When the FIDO Alliance (Fast Identity Online) holds its virtual Authenticate Virtual Summit on passkeys event this week, the focus will be on how enterprises are shifting away from passwords to the new passkey standards and technical innovations, constituting the latest advance in public key cryptography.
And well they should. People, on average, juggle some 100 passwords, according to one study by NordPass, and they still tend to use the same passwords across accounts — an open invitation to brute force exploits.
Passkeys change the game by reducing organizations’ threat surfaces and making log-in tasks across devices infinitely easier thanks to the pairing of biometric authentication with asymmetric cryptography. FIDO — which is similar to Bluetooth device pairing — makes it possible with a set of widely adopted open standards (Figure A).
Figure A
The FIDO Alliance has been working on reducing reliance on passwords for over a decade.
Andrew Shikiar, executive director of the FIDO Alliance, explained that a key ambition behind this initiative was addressing the fundamental data breach problem: Most data breaches involve stolen passwords. Indeed, according to Verizon’s 2023 Data Breach Investigations Report, 74% of all breaches include the human element and stolen credentials.
When you address passwords, you’re addressing data breaches, according to Shikiar. TechRepublic spoke with him about the shift from passwords to passkeys and how the new FIDO2, the third standard developed by FIDO Alliance, enables a frictionless, high-security user experience across desktop and mobile devices, designed to eliminate manual logins.
TR: The move to passkeys has been an evolutionary one, right? It’s been a process.
Shikiar: We have had several technical specifications that have come out over the years, the first being the biometric re-authentication use case: So, using native apps you sign in once, and every time after that you use facial ID or fingerprint biometrics only. Others included protocols for second-factor authentication, using a security key plus a password, for example.
TR: What’s the ‘Dummy’s Guide’ to what FIDO2 does?
Shikiar: FIDO2 enabled passwordless capabilities built directly into operating systems and platforms. It represents an evolution, a next step up the ladder, bringing those capabilities to the platforms themselves — bringing passkey functionality into operating systems, allowing for truly passwordless sign-ins. I type my username and touch my security key and I’m signed in. It also involves protocols: One focused on the device, which was developed by the FIDO Alliance, and the other focused on the web server or web site, and that’s WebAuthn; and you’ll be hearing a lot about that — we jointly developed it with W3C’s (World Wide Web Consortium) Web Authentication Working Group.
TR: What is WebAuthn, in practice?
Shikiar: It’s a core component of FIDO2, basically the API that any web developer can call up to allow for passwordless sign-in using device unlock. So whatever you use to unlock your device you can also use to log into websites, via WebAuthn. To do that, you have to be in possession of the device, and the process is frequently biometric, but could also be a PIN. And of course FIDO2 uses asymmetric public key cryptography, enabled once I verify myself on my device. The public key — the server-side secret — has no value. The private key sits securely on the device and the private and public “talk,” and the process by which the private key talks to the public key prevents phishing and remote attacks.
TR: Explain the evolution, the most recent, allowing a person to apply the private key on their device across all of their verified devices, and why was this done?
Shikiar: So looking at the older FIDO standard for on-device private keys, which is a high security posture, we found that because this private key must stay on the device, it was actually holding back user adoption.
If I have the private key to a site I use housed on my MacBook, I will need to re-enroll again on every other device because, again, the private key is only on my MacBook. This is not a good user experience and it forces the website to keep a different password for each device. So the FIDO2 implementation allows you to sync your private key across devices.
TR: Does this eliminate the need entirely for device-bound private keys?
Shikiar: You can still have device-bound passkeys like a YubiKey, which is obviously important for certain enterprise use cases requiring higher assurance and higher security. For most use cases, however, where the focus is on usability and ease of access while also providing an un-phishable mechanism, the new protocols are effective and secure.
TR: Meanwhile, password and identity management companies are adapting and encouraging the adoption of passkeys by users. What roles do Identity and Access Management Service and password managers play?
Shikiar: Now we are seeing companies like 1Password, Okta and Dashlane moving to passkey management.
SEE: Just what is Okta doing? Read here. (TechRepublic)
TR: But if the passkey is built into the operating system to allow cross-device access, why do I need a third-party password manager at all?
Shikiar: Because it goes beyond just saving passkeys. Personally, I have a password manager because I’m on an iPhone and PC, I have iCloud and Chrome, so I have a password manager across devices as a single source of truth for all of my accounts. They allow me to sync passwords and passkeys more easily across OS systems than if I depended solely on the OS system itself. It transcends password management. It is more like digital credential management; these companies add value to how people securely manage their lives online.
TR: The ultimate goal, I imagine, is that logging in becomes invisible and frictionless?
Shikiar: Before we released our user guidelines recently and we tested extensively… we discovered that the message that resonated most with users to get them dialed in was convenience — having an easier sign in experience. People are sick of resetting passwords. Tell me I don’t have to remember a password again? Yes, sign me up for that! So I think in general the convenience factor is something that will land well with consumers.
TR: When Google announced adoption of passkeys, that was the watershed moment for passkeys.
Shikiar: Yes, when they enabled passkeys for Google accounts and for Workspace those were both massive moments for FIDO adoption and authentication. There are early adopters already doing this — more sites now than we can track supporting passkeys — but Google doing this is huge. Obviously, they are a FIDO alliance stakeholder but that the technology is mature enough for Google to deploy it at scale and turn it on for billions of users, I can’t think of a more powerful statement that they believe in this technology, are presenting it to consumers and they actually need it.