FIDO for Developers - How Developers Can Master FIDO and Passwordless Authentication Without Adding Unnecessary Complexity.

All right. This session will be about Fido, Fido, authentication, Fido, four developers. So a bit of out of a developer perspective without going onto the technical details too much. Today, few words about myself, I already said it. I'm the founder and CEO of Vango. I'm active in the fi year working group. We are driving the marketing efforts mostly, but also creating white papers about Fido and its applications and banking. For example, on the PST two requirements. And I'm also recently joined our also recently joined the fi two technical working group. So there's no talk about Fido without the, the P word, the passwords and big gates predicted their desk. And in 2004, so 17 years ago, let's see where we stand. 2 billion credentials are stoned each year from service. So credentials, meaning passwords, mostly and 81% of the cases. The data breaches itself are caused by weak or stone passwords and the cost for a company impacted by a breach like this around 5 million. So I ask you a question, why is every login today looking like this still right. 17 years later, and, and many technology steps later, and with webinar, sand and fighter two, this, this, this screenshots are from, from last week. So it's pretty, pretty the latest we can get and all of them have a password in it. So it's not passwordless.
We can have an experience like this. You enter your email address. There are instances where you don't even have to do that, but I, I, I skip that for today. The next would be a touch ID or a window cell, or a biometric authentication on your Android device. And you're in, this is the experience that is possible today. So this quote here, I found it and I like it. Making things simpler is actually hard work. And we came across this and of course, everyone involved in the Fido efforts will agree to that. Having, creating an experience for the user as I showed this very, very much work to do. And I go through some steps that are, that are, have to be taken care of when implementing Fido. And yeah, I just guide you through it.
Andrew mentioned this in the last session as well about Fido, how to log in on a new device. This is one of the key questions you have to ask yourself. So with vital, the credentials are bound to the device you are actually using in that moment. So you go to from your laptop to your phone, what do you do the need to be some form of rollback, fallback authentication mechanism today? There's no way around it next web and platform authenticators. So the technology that drives the experience I showed, they are available to around 35, to 80% of all users, but not a hundred percent of our users. You have to make sure that you also create an experience that caters to the other 20 or whatever percent of users that are not able to enroll their platform. Authenticator. Next, I get that a lot. Registering a two F a platform.
Authenticator does not make your account two F a protected. If the fallback authentication is still a password, your account is protected with that password. Make sure you, you know, that. And the next thing is, and this is maybe an answer to the first question you can switch to passwordless alternatives. And one, one hot topic today is we call them parcelling. Some companies are calling the magic links. So this allows an account to be created and to be used on a new device, without a password. So, but to, to make your account, to have a protected, you also need additional steps aside from the, from the pass link. And this could be, for example, if I security key, when you integrate the platform authenticator, you almost have everything to also support security keys, and a security key would be perfect. Second step after a past link, if your audience is suitable for that next, you have to integrate fi application stack.
There are solutions available on the market. We offer one of them that have SDKs and integrations plugins for, for all major platforms, but you always should start with UIUX planning. How is the user experience impacted by rolling out fi to your users? This is what we always propose to start with next. Most users never heard, unfortunately, never heard of fi or web. So you have to be careful how you, how you tell this new feature, how you announce it to your users. And as I, as I said already, don't build your own Fido stack. Their solutions already available, open source projects were maintained. And also, like I said, we offer for example, web and API backend, that does everything that that's need to be done. And you can just go ahead and, and build your application logic around that. And of course, I think the highest, the best and the least, the least code involved will be when you use an open ID connect identity provider that has native support for webs and already integrated.
So migrating is my third point. I want to dig into, we propose for migrating existing users. We propose an intercept like this. I don't know if you can, if you can read it, but it is on the legacy login and you tell your users, you can enable, for example, touch ID. If that would be on a newer MacBook, you can enable touch ID. Do you want to use that to sign and faster next time? And yeah, this is what we do with our implementation and we see good, good results with that. It is also in line with, with the latest user experience studies that have been done by the fighter lines. And yeah, the first point I already talked about the next thing that is very important, and they have been some, some studies by a German fellow that you should tell the user that the biometrics are stored only on the device and never leaves the device. So this helps with building trust for, for web and Fido. And of course we, yeah, we'll give trust to your application as well. And as I said, already, consider support for security keys. If you can, if your user base allow for it to have really strong QFA for platform authenticated, but also for the fallback authentication mechanism.
And I close with, with something I said is a PSA. We will offer hunk identity. That's our new product. It will be the world first passwordless native identity provider. So we built an open ID connect identity provider that is not based on passwords, but it is based on fi web both. And, and yeah, I mentioned it is pass links for, for bank authentication. We build that on top of our open source authentication API that consists of a certified fi server. Yeah. And I think it's perfect for in the first step, at least for green free project startups, everyone who wants to go password list and won't want to do anything at all. That's it from, from my side. Thank you.