By: FIDO Staff
Passwords are everywhere, with both enterprises and e-commerce organizations feeling the pain as much as, if not more than, most.
At the Authenticate Virtual Summit: Authentication in Financial Services and Commerce on March 29, industry experts and practitioners outlined The FIDO Fit for Enterprise and Customer Sign-ins. Throughout the half-day event, the topic of passkeys was a primary theme, with speakers outlining how they work, where they fit in and why they are essential to helping the world move away from legacy passwords and less secure multi-factor authentication.
Andrew Shikiar, executive director and CMO of the FIDO Alliance, opened the event with some insights on the many benefits that passkeys can bring to enterprise and commerce users. Those benefits include helping users to get online faster with higher levels of satisfaction. Passkeys may also be able to help improve the bottom line for e-commerce vendors.
“If you’re an e-commerce vendor, imagine reducing the shopping cart abandonment rate by even 10%,” Shikiar said. “Our data shows that 50% of consumers that had to abandon a purchase in the past six months did so because they forgot your password and that’s a huge opportunity cost.”
While FIDO authentication has been available for anyone to use for over a decade, Shikiar noted that there have been some adoption challenges. Passkeys are, in part, a solution to some of those adoption challenges. With passkeys, there is a more recognizable set of common terminology and the technology also provides a familiar flow for users that aims to reduce friction.
In the enterprise, Shikiar said that passkeys are a very natural fit for things like BYOD [Bring Your Own Device] authentication, allowing employees to sign in with apps on their phones.
“This is becoming more the norm than the exception, and passkeys are just a very natural fit for that environment,” Shikiar said.
The State of Authentication 2023
Make no mistake about it, there are a lot of problems with passwords. To add some metrics to the argument against passwords, Jay Roxe, CMO at HYPR, provided some insights from his firm’s State of Passwordless Security 2023 report.
Roxe noted that one of the things that really jumped out to him was that three out of five of the organizations that HYPR talked to for the report had an authentication-related breach over the past year. He added that each of those organizations had nearly $3 million in costs associated with those breaches on a 12-month basis. Financial services was the most highly attacked industry vertical, with 81% of financial services organizations having recorded some type of attack or breach related to authentication.
The HYPR report also attempted to discover why organizations will move to deploy passwordless approaches to strong authentication. Roxe emphasized that it’s critical to have a good user interface and flow, otherwise the technology won’t get adopted. In fact, the report found the top reason why organizations are looking to adopt passwordless is to improve the user experience.
“Until we nail that user experience, we’re fundamentally not going to be any better off than we are today,” Roxe said.
Among the most interactive sessions of the event was one on the basics of how passkeys work, which kept moderator Megan Shamas, senior director of marketing at the FIDO Alliance, very busy handling questions from the engaged audience at the end of the session.
The session got started with Tim Cappalli, identity standards architect at Microsoft, outlining the historical path of FIDO standards. The big milestones along the path include the debut of the U2F specifications in 2014, FIDO2 in 2017, WebAuthn in 2019 and just last year the emergence of passkeys.
“It has been a journey,” Cappalli said. “We think that in the last two to three years, we really have been moving towards the last step to moving people beyond passwords.”
Cappalli outlined how passkeys work and what the primary advantages of the approach are. He explained that a passkey is fundamentally a FIDO credential with some new properties. Among the properties highlighted by Cappalli are:
- Autofill. With Autofill, much like the experience users have today with a password manager, a passkey can be automatically injected into an authentication flow on existing websites.
- Cross Device Authentication. Instead of a credential being tethered strictly to a single device, passkeys enable a credential to be durable across environments, enabling a phone for example to be able to bootstrap another device or ecosystem.
Championing FIDO adoption at scale
Few professionals have had as much experience deploying FIDO at scale as Marcio Mello, who has led efforts at PayPal, Intuit and eBay.
Mello outlined in great detail the steps that organizations can and should take to support FIDO strong authentication. In his view, the benefits are obvious.
