Intro to Passkeys and the State of Passwordless.pptx

FIDO Alliance, 33 slides, May 15, 2024

About This Presentation

FIDO Seminar RSAC 2024


Slide Content

Intro to Passkeys and the State of Passwordless Andrew Shikiar Executive Director & CEO FIDO Alliance

Today's Agenda (approximate start time, session, speaker(s))

Session 1: Building the Business Case: Intro to Passkeys & Passkeys in Action
1:15 – 1:40  Intro to Passkeys and the State of Passwordless (Andrew Shikiar, FIDO Alliance)
1:45 – 2:05  Passkeys Deep Dive (Shane Weeden, IBM)
2:10 – 2:30  How Hyatt Drives Exceptional Customer Experiences with FIDO Authentication (David Treece, Yubico; Art Chernobrov, Hyatt Hotels)
2:35 – 2:55  Passkeys in the B2B2C World – A Journey to Passwordless (Tushar Phondge, ADP; Sanjoli Ahuja, ADP)
2:55 – 3:10  Break

Session 2: Technical Implementation: Implement Passkeys & Meet the Experts
3:10 – 3:30  Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats (Bojan Simic, HYPR)
3:35 – 3:55  New UX Guidance for Implementing Passkeys (Kevin Goldman, UXWG, FIDO Alliance; Philip Corriveau, RSA)
4:00 – 4:20  Tales from a Passkey Provider – Progress from Awareness to Implementation (Nick Steele, 1Password; Shane Weeden, IBM; Megan Shamas, FIDO Alliance)
4:25 – 5:15  Implementation AMA – Ask your passkey questions! (Nick Steele, 1Password; Christiaan Brand, Google; Shane Weeden, IBM; Megan Shamas, FIDO Alliance)

What is the FIDO Alliance? We are a global tech consortium standardizing password-free sign-ins.

Backed by global tech leaders: sponsor members, associate members, liaison members and government members.

FIDO since 2013: Simpler and stronger. Open standards for simpler, stronger authentication using public key cryptography: single gesture, possession-based, phishing-resistant authentication. (Chart: security from weak to strong, usability from poor to easy.)

The very positives:
Provide a great alternative to traditional smart card deployments in high-risk environments.
Offer phishing-resistant multi-factor authentication in a single authenticator.
Increase the security of consumer two-factor authentication.

But challenges for scale:
Inconvenience of physical security keys.
Higher barrier to adoption for users who don't (want to) use two-factor authentication at all, and are stuck with passwords.
Challenges with embedded authenticators as a second factor.

When our primary factor is passwords … the foundation of authentication is fundamentally flawed. Passwords are easily phished or socially engineered, difficult to use and maintain.
81% of hacking-related breaches are caused by weak or stolen passwords (Ping Identity).
43% gave up on a purchase because they forgot their password (FIDO Alliance).
76% rise in direct financial loss from successful phishing attacks from 2022-2023 (Proofpoint).
64% either use weak passwords or repeat variations of passwords (Keeper).

Layering on does not work. Headlines: "The art of MFA Bypass: How attackers regularly beat two-factor authentication"; "Phishing Attacks Rise Sharply in Southeast Asia: Kaspersky Detects Over 43M Email-Based Phishing Attacks Across Region in 2022"; "Brace for more phishing, scams, data breaches, APT attacks in APAC 2024"; "Data breach cost Latitude $76 million: Cyber attack on Australian company Latitude Financial saw the personal data of up to 14 million customers stolen." …then our additional layers, while well-intended and necessary, are there to cover up password problems. They are often still phishable, socially engineered, difficult to use and maintain.

Generative AI adds fuel to the phishing fire.
54% of consumers have noticed phishing messages become more sophisticated in the last 60 days (FIDO Alliance).
1265% rise in malicious phishing emails since Q4 2022 (SlashNext).
967% rise in credential phishing in particular since Q4 2022 (SlashNext).

A fundamental pivot is needed: What if we could replace the outdated legacy model of "password + something else" with a single factor that was much more secure and easier to use? If phishing is now the primary threat, a single phishing-resistant authenticator is more valuable (in most cases) than two factors which are both easily phished.

