Andrew Shikiar, FIDO Alliance Executive Director & CEO
Adoption of passkeys has grown rapidly since the introduction of sync capabilities less than two years ago, with passkeys being offered by a large and growing proportion of the world’s most visited websites and services. This adoption has come in large part because passkeys offer a true password replacement, helping address the well-known security and user experience weaknesses of knowledge-based authentication like passwords and even other second-factor methods like SMS OTPs.
Market adoption of new technology naturally moves faster than the associated policy and regulatory guidance – which for user authentication still generally reflects the password-centric worldview from when such guidance was developed. This is why we are excited that NIST has taken a lead amongst government agencies and moved quickly to provide new supplemental guidance confirming that synced passkeys meet Authentication Assurance Level 2 (AAL2).
This new NIST guidance makes clear that passkeys – like other FIDO authenticators – can support both AAL2 and AAL3 requirements. Synced passkeys can be AAL2 and device-bound passkeys can be AAL3.
Crucially, the NIST supplement also recognizes synced passkeys deployed in a manner consistent with the guidelines as phishing resistant. This has obvious benefits in a world where 87% of hacking-related breaches are caused by weak or stolen passwords and where there has been a 967% rise in credential phishing since 2022.
Passkey adoption to be boosted by the ‘reassurance of assurance’
While the rate of passkey adoption to date has been nothing short of phenomenal, some organizations – particularly those in regulated industries – understandably want to see that key government bodies accept and recommend new technologies like passkeys before supporting them at scale.
We have heard this from our partners and constituents across the globe about NIST in particular, whose digital identity guidelines are a global gold standard frequently cited by other countries. Today’s supplemental guidance from NIST removes a critical barrier to passkey adoption, which now stands to be further accelerated.
However, there is still work to do. We are working closely with other agencies across the globe to educate them about passkeys and the importance of phishing-resistant authentication, and are encouraging them to update legacy policies, guidelines, and regulations to ultimately allow all organizations, wherever they are, to confidently provide more secure and more convenient authentication to their users and customers.
Building NIST guidance into business best practices
Identity and authentication architects should contemplate NIST’s supplemental guidance as part of their broader digital identity strategy. For example, for every use case where password + OTP was used in the past, a synced passkey deployed in accordance with the new NIST guidance is not only sufficient to meet AAL2 requirements, but also more effective. In the vast majority of deployment scenarios, synced passkeys will provide a significant security and UX improvement over today’s authentication patterns – almost all of which are susceptible to phishing.
If organizations have specific business, regulatory, or other security requirements, they can choose whether to accept a synced passkey as the primary authentication method or as a second factor, to pair it with a risk engine, or to require a device-bound key. Today’s guidance frees architects from thinking about authentication layers so they can focus instead on business requirements and related threat models. And today’s primary threat model of phishing and social engineering can be directly addressed by utilization of passkeys.
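To make the synced-versus-device-bound distinction actionable on the relying-party side, a verifier can read the backup-eligibility (BE) and backup-state (BS) flags that WebAuthn authenticators set in `authenticatorData`. The following is an added example, not FIDO Alliance or NIST code, that parses those flags and maps an assertion to the highest AAL it can support under the mapping described above; the `max_aal` helper, its numeric return convention, and the sample data are assumptions for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the WebAuthn authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric checked by the authenticator)
FLAG_BE = 0x08  # backup eligible: the credential may be synced across devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced


@dataclass(frozen=True)
class PasskeyAssertion:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool   # True -> synced passkey; False -> device-bound
    backed_up: bool
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> PasskeyAssertion:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return PasskeyAssertion(
        rp_id_hash=auth_data[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def max_aal(assertion: PasskeyAssertion, rp_id: str) -> int:
    """Highest AAL this assertion can support (assumed mapping, per the text above):
    synced + UV -> 2, device-bound + UV -> 3; other AAL3 conditions assumed met."""
    if assertion.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return 0  # assertion was produced for a different relying party
    if not assertion.user_present:
        return 0  # no proof of a user gesture at all
    if not assertion.user_verified:
        return 1  # possession only: a single factor, short of AAL2
    return 2 if assertion.backup_eligible else 3


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a constructed authenticatorData sample (no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

A deployment that only needs AAL2 accepts any assertion with `max_aal(...) >= 2`, while a requirement for a device-bound key simply raises the threshold to 3.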