“As soon as we could, we started doing WebAuthn deployment at eBay and saw the benefits almost immediately,” Mello said.
For Mello, passkeys are the next massive step forward as it’s an approach that will reduce consumer friction and hopefully enable adoption at scale. It is fundamentally the ease of use that passkeys promise that is literally the key.
“Consumers expect to see and use a password,” he said. “Yes, everybody’s tired of them, but it’s like smoking, most smokers would like to stop but they can’t, sure they know it’s bad, but you need to have the motivation and a very low bar of ability to be able to drive a habit change.”
FIDO and Zero Trust
In the security world, zero trust is an increasingly common concept that advocates an approach where users and entities need to be constantly validated to limit risks.
For Kurt Johnson, chief strategy officer at Beyond Identity, there is a clear intersection between FIDO authentication and zero trust. After all, a core foundation of zero trust is the need to constantly authenticate users, and if organizations aren’t using strong authentication, that’s a weak link.
Johnson said that with zero trust there is a need to assess and establish a high level of trust in the user identity. That just can’t be done effectively through passwords, and that’s where there is a need for FIDO Certified authentication, which is unphishable.
Helping Amazon’s drive to be customer-obsessed
Amazon operates one of the world’s largest e-commerce sites and it’s also a strong advocate and supporter of the FIDO Alliance.
Yash Patodia, principal product manager, tech, world wide consumer at Amazon, said that his team is always looking to improve usability. One of the efforts to improve has been a move to remove passwords wherever possible. Patodia said that Amazon uses FIDO security keys for its own internal security, which has worked well.
While security keys have worked for Amazon’s own internal needs, he noted that they can be difficult for consumers to adopt. That’s one of the many reasons why he’s particularly excited about passkeys.
“I think it’s a great leap forward from the password, OTP (one time passwords) and the security keys world,” Patodia said. “Some of the benefits I can see for passkey is that it really makes it very easy for the customer to use.”
Making it easier for consumers is critical for Amazon overall as it’s core to the company’s mission.
“We have this term at Amazon we use a lot called customer obsession,” Patodia said. “And this fits perfectly for us in that this is actually a customer obsessed product where we are making it very easy for the customer to do what they want to do.”
PNC Bank looks to protect its users with FIDO
Susan Koski, CISO of PNC Bank, knows all too well the challenges of passwords; that’s why she’s such a strong advocate and supporter of FIDO.
She noted that criminals are going after user passwords in a bid to take over accounts. Among the risks that she is trying to help limit is that of phishable credentials, such as passwords.
“We really do want to reduce those phishable credentials but we do it in a way that a customer wants to use the service,” Koski said. “Balancing security and the customer experience. I think that’s just been a mantra for us in information security in cyberspace for a while.”
Koski said that PNC Bank has embraced FIDO as a way to help move towards passwordless over time. The importance of taking a standardized approach that benefits from the support and participation of a broad array of participants is critical as well.
“Passwords have been around for 50 plus years and it’s time, it’s beyond time for us to move past passwords,” Koski said.
Enterprise guidance for passkeys is on the way
Looking forward, Megan Shamas of FIDO Alliance outlined a series of efforts that are underway to help provide more enterprise guidance for passkeys.
“We will be publishing a group of five papers that address what we hope to be the majority of the use cases that are out there on the enterprise,” Shamas said.
The five papers include:
- Introduction to passkeys in the enterprise
- How to replace password-only authentication with passkeys
- How to displace password + SMS OTP authentication with passkeys
- FIDO authentication for moderate assurance use
- High Assurance Enterprise FIDO Authentication
“If you would like to be part of the conversation around enterprise requirements, please do get in touch with us,” Shamas said. “This is the time now really to give your input on how we’re looking at passkeys from an enterprise perspective.”
Registrants can now view the event recording online. If you missed the event and would like to view the recording, visit the event website to register for access.