Enter: Synced passkeys. Passkey /ˈpas-kē/ (noun): A FIDO Authentication credential that provides passwordless sign-ins to online services. A passkey may be synced across a secure cloud so that it's readily available on all of a user's devices, or it can be bound to a dedicated device such as a FIDO security key.

A bit deeper on new(er) terminology:
A passkey is any passwordless FIDO credential.
Raises the bar for both security and UX.
Is most commonly synchronized across a user's devices, but doesn't have to be.
A passkey provider might be a platform/OS vendor, or 3rd-party software such as a password manager.
Facilitates new device bootstrapping and simplifies account recovery.
Security of synced passkeys is the responsibility of the passkey provider.
Live passkey providers include Apple, Google, Dashlane, 1Password.

Same approach, with new syncing capabilities. FIDO Authentication flow: the service provider sends a challenge; the authenticator performs user verification (a user gesture is required before the private key can be used) and returns a signed response. The private key is dedicated to one app; the public key is stored at the service provider. The private key can be securely synchronized across devices.

World Password Day 2024: Consumer Password & Passkey Trends (www.fidoalliance.org)

Passkey support today: 98%+ of active browsers; 96%+ of mobile devices; 20% of the world's top 100 websites and services; 12% of the world's top 250 websites and services. More than 13B accounts can now leverage passkeys for sign in.

FIDO's Focus on Usability. Available now: FIDO Design System (UX guidelines for passkeys, security keys, and device authenticators) and UI Kit. Coming soon: Passkey Resource Center.

Rapid adoption

Proven success (reported deployment results):
30% opt-in in first 24 hours; 4.7x improvement in time to complete and improvement in success rate; 50% reduction in abandonment rates; reduced account recovery calls and call center attacks.
4x improvement in sign-in success rate (vs passwords); half the sign-in time.
Within the first few months: 97% login success rate; 14% eligible user adoption rate; 2% reduction in SMS OTP login.
Sign-in success rate grew from 67.7% (SMS 2FA) to 82.5%, over a 21% improvement; authentication time decreased from 17s (SMS 2FA) to 4.4s, nearly 4x faster.

Government utilization of FIDO Authentication

Reframing the regulatory narrative: "Syncable authenticators that are deployed under the requirements set forth in this supplement SHALL be considered sufficient to protect against threat contemplated under AAL2."

Stop checking a box for "MFA"… and start thinking about phishing resistance rather than "factors". A synced passkey is always better than a password alone. If you're using password + SMS OTP, passkeys are better.

Stop checking a box for "MFA"… and start thinking about your business requirements. One size doesn't fit all: consider business, regulatory, and security requirements. Options: pair with another factor; leverage risk signals; require a device-bound passkey.

Looking forward...

The Old Way: Every Part of the Online Account Lifecycle Susceptible to Attacks.
1. Account Enrollment: KBA; weak remote IDV systems tricked by synthetic documents and fabricated biometrics = accounts created with stolen or synthetic identities.
2. Authentication: passwords; phishable MFA = account takeovers via phishing, man in the middle, credential stuffing and other attacks.
3. Account Recovery/Reverification: only as sound as 1 and 2! = major vector for account takeover.

The New Way: advanced technologies for remote identity verification snuff out attacks. Reliable and accurate document verification. Biometric verification checks for liveness to identify spoofs (photos of screens, 2D & 3D masks, image upload manipulation, etc.); biometric systems have advanced reliability and presentation attack detection. Backed by FIDO Certification programs: tested by accredited third-party labs, removing the need for vendor "bake offs". Programs: Biometric Component Certification; IDV Document Authenticity; IDV Selfie & Face (coming soon).

The New Way: Securing Every Part of the Account Lifecycle.
1. Account Enrollment: strong remote IDV systems can detect synthetic documents and fabricated biometrics = accounts created only for individuals with proven identity.
2. Authentication: FIDO phishing-resistant authentication with passkeys = strong security at every sign in.
3. Account Recovery/Reverification: as sound as 1 and 2! = accounts are NOT taken over through account recovery and re-verification methods.

Questions?