Event Recording

The State of Passwordless Authentication


The FIDO Alliance has made tremendous strides in its mission to change the nature of authentication with stronger, simpler and passwordless authentication. Join this session to find out the state of passwordless authentication from the FIDO lens, including a sneak peek at major news that will, finally, make passwordless FIDO authentication available to the masses.

So this is the last presentation between now and coffee. So, which means two things: first of all, you're probably anxious to get out of here, but it also means that if we go long or, you know, if you have questions afterwards, I'm happy to hang out and take any questions that you may have that I don't cover fully in the presentation. Also, being at the end of the track, a lot of the things I'm gonna show you I saw in the prior presentations. I thought Adam's passwordless vision from ForgeRock really had a lot of great points in there that I will reinforce as well. But let's start with the problem statement. And honestly, I could spend all 20 minutes of this presentation with slide after slide after slide looking at, you know, dreadful statistics that are a result of our dependence on passwords and knowledge-based credentials.
And, you know, there's more bad news. You know, phishing attacks will continue to succeed. As I just mentioned before, you know, phishing works because it preys on human nature, and they're wildly successful, right? A well-designed phishing attack has over a 40% success rate. It's not a click rate, but success of phishing somebody. And more bad news, you know, MFA bypass attacks will become mainstream. That's one of our predictions for this year and next year, and we're seeing this already today. So when we talk about MFA, it's not entirely, you know, it's not infallible. That's why it's very important to understand, you know, knowledge-based MFA versus modern MFA. So if you look at SMS, SMS bypass attacks in particular have been happening with more frequency, and they're very successful. So that's, you know, a lot of bad news there, the prior statistics and these predictions. Now, some good news is that there's no more bad news.
So good news is that enterprise passwordless deployments will grow rapidly, right? So we've heard a lot of talk about that here today. Gartner's backed this up with their own predictions; KuppingerCole predicted this, basically highlighting passwordless authentication as a "now" deployment. I've done a series of analyst briefings over the past couple weeks, and, you know, time and time again this is being reinforced: advanced authentication, passwordless authentication, is the top investment area for enterprise over the next three to four years. So that's some good news. Additionally, you know, mobile platforms will provide consumer-ready solutions at scale. So this kind of teases the announcement that we made last week. The announcement was made by FIDO Alliance along with Apple, Google, and Microsoft, with their commitment to support this passkey concept, or FIDO multi-device credentials, which stands to put, you know, passwordless multifactor capabilities into the hands of more consumers.
So we already know this: passwords don't work. They're not good. They suck. We know this, so I'm gonna skip through this slide. I don't need to reinforce that. But this is what I was getting at before, also, is that a fundamental shift is needed in the way that we authenticate users, right? And it's really somewhat black and white. There's the old way of doing things and there's a new way of doing things. The old way of doing things is largely depending on shared secrets, something you know, whether that's at the point of authentication, or it actually really starts at the point of proofing, right? Where, you know, if you are creating an account based on knowledge-based information or actual KBA, you know, a lot of that knowledge is actually out there on the dark web and available to other people to impersonate you or to take over your account, right? So we need to shift entirely from these, you know, what people know, and what ultimately hackers know, to what you are or what you have. And this is a much more modern and phishing-resistant means of user authentication.
And that's also been FIDO's vision all along. I don't know how much you know about FIDO Alliance, but we've been around for nearly 10 years. Our tagline is simpler, stronger authentication. That's been the focus, the unyielding focus, of FIDO Alliance all along: to find that sweet spot between ease of use and strength of security. You know, strong authentication isn't new, public key cryptography isn't new, but actually packaging it together in a user-friendly approach where a single gesture from that user can, you know, perform the authentication mechanism and can enable the strong authentication to take place, that is new. All right. And that's what FIDO's focus has been. And as we're seeing, you know, usability is more and more critical, and is actually coming to the fore in just about every conversation that we have about deploying strong authentication.
A bit more about FIDO. So we're an organization. We have 250 members worldwide. Growth of our membership is not an objective for the Alliance, but we are growing. We have new participants. This is our board of directors, so 42 companies on our board. It's a great set of logos. But what I think's most important about these companies is that, you know, if you closed your eyes and thought, like, well, which companies need to be collaborating to solve the password problem, you know, who needs to be sitting around that table? It, you know, would look a lot like this. So companies building the platforms and devices that we all use every day, experts in security, identity and biometrics, and then last but not least, the companies whose businesses are dependent upon their ability to securely deliver high-assurance services to billions of users worldwide. So the e-commerce providers, the payment networks, social media companies, and such. And it's that combination of companies working together in FIDO Alliance that's allowed us to produce, you know, market-ready, robust specifications that are being used at scale to deploy FIDO authentication.
So very briefly, how FIDO works, in case you don't know. This is how people used to log in: there would be a person on their computer logging into a server. A password would sit in the server. If you got the password right, you could log in. We all know the problems associated with that. What FIDO does is introduce the concept of an authenticator. The authenticator is a concept and actually a physical thing, and you could think of it as kind of intermediating this relationship. We leverage asymmetric public key cryptography, such that a public key sits on the server and a private key is securely stored in the authenticator. Unlike a password, if the public key is stolen, it has no material value. You can't reuse a public key. And the private key is protected on the device. The user must verify herself to that, whether that's a biometric verification or possession-based, you know, verification, touching a security key, or a local PIN code. Once verification happens, the authentication dialogue can take place. And, you know, in this authentication dialogue, there's a lot of metadata exchange, a lot of information exchange that needs to match just so for the authentication to happen, which is why, if someone tries phishing this or runs a man-in-the-middle attack, you know, the entire system breaks down, because the key pair won't match. So either the man in the middle doesn't have the private key or doesn't have the right public key to show the end user with the legitimate private key.
And you know, what we've realized from FIDO Alliance is that for, you know, that vision to become reality, for FIDO authentication, multifactor authentication, to be adopted at scale, you know, we need to take on some of the advantages that passwords have. And perhaps the greatest advantage that passwords have and OTPs have is that of incumbency and ubiquity, right? So for FIDO to have a chance, we need to be everywhere, and we need to find that endpoint ubiquity. Fortunately, you know, we've had strong support, starting with Android and Windows Hello becoming FIDO2 certified authenticators. And now really every platform, every browser, every operating system has FIDO APIs being built natively into them, such that literally every device being unboxed right now most likely can support FIDO authentication. All right. So we're reaching that ubiquity, which is allowing more and more service providers to deploy with confidence, knowing that their end user, whether it's a consumer or, you know, someone in enterprise, can, you know, leverage that functionality with their device.
And it's little wonder that we're seeing good adoption. This is a very small sampling of companies that support FIDO authentication. You know, really we're seeing adoption across borders, across use cases, across deployment scenarios, so both enterprise and consumer, just, you know, very, very wide. Well, I'll still categorize it as early adoption, right? Early adoption, perhaps for hundreds of millions of users, but it still is kind of the first wave of FIDO adoption. And we're seeing good progress here in Europe as well. So I highlighted some companies that have deployed in Europe, but also, you know, a big part of what FIDO does is we engage with different government bodies and regulators, either inside of our membership or through external engagements. In Europe, we've seen both NHS and UK government deploy FIDO. So NHS actually has some incredible data about, you know, cost savings associated with using FIDO authentication for their healthcare workers. GOV.UK Verify supports FIDO U2F authenticators as a means for citizen authentication.
And then recently the NCSC in the Netherlands has given a strong endorsement to FIDO, as has NC in France. All right, so we're very keen to engage further in the European market, because it's a unique market where we have a lot of stakeholders and we see a very natural fit with FIDO's approach for strong user authentication. And to that end, you know, you can't talk about regulations without talking about PSD2. And it's interesting, I feel like the conversation around PSD2 has actually petered out a little bit. It doesn't mean it's any less important just because we're talking about it less, but obviously there are several authentication methods that you can use to comply with PSD2, from SMS OTP plus password to hardware OTP generators, CAP readers, so on and so forth. It also includes FIDO. All these can comply, but not all are created equal. We feel like the FIDO approach, which leverages a device biometric, the user biometric, meets the regulatory requirements while also bringing in the advantages of user convenience, compliance and all the added security benefits that FIDO brings to the table.
And it's not just PSD2 compliance. You know, looking more globally, you know, FIDO is cited by NIST in the US in a number of its publications, both in 800-63-3, the Digital Identity Guidelines, as well as the forthcoming iteration of that, which will be updated to talk about how FIDO's current and emerging approaches fit with the updated assurance levels that NIST specifies. So that's kind of where we've been, that's where we are. That's our current state, if you will. And so I wanna talk a little bit about, you know, next steps. I'm gonna look at my phone so I know what time it is. Next steps for reaching mainstream adoption, and it starts and really ends with usability, frankly. It's interesting, you know, I've been in this role for several years now, and I've talked to companies or people who are looking to deploy FIDO, and the conversation has shifted from, like, well, what is FIDO and why should I do this, to, you know, very specific questions, like, well, wait a second, how's this gonna impact my customer authentication flow?
And what's the CX gonna look like, and how do I do this without losing my high-net-worth banking customers? And this all comes down to usability. And so that's really the next step: to, you know, further usability while keeping security in mind. And FIDO Alliance has, you know, launched several new initiatives in this vein. I wanna highlight those now. The first one was actually last year. We released the first set of UX, so user experience, guidelines for platform authenticators. So the use case where, say, you're a bank and you want your consumers to be able to log in using Windows Hello or Touch ID, whatever it might be, on a desktop PC or laptop, which is all capable now, right? So with WebAuthn support being built into browsers, operating systems, technically the vast majority of users should be able to log in using a platform authenticator.
But what we were hearing, before we launched the study, from relying party after relying party was, well, hey, it's not that easy. And by the way, there's some awkward kind of, you know, device prompts that come up on different browsers and are somewhat inconsistent. And I'm worried about losing my customers. What's the best way for us to do this? So we launched a task force of UX and design leads, right? So these are not the typical people you see in a FIDO standards meeting. These are designers, but from some of the biggest brands on the planet. They came together to help run this study. And we had people from JPMorgan Chase, Visa, Wells Fargo, and two at Apple, all working to help scope this program. And what it resulted in was a three-phase study that led to our actual UX guidelines. So you can go to our website; these guidelines are free for download. Next to it is the actual reference implementation that follows those guidelines on how to most effectively deploy FIDO for this use case.
So those guidelines got very, you know, positive feedback, and I've seen companies actually follow those guidelines for their own implementations. And so FIDO Alliance took this to heart, and we actually launched a UX committee this year. And this is a board committee, again of UX designers, UX leads and designers, who will be actually implementing a UX system inside of FIDO Alliance, such that everything we put out, whether it's technical specifications or guidelines, will have the ability to, you know, go through this UX system to make sure that UX is being considered in our outputs and in recommendations. This is a very important step forward for FIDO Alliance from a UX standpoint. Upcoming, we're doing more UX research, right? So the next step in our UX guidelines compendium will be UX research on security keys, right? So we see a lot of companies deploying security keys, which is great, but the consistency of user experience varies dramatically. If you think of the user journey from enrollment on through to signing up and managing your keys, we'd like to see that be more consistent and more optimized. So we're doing, again, another data-driven study to come up with the best way to deploy FIDO security keys. And then last but not least, multi-device FIDO credentials. So this is where, you know, usability comes into our specifications, comes into FIDO technology. And this is what was announced last week.
So let's talk about multi-device credentials. Fundamentally, you know, FIDO authentication has always had an account recovery challenge. We've always had a recovery problem. You know, possession-based authentication is great. Having a possession-based authenticator is wonderful, but the question always comes: well, what happens if I lose possession of my possession-based authenticator? And the answer hasn't been great, right? The answer has been, well, it depends on how the RP chooses to recover you, but by and large it all kind of ends up backing up to, yeah, you need to kind of recover your account through whatever credentials the RP has about you, which more often than not has been a knowledge-based credential, namely a password, right? That's not only if you lose possession of your authenticator, but also if you want to enroll multiple devices, you know, for your FIDO login, you need to enroll each one on each device for each service.
And so that creates both a security issue and a usability issue. So what multi-device credentials, also known as passkeys, do is really enable deployment of FIDO at scale to consumers who are moving between their current devices and new ones. All right. So across each device platform, so across iCloud, across Google, across Microsoft account, it allows you to, you know, move seamlessly across those clouds, and also across those clouds through a local authentication mechanism. So we think this addresses both usability and security challenges with account recovery. So I talked about usability a second ago. So having to re-enroll each device is not a very good user experience, right, and then having to remember that password. But the other kind of byproduct of that is a security byproduct, which is that the relying party needs to maintain that password for you to recover your account.
Right? So it's almost like we've been taking three steps forward and one step back, right? So as long as you need to maintain that credential, we're not taking credentials off the server, which is what we need to do to stop this ongoing cycle of, you know, credential theft and credential-based attacks. So now the relying party has the option to actually delete the password entirely, because they don't need to worry as much about recovery. That's a very significant step forward. And then of course, we anticipate this being supported in devices, you know, starting this year. And that was part of the announcement we made last week: Google, Apple, Microsoft all committed to supporting this in their device platforms over the coming year. So again, there's two specific capabilities in this. The first one is allowing users to access their signing credentials on all their devices, again, seamlessly, without having to re-enroll.
And then the second use case is really kind of the bootstrapping use case, which uses a new, you know, Bluetooth protocol to allow you to go from, like, one device platform to the other. So specifically the use case of me going from my iPhone to my Windows PC: I can do this locally through a single touch of my device to allow me to bootstrap, to authenticate myself to a service on my PC, after which the service provider may allow me to enroll my biometrics on that device as well. So bootstrapping from one platform environment to the other. So with that, I think we're about at time. So in general, I'd say your opportunity here is to leverage the broad deployment we're seeing with FIDO and the broad momentum we're seeing with FIDO. And I'm happy to take any questions that you may have. Thank you.
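The challenge-response the speaker sketches (public key on the server, private key that never leaves the authenticator, and a phished or relayed login failing because what was signed does not match what the server expects), as an added Go example that is not part of the talk or of FIDO Alliance's own code. It is a deliberately reduced model of the WebAuthn flow: clientData carries only type, challenge and origin, the signature omits authenticatorData, and the relying party bank.example, the look-alike bank-example.invalid, the user alice and the fixed challenge strings are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is a cut-down WebAuthn clientDataJSON: the challenge plus the origin the user is really on.
type clientData struct{ Type, Challenge, Origin string }

// Authenticator keeps one private key per relying-party ID (rpID); private keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register creates a key pair scoped to rpID and returns only the public key for the server to store.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	a.keys[rpID] = priv
	return pub
}

// Sign models browser plus authenticator: the browser fills in the origin it is really on, and the
// authenticator signs only if it holds a key for rpID. (Real WebAuthn signs authenticatorData || SHA-256(clientDataJSON).)
func (a *Authenticator) Sign(origin, rpID, challenge string) (cd, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok { return nil, nil, errors.New("authenticator: no credential for " + rpID) }
	cd, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	return cd, ed25519.Sign(priv, cd), nil
}

// RelyingParty stores public keys only; a stolen copy of this table cannot be replayed as a login.
type RelyingParty struct {
	Origin string
	pubs   map[string]ed25519.PublicKey
}

// Verify accepts a login only if the challenge, the origin and the signature all match.
func (rp *RelyingParty) Verify(user, challenge string, cd, sig []byte) error {
	pub, ok := rp.pubs[user]
	if !ok { return errors.New("rp: unknown user") }
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil { return err }
	if c.Type != "webauthn.get" || c.Challenge != challenge || c.Origin != rp.Origin {
		return fmt.Errorf("rp: clientData mismatch (origin %q)", c.Origin)
	}
	if !ed25519.Verify(pub, cd, sig) { return errors.New("rp: signature does not verify") }
	return nil
}

// Scenario runs one legitimate login and two relayed through a look-alike site. Names are constructed;
// the fixed challenge strings stand in for the fresh random nonce a real RP issues per attempt.
func Scenario() (legit, noCredential, badOrigin error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{Origin: "https://bank.example", pubs: map[string]ed25519.PublicKey{}}
	rp.pubs["alice"] = auth.Register("bank.example")
	cd, sig, _ := auth.Sign("https://bank.example", "bank.example", "challenge-1")
	legit = rp.Verify("alice", "challenge-1", cd, sig)
	// Relay: the browser derives rpID from the origin it is really on, and no credential exists for it.
	_, _, noCredential = auth.Sign("https://bank-example.invalid", "bank-example.invalid", "challenge-2")
	// Even a signature under the bank's key is useless once clientData names another origin.
	cd, sig, _ = auth.Sign("https://bank-example.invalid", "bank.example", "challenge-2")
	badOrigin = rp.Verify("alice", "challenge-2", cd, sig)
	return
}
```

Scenario returns nil for the legitimate login and a non-nil error for each relayed attempt; the second relay is not something a conforming browser would ever produce, it is there only to show that the relying party's origin check rejects the attempt independently of the key pair.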
