Andrew Shikiar, executive director and CMO, FIDO Alliance
FIDO Alliance released a paper today that outlines the next steps in the evolution of FIDO and passwordless authentication adoption. Specifically, we are introducing the concept of multi-device FIDO credentials to address current challenges with account recovery for consumer deployments at scale.
FIDO Alliance has really been successful in changing the nature of authentication – FIDO Authentication is now built into every leading device and browser and many major brands have made FIDO logins available to their users.
However, a challenge that persists is the requirement that users enroll their FIDO credentials for each service on each new device, which typically requires a password for that first sign-in. So what happens to your FIDO login credentials and how do you recover your account if you change your phone or laptop? They are not recoverable in today’s FIDO model. This presents issues for deploying FIDO at scale to consumers who are constantly moving between devices and updating to new ones. This is less of a challenge in the enterprise, where companies can solve this issue by deploying internal management tools used to support passwordless authentication, and for employees to recover accounts and credentials.
So while FIDO is available to deploy at scale today, a feature has been missing to make it as fully ubiquitous and available as passwords: the ability to have your FIDO credentials available to you across all of your devices, even a new one, without having to re-enroll for every account.
Introducing multi-device FIDO credentials
The new paper released today outlines the next steps for the evolution of FIDO to address this limitation. The paper introduces multi-device FIDO credentials, also informally referred to by the industry as “passkeys,” which enable users to have their FIDO login credentials readily available across all of the user’s devices. This will help service providers bring passwordless sign-in to consumers at scale by addressing the issue of account recovery – the key barrier to mass adoption of cryptographically secure, passwordless authentication.
The paper outlines how the FIDO Alliance and the W3C WebAuthn working group propose to achieve this, which includes two key updates:
- The ability to use a phone as a roaming authenticator through a defined protocol to communicate between the user’s phone (which becomes the FIDO authenticator) and the device from which the user is trying to authenticate.
- Making FIDO credentials universally available on all the user’s devices to ensure they can survive device loss and sync across different devices
By introducing these new capabilities, we hope to empower websites and apps to offer an end-to-end truly passwordless option; no passwords or one-time passcodes (OTP) required. The user experience of sign-in becomes a simple verification of a user’s biometric or a device PIN – the same consistent and simple action that consumers take multiple times each day to unlock their devices. The vision is that these experiences will be available across all our devices, operating systems and browsers.
FIDO Alliance sees the introduction of multi-device FIDO credentials to be an important step towards deployment of phishing-resistant FIDO authentication at a broader scale in many use cases that today are totally reliant on passwords or legacy forms of MFA such as SMS OTPs that are under increasing attack.
We’re looking forward to hearing from industry stakeholders about this development and will be sharing more details on a webinar in April.
