Recap: Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise
By: FIDO Staff
Passkeys are emerging as a more secure alternative to passwords and legacy multi-factor authentication for logging into websites and apps, and enterprise IT teams are exploring how to deploy passkeys within their organizations.
On June 29, at the Authenticate Virtual Summit organized by the FIDO Alliance, experts discussed the considerations and best practices for deploying passkeys in the enterprise. The virtual summit coincided with the release of a series of white papers by the FIDO Alliance providing detailed guidance to organizations considering passkeys.
“Passwords are fundamentally flawed today,” said Dean Saxe, senior security engineer at Amazon Web Services. “81% of hacking-related breaches are caused by weak or stolen passwords. We fundamentally have to change how we manage authentication online.”
With passkeys, there is now an easier, more user-friendly way to enable strong authentication using FIDO standards. Saxe explained that there are two types of passkeys: syncable cloud-backed passkeys and device-bound passkeys. Syncable passkeys provide convenience, while device-bound passkeys provide higher security. He noted that different passkey types may be suitable for different enterprise security needs.
When the target is better security, passkeys are the answer
According to Tom Sheffield, senior director, cybersecurity at Target, there are five core passkey considerations for enterprise relying parties.
- Passkeys are a password replacement
Sheffield stated that passkeys are safer, faster and easier to use than a password. He explained that a passkey is a FIDO credential that is phishing resistant, cryptographically backed and leaves no secret to be stolen or compromised.
“If you take nothing else away today, remember that passkeys are better than passwords, period,” he said.
- Passkeys are a multi-factor authenticator
For many organizations that today are relying on passwords with legacy multi-factor authentication (MFA), Sheffield said that synchronized passkeys should work as an MFA authenticator.
- Client configuration matters with synced passkeys
There are some nuanced configurations that organizations will need to deal with for synced passkey deployments. Among them is how mobile device management (MDM) is handled.
- Threat landscape changes with synced passkeys
Sheffield explained that synced passkeys involve some dependence on the passkey providers. There also remains a risk of downgrade attacks that enterprises need to recognize.
“I’m not aware of any RP (relying party) who’s actually getting rid of the password completely yet,” Sheffield said. “They still exist and because they still exist, they are still at risk of being attacked.”
- Passkey education is necessary
Passkeys are easier, but they’re also different. Sheffield emphasized that education of users and stakeholders is critical.
Identifying the right users and applications for passkey adoption
The importance of user and IT education about passkeys was also emphasized by Jay Roxe, CMO at HYPR.
While organizations need to understand the different technology deployment options for passkeys, they also need to educate users so that they want to use passkeys.
Roxe detailed multiple case studies of different organizations’ adoption of passkeys. He noted that there needs to be a marketing strategy for convincing employees that they want to adopt the technology.
“Changing people’s beliefs and behaviors is hard,” Roxe said. “It’s going to require frequent dynamic communication with early successes and opportunities for people to engage.”
Khaled Zaky, senior product manager at Amazon Web Services, explained that when considering replacing passwords with passkeys there is a need to identify both the targeted applications and the users for those applications.
“What are these applications and what are the devices that we use and work backwards to understand the customer user device preference as it will influence your decision to choose the right passkey solution for your consumers,” Zaky said.
Moving from SMS OTP to passkeys
Passkeys are not just better than passwords on their own; they are also a more secure form of MFA than legacy approaches such as one-time passwords (OTP) sent via SMS.
Jing Gu, product marketing lead at Beyond Identity, said that attackers are constantly trying to get their hands on the second factor. Additionally, she said that OTPs are vulnerable to phishing, replay attacks, man-in-the-middle attacks and social engineering.
“Passkeys are of course phishing resistant by default, replay resistant, don’t require out of band and are scoped to a particular relying party’s domain,” Gu said.
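The properties Gu lists come from checks the relying party performs on every passkey assertion, not from the authenticator alone. The following is an added example (not code from the summit, FIDO Alliance or any of the speakers' companies) of those checks on the server side: the assertion's origin and RP ID hash must match the relying party's own domain (this is what scopes a passkey to one domain and defeats a look-alike phishing site), and each challenge is single-use (this is what makes a captured assertion useless for replay). The RP ID `example.com`, the origin, the `ChallengeStore` and the `make_authenticator_data` helper are assumptions constructed for the example; the ECDSA/RSA signature check over `authenticatorData || SHA-256(clientDataJSON)` is assumed to be done by a WebAuthn library and is not repeated here.

```python
"""Relying-party-side binding checks for a passkey (WebAuthn) assertion.

Added example with constructed data. The signature itself is assumed to be
verified by a WebAuthn library; this file shows only the checks that give
passkeys their domain scoping and replay resistance.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"                 # hypothetical relying party ID
EXPECTED_ORIGIN = "https://example.com"  # the only origin we accept


class ChallengeStore:
    """Issues random single-use challenges; a challenge is consumed when verified."""

    def __init__(self):
        self._pending = set()

    def issue(self) -> str:
        challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
        self._pending.add(challenge)
        return challenge

    def consume(self, challenge: str) -> bool:
        # Returns True exactly once per issued challenge: a second presentation is a replay.
        if challenge in self._pending:
            self._pending.remove(challenge)
            return True
        return False


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructs the fixed 37-byte prefix of authenticatorData (rpIdHash || flags || counter)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     store: ChallengeStore, stored_sign_count: int) -> tuple[bool, str]:
    """Binding checks from the WebAuthn assertion procedure. Returns (ok, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Origin binding: the browser fills in the origin the user actually visited,
    # so an assertion collected on a look-alike domain fails here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    # Replay resistance: the challenge must be one we issued and not yet used.
    if not store.consume(client_data.get("challenge", "")):
        return False, "unknown or already-used challenge (possible replay)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # RP ID binding: the authenticator signs over SHA-256 of the RP ID it was scoped to.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    # Counter check; synced passkeys commonly report 0, which is treated as "not supported".
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


if __name__ == "__main__":
    store = ChallengeStore()
    challenge = store.issue()
    # Constructed clientDataJSON as a browser on the genuine origin would produce it.
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": EXPECTED_ORIGIN}).encode()
    auth_data = make_authenticator_data(RP_ID, 0x05, 1)  # UP + UV flags, counter 1
    print(verify_assertion(cdj, auth_data, store, 0))    # first use: accepted
    print(verify_assertion(cdj, auth_data, store, 0))    # same assertion again: rejected as replay
```

The order of the checks matters: the origin is compared before the challenge is consumed, so a rejected assertion from a wrong origin does not burn the legitimate challenge, while a replayed assertion is refused even though every other field is valid.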
Josh Cigna, solution architect at Yubico, explained that the guidance for moving from OTP to passkeys is to start small and then expand.
“Plan and come up with a very controlled scope of friendly users, start with your administrators, your users that have some technical savvy, and run them through pilot deployment,” Cigna said. “Listen to the feedback, look at the responses, look at the adoption rate, understand what their hurdles were and then, like the shampoo bottle, rinse and repeat.”
Gu added that as part of the migration process it’s critical to also have metrics to measure success. Adoption metrics include time of first registration, daily registrations and the percentage of users with passkeys.
Passkeys for moderate and high assurance enterprise environments
Passkeys have broad utility and can be deployed to support different levels of security assurance. Whether an organization chooses device-bound or synced passkeys will typically depend on the level of assurance that is required.
Jerome Becquart, COO and CISO at Axiad, explained that organizations need to look at both their security and user experience requirements across environments to understand what is needed and what type of passkey deployment is ideal.
“Whatever version of passkey you’re using, you will have good usability and you will have good security,” Becquart said.
Sean Miller, chief architect at RSA, explained that, generally speaking, high assurance enterprises deal with very sensitive data and, as a result, any data breach has severe consequences. High assurance organizations tend to be heavily driven by regulatory requirements and have robust controls around access.
“If you’re looking at a high assurance use case, chances are those controls are the most critical thing for you, where you probably want the control of the device bound passkey,” Miller said.
Wrapping up the event, Megan Shamas, senior director of marketing at FIDO Alliance, provided attendees with a series of key takeaways.
- Passkeys are discoverable FIDO credentials
- Passkeys are better than passwords
- Passkeys are appropriate for all enterprises – whether synced or device-bound will depend on your particular use case
- Get the papers and get started on the path to passkeys.
The papers in the series are:
- FIDO Deploying Passkeys in the Enterprise – Introduction
- Replacing Password-Only Authentication with Passkeys in the Enterprise
- FIDO Authentication for Moderate Assurance Use Cases
- High Assurance Enterprise FIDO Authentication
- A fifth paper in the series, “Displacing Password + SMS OTP Authentication with Passkeys,” is expected to be published later this summer.
The recording for the event is now available on the event platform.
Want to learn more about deploying passkeys? Attend Authenticate 2023 on October 16-18 in Carlsbad, CA!