By: FIDO Staff
The Authenticate 2022 conference got underway on Oct. 17 with a stellar lineup of speakers that included enterprises, service providers and government agencies, all gathered to talk about the current and future state of strong authentication.
The opening session was led by FIDO Alliance Executive Director and CMO Andrew Shikiar, who detailed the progress that has been made this past year. Among the highlights mentioned by Shikiar was the launch of passkeys.
The FIDO Certified Professional program also got underway in 2022, providing a way for professionals to validate their skills. Work has also been done on usability and adoption, with initiatives designed to accelerate broad deployment of FIDO strong authentication.
“Our mission is to reduce industry’s reliance on passwords and legacy multi-factor authentication,” Shikiar said. “From day one we’ve had this audacious goal of shifting away from centrally stored shared secrets to a model that is more possession-based in nature and relies on common end-user devices. That has been our guiding principle.”
Marcio Mello, head of product, PayPal identity platform, talked about how the online payment company plans to leverage passkeys as a way to realize the promise of passwordless. Mello demonstrated workflows using passkeys, showing how easy it is for a user to authenticate.
“I would say this is an inflection point in our decade-long commitment as an industry, to a passwordless world,” Mello said about passkeys.
NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015. DOCOMO has helped shape FIDO specifications and is the first mobile operator to deploy FIDO authentication at scale. Shikiar welcomed Koichi Moriyama, a Chief Security Architect at NTT DOCOMO, to the keynote stage where he announced DOCOMO’s intention to support passkeys for its millions of d ACCOUNT users. Moriyama said support would begin in early 2023.
U.S. Government sees FIDO as the gold standard for MFA
The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) is taking a very active interest in strong authentication.
“We’ve known for decades that passwords are a weak link in cybersecurity and that the extra layer of protection provided by multi-factor authentication prevents cyber attacks,” CISA Director Jen Easterly said. “Yet only a small percentage of people are using it.”
Easterly emphasized that CISA is aggressively pursuing multiple initiatives to help spur adoption of multi-factor authentication (MFA) and more specifically FIDO standards-based strong authentication.
“We’re using this opportunity to shine the spotlight on FIDO as the gold standard for MFA and the only widely available phishing-resistant authentication method.”
Bob Lord, senior technical advisor, cybersecurity division at CISA, told the Authenticate 2022 audience that the technology industry has normalized something strange: the burden of staying safe is placed on the organizations that are least able to understand things like threat landscapes.
“We see far too many organizations failing in part because they have no idea they need to do this,” Lord said about strong authentication and FIDO adoption. “And that’s because they don’t have something that is nudging them in the right direction.”
Both Lord and Easterly advocated for technology vendors to make it easier for users to have strong authentication and provide security by default.
“Security features are customer rights, they’re not luxury goods,” Lord said.
FIDO Authentication has social impact
Jonathan Bellack, senior director, identity and counter-abuse technology at Google, outlined some of the challenges Google has seen in getting users to adopt MFA and passwordless security.
“Our user research has shown at least from a consumer point of view, users don’t draw a distinction between any of the words we use in the industry like security, privacy, abuse as it all just kind of fits into this great amorphous blob of safety,” Bellack said.
He noted that consumers have very little time and they just want to know if they can do whatever task they want or need to complete online. To that end, Bellack detailed multiple efforts that Google has underway to embed security in a way that doesn’t introduce friction.
Christopher Harrell, CTO at Yubico, explained during his session how FIDO authentication is being used by organizations around the world to help protect freedom and privacy. Yubico is working with the Freedom of the Press Foundation and Operation Safe Escape, among other organizations. The company has donated over 20,000 keys to support many different government agencies in Ukraine.
“We do hope that the war ends soon but in the interim, we hope that we can help protect infrastructure from cyber attacks,” Harrell said.
FIDO users detail adoption challenges and opportunities
A key part of the Authenticate 2022 program is user stories, and there were plenty to be told on the first day of the conference.
Ian Glazer, SVP product management at Salesforce, described the highs and the lows of his company’s MFA adoption efforts. Salesforce decided in the fall of 2019 that it wanted to achieve 100% adoption of MFA across its services and it’s a journey the company has been on ever since.
Salesforce’s path toward 100% MFA adoption involved both technical considerations as well as a massive effort to engage with users, which led to solid results. Glazer noted that at the end of Salesforce’s fiscal year approximately 80% of its monthly active users were using MFA or SSO. While 80% is a noticeable achievement, it’s not the 100% goal that Salesforce has set. Glazer emphasized that the pursuit of the 100% adoption figure forces his team to continue to innovate and find ways to push adoption.
Salesforce has noticed multiple benefits from MFA adoption so far, including cost reduction and security improvements.
“Because we adopted MFA, we have seen a dramatic reduction in account takeovers,” Glazer said.
Microsoft is also pushing hard for broad adoption as it aims to enable a passwordless experience for its users. Scott Bingham, Senior Program Manager in Identity, and Emily Houlihan, Senior Product Manager at Microsoft, explained in their session what lessons they have learned so far on their passwordless journey.
Bingham said that Microsoft has spent years rolling out support for temporary one-time passwords, security keys, authenticator apps and Windows Hello as different password replacement offerings. Microsoft is increasingly moving toward eliminating passwords entirely.
“People want passwordless,” Bingham said. “Security is important, but user experience is critical and helps to drive demand.”
USAA, which provides financial services to members of the U.S. military and veterans, is also adopting FIDO and MFA to help secure its users. Dereck Henson, technical security architect at USAA, provided a series of key lessons learned during his session.
His first lesson learned is that it’s a good idea to default to strong authentication from the start.
“We found that it’s a whole lot easier to start someone in an MFA, highly secured program, rather than to convince them to change their mind later,” Henson said.
Another key lesson USAA has learned is that, with a passwordless approach, being entirely passive and not showing users that authentication is in place is not a winning scenario. Henson said that USAA members were calling in saying they had been members for decades and couldn’t believe they could just log in with a fingerprint. To that end, USAA has had to add interstitial screens to its authentication workflow that tell users their access is being secured.
“So not only do you have to be secure, you have to actually look secure,” he said.
Financial service giant Citi has also embraced the FIDO strong authentication approach. Matthew Nunn, Director, Secure Authentication Architecture & Technology Engineering at Citi, did not mince words in his session about why there is a need to move away from passwords.
Nunn said that there really isn’t a meaningful way to make passwords more secure.
“The reason you’re doing passwords and we’ve been doing it for so long is because we are held hostage to the keyboard being the interface to use in order to interact with the system,” Nunn said.
He added that with passwordless, users are no longer held hostage and there is the ability to take advantage of capabilities in devices to authenticate, instead of users needing to regurgitate a password.
Day 2 of Authenticate 2022 is looking to be another packed day full of insightful content and discussion, with sessions on biometrics, consumer authentication habits, FIDO initiatives and more user sessions.
Want to attend the next two days of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.