentication, that’s not the case with GDPR.

Alain Martin, Head of Consulting & Industry Relations, Banking & Payment Services at Thales, stated that GDPR does not talk about authentication and access rights at all; rather, it leaves them open.

“If you leave the access to the data protected by passwords, clearly there is a big gap,” Martin said. “In light of the heavy fines, our message is that generally speaking service providers should implement strong customer authentication in order to protect access to data.”

Privacy and Data Subject Rights

Looking beyond GDPR, a morning panel looked at the topic of Authentication as an Enabler of Better Privacy.

Annie C. Bai, Global Privacy Lead at Socure, explained that governments and regulators are now trying to empower individuals with data subject rights. That said, she noted that there are protections and safeguards that need to accompany them that shouldn’t necessarily be in the hands of individuals. Shannon Dahn, Chief of the Privacy Section at the FDIC’s Office of the Chief Information Security Officer, outlined what federal privacy rights exist. Those rights provide consumers with information about their data and transparency about how the data is collected.

“Certainly having your data kept secure is another privacy right,” Dahn said.

Jamie Danker, Director of Privacy at Easy Dynamics Corp, noted that it’s important for organizations to also consider how secure access to private information is enabled.

“If you are advising a program that’s building a product or service that’s creating records or data that can be about individuals, you also have to think about the capabilities for your organization to actually permit such access,” Danker said.

W3C Web Authentication Specification Moving Forward

One of the key technologies that is helping to enable strong authentication is FIDO2 WebAuthn, which is standardized as the W3C Web Authentication specification.

Jeff Hodges, Software Engineer at Google, explained that WebAuthn is a web platform API that facilitates strong authentication for web applications.

“We care about it (WebAuthn) because it’s a replacement for username/password, bringing strong, phishing resistant authentication to the web,” Hodges said.

Version one of W3C Web Authentication was published in March 2019, and it’s now being updated in the second version, known as level two. Hodges noted that level two addresses some bugs that were found in the initial specification and it also benefits from a series of enhancements.
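As an added example, not code from the page, the W3C or the FIDO Alliance, the relying-party checks that give a WebAuthn assertion its phishing resistance: the origin written into clientDataJSON by the browser, the rpIdHash the authenticator scoped the credential to, and the server's challenge are all compared against what the relying party expects. The RP ID, origin and sample ceremony data are constructed placeholders, and the final signature check over the signed payload is described but not performed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Added example, not FIDO Alliance or W3C code. Constructed placeholders:
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url_decode(s: str) -> bytes:
    """clientDataJSON carries the challenge as unpadded base64url."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Fixed prefix of authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than its 37-byte fixed header")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),   # UP bit
        "user_verified": bool(flags & 0x04),  # UV bit
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """What the authenticator signs: authenticatorData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID,
                     require_uv: bool = False) -> tuple[bool, str]:
    """Origin, challenge, RP ID and presence checks; returns (accepted, reason).
    The signature over signed_payload() is then checked with the credential's stored
    public key; that step needs a crypto library and is left out here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "type mismatch: not an authentication ceremony"
    # The challenge ties this assertion to the server's own request (replay protection).
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    # The browser, not the page, writes the origin, so a look-alike site cannot forge it.
    origin = client_data.get("origin")
    if origin != expected_origin:
        return False, f"origin mismatch: {origin!r}"
    ad = parse_authenticator_data(auth_data)
    # The authenticator scopes the credential to the RP ID it was registered under.
    if not hmac.compare_digest(ad["rp_id_hash"], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch: credential scoped to a different RP ID"
    if not ad["user_present"]:
        return False, "user presence flag not set"
    if require_uv and not ad["user_verified"]:
        return False, "user verification required but UV flag not set"
    return True, "ok"


# --- constructed sample ceremonies (no real authenticator involved) ---
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


CHALLENGE = bytes(range(32))  # constructed; a real RP draws this from a CSPRNG
LEGIT_CLIENT_DATA = make_client_data("https://example.com", CHALLENGE)
LEGIT_AUTH_DATA = make_auth_data("example.com")
# A look-alike site: the browser records its true origin and the credential is scoped to it.
PHISH_ORIGIN = "https://example.com.login-verify.example"
PHISH_CLIENT_DATA = make_client_data(PHISH_ORIGIN, CHALLENGE)
PHISH_AUTH_DATA = make_auth_data("example.com.login-verify.example")

if __name__ == "__main__":
    print("legitimate:", verify_assertion(LEGIT_CLIENT_DATA, LEGIT_AUTH_DATA, CHALLENGE))
    print("look-alike site:", verify_assertion(PHISH_CLIENT_DATA, PHISH_AUTH_DATA, CHALLENGE))
    print("replayed challenge:", verify_assertion(LEGIT_CLIENT_DATA, LEGIT_AUTH_DATA, bytes(32)))
```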

John Bradley, Senior Architect for Standards at Yubico, highlighted the new Large Blob Storage extension in level two. He explained that the Large Blob Storage extension allows a relying party to store encrypted arbitrary data along with the credential. He explained that a primary use case for this is to FIDO-enable web-based SSH sessions.

“So think, SSH public key certificates, being stored alongside the credentials on an authenticator,” Bradley said.

Looking beyond just the evolving WebAuthn standards, there is also a need to make sure the standards are adopted. That was the key theme in a session about democratizing WebAuthn that was delivered by Vittorio Bertocci, Principal Architect at Auth0.

Bertocci suggests that organizations embrace a staged approach to WebAuthn implementation. For each and every step, developers should be able to see how WebAuthn is advantageous, providing value for the organization and its users.

“The adoption of WebAuthn is a journey and the standardization was a huge step, but now, we’ve got to roll up our sleeves and help the industry to adopt it,” Bertocci said.

Day 5 is Up Next!

The Authenticate conference continues for its fifth day on Nov. 18 with another great lineup of sessions.

Among the insightful content, there is a user session from eBay, a panel on account recovery best practices and a lunch and learn on how FIDO, EMVCo and W3C specifications work together.

13 Nov 2020

Authenticate Con Day 3: Improving Authentication Improves User Experience

By: FIDO ALLIANCE STAFF

Following days one and two, day three of Authenticate 2020 was another full day of informative sessions about the present and future state of authentication.

A key theme throughout the day was how FIDO authentication is being used by financial services firms to reduce customer friction and enable improved security. Once again, across multiple sessions, speakers detailed why taking a passwordless approach is a cornerstone of digital transformation efforts.

In the opening session for the day, Jim Routh, Chief Information Security Officer, Head of Enterprise Cyber Security at MassMutual, and Bojan Simic, CTO and Co-founder of HYPR, outlined the challenges of passwords for both consumers and enterprises. Routh noted that while passwords can lead to security problems, it’s the combination of passwords and people that is the real issue. He added that password reuse is a common problem and one that criminals regularly exploit.

“Passwords have served us well for the last 60 years in terms of enterprise protection in the online world so it’s really not a defect in passwords, it’s a defect in how passwords are used by people,” Routh said.

Beyond passwords, Routh commented that it’s time to rethink authentication from just being a point in time event that enables access to a service. Routh suggested authentication should be a continuous process where information about behavior is being constantly captured to enable a continuous form of authentication.

In his half of the session, Simic emphasized that user experience is a primary reason why organizations should move toward a passwordless experience.

“As part of the FIDO Alliance and as part of the FIDO standard, we’re always looking at the user experience,” Simic said.

Improving User Experience at PNC Bank

Improving the user experience for authentication is one of the primary reasons why PNC Bank has embarked on the journey to embrace FIDO standards and a password-less future. Sridhar Kotamraju, SVP, Head of Digital Identity & Fraud at PNC, said a key goal for him was to make authentication a frictionless experience under as many situations as possible.

“The key attribute here is when fraud has occurred, we want to make it easy for customers to be able to get back to their accounts in a FIDO way, so that we don’t ask them more questions than obviously we need to,” said Kotamraju.

Target Takes Aim at Password-less

Among the user organizations that spoke on Day 3 of the Authenticate Conference was Target. Nataraj Rao, Principal Engineer for Security Solutions at Target, explained that the retailer was undergoing an effort to modernize its platforms to enable a secure login experience across applications at the company.

Rao noted that a key goal for his group at Target was to reduce friction wherever possible, be it in the authentication flow by reducing the dependencies on passwords, or in the onboarding process by making it easier for applications and business owners to consume the enterprise authentication services.

“FIDO2 in particular was of great interest to us, given its WebAuthn API that is baked into most modern browsers, enabling the use of external security keys or on device biometrics without the need of installing any third party software or plugin on my device on the browser,” Rao said.

Standards and the Future of Payments

The role of standards in financial services and payment systems was the topic of several sessions on Day 3 including a panel moderated by Randy Vanderhoof, Director at U.S. Payments Forum.

Vanderhoof said that it’s important that the payments industry be aware of the standards as well as the best practices that have emerged to address identification and authentication challenges. FIDO plays a key role in helping to enable secure authentication for the financial services industry.

“Regardless of who you’re talking to, anyone that’s looking for secure simple interoperable authentication, that’s what we offer,” commented Christina Hulka, Executive Director and Chief Operating Officer at the FIDO Alliance. “We’re very laser-focused in terms of that authentication piece, whether that is to make a payment, whether that’s to access financial services, whether that’s access confidential data – that’s really where FIDO is focused.”

Authenticate Returns Next Week

The Authenticate Conference continues next week with Day 4 on Nov. 17, which has a strong focus on the regulatory environment for privacy and authentication. Among the sessions on regulations is a panel session on the intersection of PSD2, GDPR and eIDAS in Europe and how FIDO fits in.

Authentication isn’t just about access either; it’s also an enabler of better privacy, which is a topic that another panel will dig into. Rounding out Day 4 are a number of technical sessions including a deep dive on biometrics and the W3C Web Authentication specification.

12 Nov 2020

Authenticate Day 2 Highlights Identity, IoT and the Passwordless Future

By: FIDO ALLIANCE STAFF

After a busy and eventful first day of sessions of the Authenticate conference, the second day continued the trend with a full lineup of insightful speakers and sessions.

Multiple speakers including those from CVS, NTT Docomo and Intuit outlined their respective efforts using FIDO standards as a base to improve authentication and move toward a passwordless future.

Looking beyond user authentication, the co-chairs of the FIDO Alliance Identity Verification and Binding Working Group (IDWG) outlined how the Alliance is expanding its efforts to help enable identity verification as well. FIDO2 WebAuthn was the topic of discussion during a Lunch and Learn session, providing technical details on how FIDO works from the developer perspective. Looking to the future, members of the FIDO Alliance IoT working group detailed how the future of IoT device onboarding and authentication might work with FIDO.

A key theme throughout the day’s sessions was the value that organizations, individuals and industries as a whole can gain from FIDO Alliance efforts.

In a morning session, Dr. Rae Rivera, certification director for the FIDO Alliance, outlined the benefits of FIDO certification and the path to get there, in a way that enables interoperability and market differentiation.

“We have found that organizations have seen around a 30% saving in their purchase operation when buying products that have been developed against industry standards,” Rivera said.

The FIDO Fit for Identity Verification

Authentication is at the core of what the FIDO Alliance and its specifications are all about. There is, however, another class of issues related to authentication where FIDO might soon be playing a key role. That area is identity proofing, which comes into play for account creation and account recovery activities. Within the FIDO Alliance, this work is led by the Identity Verification and Binding Working Group (IDWG).

“The work we are doing in the IDWG is identity-proofing as opposed to authentication,” commented Rob Carter, Director, Product Development for Identity Solutions, Mastercard and co-chair of the IDWG. “There is a gap with account recovery and IDWG is trying to help close that gap.”

Carter explained that part of the IDWG’s effort is to define acceptance criteria for identity document verification and then build test programs to support the adoption of those criteria. Additionally, the IDWG will be working on defining acceptance criteria for facial similarity match, an approach more commonly known as “selfie match.” With both the selfie and document match, a user has to provide the information or live picture to prove that they are who they say they are to confirm identity.

IDWG co-chair Hsin Hau Hanna explained that a key part of the ID proofing process is also verifying the integrity of the process that validates a given identity.

“The ultimate goal of having these ID proofing mechanisms in place is really to go back to enabling the FIDO authentication mechanism,” Hanna said. “So there’s a very important step in between those two which is how to make sure that we bind the ID proofing ourselves to the FIDO authenticator.”

FIDO for IoT

Another key area where FIDO Authentication will play a key role in the future is with the Internet of Things (IoT).

Intel’s Richard Kerslake, who co-chairs the IoT working group, explained during a session that one of the key goals of the group is to develop a standardized solution that automates the whole challenge of onboarding devices. Kerslake noted that it typically takes 20 minutes or more to onboard a new device.

“We want companies to be able to drop ship their device to the point of installation, have a semi skilled technician present to connect it to the network, and then have all of the provisioning handled in a secure and automated fashion,” Kerslake said.

A key part of the effort to enable secure authentication with IoT devices is the Secure Device Onboard (SDO) project, which was started by Intel and is now part of the Linux Foundation’s LF Edge organization. Giridhar (Giri) Mandyam, Chief Security Architect – IoT and Automotive, Qualcomm, and co-chair of the IoT working group, explained that the SDO project is effectively an open source implementation of the FIDO IoT standards. While much has been done, he emphasized that it’s still a work in progress that won’t be finalized until early 2021.

“Solving the challenge of secure device onboarding in the IoT world we believe is critical to the safe growth of IoT,” Mandyam said. “The FIDO Alliance, and its members, are really making great progress here.”

Moving Toward a Passwordless Future with FIDO

Among the end user organizations that spoke on the second day of Authenticate was CVS Health. Amy Ulrich, security advisor at CVS Health, commented during a session that her company is on a path to help make its consumer authentication experience not only secure, but easier to use. CVS Health is also on a path toward enabling passwordless experiences for consumers wherever possible.

Cisa Kurian, senior security advisor at CVS Health, said that her company is building out an authentication platform to provide passwordless authentication capabilities in its web, mobile, IoT and voice applications.

“Our goal is to increase friction for a potential threat actor, while enabling ease of use for the legitimate user,” Kurian said.

NTT Docomo is also on a journey to create a passwordless experience for its users in Japan. Koichi Moriyama, Senior Director of Security Service and Platform at NTT DOCOMO, detailed his organization’s FIDO adoption path beginning with the deployment of UAF 1.0 standards in 2015 and more recently moving to support FIDO2 standards.

“NTT Docomo is on a journey to create a world without passwords,” Moriyama said.

Intuit is also on the passwordless journey to help the customers of its various platforms including TurboTax, QuickBooks and Mint. Marcio Mello, Head of Product for Identity and Profile Platform & Solutions at Intuit, emphasized that consumers just want to get their own jobs done and don’t want to be wasting time with authentication. Reducing the friction associated with authentication, while still maintaining the highest levels of security, is critical for Intuit.

Mello explained how Intuit has embraced FIDO standards to help reduce authentication friction for users. The end result has been a measurable improvement to Intuit’s operations.

“Identity and authentication, instead of being a source of pain and drop is actually a source of reduction of costs and increase of customer satisfaction,” Mello said. “So we are now part of the success of the company.”

Authenticate Day 3 is Jam Packed

Coming up for day 3 of Authenticate is another packed slate of informative sessions. The opening session will see speakers from MassMutual and HYPR providing insight into how passwordless is taking center stage for the next generation of authentication. We’ll also see more companies detail how they are leveraging FIDO Authentication to protect their customers and employees including PNC Financial Services and Target, among others. The day will close out with a great panel session on the topic of standards and the future of payments – we can’t wait to see you there!

11 Nov 2020

Authenticate Conference Day 1: Continuing FIDO’s Audacious Mission

By: FIDO ALLIANCE STAFF

The inaugural Authenticate Conference got underway on Nov. 10, kicking off six days full of sessions on the future of authentication, including speakers talking about their organization’s experiences with FIDO and the route toward a passwordless future.

The opening day started with a series of keynotes, including cryptography pioneer Dr. Whitfield Diffie; Joy Chik, corporate vice president of identity at Microsoft; Stina Ehrensvärd, founder of Yubico; and Mark Risher, senior director of product management, security and privacy at Google. Setting the tone and the direction for the event as a whole, Andrew Shikiar, executive director and chief marketing officer for the FIDO Alliance, outlined in his keynote address why FIDO exists, the ecosystem of certified vendors and the path forward.

“The FIDO Alliance has always had a truly audacious mission: to change the nature of authentication, to move the entire world away from usernames and passwords and traditional multi-factor authentication to a much simpler and stronger way to log in with FIDO,” Shikiar said. “Audacious, yes, but given the progress we’ve made in 7-8 years… suddenly, this thing seems doable.”

Shikiar noted that over 2 billion devices support FIDO authentication standards today and more than 250 of the world’s leading organizations across a diverse set of industries are part of the FIDO Alliance. He went on to emphasize that all of FIDO’s specifications are built upon the same principles of usability, security and privacy preservation. He also touched on the impact of the pandemic on FIDO adoption.

“COVID has turned digital transformation from a buzzword with vague 5-year plans, to a massive imperative to get complete in 5 months,” Shikiar commented. “While COVID has thrown just about everyone’s development timelines out of whack, FIDO stands to provide banks and other businesses a strong and secure cornerstone for digital transformation.”

The Role of Cryptography in Enabling Privacy and Authentication

The FIDO Alliance and its specifications make use of public key cryptography to help enable user authentication and privacy.

Whitfield Diffie, who helped to create the foundations of modern cryptography, delivered a keynote address at Authenticate where he outlined the history of cryptography and explained why it is effective. In his view, despite having some problems, cryptography has made amazing progress over the last 50 years.

“How do you protect information that isn’t under your control?” Diffie stated. “Cryptography seems to be the only tool that is of any use.”

Microsoft’s View of a Passwordless Future

There are many reasons to like FIDO standards, and one of them is that passwords are widely disliked.

“At Microsoft we like to say that nobody likes passwords, except for the hackers,” said Joy Chik, corporate vice president of identity at Microsoft, during her keynote address.

Chik noted that passwords are the weak point in modern security. Microsoft handles over 30 billion authentication requests every day and what virtually every successful attack has in common is a weak or stolen password. She added that not only are passwords insecure, they are also a pain as millions of users forget their passwords, triggering reset requests that are one of the top help desk cost drivers.

“People need more secure and more convenient alternatives,” she said. “So it’s time to say goodbye to passwords.”

FIDO is a core component of Microsoft’s passwordless strategy as it aims to provide users with a secure way to authenticate. She noted that over 150 million Microsoft customers have already gone passwordless for a more secure, and more convenient, sign-in experience.

“We built FIDO support into Windows 10, so that you can use Windows Hello authentication without any relying party,” Chik said. “And we have enabled WebAuthn in the Microsoft Edge browser, so that you can sign into your favorite web apps and services using FIDO credentials.”

FIDO: A Seat Belt for Digital Security

During her keynote address, Yubico CEO and Founder Stina Ehrensvärd detailed how the introduction of seat belts in the automobile industry 60 years ago parallels authentication security today.

“Just like cars, the internet was not designed for security,” she said.

Ehrensvärd noted that in 1959 Volvo engineer Nils Bohlin invented the first three-point safety belt for automobiles. In the 1950s there were more cars than ever before on the roads and those cars were going faster, which unfortunately led to fatalities.

“Today we all use seatbelts and the good news is that while there are 10 times more cars than in the 50s, there is a smaller total number of fatal accidents,” Ehrensvärd said.

She added that the same steps that led to the introduction and adoption of seat belts can be used to help advance the state of authentication security and FIDO adoption, starting with acknowledging the problem at hand. The other key steps include: simplifying the user experience, driving open standards, measuring results, educating stakeholders, building trust with transparency and continuing to innovate.

Googling the Future of (Digital) Identity

As life and work have increasingly gone online during the pandemic era, there is little distinction anymore between a user’s identity and digital identity, according to Mark Risher, senior director of product management, security and privacy at Google.

In a keynote address, Risher explained that the foundation of digital identity is authentication technology. In Risher’s view, there are three key trends that are driving the future of digital identity: the need for protection, the ability to connect with multiple services and the desire for personalization. When it comes to security, like Microsoft, Google is seeing a threat from phishing attacks that steal user credentials.

“We have an antidote for that, and the antidote is the Security Key technology that FIDO has been driving from the beginning,” Risher said.

He noted that Google deployed FIDO Security Keys in 2017 for its employee base and has not had any successful phishing attacks since then. That technology has increasingly been made available to Google’s users in recent years to help protect high-risk individuals and organizations.

“Our digital identities, which increasingly are our real world identities, and authentication with FIDO standards are right at the heart of it,” Risher said.

More to Come on Day Two

Beyond the keynotes, the first day of Authenticate had other great sessions including one on how FIDO authentication can be used for the US government as an alternative to Common Access Card (CAC) or Personal Identity Verification (PIV) cards. IBM explained how it is deploying FIDO across its organization, and during a lunch and learn session attendees learned the basics of FIDO.

Day Two of Authenticate gets underway on Thursday November 12 with another packed day of content including identity verification, FIDO & IoT, best practices for deployment and more!