FIDO News Center – FIDO Alliance
https://fidoalliance.org
Open Authentication Standards More Secure than Passwords
Thu, 26 Feb 2026 21:13:32 +0000

Launching the FIDO Americas Adoption Forum
https://fidoalliance.org/launching-the-fido-americas-adoption-forum/
Thu, 26 Feb 2026 21:13:19 +0000

Digital economies across the Americas are expanding rapidly, presenting both new opportunities and risks. As a largely mobile-first region, there is widespread innovation, especially in payments. At the same time, bad actors are exploiting technologies and processes, putting this progress at risk.

That is why we are excited to announce the launch of the FIDO Americas Adoption Forum (FAAF). This is a new initiative designed to advance open standards and accelerate market adoption across the region. It aims to uncover new opportunities to provide simpler and safer authentication with FIDO technologies in the Americas. Initially, the Forum will focus on Latin America, given its potential.

The opportunity

In many Latin American markets, mobile internet penetration exceeds 70% and populations are digitally active at very high levels. For example, Brazil’s “Pix” instant payment system has been adopted by over 90% of adults. That kind of uptake signals both technological readiness and a massive user appetite for frictionless experiences.

But rapid digitization brings challenges. Credit card fraud rates across Latin America are 97% higher than in North America, and legacy authentication is failing to stop malware attacks that have risen by 113% in the region, with 79% of fraud occurring on mobile devices. Bad actors are also exploiting new threat vectors. Looking at Brazil again, deepfakes in Q1 2025 occurred at five times the rate seen in the US and ten times the rate in Germany.

These conditions create an urgent need for phishing-resistant authentication technology that puts trust and simplicity at the center of digital interactions. With FIDO adoption in the relatively early stages across much of the region, the impact that can be achieved by shaping adoption and solving these security gaps is enormous.

Our Approach

The FAAF will focus on fostering a local community of industry-leading organizations and experts to address the specific technical, regulatory, and business challenges of the region. We are drawing on FIDO’s model that has proven successful in driving adoption of open, phishing-resistant standards across the globe, including our APAC Marketing Forum, while adapting to regional dynamics. This includes:

  • Local champions: We will identify leaders to advocate for interoperable standards within their markets and connect global best practices to local needs.
  • Education and enablement: We will bring FIDO expertise to stakeholders in key verticals – including banking, e-commerce, government, and airlines – through targeted webinars and workshops.
  • Regulatory engagement: We will help regulators understand how FIDO standards can support national security and economic objectives.
  • Regional insights: We will channel feedback from the Forum to ensure FIDO specifications and market enablement activity address real-world deployment challenges.

Help drive FIDO adoption in the region

We’re starting with quarterly calls focussed on understanding the opportunities, challenges and nuances of the Latin American markets. This will include FIDO members from the region and those with interest and operations there. We will also explore bringing in external speakers to share their expertise on regulation, industry trends, and other topics of interest.

A major part of our initial work will focus on understanding the regulatory environment in key markets, and identifying opportunities to engage with regulators to educate them about FIDO.

If you are a FIDO member, look out for a formal invitation to join the Forum soon. We will follow this with our official kick-off call in the coming weeks.

The opportunity in Latin America is significant. I hope you will join us in bringing greater trust and simplicity to digital interactions across these dynamic markets.

Integrating FIDO Standards into Secure OT Connectivity — A Practical Path to Resilience
https://fidoalliance.org/integrating-fido-standards-into-secure-ot-connectivity-a-practical-path-to-resilience/
Thu, 12 Feb 2026 13:18:09 +0000

Operational Technology (OT) environments — from industrial control systems to critical infrastructure networks — have traditionally prioritized safety and availability. The newly published Secure Connectivity Principles for Operational Technology (OT) guidance produced by the UK National Cyber Security Centre (NCSC) in partnership with agencies from Australia, Canada, US, Germany, Netherlands, and New Zealand underscores how evolving connectivity demands require a modern security posture that does not compromise operational integrity while facing an expanding threat landscape.

At the FIDO Alliance, our mission has always been to champion open, scalable, and trusted identity and authentication standards that are simple to use. Today those same principles, originally forged to eliminate the weak link of shared secrets on the web, are directly applicable to securing OT connectivity and distributed device environments.

Below I’ll outline how FIDO phishing-resistant authentication (passkeys), FIDO Device Onboard (FDO) and emerging work in Bare Metal Onboarding (BMO) support these secure connectivity principles, enabling organizations to achieve strong authentication, trusted connectivity, secure supply chains and secure software updates at scale.

Phishing-Resistant Authentication Is Now Table Stakes for OT

The OT guidance emphasizes strong authentication at network boundaries, remote access points, and management planes. This is exactly the problem FIDO set out to solve with passkeys. Passkeys replace passwords and shared secrets with device-bound cryptographic credentials that are phishing-resistant, replay-resistant, and built on open standards.

For OT operators, engineers, and vendors accessing jump hosts, DMZ gateways, or privileged access workstations, this removes the most common root cause of breaches: stolen credentials. That simple shift from shared secrets to cryptography dramatically reduces risk at OT boundaries.

Practically speaking, this enables organizations to:

  • Enforce phishing-resistant MFA for all remote/vendor access
  • Secure privileged admin workflows
  • Reduce helpdesk overhead from tokens/password resets
  • Strengthen auditability and attribution of actions

This aligns directly with the guidance’s goals of minimizing exposure and hardening connectivity with modern, standardized controls.

Securing Vendor and Remote Access Without Increasing Complexity

OT environments frequently require third-party maintenance and specialized engineering support. Historically, that has meant VPN accounts, shared credentials, or brittle remote access solutions. The guidance recommends organizations move to centralized, controlled connectivity and brokered access patterns. FIDO authentication fits naturally into the recommended control framework:

  • FIDO authentication-secured jump hosts, remote workstations, and more
  • Privileged access gateways
  • Just-in-time access provisioning
  • Device-verified operator identity

This approach delivers both least privilege and strong non-repudiation — two capabilities that are increasingly important for regulated industries. Most importantly, it does so without adding friction for operators, which is critical in environments where uptime and usability are non-negotiable.

Establishing Trust in Devices with FIDO Device Onboard (FDO)

Users aren’t the only identities that matter in OT. Devices — gateways, sensors, controllers, and edge systems — must also prove they are trusted before joining operational networks. This is where FIDO Device Onboard (FDO) comes in. FDO provides:

  • Zero-touch onboarding
  • Cryptographic device attestation
  • Secure ownership transfer
  • Encrypted provisioning channels
  • “Late binding” to the correct management platform at deployment time

Rather than shipping devices with default passwords or manual configuration steps, FDO allows them to securely authenticate and receive credentials automatically. For OT environments, this:

  • Eliminates weak factory credentials
  • Reduces field provisioning errors
  • Supports standardized onboarding across diverse hardware
  • Strengthens supply-chain assurance

In other words, devices join the network only after cryptographically proving who they are. This satisfies a foundational requirement for segmentation and isolation strategies described in the guidance, delivering value today for industrial IoT, gateways, and modern edge infrastructure.

But secure onboarding is only the first step.

Bare Metal Onboarding and Lifecycle Resilience

One of the most important, and often overlooked, requirements in the OT guidance is the need to keep systems securely updated and maintain a known-good state over time. This has historically been difficult in OT. Devices may be deployed in remote locations, managed by non-IT personnel, or running outdated software because rebuilding them is complex and risky.

This is exactly the challenge that FIDO Bare Metal Onboarding (BMO) addresses. Building on FDO’s trusted foundation, BMO extends late binding beyond ownership to the entire software stack:

  • Operating system
  • Applications
  • Configuration
  • Credentials

With BMO, a device can be powered on with no preinstalled OS and securely receive:

  • Authorized OS images
  • Approved software packages
  • Policy-defined configurations
  • Verified updates

All cryptographically validated and delivered through the same attested, encrypted control plane established by FDO. 

In doing so, BMO unlocks several capabilities that are particularly powerful for OT operators:

  1. Zero-touch secure deployment: Devices can be installed by non-technical personnel and automatically provision themselves safely.
  2. Secure rebuilds and recovery: If compromise or corruption is suspected, systems can be wiped and reinstalled to a known-good state.
  3. Reliable patching and upgrades: Organizations can keep software current (a key expectation in the UK guidance) without manual intervention.
  4. Standardization across vendors: A consistent, open, interoperable approach replaces fragmented proprietary tooling.

In short, BMO transforms onboarding into lifecycle assurance. Where FDO answers “Can I trust this device?”, BMO answers “Can I trust exactly what is running on it, not just today but after every update?”

That’s a critical step forward for OT resilience.

[For more information on BMO, check out this webinar]

A Clear Roadmap to go from Principles to Practice

Organizations aligning with the OT secure connectivity principles can take concrete action today, while preparing for what’s next:

Now

  • Require phishing-resistant FIDO passkeys for all OT remote and privileged access
  • Standardize FIDO authentication at gateways and management interfaces
  • Adopt FDO for zero-touch, secure onboarding of new edge and industrial devices

2026 and beyond

  • Incorporate FIDO Bare Metal Onboarding into procurement requirements
  • Enable secure OS/app provisioning and automated rebuilds
  • Maintain known-good state and rapid recovery across distributed OT estates

Identity as the Foundation of OT Security

The OT threat landscape has changed permanently. Connectivity is no longer optional, and security can’t rely on isolation alone. The future is identity-first: verifiable users, verifiable devices, and verifiable software state. FIDO standards provide open, scalable building blocks for all three, turning the guidance principles into something actionable:

  • Passkeys secure the people.
  • FDO secures the devices.
  • BMO secures the software lifecycle.

FIDO technologies already deliver meaningful protection today. And with Bare Metal Onboarding, they will enable an even more resilient, zero-touch, secure-by-design OT ecosystem in the years ahead.

Recap: FIDO Tokyo Seminar 2025 – Toward a Passwordless World: Deepening Japan’s Leadership and Deployment
https://fidoalliance.org/recap-fido-tokyo-seminar-2025-toward-a-passwordless-world-deepening-japans-leadership-and-deployment/
Thu, 29 Jan 2026 00:42:32 +0000

On December 5, 2025, the digital identity community gathered at Tokyo Port City Takeshiba for the 12th FIDO Tokyo Seminar. Under the theme “Towards a Passwordless World”, the event brought together 300+ industry leaders, government officials, and engineers to discuss the effectiveness of passkeys as a countermeasure against phishing and to explore the future landscape of digital identity.

Global Momentum: Local Leadership Driving Adoption

The seminar kicked off by highlighting the rapid adoption of FIDO standards and the strong commitment shown by the Japanese market.

Andrew Shikiar, CEO & Executive Director of the FIDO Alliance, shared the latest metrics: over 7 billion accounts worldwide are now protected by passkeys, with more than 3 billion passkeys saved by users. Data from the newly introduced “Passkey Index” further demonstrated the technology’s impact, revealing a 93% authentication success rate and a 73% reduction in login times.

In the Japanese market, Koichi Moriyama (NTT DOCOMO), Chair of the FIDO Japan Working Group (FJWG), reported on the growth of the local community as it celebrates its 10th anniversary and 111th monthly meeting. The day also marked a notable announcement: the FIDO Alliance has signed a liaison partnership with the Japan Securities Dealers Association (JSDA). This partnership is expected to accelerate security improvements and FIDO adoption across the entire securities industry.


Policy & Security: From Recommended to Essential

In 2025, Japan’s policy and security strategies are upgrading phishing-resistant authentication from “recommended” to “essential.”

  • Digital Agency: Masanori Kusunoki addressed the revision of the guidelines for online identity verification in administrative procedures (DS-500 to DS-511). He expressed the view that for Assurance Level 2 or higher, phishing-resistant methods like the My Number Card or passkeys will effectively become mandatory.
  • NPA & FSA: Takahide Sannomiya (National Police Agency) and Motoshi Matsunaga (Financial Services Agency) emphasized the importance of passkeys in countering cyber threats. In the financial sector specifically, policies are advancing to default to phishing-resistant Multi-Factor Authentication (MFA) for critical operations such as logins and fund transfers.

Proven Success & Next Frontier: Account Recovery

A highlight of the seminar was the consensus that passkeys have moved beyond “early adoption” to become mainstream in Japan’s major services.

The “Passkey Index Japan” panel session (Mercari, NTT DOCOMO, KDDI, FIDO Alliance) revealed that passkey authentication usage has exceeded 50% among smartphone users at these three companies. It was disclosed that 50.4% of all monthly active users (MAU) for authentication services are already utilizing passkeys.

This widespread usage, spanning all ages and demographics, suggests that passkeys are a realistic solution that balances convenience with security.

The discussion also focused on “Account Recovery” as one of the key challenges following widespread passkey adoption. Tatsuya Karino (Mercari), Masao Kubo (NTT DOCOMO), and Hideki Sawada (KDDI) emphasized the importance of secure recovery processes utilizing My Number Cards (JPKI) and eKYC, as well as designing for device changes. This is poised to be a cross-industry theme for 2026.


Securities Transformation: Advancing Passkey Deployment

The transformation within the securities industry is noteworthy. Shinobu Hirayama of Rakuten Securities reported that the company completed the rollout of passkey authentication (FIDO2) across all channels in October 2025. According to Hirayama, five securities firms have already implemented FIDO2, with that number expected to rise to seven by the end of the year. He emphasized that passkeys play a central role in building a technology-based “layered defense” against evolving fraud attacks.


Deep Dive into Tech: Platforms & Security

Technical sessions for developers and security experts explored the latest features supporting passkey implementation.

  • Google Platform Evolution: Eiji Kitamura shared the latest updates based on Credential Manager. Of particular note was the “Restore Credentials API,” which promises to improve the developer experience by enabling seamless sign-ins when users migrate to new devices.
  • Session Protection: In the “All About Passkeys” session (Eiji Kitamura, Kosuke Koiwai, Masaru Kurabayashi), the discussion turned to the risks of “session hijacking” that remain even after passkey adoption. Speakers argued for the necessity of risk-based session protection and new specifications like Device Bound Session Credentials (DBSC) to counter malware-based cookie theft.

Ecosystem & Innovation: Expanding Use Cases

Presentations from sponsor companies demonstrated a mature ecosystem capable of supporting diverse use cases.

  • Regulated Industries & Finance: Gim Leng Koh (OneSpan) presented a dual-key approach for financial institutions, enabling device health assessment and transaction signing (WYSIWYS).
  • Scale & Performance: Eugene Lee (RaonSecure) introduced their FIDO solution’s high processing performance, supporting over 10 million monthly users.
  • Solving B2B Challenges: Kazuhito Shibata (ISR) addressed the barriers hindering MFA adoption in corporate environments.
  • Device Security in the AI Era: Everett Hiroshi Shiina (Yubico) explained the importance of hardware-attested Single Device Passkeys in the face of rising AI threats.
  • Lifecycle Protection: Takashi Yoshii (Daon) introduced the integration of FIDO authentication with Deepfake detection-enabled eKYC via the IdentityX platform.
  • Customer Engagement: Mitsuharu Nakamura (Twilio) proposed a seamless authentication experience using Twilio Verify, which supports passkeys alongside SMS and TOT

Beyond Authentication: Digital Credentials & Identity

The conversation extended beyond authentication to the entire identity lifecycle.

In a video message, Lee Campbell (Google/FIDO Alliance Digital Credential WG Co-Chair) shared the vision of extending the trust and interoperability established by passkeys to “Digital Credentials,” defining ecosystem standards for wallets and identity verification.

The final panel session, featuring members from the FIDO Alliance, OpenID Foundation, OpenID Foundation Japan, and the Digital Agency, deepened the discussion on managing the entire identity lifecycle—from account creation to recovery.


Looking Forward: Building Japan’s Digital Identity Future

The 12th FIDO Tokyo Seminar served as a testament that passkeys are becoming firmly established as part of Japan’s digital social infrastructure. As we look toward 2026, the FIDO Alliance’s initiatives will continue to expand from authentication to the entire identity lifecycle and into the realm of digital credentials.

We would like to express our sincere gratitude to the sponsor companies who supported this event, as well as to all the speakers and attendees. We look forward to seeing you at our next event!

Passkey Ecosystem Upgrades and Improvements
https://fidoalliance.org/passkey-ecosystem-upgrades-and-improvements/
Wed, 21 Jan 2026 19:21:43 +0000

As passkeys move rapidly from a promising new technology to the clear industry standard for simple and secure authentication, the passkey ecosystem continues to evolve. Read about six new capabilities implementers should know about.

Recap: FIDO Taipei Seminar 2025 – Welcome to Passkey World
https://fidoalliance.org/recap-fido-taipei-seminar-2025-welcome-to-passkey-world/
Thu, 11 Dec 2025 15:06:14 +0000

On December 2nd, 2025, the digital identity community gathered in Taipei for the FIDO Taipei Seminar 2025. Under the theme “Welcome to Passkey World,” the event brought together around 300 CISOs, business leaders, government officials, and identity architects to discuss the accelerating global shift away from passwords and the rapid adoption of phishing-resistant authentication across the Asia-Pacific region.


Setting the Stage: Global Momentum, Local Leadership

The seminar kicked off with a strong message on the state of the industry. Karen Chang, Chair of the FIDO Taiwan Regional Engagement Forum, and Andrew Shikiar, CEO & Executive Director of the FIDO Alliance, opened the day by framing the global success of passkeys.

Andrew Shikiar shared updated metrics on the global adoption of FIDO standards—noting that billions of user accounts are now secured by passkeys—while emphasizing that the technology has moved from “early adoption” to “mainstream deployment.” Karen Chang highlighted the region’s critical role in this ecosystem, detailing how local industries and government bodies are integrating these standards to build a more resilient digital infrastructure.


Keynote: AI, Identity, and Digital Trust

No technology conversation in 2025 is complete without addressing Artificial Intelligence. Dr. Yennun Huang, Distinguished Research Fellow at Academia Sinica and former Minister of Digital Affairs, delivered a compelling keynote titled “AI, Identity, and Digital Trust.”

Dr. Huang bridged the gap between policy and technology, warning that as AI tools reshape the threat landscape, traditional authentication methods are becoming obsolete. He argued that phishing-resistant authentication is no longer just a security feature but a foundational requirement for establishing trust in the AI era.

From the Trenches: Deployments, Strategies, and Future Tech

The sessions then shifted focus to execution, featuring a chronological lineup of industry leaders sharing insights on platforms, deployments, and certification.

Google: The Google team, represented by Niharika Arora and Eiji Kitamura, demonstrated the latest platform enhancements designed to smooth the implementation path for developers.

Keypasco: As the Host Sponsor of the event, Hsin-Yi Lin, General Manager, spoke on “The Passkey Era: Embrace Passwordless Transformation,” offering a roadmap for enterprises to embrace passwordless transformation without disrupting existing workflows.

Mercari: Naohisa Ichihara, CISO of Mercari, provided a view into the e-commerce sector, explaining how FIDO standards are helping the platform reduce fraud rates while keeping checkout flows seamless.

OneSpan: Koh Gim Leng explored “Augmenting Passkey for Different Use Cases,” discussing how to tailor authentication experiences to fit diverse security requirements and user behaviors.

FIME: James Daniels highlighted the “Value of FIDO Certification,” emphasizing how rigorous testing and certification are essential for ensuring global interoperability and trust in authentication products.

HID: Edwardcher Monreal presented “The Passkey Playbook,” outlining a phased approach that allows organizations to transition from legacy credentials to passkeys at a pace that suits their infrastructure.

TikTok: Yan Cao, Engineering Leader at TikTok, shared a fascinating case study on rolling out passkeys to hundreds of millions of users globally, proving that robust security does not have to come at the expense of user experience.

Jmem Technology: Shifting the focus to hardware, John Chang discussed “Building Secure Chips for the Quantum Era,” highlighting the intersection of Post-Quantum Cryptography (PQC) and trusted edge AIoT integration.


Innovation at the Edge: IoT and Zero Trust

The seminar concluded its technical tracks by exploring how authentication standards are securing the Internet of Things (IoT) and edge computing.

A standout moment was the presentation by Simon Trac Do, CEO & Founder of VinCSS. He introduced a “creative combination” of FIDO authentication and FIDO Device Onboard (FDO) standards, demonstrating how fusing these technologies creates a comprehensive Zero Trust Network Access (ZTNA) solution that secures both user identity and device integrity in the IoT era.

Meanwhile, Doris Liu from ASRock Industrial shifted the focus to the hardware foundation of intelligent systems. In her session on pioneering secure Edge AI, she outlined how ASRock is leveraging FDO deployment to build trusted devices, offering a robust, one-stop solution for the burgeoning Edge AI market.


Panel Discussion: The Road Ahead

The day concluded with a dynamic panel discussion moderated by Megan Shamas, CMO of the FIDO Alliance. Panelists, including Koichi Moriyama (NTT DOCOMO, FIDO Executive Council Member, FJWG Chair), Paul Liu (Keypasco), Jiunn-Shiow Lin (Ministry of Digital Affairs), Da-Yu Kao (National Chengchi University), and Niharika Arora (FIDO India Working Group Chair), explored the future of identity.

The conversation reinforced a clear consensus: the standards are mature, the technology is ready, and the focus must now shift to optimizing usability and broadening adoption across all sectors.


Looking Forward

The FIDO Taipei Seminar 2025 was a testament to the strength and collaboration of the APAC identity community. As we move into 2026, the partnership between government, industry, and standards bodies will be the key to finally eliminating the password for good.

A special acknowledgment goes to our Host Sponsor, Keypasco, and other sponsors for their generous support in making this event possible, as well as to all our speakers and attendees. We look forward to seeing you at our next event!

Passkeys Week 2025: The Resources, Talks, and Success Stories
https://fidoalliance.org/passkeys-week-2025-the-resources-talks-and-success-stories/
Wed, 10 Dec 2025 13:24:14 +0000

In November we took part in Passkeys Week, an industry-wide campaign to accelerate the adoption of passkeys and encourage developers to build passkey support into their apps, websites, and authentication products.

Throughout the week, we released early selections of talks and presentations from our flagship Authenticate 2025 event, shared resources, highlighted passkey success stories from industry leaders, and hosted a live AMA webinar.

In case you missed any of the action on social media, we’ve rounded up everything we shared to help promote the work of those leading the way with passkey deployments and to support everyone on their passkey journey.

Early Access: Authenticate 2025 Presentations

We released early access to select presentations from Authenticate 2025, our flagship conference held in October. These presentations showcase how leading organizations are deploying passkeys at scale and achieving measurable results. These talks are all available to watch on our YouTube channel.

Success Stories

We also shone a spotlight on companies that have made progress on their Passkey Pledge – a call to action for organizations to accelerate passkey adoption. Here are just a few of the success stories we shared:

  • Atlancube: The pledge accelerated their certification timelines, helping them prepare to launch a certified hardware security key.
  • Dashlane: Integrated FIDO2 security keys to replace the master password with a hardware-backed secret.
  • First Credit Union: After rolling out passkeys to their 60,000+ members, 54.5% of all authentications now use passkeys.
  • Glide Identity: Achieved FIDO certification for new products to serve organizations seeking interoperable solutions.
  • HYPR: Deployed passkeys at scale to Fortune 500 enterprises, including two of the four largest US banks.
  • LY Corporation: Improved passkey sign-in rates to 41% and reduced SMS transmission costs by replacing OTPs.
  • NTT DOCOMO: Confident of increasing passkey usage by 10% this year by refining user messaging on enrollment pages.
  • Secfense: Enabled passkey sign-ins across banking and insurance sectors without modifying legacy applications.
  • Thales: Extensively promoted the benefits of passwordless to customers through workshops and webinars.

You can read more about these success stories on our website. It’s not too late to take the Pledge; you can find out more here.

Resources

Throughout the week, we pointed to key resources to help those implementing passkeys, including:

  • Design Guidelines: For consumer use cases, visit PasskeyCentral.org to access the FIDO Alliance Design Guidelines.
  • Developer Hub: For technical resources brought to you by the W3C WebAuthn Community Adoption Group and FIDO Alliance, visit passkeys.dev.
  • UX Research: Read our blog, “Beyond the Protocol,” co-authored by Patryk Les (Yubico) and Philip Corriveau (RSA), which highlights the human-centered shift defining the future of workforce security.

New Data

We shared new research from our Passkey Index, a confidential survey of nine FIDO Alliance member organizations—Amazon, Google, LY Corporation, Mercari Inc., Microsoft, NTT DOCOMO, PayPal, Target, and TikTok—that have deployed passkeys for 1 to 3 years, covering eight utilization and performance areas. It shows the adoption and business impact of passkeys from leading service providers. The data reveals that:

  • 93% of accounts are now eligible for passkeys.
  • 36% of accounts are enrolled with a passkey.
  • 26% of all sign-ins now leverage passkeys.
  • Read the full Index here.

We also highlighted Dashlane’s new report, which offers a one-of-a-kind look at the apps leading the move to passwordless across consumer and enterprise environments globally. You can read the report here.

The Passkeys AMA

To wrap up the educational aspect of the week, we hosted a live, interactive Ask Us Anything (AMA) session. With speakers from Dashlane, FIDO Alliance, Google, and Okta, this webinar was the perfect chance to bring questions about passkey implementation, UX, security, standards, and ecosystem adoption directly to the experts shaping the industry. If you missed the live session, you can still watch it here.

FIDO Alliance Launches New Digital Credentials Initiative to Accelerate and Secure an Interoperable Digital Identity Ecosystem
https://fidoalliance.org/fido-alliance-launches-new-digital-credentials-initiative-to-accelerate-and-secure-an-interoperable-digital-identity-ecosystem/
Fri, 05 Dec 2025 01:15:33 +0000

New Digital Credentials Working Group to work with global FIDO Alliance members and industry partners to align digital identity ecosystem

December 4, 2025 – The FIDO Alliance announced today the launch of a new digital credentials initiative, marking an expansion of its mission to accelerate the adoption of verifiable digital credentials and identity wallets. This initiative is poised to help the world simplify and secure online and in-person interactions by establishing a trusted and interoperable identity wallet ecosystem.

Work on this new initiative will be carried out by the FIDO Alliance’s new Digital Credentials Working Group (DCWG). 

“FIDO Alliance united the industry to solve the password problem, and the world is now embracing the simplicity and security of passkeys – with billions of accounts now leveraging this sea change in user authentication. We’re now aiming to bring that same proven, collaborative model to the adjacent digital credentials landscape — working closely with partners including EMVCo, ISO, OpenID Foundation, and W3C to align a fragmented ecosystem,” said Andrew Shikiar, CEO of FIDO Alliance. “Together, we aim to deliver trusted, interoperable digital wallets that make everyday interactions simpler, more secure, and privacy-preserving for everyone.”

Digital credentials have the potential to offer enhanced ease, security, and privacy to everyday interactions and transactions. Governments around the world are helping lead the way in issuing digital identity credentials — including the European Digital Identity Wallet program that will see all 27 member states offer citizens digital identities by the end of 2026, and with 18 departments of motor vehicles in the United States having deployed standards-based mobile driver’s licenses to over 5 million American citizens.

Widespread adoption has been hindered by ecosystem fragmentation, however, including a lack of global alignment and end-to-end certification. Building on its success with passkeys, the FIDO Alliance will address these challenges through its proven ability to unite stakeholders, develop specifications and certification programs, collaborate with other standards organizations, and implement global adoption initiatives. By applying these strategies to the digital credentials ecosystem, the FIDO Alliance aims to foster a future where digital credentials are as pervasive, trusted, and user-friendly as passkeys are today – helping secure the entire identity account lifecycle for consumers and businesses around the world. 

FIDO Alliance will focus on three foundational workstreams in partnership with ecosystem partners such as The OpenID Foundation, ISO, W3C, and EMVCo to unblock the digital credentials ecosystem: 

  1. Wallet Certification: This program will establish certification criteria for digital wallets, ensuring they are secure, protect user privacy, and are interoperable with credential issuers and relying parties. This will provide crucial assurance that credentials are handled with proper security, privacy, and functionality.
  2. Specification Development: FIDO will develop specifications to complement existing protocols and frameworks from industry partners such as OpenID Foundation, ISO and other standards organizations. For example, the Alliance will develop specifications for presenting credentials across devices by expanding the existing FIDO cross-device protocol. The Alliance also intends to define credential schemes (for example in payments and/or loyalty) as required to address new use cases as they emerge. 
  3. Usability and Relying Party (RP) Enablement: This workstream will accelerate adoption by providing the industry with necessary tools, branding, and best practice guidelines for successful implementation. Drawing from its experience with passkeys, the FIDO Alliance will ensure a seamless user experience, which is critical for new technology adoption.

Through these efforts, the Alliance aims to reduce friction for issuers and relying parties, increase user trust in data security and privacy, and create a vibrant, interoperable market for issuers, wallet providers, and identity services.

Work has already commenced, with initial deliverables planned for 2026.

Industry partner comments:

Loffie Jordaan, Business Solutions Architect at AAMVA and Convenor of ISO/IEC JTC1/SC17/WG10 said, “WG10’s work includes standards for digital credential exchange protocols. Wallets, being one side of a credential exchange, have to support these protocols. In addition to requiring support for these protocols, issuing authorities often have additional requirements on the wallets into which they provision, covering things like device security, holder privacy, and credential life cycle management. The FIDO work will allow issuing authorities to confirm if a wallet being presented for provisioning has been certified against a profile representing the issuing authority’s protocol and other requirements. In doing so, the FIDO work will be of significant value to issuing authorities.”

Gail Hodges, Executive Director of the OpenID Foundation said, “OpenID Foundation welcomes FIDO Alliance’s new initiative on digital credentials as an important step toward advancing a secure and interoperable identity ecosystem. Our organizations have a long history of close collaboration on standards that make authentication simpler and more resilient, and we see the same opportunity to align our efforts as the market rapidly moves toward verifiable credentials and identity wallets. We look forward to working with FIDO and the broader community to help ensure that digital credentials are built on open, privacy-preserving standards that scale globally.”

Seth Dobbs, President & CEO, the World Wide Web Consortium (W3C) said, “It will take the cooperation of many to address the challenges and opportunities of Digital Identities on the Web. The W3C Verifiable Credentials and Digital Credentials API specifications are designed to help ensure the privacy and security of web users. W3C is pleased to work with FIDO Alliance and others on the technical foundation for interoperable, secure, privacy-preserving digital credentials that work across different platforms and systems.”

Daniel Goldscheider, Executive Director of the OpenWallet Foundation said, “FIDO Alliance specifications are already foundational to the wallet landscape. We warmly welcome this expansion into digital credentials and wallet certification.”

Patrik Smets, EMVCo Executive Committee Chair, commented: “Through our Digital Identity and Payment Task Force, EMVCo is engaging with industry partners to advance agentic payments, authentication, verifiable digital credentials, passkeys for payment, and digital wallets. Earlier this year, we shared our existing digital payment credential schema activity with FIDO to align and gather feedback from its members. This level of ongoing collaboration is crucial to promoting global interoperability across the ecosystem in how we use identity in payments, and we are committed to working on payments use cases with all stakeholders as this progresses at pace.”

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

Enhancing Compliance and User Experience with Major Updates to the FIDO Metadata Service
https://fidoalliance.org/enhancing-compliance-and-user-experience-with-major-updates-to-the-fido-metadata-service/
Wed, 03 Dec 2025 19:14:46 +0000

We’re excited to announce updates to the FIDO Metadata Service (MDS), which helps ensure organizations have the information necessary to successfully validate authenticators. As organizations deploy passkeys and FIDO authentication, it is critical to validate trusted, certified authenticators.

This is especially useful to deploying organizations in regulated industries and organizations handling sensitive data. These organizations can use MDS to verify that accepted authenticators meet certain criteria, such as FIDO L1, L2 and L3 certifications for compliance, as well as leverage security issue notifications to determine suitable responses.

To support the continued evolution of the FIDO ecosystem, we have released an update to the MDS that provides new tools for relying parties (RPs) to verify authenticator compliance, improve interoperability and life cycle management, while enhancing the user experience. This includes several substantial enhancements to the existing service:

  • Standardized Security Policy Enforcement: RPs can now ensure the correct level of FIPS compliance by verifying that authenticators meet their exact security criteria before granting access.
  • Streamlined Cross-Provider Integration: RPs can dynamically discover and retrieve detailed information about the passkey provider’s Credential Exchange (CX) definitions, streamlining the process of cross-provider communication and setup.
  • Authenticator Lifecycle Management: The addition of a new “retired” authenticator status value to accurately reflect MDS entries that are no longer actively supported or recommended for use. This status will help RPs maintain secure and up-to-date deployment strategies by clearly flagging deprecated metadata.
  • MDS Version Check: Cuts processing times by introducing localCopySerial, a new parameter that can be specified to only return metadata if a new version of the MDS BLOB is available.

In addition to these MDS updates, the FIDO Alliance also launched a new Convenience Metadata Service. This enables RPs to offer a consistent user experience so that end-users see the same presentation of their passkeys, no matter which service or platform they’re using, to simplify the process of selecting and managing their credentials. This includes standardized, user-friendly names for passkey providers, and high-quality logos for RPs to use in user interfaces and presentation layers.

The updated FIDO MDS and the new Convenience Metadata Service are now live. For more information, visit https://fidoalliance.org/metadata/. For technical questions, implementation guidance, or inquiries regarding the new MDS versions or the Convenience Metadata Service, please reach out to support@mymds.fidoalliance.org.

Recap of the FIDO Alliance Korea Working Group Workshop
https://fidoalliance.org/recap-of-the-fido-alliance-korea-working-group-workshop/
Tue, 02 Dec 2025 16:54:05 +0000

Strengthening Korea’s Passkey Ecosystem Through Technical Collaboration and Regulatory Clarity

The FIDO Alliance Korea Working Group (FKWG) held its year-end workshop on November 14, 2025, at the Telecommunications Technology Association (TTA) office in Pangyo. Co-hosted by Samsung Electronics and TTA, the workshop brought together local FIDO members and invited guests to discuss the latest developments in passkey deployment, biometric authentication, and the accelerating momentum behind phishing-resistant authentication across the country.

With a half-day agenda featuring the Q4 member plenary, technical deep-dives, ecosystem updates, and a community networking session, the event highlighted the rapid expansion of Korea’s passkey landscape and the central role of the FKWG in driving adoption across industries.

One of the most important topics covered during the workshop was a newly clarified regulatory interpretation confirming that “FIDO authentication using on-device biometrics does not require separate user consent, since no biometric data leaves the device.”

This clarification removes a long-standing compliance concern for organizations and is expected to significantly accelerate enterprise adoption of FIDO-based biometrics across finance, telecom, commerce, and government services. The update has already drawn national and international attention, including coverage by Biometric Update, underscoring its significance to the broader authentication ecosystem.

Read the Coverage from Biometric Update

The technical presentations and updates from FIDO members provided insights into real-world deployments, new research, and ongoing product development:

  • Samsung SDS shared lessons learned from large enterprise-scale passkey rollouts at Samsung Group Companies and UX refinement.
  • LINE presented developer-focused guidance and demonstrated how they are using passkeys for end-to-end encryption (E2EE).
  • TTA shared perspectives on AI privacy challenges and mitigation strategies, along with associated regulatory considerations.
  • Korea Quantum Computing (KQC) discussed how they developed PQC-based FIDO security keys, offering a forward-looking view on post-quantum security.

These sessions demonstrated the depth of local technical expertise and the collaborative spirit that defines the FIDO Alliance Korea Working Group community.

The workshop concluded with a networking dinner, a quiz session, and a prize giveaway that added a fun and engaging community element to wrap up the day.

With clear regulatory support, growing cross-industry deployments, and an active technical ecosystem, the FIDO Alliance Korea Working Group is well positioned to accelerate the adoption of phishing-resistant authentication throughout 2026 and beyond.

The FIDO Alliance extends its appreciation to Samsung Electronics, TTA, all presenters, and all members and guests who contributed to this successful event.

FIDO Alliance Announces First Authenticate Conference for the Asia-Pacific Region
https://fidoalliance.org/fido-alliance-announces-first-authenticate-conference-for-the-asia-pacific-region/
Mon, 01 Dec 2025 21:53:32 +0000

The industry’s premier event dedicated to digital identity and authentication expands globally with Authenticate APAC 2026 in Singapore

SINGAPORE, 02 December – The FIDO Alliance today announced the expansion of its flagship event series with the launch of Authenticate APAC 2026. This marks the first time the industry’s only conference dedicated to digital identity and phishing-resistant authentication will be held in the Asia-Pacific region. The inaugural event will take place on June 2 – 3, 2026, followed by a FIDO Member Plenary from June 4 – 5, 2026, at the Grand Hyatt in Singapore.

As organizations worldwide accelerate the shift from passwords to passkeys and begin to unlock the potential of verifiable digital credentials, Authenticate APAC will serve as a regional hub for education, collaboration, and innovation. The decision to bring Authenticate to the region builds on the success of the FIDO APAC Summit held over the last two years. It also reflects the region’s growing influence in the cybersecurity landscape, where recent momentum in government digital identity initiatives and widespread commercial passkey deployments are helping to drive the global standard for secure, user-friendly authentication.

“The FIDO Authenticate conference has become the defining event for the authentication community, and we are proud to extend this platform to the Asia-Pacific region,” said Andrew Shikiar, CEO of the FIDO Alliance. “There is tremendous innovation happening across APAC, and this event will provide a dedicated space for local and global leaders to collaborate and help build the future of a secure, user-friendly and interoperable internet.”

The Authenticate conference series delivers high-quality content with a highly engaged community of professionals committed to advancing passkeys, digital credentials and related technologies. It is designed to bring together CISOs, business leaders, product managers, security strategists, and identity architects to advance their knowledge of digital identity and shape the future of authentication. 

Call for Sponsors and Registration
The FIDO Alliance will offer a wide range of sponsorship opportunities designed to maximize brand exposure and reach target audiences. The 2026 Prospectus detailing sponsorship packages also launched today and is available here.

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate conferences have the right content, and community, for you. Registration for attendees will open later this year.

To stay up to date on speakers, sponsorship opportunities, and registration details, please visit the Authenticate APAC 2026 website, follow @FIDOAlliance on X, and sign up for the newsletter.

About Authenticate
Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys.

Contact
press@fidoalliance.org

Beyond the Protocol: The Human-Centered Shift Defining the Future of Workforce Security
https://fidoalliance.org/beyond-the-protocol-the-human-centered-shift-defining-the-future-of-workforce-security/
Wed, 19 Nov 2025 14:43:45 +0000

By FIDO Alliance UX Working Group’s Enterprise Subgroup leaders Patryk Les, Yubico and Philip Corriveau, RSA

As we celebrate Passkeys Week 2025, the momentum around passwordless authentication is undeniable. Across industries, organizations are taking real steps toward a future where passwords – and the risks they bring – finally fade away.

Recent research from the FIDO Alliance and its members shows that over 85% of enterprises are implementing or evaluating passkeys. The question is no longer if your organization will deploy them – it’s how you’ll do it effectively.

And that’s where the next chapter begins. Because the hardest part of passwordless security isn’t the cryptography – it’s the culture.

People Are Not the Weakest Link – They’re the Strongest Asset

For years, cybersecurity has been framed as a struggle to “fix” users – those who forget passwords, fall for phishing, or sidestep controls. But people aren’t the problem. They’re responding to systems that often work against natural human behavior.

Passkeys flip that model. They align authentication with how people already act – using biometrics, devices, and gestures they trust. When security design works with human tendencies, compliance becomes intuitive and adoption accelerates.

This is more than a technical improvement. It’s a leadership opportunity.

Three Lessons from the Front Lines

The FIDO Enterprise UX Subgroup’s research with enterprise deployments uncovered one clear truth: the biggest challenges are human, not technical. Here’s what leading organizations are learning.

1. Enrollment Is the First Moment of Trust
The first time a user registers a passkey isn’t just a setup step – it’s their first interaction with your new security culture. Complex flows or unclear prompts can create frustration and mistrust before the rollout even begins.

Leaders who treat enrollment as change management – offering clarity, support, and communication – set the tone for success.

2. Users Need a Mental Model, Not a Cryptography Lesson
Practitioners told us: “Give me a one-sentence definition users actually understand.” That’s because awareness without understanding is ineffective. The best explanation we heard?

“A password is an easy-to-copy key you remember.
A passkey is a hard-to-copy key your device remembers.”

Simple, relatable language builds trust far better than technical jargon.

3. Consistency Builds Confidence
When authentication looks different across browsers and devices, it creates decision fatigue and confusion. This isn’t just a UX problem – it’s a behavioral one. Inconsistency erodes confidence; consistency builds it.

Forward-thinking leaders now recognize that usability isn’t a luxury – it’s a security control.

Redefining Success: From Compliance to Culture

Traditional cybersecurity programs measure success through compliance metrics: completed trainings, documented policies, audit readiness. But those measures miss what truly matters – behavioral outcomes.

Leading organizations are shifting to human metrics:

  • Adoption and retention rates
  • User satisfaction (CSAT)
  • Reduced authentication-related support tickets

One organization exemplified this shift during the passkey rollout: when satisfaction dipped below their 4.0 target, they paused to improve the experience before resuming rollout. That’s human-centered leadership – prioritizing outcomes that strengthen both trust and security.

Leadership in the Human Era of Security

When deployments struggle, it’s rarely due to user resistance – it’s because systems weren’t designed with human behavior in mind.
Leaders now have a clear mandate:

  • Simplify choices and reduce cognitive load
  • Segment workforce experiences (field staff ≠ office staff)
  • Establish feedback loops to learn and iterate

The most successful organizations treat passkey deployment as a cultural transformation, not a technical upgrade. They recognize that security performance is shaped by psychology, environment, and design – not just protocols.

The Path Forward: Share Your Voice

This Passkeys Week, we invite workforce leaders everywhere to help shape the next wave of adoption.

Your insights – what worked, what didn’t, and what surprised you – can help the entire community deploy smarter, faster, and more human-centered systems.

Share your experience and help shape the future of workforce authentication.

Your stories power our collective learning – and move the industry forward.

Closing Thought

The technology is ready. The future of workforce authentication now depends on how we lead.

When we design for human nature instead of against it, security becomes intuitive, sustainable, and strong. The workforce isn’t the weakest link – it’s our greatest asset.

Let’s make Passkeys Week 2025 the moment we prove it.

Authenticate 2025: Day 3 Recap
https://fidoalliance.org/authenticate-2025-day-3-recap/
Thu, 16 Oct 2025 19:13:24 +0000

By: FIDO staff

The first two days of Authenticate 2025 delivered strong technical content, user insights and lots of thoughtful discussions.

The final day of Authenticate 2025 went a step further, taking attendees on a deep dive into current and emerging authentication topics, including biometrics, agentic AI and verifiable credentials.

Passkeys and Verifiable Digital Credentials are Not Competitors

A key theme across multiple sessions at Authenticate 2025 was the growing need for, and development of, standards for Verifiable Digital Credentials.

In a session led by Christine Owen, Field CTO at 1Kosmos and Teresa Wu, Vice President, Smart Credentials & Access at IDEMIA Public Security, the roles of passkeys and verifiable digital credentials (VDCs) within the evolving landscape of secure digital identity were clarified.

They emphasized that passkeys and VDCs are not competing technologies. Instead, they are best used together to strengthen both authentication and identity verification processes. Passkeys offer privacy preservation and are resistant to phishing, while VDCs provide digital representations of identity attributes that can be selectively shared when needed.

Breaking Glass: Restoring Access After a Disaster

In a thought-provoking session, Dean H. Saxe, Principal Security Engineer, Identity & Access Management at Remitly, explored the challenges and importance of digital estate management, particularly in the context of disasters and emergencies. 

Saxe described how personal experiences and recent natural catastrophes highlight the necessity of preparing for sudden loss of access to digital assets.

A hands-on experiment conducted by Saxe tested how well a “break glass” process works when all personal devices are lost. The process included relying on physical identity documents and a safe deposit box to regain access to important accounts like 1Password, Apple iCloud, and Google services. Saxe faced unexpected obstacles, such as a missing credential and issues getting recovery codes, which illustrated the real-world difficulties of these situations.

The findings of Saxe’s experiment stressed the need for regular testing and updating of disaster preparedness plans.

“So the failure to test your backup strategy means that you do not have a valid backup strategy,” Saxe said.

From the Trenches: Passkeys at PayPal

PayPal is an early adopter of passkeys; its initial motivation was to reduce reliance on passwords.

“It’s time to break free from the password prison,” Mahendar Madhavan, Director of Product, Identity at PayPal said.

PayPal launched passkeys in 2022, saw a surge in mid-2024, and now boasts more than 100 million enrolled users with a 96% login success rate. This surge has delivered results—phishing-related losses have dropped by nearly half compared to traditional password and OTP methods.

Mohit Ganotra, Identity PM Lead at PayPal explained that initial efforts zeroed in on user education and reducing friction during login. By optimizing the login experience and targeting enrollment prompts during checkouts and password recovery, PayPal now sees 300,000 incremental enrolments each month from checkout alone, plus 75,000 from automatic passkey upgrades.

“Passkeys is still a new technology, it needs to go through the adoption curve that every new technology has,” Madhavan said. “So you as a relying party need to nudge users, guide users, encourage users to adopt a passkey at various points in their journey and how you do it is, you hyper personalize the content for consumers and users, and you talk in their language.”

Safeguarding Enterprise Online Credentials Post Authentication

While passkeys solve authentication security, post-authentication remains vulnerable through bearer token theft and session hijacking. 

Numerous technical approaches can help mitigate that risk, however, and An Ho, Software Solution Architect at IBM, and Shane Weeden, Senior Technical Staff Member at IBM, described them in detail.

The session introduced two complementary technologies designed to address this vulnerability. DPoP (Demonstrating Proof of Possession) extends OAuth 2.0 to create sender-constrained access and refresh tokens for API flows, while DBSC (Device-Bound Session Credentials) binds browser session cookies to specific devices. Both technologies use asymmetric cryptography to ensure that stolen credentials become unusable by attackers, as they require proof of possession of private keys that only the legitimate client or browser holds.

“We believe that you need to look at a holistic view of your sessions,” Weeden said. “You need to look at not just how clients and users log in, but also how to maintain a form of continuous authentication with the client or browser that is utilizing that session.”
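The proof-of-possession check that makes a stolen bearer token unusable can be shown with DPoP as specified in RFC 9449. The following is an added example, not code from the session or from IBM: it builds a DPoP proof on the client and verifies it on the resource server with Node.js. The function names, the `api.example.test` URL, the opaque token string and the in-memory replay cache are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const sha256b64u = (s) => nodeCrypto.createHash('sha256').update(s).digest('base64url');
const fail = (reason) => ({ ok: false, reason });

// RFC 7638 thumbprint of an EC JWK: required members only, in lexicographic order.
function jwkThumbprint(jwk) {
  return sha256b64u(JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }));
}

// Client side: sign a DPoP proof JWT covering one HTTP request and one access token.
function createProof(privateKey, publicJwk, { htm, htu, accessToken, iat }) {
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: publicJwk };
  const payload = { jti: nodeCrypto.randomUUID(), htm, htu, iat, ath: sha256b64u(accessToken) };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // JWS uses raw r||s, not DER
  return `${signingInput}.${sig.toString('base64url')}`;
}

const seenJti = new Set(); // replay cache (assumption: in-memory, single process)

// Resource-server side. boundJkt is the cnf.jkt value the authorization server
// bound to the access token when it was issued.
function verifyProof(proof, { htm, htu, accessToken, boundJkt, now, maxAgeSec = 60 }) {
  const parts = proof.split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload, key;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return fail('malformed'); }
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') return fail('bad_header');
  // The embedded key must be a public EC key; a private member "d" is rejected.
  if (!header.jwk || header.jwk.kty !== 'EC' || header.jwk.d) return fail('bad_jwk');
  try { key = nodeCrypto.createPublicKey({ key: header.jwk, format: 'jwk' }); }
  catch { return fail('bad_jwk'); }
  const sigOk = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return fail('bad_signature');
  if (payload.htm !== htm || payload.htu !== htu) return fail('wrong_request');
  if (Math.abs(now - payload.iat) > maxAgeSec) return fail('stale');
  if (payload.ath !== sha256b64u(accessToken)) return fail('wrong_token');
  // The binding step: the proof key must be the key the token was issued to.
  if (jwkThumbprint(header.jwk) !== boundJkt) return fail('key_not_bound');
  if (seenJti.has(payload.jti)) return fail('replayed');
  seenJti.add(payload.jti);
  return { ok: true };
}

// Constructed scenario: a legitimate client, and a second party that holds a copy
// of the access token but not the client's private key.
function demo() {
  const client = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const clientJwk = client.publicKey.export({ format: 'jwk' });
  const otherJwk = other.publicKey.export({ format: 'jwk' });
  const accessToken = 'constructed-opaque-access-token';
  const req = { htm: 'GET', htu: 'https://api.example.test/orders', accessToken, iat: 1700000000 };
  const expected = { ...req, boundJkt: jwkThumbprint(clientJwk), now: 1700000005 };
  const legit = createProof(client.privateKey, clientJwk, req);
  return {
    legit: verifyProof(legit, expected),
    replay: verifyProof(legit, expected),
    stolenToken: verifyProof(createProof(other.privateKey, otherJwk, req), expected),
    otherEndpoint: verifyProof(createProof(client.privateKey, clientJwk, req),
      { ...expected, htu: 'https://api.example.test/admin' }),
  };
}

console.log(demo());
```
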

From the Trenches: Improving Experience and Security at Databricks with Passkeys  

Meir Wahnon, Co-Founder of Descope, explored how Databricks approached the challenges of unifying authentication and improving security across multiple cloud-based apps.

Databricks partnered with Wahnon’s company to figure out the best approach. The fragmented login experience had made it hard for users and the IAM team to manage access and maintain full visibility. Databricks tackled this by adopting a centralized identity provider and federation to ensure a more seamless single sign-on process. A major focus was the decision to add passkeys as an optional multi-factor authentication method. This choice was driven by Databricks’ commitment to balancing strong security for customers with a smooth, low-friction user experience.

The deployment of passkeys came with careful attention to user adoption and support. Databricks made passkeys optional to minimize disruption, and included easy rollback options if customer uptake became a challenge.

“The balance between user experience and security is always a question when you build a user journey,” Wahnon said.

From the Trenches: Alibaba’s Passkey Story

Alibaba is expanding its use of passkey authentication across business units including AliExpress and DingTalk. 

Preeti Ohri Khemani, Senior Director at Infineon Technologies, which works with Alibaba, explained that the main goal was to improve security and user experience by reducing dependence on traditional passwords and costly SMS one-time passwords. The rollout has led to faster, more convenient logins and a smoother registration process for users.

On AliExpress, the deployment of passkeys simplified the login flow and eliminated extra steps for users. This change resulted in a reported 94% increase in login success rates along with an 85% reduction in login times. Users no longer need to manage passwords or wait for verification codes, which also lowered operational costs and security risks.

DingTalk, Alibaba’s internal messaging platform with 28 million daily active users, has similarly benefited from passkey integration. Engineers at Alibaba focused on making passkey adoption easy by sharing clear coding samples, open-source libraries, and helpful tools.

Keynotes: The Path to Digital Trust

Ashish Jain, CTO of OneSpan, used his keynote to explore the ongoing challenge of establishing trust in digital interactions. Jain traced the journey from physical trust in face-to-face transactions to today’s anonymous digital world.

Jain outlined the tension between user experience and security. He cited how complex password policies and frequent multi-factor authentication can frustrate users, yet they are essential for protection. The discussion highlighted how the industry is coming closer to a practical solution through the adoption of passkeys.

“In the physical world, trust is emotional,” Jain said. “In the digital world, trust is an architecture.”

Keynote: Biometrics Underpinning the Future of Digital Identity

Continuing on many of the same themes from Amlani’s keynote, Stephanie Shuckers, Director, Center for Identification Technology Research (CITeR), University of North Carolina – Charlotte, and Gordon Thomas, Sr. Director, Product Management, Qualcomm, provided more insights on the critical nature of biometrics.

Thomas noted that while face recognition remains popular, fingerprints offer enhanced privacy because they are less likely to be exposed online or through surveillance.

“It’s not really about proving who you are, but it’s about building and securing your digital identity layer by layer with trust every time you use it,” Thomas said.

Shuckers noted that there is a need for strong assurance levels in biometric technology on consumer devices. That’s where standards help ensure both user safety and usability. The FIDO Alliance’s programs test biometric systems for vulnerabilities such as deepfakes and injection attacks. These certifications are crucial for building trust in digital identity systems.

Keynote: Microsoft Details What’s Needed to Authenticate Agentic AI

Pamela Dingle, Director of Identity Standards, Microsoft, led a session on the challenges and opportunities in authenticating AI agents within enterprises.

She stressed the importance of understanding what an agent is and pointed out that simply asking “who authenticates the agent” is not enough. Dingle highlighted the complexity that arises from having many agents running in different domains, each with unique tasks and identifiers. Administrators often struggle to see the full chain of actions, which complicates decision making and resource management.

Dingle introduced the idea of using “blueprints” and “task masters” to authenticate not just the agent but also the context and source of its tasks. She emphasized that knowing only the identifier is not enough. The future will require richer, composite data about each agent’s purpose and origin.

“The agentic AI push gives us an opportunity to build the tools enterprises need to run better.”

Keynote Panel: Digital Wallets and Verifiable Credentials: Defining What’s Next 

Verifiable credentials were a hot topic at Authenticate 2025, and the final keynote panel tackled them.

The panel included Teresa Wu, Vice President, Smart Credentials and Access at IDEMIA Public Security; Loffie Jordaan, Business Solutions Architect at AAMVA; Christopher Goh, International Advisor, Digital Identity & Verifiable Credentials at Valid8; and Lee Campbell, Identity and Authentication Lead, Android at Google.

The discussion began with an overview of the ecosystem, emphasizing the interaction between the wallet, issuer, and relying party. This “triangle of trust” serves as the cornerstone for secure digital credential use. Panelists stressed the need for privacy, interoperability, and certification as this shift accelerates, highlighting lessons learned and ongoing challenges like fragmentation across platforms.

FIDO Alliance’s growing focus on digital credentials was described as a catalyst for industry progress. “FIDO is getting involved in the digital credential space,” Campbell said. “FIDO does an exceptional job at execution.”

That’s a Wrap!

Wrapping up the Authenticate 2025 program, FIDO Alliance Executive Director Andrew Shikiar emphasized that the event continues to grow year by year.

For the 2025 event there were 150 sessions and 170 speakers. 

“Passkeys are driving measurable business outcomes,” Shikiar said. “One thing I thought was really cool this year about some of the presentations, it wasn’t just another ‘rah rah’ passkeys are great story, but also companies are coming back for their second time or third time, talking about progress and lessons learned and how they’re evolving, pivoting and growing.”

Speaking of growth, the Authenticate event is growing for 2026, with a new Authenticate APAC event set for June 2-3 in Singapore. Authenticate 2026 will be back in California at the same time next year.

Between now and then, the FIDO Alliance will be sharing lots of informative content and hosting educational events. Stay connected and sign up for updates.

Authenticate 2025: Day 2 Recap
https://fidoalliance.org/authenticate-2025-day-2-recap/
Thu, 16 Oct 2025 16:33:03 +0000

By: FIDO Staff

Following on the information-packed day one, day two of Authenticate 2025 continued the trend.

Over the course of the day, users from across different geographic areas and industry verticals detailed their experiences with passkeys. How passkeys fit into the payment ecosystem and how they intersect with agentic AI were also hot topics across multiple sessions.

Keynotes: A Brief History of Strong Authentication

Christopher Harrell, Chief Technology Officer at Yubico, kicked off the morning keynote tracing the journey of authentication practices from basic shared secrets to the modern era. 

Harrell outlined how early systems based on shared secrets and memorized passwords often failed due to human error and simplicity. Multi-factor authentication was introduced to address these gaps by layering security, but still relied heavily on passwords or similar secrets. He noted that the evolution of the market to passkeys eliminates the vulnerabilities of shared secrets and reduces the chance of phishing, making access both safer and easier for users.

“Shared secrets were never meant for the internet, we need authentication that protects you without making you remember more,” Harrell said.

Keynotes: Passkey Adoption in the UK

The United Kingdom (UK) has taken a big leap into passkeys, embracing their usage at the national level.

Darren Hutton, Identity Advisor for NHS England and Pelin Demir, UX Designer for NHS Login, detailed the adoption path and success of passkeys in the UK. The presenters shared how NHS Login serves as a nation-level identity provider for healthcare access, reaching almost the entire adult population. They discussed the evolution from passwords and OTPs to introducing passkeys. The move aimed to improve both security and accessibility for all users.

Insights from their user research revealed that although over three million users adopted passkeys within months, there were challenges. These included inconsistent user interfaces, confusion around technical terms, and accessibility barriers for screen reader users. The team found that clear guidance and familiar wording were critical to increasing adoption.

“Passkeys, is a beautiful balance of technology that brings security and usability together to create a really good service,” Hutton said.

Leaders from the National Cyber Security Centre (NCSC) in the UK detailed the strong imperative to move to passkeys, noting that the majority of cyber harm to UK citizens happened through abuse of legitimate credentials.

Keynote: Visa Details Payment Passkey Efforts

Ben Aquilino, VP, Global Head of Visa Payment Passkeys and Digital Identity at Visa, explored the evolution of digital payment security from the earliest days of online commerce to the present.

Aquilino used the history of Pizza Hut’s first online order in 1994 as a gateway to highlight how payment experiences have changed due to rising concerns over fraud, describing how simple early processes became more complex to counter increasingly sophisticated threats.

A significant portion of the session focused on the technological advancements used to combat payment fraud.

The session also covered Visa’s recent efforts to innovate further by launching Visa Payment Passkeys. This new approach leverages passkeys and biometrics for payment authentication, aiming to offer better protection along with a seamless user experience.

“Authentication doesn’t have to be a compromise between security and convenience; it can have both,” Aquilino said.

Keynote Panel: Quantifying Passkey Benefits from Early Adopters 

In a keynote panel session led by FIDO Alliance Executive Director Andrew Shikiar, industry leaders from PayPal, NTT DOCOMO and Liminal explored the ongoing shift in the authentication landscape.

Koichi Moriyama, Chief Security Architect at NTT DOCOMO and Rakan Khalid, Head of Product, Identity at PayPal, recounted the journey from initial pilots to broader adoption, detailing technical evolution and lessons learned. Khalid emphasized the impact of evolving authentication standards on customer experience, while Moriyama described Docomo’s commitment to ecosystem-wide security improvements.

A recurring message throughout was the proven effectiveness and industry momentum behind passkey authentication. Survey data from Liminal revealed that most decision-makers now rank passkeys as their top priority for authentication investments. 

“The big surprise in the survey was that passkeys really have moved from pilot to priority,” Filip Verley, Chief Innovation Officer at Liminal said. “We’re seeing huge adoption and nearly every adopter is very satisfied.”

Both PayPal and Docomo shared that organizational and customer metrics improved after moving away from passwords, including increased sign-in success and reduced account takeovers.

“When customers use passkey, we see about a 10-point increase in sign-in success rate over a traditional multi-factor authentication,” Khalid said.

From the Trenches: Shipping Passkeys for Hundreds of Millions of Users at TikTok

TikTok’s session offered a comprehensive look at its journey to implement passkeys as a login method for hundreds of millions of users. 

The team faced the challenge of introducing passkeys in a way that would not disrupt the user experience. TikTok chose to promote passkeys through a campaign on user profile pages, leading to high engagement rates and a marked increase in adoption. Most users who set up passkeys did so thanks to the visibility and education presented within the app.

Passkey login was not only made the default for users who had enabled it, but TikTok also streamlined the signup process. 

“Overall, it has been a great journey with Passkeys and TikTok,” Yingran Xu, Software Engineer at TikTok said. “Passkey remains one of the authentication methods with the highest success rate and fastest login experience.”

From the Trenches: Lessons Learned from Roblox’s Passkey Deployment

Roblox’s effort to deploy passkeys across its platform is a response to the complex security needs of a massive and diverse user base. 

With more than half of Roblox users under 13, the challenge was to design an authentication system that is easy for children while still robust enough for professionals handling accounts with significant financial stakes. The team aimed to make access secure and simple without passwords, reducing both user frustration and customer support issues tied to account recovery.

Through a phased rollout that began with passkeys in user settings and later added passkey options during account sign-up, Roblox has shown measurable progress. Eighteen percent of active users have adopted passkeys, which led to greater engagement and higher login success rates. Experiments with the user interface revealed that highlighting passkeys at pivotal moments, such as account recovery, can drive adoption as long as users are guided clearly and are not forced through abrupt changes.

Ongoing improvements focus on making passkeys easier to use and more accessible, especially as many Roblox players move between multiple device types. An adaptive login flow led to more passkey logins and fewer users defaulting to traditional passwords. There are also new protections for top game creators, who are frequent phishing targets, ensuring only secure login methods are available for valuable accounts.

“Our vision is that all Roblox users should have secure and accessible accounts without passwords, powered by passkeys,” Yuki Bian, Product Manager at Roblox said.

From the Trenches: Using Windows Hello to Enable Passkeys for SSO

Single Sign-On (SSO) is a common approach enabling users in enterprise environments to use a single credential to get access to multiple applications.

In a deep dive session, Amandeep Nagra, Sr. Director, Identity and Access Management at CrowdStrike, detailed how Windows Hello for Business was implemented as a passkey solution for seamless Single Sign-On across enterprise devices. By turning device logins into trusted passkeys, users no longer needed to remember passwords or manage separate app authentications.

The solution involves generating a device-level PRT token using Windows Hello for Business PINs, which enables SSO across various apps. The project saved 78,000 hours of work annually.

“We turned the device login into your passkey—one sign-in, access to everything,” Nagra said.

From the Trenches: Modernizing Authentication with True Passwordless at Docusign

DocuSign is a leading provider of electronic agreement solutions that help individuals and businesses sign documents and manage contracts online. Security and identity verification are critical to its platform, as users rely on DocuSign to complete transactions that often involve sensitive or high-value documents, such as home purchases, business contracts, and legal agreements.

To meet rising threats and user demand for easier, safer access, DocuSign is working to make passwordless authentication the default experience.

The company’s authentication team has introduced passkeys, enabled biometrics, and streamlined account recovery methods. Their goal is to give users secure, reliable, and effortless ways to verify identity, whether that’s logging in to review paperwork or using a mobile device to approve a high-stakes deal.

Yuheng Huang, Engineering Manager at Docusign noted that the login success rate for passkeys on DocuSign is 99%. In contrast, the password login success rate is only 76%.

Going beyond just authentication, Dina Zheng, Product Manager at Docusign, explained that DocuSign is using a passkey with the company’s identity wallet.

“By combining capabilities with identity wallet, we’ve created a fully frictionless experience, secure enough for identity verification, yet simple enough that users barely notice the authentication step at all,” Zheng said. “This is a perfect example of how passkeys can go beyond just authentication. They’re becoming an enabler of trusted high assurance workflows across Docusign.”

Panel: Industry Perspectives on Securing Agent-Based Authentication

With the emergence of agentic AI, there are new concerns and challenges about how to secure and authenticate agents.

A panel with Lee Campbell, Identity and Authentication Lead, Android at Google; Rakan Khalid, Head of Product, Identity at PayPal; and Reid Erickson, Product Management, Network API at T-Mobile, moderated by Eran Haggiag, CEO at Glide Identity, discussed the challenges of trust and security in agent-based authentication.

Key points included the need for phishing-resistant authentication methods like passkeys and verifiable credentials to ensure user intent and prevent fraud. The discussion highlighted the importance of standardization, context-aware authentication, and human-in-the-loop verification to mitigate risks. 

“There’s lots of work going on, lots of companies are involved, lots of standards bodies involved with every single standards body out there today having some agentic group,” Campbell said. “Everybody’s talking about it, and one of the challenges is getting everyone and all the right players in the same room to have these conversations. And I think FIDO is actually quite a good place to do this.”

The Big Finale is Coming on Day 3!

While the first two days of Authenticate 2025 were stacked top to bottom with insightful sessions, Day 3 will deliver even more content.

With even more user stories coming, along with discussion of verifiable digital credentials and digital trust, Day 3 will not disappoint.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 3 live via the remote attendee platform! See the full agenda and register.

Authenticate 2025: Day 1 Recap
https://fidoalliance.org/authenticate-2025-day-1-recap/
Tue, 14 Oct 2025 15:55:19 +0000

By FIDO staff

Authenticate 2025, the FIDO Alliance’s flagship conference, kicked off day one on strong footing as passkey adoption continues to grow.

The first day of Authenticate 2025 was loaded with insightful user stories, sessions on how to improve passkey adoption and technical sessions about the latest innovations.

Mastercard: Reimagining Online Checkout with Passkeys

Mastercard presented their ambitious vision to bring contactless payment-level security and convenience to online transactions through passkeys. The company is tackling three major e-commerce pain points: fraud from insecure authentication methods, cart abandonment and false declines of legitimate transactions. 

“There is no secret for this audience that one-time passwords are largely insecure and subject to phishing attacks,” Jonathan Grossar, Vice President of Product Management at Mastercard said. “So this is one big problem that we’re trying to address.”

Mastercard’s approach includes linking passkeys to payment card identities through bank KYC verification, adding device binding layers to meet regulatory requirements like PSD2, and ensuring banks retain control over authentication decisions even when Mastercard acts as the relying party on their behalf.

“When you have a passkey, that’s very easy, you can use it right away, and we see the conversion is just fantastic,” Grossar said.

Passkey Mythbusters: Short Takes on Common Misunderstandings

Because passkeys are a relatively new technology, there is still a good deal of misunderstanding about them.

In an engaging session led by Nishant Kaushik, CTO of the FIDO Alliance, Matthew Miller, Technical Lead at Cisco Duo and Tim Cappalli, Sr. Architect, Identity Standards at Okta debunked several key misconceptions about passkeys including:

Misconception #1. Passkeys are stored in the cloud in the clear: The session clarified that passkeys are not stored in plain text. Reputable credential managers use strong end-to-end encryption, so even when passkeys are synced through the cloud, service providers cannot access the actual keys.

Misconception #2. Passkeys lock users into specific vendor ecosystems: The panel explained that new standards like the credential exchange protocol (CXP) and credential exchange format (CXF) enable secure transfer of passkeys between managers. 

Misconception #3. Phishing resistance depends solely on the relying party ID: Presenters emphasized that true phishing resistance comes from verifying the origin of authentication requests, not just matching the relying party ID. Proper server-side origin checks are essential for security.

Misconception #4. Cross-device passkey use enables remote attacks: The panel showed that cross-device authentication relies on proximity checks like Bluetooth, which prevent attackers from authenticating remotely even if they possess a QR code.

Misconception #5. Passkeys are not suitable for enterprise use: The panel highlighted that managed credential managers can offer strong policy control and high assurance for workforce applications, and that flexible management models fit both personal and enterprise contexts.

Misconception #6. Device management is always required for secure workforce passkeys: It was clarified that organizations can provide managed credential managers that enforce policies without requiring complete device management, allowing for greater flexibility.

Misconception #7. Passkeys cannot be used in mixed cloud and on-prem environments: The discussion explained that the right identity provider solutions and federation strategies can enable passkeys across a variety of application types.
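
The server-side origin check from Misconception #3, as an added example that is not from the session or the FIDO Alliance: the relying party accepts an assertion only when the origin in clientDataJSON is on an exact-match allowlist, in addition to the RP ID hash matching. `RP_ID`, `ALLOWED_ORIGINS`, the helper names and the sample data are assumptions constructed for illustration; signature and counter verification, which a real server also performs, are left out.

```python
import base64
import hashlib
import hmac
import json

# Assumed deployment values (not from the article).
RP_ID = "example.com"
ALLOWED_ORIGINS = frozenset({"https://login.example.com"})

FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04
MIN_AUTH_DATA_LEN = 37  # rpIdHash (32) + flags (1) + signCount (4)


class AssertionRejected(Exception):
    """Raised when a WebAuthn assertion fails a relying-party check."""


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion_context(client_data_json: bytes,
                            authenticator_data: bytes,
                            expected_challenge: bytes) -> str:
    """Check type, challenge, origin and RP ID hash; return the accepted origin."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError as exc:
        raise AssertionRejected("clientDataJSON is not valid JSON") from exc
    if not isinstance(client_data, dict):
        raise AssertionRejected("clientDataJSON is not an object")

    if client_data.get("type") != "webauthn.get":
        raise AssertionRejected("unexpected ceremony type")

    # The challenge must be the one this server issued for this session.
    echoed = str(client_data.get("challenge", "")).encode()
    if not hmac.compare_digest(echoed, b64url(expected_challenge).encode()):
        raise AssertionRejected("challenge mismatch")

    # Exact-match allowlist: a sibling origin under the same RP ID is refused.
    origin = client_data.get("origin")
    if not isinstance(origin, str) or origin not in ALLOWED_ORIGINS:
        raise AssertionRejected("origin not allowed")

    if len(authenticator_data) < MIN_AUTH_DATA_LEN:
        raise AssertionRejected("authenticator data too short")
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        raise AssertionRejected("RP ID hash mismatch")
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        raise AssertionRejected("user presence flag not set")
    return origin


def build_sample(origin: str, challenge: bytes, rp_id: str = RP_ID):
    """Constructed sample of what a browser and authenticator would return."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()
    flags = bytes([FLAG_USER_PRESENT | FLAG_USER_VERIFIED])
    sign_count = (7).to_bytes(4, "big")
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return client_data_json, authenticator_data


def outcome(origin: str, issued: bytes, echoed: bytes = None) -> str:
    """Run the check on a constructed sample and describe the result."""
    client_data_json, auth_data = build_sample(origin, echoed or issued)
    try:
        return "accepted: " + check_assertion_context(client_data_json, auth_data, issued)
    except AssertionRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    issued = bytes(range(32))  # constructed challenge
    # Both origins are valid for RP ID example.com, so the RP ID hash matches
    # in each case; only the origin allowlist separates them.
    for origin in ("https://login.example.com", "https://forum.example.com"):
        print(origin, "->", outcome(origin, issued))
```
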

What’s New in FIDO2: The New Features in WebAuthn and CTAP

There’s a lot going on with the underlying FIDO standards.

In his session, Nick Steele, Identity Architect at 1Password, detailed the latest FIDO2, CTAP2.2 and WebAuthn updates. Steele explained how these new standards offer easier adoption, better security, and a smoother user experience for both enterprises and individuals.

Key technical improvements:

  • Hybrid transport for flexible authenticator connections
  • Signals API for better credential management
  • Conditional passkey enrollment and improved autofill UI
  • Stronger encryption and HMAC secret extension
  • Broader support for smart cards and related origins

“We really want to increase the risk signalling and the trust that enterprises can get in a single go from a passkey,” Steele said.

Credential Exchange in the Wild

One of the key misconceptions about passkeys is that they lock users into a particular platform. 

One reason that’s not accurate is the Credential Exchange Format effort, which was detailed in a session led by Rene Leveille, Sr. Security Developer at 1Password.

Leveille explained how the credential exchange format is designed to help password managers understand and transfer numerous credential types, making it easier for users to migrate securely between different services. He highlighted how this format, paired with a secure protocol, is the foundation for cross-platform compatibility.

Leveille outlined recent progress, including the move from early drafts to a proposed industry standard in August 2025. He discussed how both Apple and Android platforms have introduced APIs that are paving the way for seamless transfers between apps. 

Emphasizing the importance of this work, Leveille stated, “It is an extremely easy way to migrate from one credential manager to another and it is secure.”

From the Trenches: eBay

Among the earliest adopters of passkeys is eBay, which has a long history with FIDO specifications.

Ilangovan Vairakkalai, Senior Member Technical Staff at eBay, detailed his organization’s journey and how it has managed to increase adoption.

“Every percentage point we gain in Passkey adoption is another user freed from password frustration,” Vairakkalai said.

Passkey adoption among mobile and native app users has climbed to an impressive 55% to 60%, reflecting how intuitive, nearly invisible authentication is a win for users. Desktop adoption, while more modest at around 20%, is steadily rising as eBay continues to innovate and collaborate with browser and device makers. 

From the Trenches: Uber

Reducing user friction is a primary reason why Uber has embraced passkeys.

Ryan O’Laughlin, Senior Software Engineer at Uber Technologies, detailed his organization’s journey to deploy passkeys as a secure and user-friendly login option across its global consumer platform.

While there was some quick success, there were also some early challenges. Despite passkeys offering faster and more secure logins compared to passwords, many users continued using traditional sign-in methods, raising concerns about adoption and the prevalence of phishing risks.

To address these challenges, Uber introduced usability improvements such as clearer entry points for passkey login and proactive prompts encouraging registration. Experiments showed that enrolling users right after account sign-up or login led to a marked increase in adoption.

The company also piloted features like selfie-based account recovery, aiming for secure, phishing-resistant options as part of its broader vision for a passwordless future.

“Passwords just don’t really work for our platform. People forget them,” O’Laughlin said. “There is a very realistic future where we don’t have passwords at all.”

From the Trenches: BankID

In Norway, the BankID system has been around for over two decades, providing a uniform authentication system for the country’s citizens.

Heikki Henriksen, Technology Partnership Manager, Stø AS (BankID BankAxept in Norway), explained that the BankID system started off with hardware devices but in recent years has moved to mobile, software-based approaches.

BankID began moving to passkeys after most users had adopted the BankID app. The transition away from SMS-based authentication finished in 2023. Passkeys were introduced quietly—users were not told about the technical change but were moved to the stronger, phishing-resistant credentials through regular app updates.

“We never bothered talking about passkeys, we got over half of the Norwegian population to use passkeys without ever using the term passkey,” Henriksen said. “People don’t know what passkeys are. They don’t need to understand it either. So they just use Bank ID and for us technical people we know that passkeys are running the tech behind it.”

Keynotes: FIDO Alliance Details the Path Forward

A highlight of every Authenticate event is the keynote address from Andrew Shikiar, Executive Director of the FIDO Alliance.

As part of his Day One keynote, Shikiar detailed the past, present and future of the organization he leads and the standards it develops.

“Our internal estimates point to over 3 billion passkeys securing consumer accounts – actual passkeys in use,” he said. “That’s a massive number, 3 billion in less than three years’ time.”

Shikiar also revealed new data from a new report, the Passkey Index, which aims to help quantify the impact of the technology. Among the standout figures:

  • An average 93% sign-in success rate using passkeys, which is more than double that achieved with other methods.
  • A 73% decrease in login time when using passkeys.
  • Up to an 81% reduction in login-related Help Desk incidents reported by some organizations.

No technology conversation in 2025 is complete without mention of AI, and Shikiar didn’t disappoint. He noted that the FIDO Alliance is actively addressing agentic AI by launching targeted initiatives, including the creation of a subgroup focused on agentic commerce, aiming to ensure secure authentication for human-authorized agents.

“We spent the past dozen years or so contemplating how to prevent bots from authenticating, and now we have to figure out how to enable them to authenticate,” he said.

Looking ahead, the need to eliminate knowledge-based recovery methods and improve user experience was stressed. Shikiar also talked about emerging efforts for digital credentialing, with FIDO Alliance developing foundational standards and certification programs to advance the digitization of identity documents and secure mobile credentials.

“We will create foundational specifications that are applicable to the market, building from CTAP to create a new protocol for cross device credential presentation, we’ll focus on enablement and usability,” Shikiar said.

Keynotes: Google Securing the Future of Account Management

Google’s Authenticate 2025 keynote focused on how account security and user experience are improving with the adoption of passkeys. 

With more than a billion users now signed into Google services using passkeys, it is clear these solutions are quickly moving into the mainstream. Chirag Desai, Product Manager at Google, emphasized that passkeys make the sign-in process faster and easier for users and provide new opportunities for businesses looking to enhance safety and streamline account access.

“Just as the world moved from horses and carriages to cars and now even self-driving cars, we as an industry need to help our customers do the same thing,” Desai said. “We need to help make that transition from passwords to passkeys, with minimal friction.”

Beyond just passkeys for authentication, Rohey Livne, Group Product Manager at Google, addressed the critical role of digital credentials for account creation and recovery. These digital, device-bound documents offer stronger protection than emails or SMS, enabling selective disclosure and simplifying verification. They allow organizations to move beyond fragile legacy methods and create a fully secured account lifecycle.

“We’re not really solving account creation and account recovery with passkeys,” Livne said. “And so we are essentially trying to look at how the entire account lifecycle could be aided with digital credentials.”

Keynotes: Apple Details How to Get the Most Out of Passkeys

Apple is all in on passkeys. 

“Simply put, the world would be a better place if the default credential, the one that we all reached for first, was a passkey instead of a password,” Ricky Mondello, Principal Software Engineer at Apple said.

Mondello detailed multiple approaches that Apple is using to accelerate passkey adoption, including:

  • Account Creation API (iOS/Mac apps): Pre-fills user information (name, email/phone) to create new accounts with passkeys in one step, avoiding passwords entirely from the start.
  • Automatic Passkey Upgrades: Seamlessly adds passkeys to existing password-based accounts without showing upsell screens when users sign in with their password manager. Already supported on Apple platforms and Chrome desktop.
  • Prefer Immediately Available Credentials: Shows users their saved credentials (passwords or passkeys) when opening an app, eliminating the “which button do I press?” problem.

The most provocative message centered on security. Mondello argued that simply adding passkeys alongside passwords doesn’t deliver true phishing resistance. Organizations must plan to drop passwords entirely for accounts with passkeys.

“The hard truth is that to actually deliver the phishing resistance benefit to any given account, all phishable methods of signing in or recovering it need to be eliminated or otherwise mitigated,” Mondello said.

Get Ready for Day 2!

Day 2 will have even more great content across multiple tracks, with no shortage of user stories. Look for user stories from TikTok, Roblox, Microsoft, Docusign and many others, alongside technical insights for implementation.

Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 2 and 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.

FIDO Alliance Launches Passkey Index, Revealing Significant Passkey Uptake and Business Benefits
https://fidoalliance.org/fido-alliance-launches-passkey-index-revealing-significant-passkey-uptake-and-business-benefits/
Tue, 14 Oct 2025 15:03:05 +0000

Passkey Index provides a composite view of passkey utilization and business impact data from leading online service providers

CARLSBAD, Calif. – The FIDO Alliance today launched the Passkey Index, revealing significant passkey uptake and benefits for online services offering passkey sign-ins. Launched in partnership with Liminal, the Passkey Index provides a composite view of data from leading service providers on the adoption, utilization and business impacts of passkeys.

The Passkey Index was launched today in concert with Liminal’s Passkey Adoption Study 2025, a survey of 200 organizations either actively deploying passkeys or committed to doing so in the near future. Together, these new resources provide the most comprehensive view of passkey deployments yet, and strategic intelligence for organizations wanting to modernize and de-risk their authentication technology.

The Passkey Index is available at FIDOalliance.org and Liminal’s Passkey Adoption Study 2025 is available at Liminal.co.

Passkey Index Companies Report Passkey Sign-in Rates and Benefits 

The Passkey Index comprises data from companies that have deployed passkeys over one to three years, including Amazon, Google, LY Corporation, Mercari Inc., Microsoft, NTT DOCOMO, PayPal, Target and TikTok across eight utilization and performance areas. 

The Index reveals that passkey eligibility is high: FIDO Alliance member companies contributing to the Index report that an average of 93% of accounts are now eligible for passkeys. The percentage of accounts with a passkey enrolled is over a third (36%), while more than a quarter (26%) of all sign-ins now leverage passkeys. 

Passkey Index companies also reported strong business benefits with passkeys: 

  • Passkeys reduce sign-in time by 73% compared to other authentication methods, averaging just 8.5 seconds per login. Traditional approaches including email verification, SMS codes, and social login options took an average of 31.2 seconds. 
  • Passkey sign-ins have a 93% success rate, compared to 63% for other methods; 30% higher success rates mean fewer failed attempts and greater throughput at critical checkpoints.
  • The Index also revealed that passkey adoption led to an 81% reduction in login-related help desk incidents. Reducing help desk burden allows IT and support teams to focus on higher-value issues.

“The data in the Passkey Index marks the first time we have been able to measure the actual utilization and performance of passkeys. Thanks to this data from several early-adopting organizations, we can confidently say that passkeys are available, being used, and providing quantifiable benefits to deploying organizations,” said Andrew Shikiar, CEO of the FIDO Alliance. “The FIDO Alliance intends to grow this program over time as a benefit to service providers within our membership, a guideline for newer implementers and an industry benchmark to track ongoing growth of passkey utilization over time.”

Liminal’s Passkey Adoption Study 2025 Validates Passkey Index by the Broader Industry 

Liminal’s Passkey Adoption Study 2025 complements the Passkey Index with a look at the industry outlook on passkeys. The survey of 200 IT professionals either actively deploying passkeys or committed to doing so highlights how buyers are turning to passkeys to modernize and de-risk authentication. It revealed the following key points:

  • Passkeys are a strategic priority that delivers, with 63% of all respondents ranking passkeys as their top authentication investment priority for the next year. The majority (85%) of those that have already adopted passkeys report strong satisfaction with both their decision to implement and the business results they’ve seen so far.
  • Organizations expect passkeys to deliver both ROI and risk reduction, as 63% of respondents believe strong authentication methods like passkeys can create cost savings and efficiency gains, while they are also expected to reduce risk (56%) and fraud (58%). 
  • Passkeys deliver behavioral and business change. After passkeys had been deployed, a significant decline in password usage was reported by 43% of respondents, while the majority (89%) said more than half of their users are expected to opt in to passkeys after being prompted, demonstrating that adoption scales quickly after deployment.
  • Organizations are willing and ready to adopt a fully passkey-based strategy, with almost all (97%) respondents reporting that their organization is willing to fully transition to a passkey-based authentication strategy in the future. Readiness to adopt is also widespread, with 86% of respondents stating their organization’s infrastructure is already fully or mostly prepared to support passkey authentication.
  • They perform even better than expected. Nearly half of current implementers (49%) report adoption rates exceeding 75%, outperforming initial expectations.

Shikiar added: “It is in every company’s strategic interest to reduce reliance on passwords, and this study clearly illustrates that passkeys are doing exactly that: delivering tangible business benefits through enhanced sign-in success, improved user experience and decreased risk.”   

Passkey Index methodology

In collaboration with Liminal, the FIDO Alliance conducted a confidential survey of nine of its member organizations to gain a deeper understanding of how passkeys are being deployed across their ecosystem and the outcomes being observed. This report offers an aggregate, anonymized view of current implementation patterns, opt-in performance, utilization, and organizational efficiency gains.

Liminal’s Passkey Adoption Study 2025 methodology 

Liminal conducted a proprietary survey of authentication decision-makers to understand how passkeys are being adopted, implemented, and evaluated across digital platforms. The research focuses on 200 organizations that have already deployed passkeys or are planning to adopt them within the next two years. This study examines key performance indicators, including adoption rates, opt-in behavior, user satisfaction, implementation challenges, and buyer priorities. It offers a data-driven perspective on how passkeys are performing in the market today and where the most important opportunities for improvement and growth exist.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

Contact
press@fidoalliance.org

Six Months of Passkey Pledge Progress
https://fidoalliance.org/six-months-of-passkey-pledge-progress/
Tue, 14 Oct 2025 15:03:02 +0000
https://fidoalliance.org/?p=87377

In April we invited organizations around the world to take the Passkey Pledge, a voluntary commitment to increase awareness and adoption of passkey sign-ins to make the web safer and more accessible.

Passkey adoption is growing rapidly, with tens of billions of user accounts now equipped with the option to use a passkey instead of relying on passwords. We launched the Passkey Pledge to help rally the industry and accelerate adoption even further, helping even more organizations to realize the dual benefits of heightened security and a frictionless user experience.

When we launched the Pledge, we set out five goals to suit a range of organizations and use-cases, with the aim of achieving them over the next 12 months. Over 200 companies responded to our call and took the pledge. As we reach the halfway point in this journey, there have already been some incredible success stories and we wanted to highlight and share some of them with the community for inspiration.

Atlancube: The company’s commitment to the Passkey Pledge “accelerated our internal development and certification timelines” culminating in its product passing interoperability testing and successfully completing both FIDO2 CTAP2.1 and U2F L1 authenticator certifications. Primarily, this will help Atlancube prepare to launch a certified hardware security key that supports passkey sign-ins. It also helped increase awareness of the importance of passkeys among its engineering and business teams, strengthening cross-functional collaboration.

Dashlane: The password manager and credential security platform has upgraded the security of user passkeys it stores, by signing passkey challenges in a remote secure environment. The company has also integrated FIDO2 security keys into its product, replacing the master password with a hardware-backed secret to encrypt the user’s vault.

First Credit Union: The member-owned financial institution in New Zealand with over 60,000 members partnered with Authsignal to implement FIDO Certified passkey infrastructure. It adopted passkeys because they were the only approach that struck the right balance between security, usability and accessibility for its diverse membership base. Since rolling out passkeys, 58.4% of its members adopted the new authentication experience, with 54.5% of all authentications now using passkeys. In addition, over 23,500 members enrolled in multi-factor authentication. Read more in the First Credit Union case study.

Glide Identity: Glide Identity has achieved FIDO certification for its new products, joining the ranks of certified providers delivering standards-based authentication solutions. This certification validates Glide Identity’s commitment to interoperability and positions the company to serve organizations worldwide seeking reliable, FIDO-compliant authentication solutions.

HYPR: Took the Passkey Pledge to help realize a public good in eliminating shared secrets and passwords. The company has already delivered on its pledge, deploying passkeys at scale to Fortune 500 enterprises and beyond, including two of the four largest US banks.

LY Corporation: Made its Passkey Pledge to contribute to the industry-wide adoption of passkeys. During the last six months the company has increased the number of touchpoints where passkey sign-in is triggered, as well as publishing educational content to improve user literacy about passkeys. This has resulted in improved passkey sign-in rates of 41%, and reduced SMS transmission costs by replacing SMS OTPs with passkeys.

NTT DOCOMO: Has made significant progress on its Pledge to demonstrate actions that measurably increase the use of passkeys by users when signing into their services. The company has continuously improved the user experience by improving and refining messages on passkey enrollment and error pages to make them more customer friendly. NTT DOCOMO is confident of reaching its target to increase passkey usage ratio by 10% within the year since taking the Pledge.

Secfense: Has enabled support for passkey sign-ins across enterprise environments without requiring changes to existing applications. The company has implemented large-scale passwordless rollouts in highly regulated sectors, including banking and insurance, completing projects in just a few months. These deployments replaced passwords with phishing-resistant FIDO authentication, without modifying existing systems or disrupting users, proving that full passkey adoption is possible even in legacy infrastructures.

Thales: Over the last six months, Thales has extensively promoted the benefits of passwordless authentication and passkeys to its customer base and other organizations through sponsored events, workshops, webinars and other channels. This is part of the company’s long-standing commitment to fight against phishing and improve both security and user convenience.

We’d like to extend a big thank you to all those who signed up to the pledge and for sharing an early snapshot of the progress you’ve made. We’ll provide more insights and updates as the Passkey Pledge moves into the final 6-month stretch. It’s not too late to take the Pledge this year – we’ve already seen how much can be achieved in such a short space of time. If you’ve already taken the Pledge, tell us about your progress as we’d love to share your success with others in the future.

Passkeys Are Not Broken. The Conversation About Them Often Is
https://fidoalliance.org/passkeys-are-not-broken-the-conversation-about-them-often-is/
Tue, 02 Sep 2025 12:00:00 +0000
https://fidoalliance.org/?p=86362

Nishant Kaushik, Chief Technology Officer, FIDO Alliance

Every few months, like clockwork, a talk or article appears claiming that new research has uncovered a “vulnerability” with passkeys. This can understandably raise concern for executives and product leaders looking to uplift their authentication frameworks. But these reports have a pattern: they highlight opportunities for exploitation in the environment where passkeys are used, not any vulnerability in passkeys themselves.

Passkeys are FIDO authentication credentials that leverage public key cryptography. The authentication protocol relies on the user having control of their private key, which is generated on the user’s device (their smartphone, their FIDO Security Key, etc.) and is never shared with the service they are authenticating to (all the service receives and saves is the corresponding public key). That design makes passkeys inherently resistant to phishing, credential stuffing, and large-scale data breaches. Breaking the security model of passkeys would require stealing the private key itself, something cryptographically and practically infeasible without compromising the device in some manner.
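The challenge-response design described above can be seen in a short sketch, added here as an illustration and not taken from FIDO Alliance code or any product. It follows the shape of a WebAuthn assertion (the signature covers the authenticator data plus a hash of the client data, which carries the challenge and the origin); the relying-party ID, origins and function names are assumptions, and the checks are a simplified subset of full assertion verification.

```javascript
// Added illustration; every name, origin and value below is constructed.
const crypto = require("node:crypto");

const RP_ID = "login.example";             // assumed relying-party ID
const RP_ORIGIN = "https://login.example"; // assumed legitimate origin
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Device side: the key pair is generated here and only the public key leaves.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
  });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    // The origin is reported by the browser, not chosen by the page's author.
    sign(challenge, origin, rpId) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: "webauthn.get",
        challenge: challenge.toString("base64url"),
        origin,
      }));
      // authenticatorData = rpIdHash (32) | flags (1: UP+UV) | signCount (4)
      const authenticatorData = Buffer.concat([
        sha256(rpId), Buffer.from([0x05]), Buffer.from([0, 0, 0, 1]),
      ]);
      const signature = crypto.sign(
        "sha256",
        Buffer.concat([authenticatorData, sha256(clientDataJSON)]),
        privateKey,
      );
      return { clientDataJSON, authenticatorData, signature };
    },
  };
}

// Service side: holds only the public key and the challenge it issued.
function verifyAssertion(storedPublicKeyPem, expectedChallenge, assertion) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  if (authenticatorData.length < 37) return "malformed";
  const clientData = JSON.parse(clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong-type";

  const got = Buffer.from(String(clientData.challenge), "base64url");
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) {
    return "challenge-mismatch"; // stale or replayed response
  }
  if (clientData.origin !== RP_ORIGIN) return "origin-mismatch";
  if (!crypto.timingSafeEqual(authenticatorData.subarray(0, 32), sha256(RP_ID))) {
    return "rpid-mismatch";
  }
  if ((authenticatorData[32] & 0x01) === 0) return "user-not-present";

  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, storedPublicKeyPem, signature)
    ? "ok"
    : "bad-signature";
}

function runDemo() {
  const device = createAuthenticator();
  const serverRecord = { publicKeyPem: device.publicKeyPem }; // all that is stored
  const challenge = crypto.randomBytes(32);

  const genuine = device.sign(challenge, RP_ORIGIN, RP_ID);
  // A response produced on a look-alike origin carries that origin in the
  // signed data, so the real service rejects it.
  const lookalike = device.sign(
    challenge, "https://login-example.test", "login-example.test");
  // A signature made with any other key does not verify against the stored
  // public key, so a copy of the server's database is not enough to sign in.
  const otherKey = createAuthenticator().sign(challenge, RP_ORIGIN, RP_ID);

  return {
    storedFields: Object.keys(serverRecord),
    genuine: verifyAssertion(serverRecord.publicKeyPem, challenge, genuine),
    lookalike: verifyAssertion(serverRecord.publicKeyPem, challenge, lookalike),
    replayed: verifyAssertion(
      serverRecord.publicKeyPem, crypto.randomBytes(32), genuine),
    otherKey: verifyAssertion(serverRecord.publicKeyPem, challenge, otherKey),
  };
}

console.log(runDemo());
```

None of these checks protects a session after sign-in or a device that is already compromised, which is the distinction the rest of this post draws.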

Where the “Breaks” Actually Happen

When researchers announce they’ve “broken passkeys,” what they usually mean is that they’ve compromised something else in the operational environment:

  • Browser vulnerabilities that let malicious extensions hijack sessions or impact user behavior.
  • Device compromises where malware takes control of the endpoint.
  • Application weaknesses in how the authentication flow is integrated.

To be clear, these are real risks, but these are risks for any authentication solution (in addition to other secure tools such as encrypted messaging apps and VPNs). They are not flaws in passkeys themselves. Rather, they are examples of broader environmental compromise which can be mitigated with well-known security controls and policies that IT teams have been deploying for years.

Do Not Confuse Headlines with Reality: Passkeys Work as Intended

No reports have found vulnerabilities in the cryptography or the technical standards underpinning passkeys. What’s being demonstrated by researchers are scenarios where, if the user’s environment is already compromised, attackers may be able to misuse otherwise secure credentials or circumvent the secure authentication process. That’s a meaningful security discussion, and a good reminder that while passkeys are the gold standard for secure authentication, they don’t eliminate the need to have a comprehensive security program. 

Our Commitment to Security and Research

The FIDO Alliance is deeply committed to advancing security through ongoing research, rigorous testing, and collaboration with our members and the broader security community. Our members are actively exploring the impact of emerging technologies like post quantum cryptography, and emerging threats like deepfakes. We also welcome engagement with security researchers who approach their work responsibly, as constructive collaboration helps us strengthen our specifications, certification programs, and implementations. Sensationalist headlines may help a few to market their products or services, but the real win for strong, phishing-resistant authentication is when we combine forward-looking research with open, responsible dialogue. That’s at the heart of the Alliance’s ethos.

The Bottom Line

For anyone responsible for product, security, or compliance, here’s what this means when it comes to adopting passkeys:

  • Stay focused on fundamentals: Passkeys eliminate entire classes of attacks (phishing, credential theft, reuse) that drive the majority of breaches today.
  • Adopt thoughtfully: Pay attention to the integration and rollout plans, following guidance and best practices with special attention to fallback models.
  • Pair with environmental protections: Continuing to strengthen your security program remains essential, especially focusing on strong endpoint security, browser governance, and app hardening.
  • Lean on certification: Certified implementations ensure consistency and reduce integration risk across platforms and devices.

Passkeys represent one of the most significant advances in digital identity security in decades, and they work as intended. Headlines suggesting otherwise often sensationalize research that demonstrates something we’ve known forever: no system is immune if the environment it runs in is compromised. Passkeys remain the best path forward to reducing fraud, lowering breach risk, and building customer trust in a digital-first world. 

FIDO Alliance Releases Authenticate 2025 Agenda
https://fidoalliance.org/fido-alliance-releases-authenticate-2025-agenda/
Wed, 18 Jun 2025 14:32:09 +0000
https://fidoalliance.org/?p=85641

  • FIDO Alliance’s flagship event features an expanded agenda to deliver practical strategies for implementing usable, phishing-resistant security across the entire account lifecycle. 
  • Super Early Bird discounts are available through June 20.

    Carlsbad, Calif., June 18, 2025 – The FIDO Alliance has announced the agenda for Authenticate 2025, the only industry conference dedicated to digital identity and authentication with a focus on phishing-resistant sign-ins with passkeys. The event will take place October 13–15, 2025 at the Omni La Costa Resort and Spa in Carlsbad, Calif., with options for virtual participation available.

    The focus of the program for the Authenticate 2025 conference is achieving phishing-resistant authentication with passkeys and the adjacent considerations required to achieve end-to-end account security with usability in mind.

    Visit https://authenticatecon.com/event/authenticate-2025/ to view the full session guide and register ahead of the June 20th Super Early Bird deadline.

    Authenticate is built for CISOs, security strategists, enterprise architects, product leaders, UX professionals, and anyone engaged in the identity lifecycle from strategy to implementation. Attendees will gain practical knowledge around deploying phishing-resistant authentication at scale, designing secure user experiences, understanding complementary technologies, and navigating policy and compliance requirements. 

    This year’s event will showcase keynotes and sessions led by top executives and industry leaders at the forefront of the passwordless movement. The agenda for 2025 has been revamped to include: longer track sessions for more in-depth presentations, an increased focus on masterclasses for actionable synced and device-bound passkey implementation best practices, and a new solutions theater track to showcase live demonstrations of the latest identity and authentication solutions. This year’s agenda also features more opportunities for networking and exploration of the interactive expo hall to foster collaboration and idea sharing.

    With four dynamic stages across four curated content tracks, Authenticate 2025 will offer sessions on:

    • Account onboarding
    • Remote identity verification and proofing
    • Authorization
    • Biometrics
    • Session security
    • Device onboarding and authentication
    • Cybersecurity/fraud threats and detection
    • Digital identity/digital wallets
    • The future of digital identity and authentication

    Sponsorship Opportunities Available
    Authenticate 2025 offers unique sponsorship opportunities for companies to showcase solutions to an engaged, decision-making audience. With limited availability remaining, prospective sponsors can learn more and apply at https://authenticatecon.com/sponsors/ or contact authenticate@fidoalliance.org. 

    About Authenticate 

    Authenticate is the premier conference dedicated to advancing digital identity and authentication, with an emphasis on phishing-resistant sign-ins using passkeys. Hosted by the FIDO Alliance, this event brings together CISOs, security strategists, product managers and identity architects to explore best practices, technical insights and real-world case studies in modern authentication. The 2025 conference will take place from October 13-15 at the Omni La Costa Resort & Spa in Carlsbad, California, and will be co-located with the FIDO Alliance member plenary sessions, which run through October 16. 

    Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication with innovations, like passkeys. Signature sponsors for Authenticate 2025 are Google, Microsoft, Visa, and Yubico.

    To learn more and register, visit https://authenticatecon.com/event/authenticate-2025/, and follow @AuthenticateCon on X. Register now and get the super early bird discount through June 20, 2025.

    Authenticate Contact
    authenticate@fidoalliance.org

    PR Contact
    press@fidoalliance.org

    Celebrating World Passkey Day 2025: Showcase of Real-World Passkey Deployments
    https://fidoalliance.org/celebrating-world-passkey-day-2025-showcase-of-real-world-passkey-deployments/
    Thu, 01 May 2025 16:22:49 +0000
    https://fidoalliance.org/?p=85209

    May 1, 2025

    In recognition of World Passkey Day (formerly World Password Day), the FIDO Alliance is putting the spotlight on real-world passkey deployments from leading organizations around the globe. Read on for highlights of the successes companies in various industries are seeing from delivering faster, easier, and more secure sign-ins with passkeys—showcasing the global commitment to move away from passwords.

    The FIDO Alliance also released today an independent study of consumers to understand how passkey usage and consumer attitudes towards authentication have evolved. The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security. The full report is available here.

    ABANCA’s mobile app serves over 1,200,000 customers a month, serving as the bank’s largest branch. Today, more than 42% of its mobile customers are using passkeys via the bank’s ABANCA Key product. As a result, more than 11,000,000 high-risk transactions have been protected without technical or service incidents, and due to the prioritization of UX, they have managed a Customer Effort Score (CES) of 4.7. 

    Aflac was the first major insurance company to adopt passkeys in the U.S. Aflac partnered with Transmit Security to launch their passkey authentication initiative. Today, only the first phase of the project is complete and yet more than 500,000 Aflac customers have enrolled a passkey, resulting in a 32% reduction in password recovery requests. This has yielded 30,000 fewer calls per month to the call center for identity issues. Aflac reports that the highest enrollment rates occur at the point of registration, reinforcing the FIDO Alliance’s Design Guidelines recommendation to prompt customers during account-related tasks. The steady, organic adoption of passkeys by Aflac customers continues to grow daily and directly contributes to measurable improvements in cost reduction and customer experience.

    KDDI now has more than 13.6 million au ID customers that use FIDO and has seen a dramatic decrease (down nearly 35%) in calls to their customer support center as a result. KDDI manages FIDO adoption carefully for both subscribers and non-subscribers. 

    LY Corporation property Yahoo! JAPAN ID now has 28 million active passkey users. Approximately 50% of user authentication on smartphones now uses passkeys. LY Corporation said that passkeys have a higher success rate and are 2.6 times faster than SMS OTP.

    Mercari has seen 9 million users enroll with passkeys, and is enforcing passkey login for users who have enrolled with synced passkeys. Notably, there have been zero phishing incidents at Mercari Shop and Mercoin (a Mercari subsidiary) since March 2023.

    Microsoft began rolling out passkeys for Microsoft consumer accounts in 2024. They now see nearly one million passkeys registered every day. Microsoft has found that users signing in with passkeys are three times more successful at getting into their account than password users (about 98% versus 32%), passkey sign-ins are eight times faster than traditional password + MFA flows, and passwordless-preferred UX has reduced password use by over 20%.

    Nikkei rolled out passkeys in February and is already seeing thousands of customers using passkeys. Additionally, they are seeing almost no inquiries about how to use passkeys at the support desk.

    NTT DOCOMO has increased its passkey enrollments and now passkeys are used for more than 50% of authentication by d ACCOUNT users. NTT DOCOMO notably reports significant decreases in successful phishing attempts and there have been no unrecognized payments at the docomo Online Shop since September 2022 where NTT DOCOMO continuously improved UX, including increasing the number of other passkey-enabled services.

    Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols. Ease of use, speed, compatibility across services, and status as an industry standard made passkeys a compelling choice for Samsung Electronics.

    VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers. Within the first weeks of deployment with its passkey vendor Corbado, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security. The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including reduced authentication-related support tickets, lower SMS OTP costs and improved user experience and security.

    Zoho Corporation has rolled out passkeys to its 100+ million zoho.com customers and has seen a resulting 30% increase month over month in passkey adoption and a 10% drop in password reset queries. As a next step, the company will begin its rollout to Zoho Vault customers in May.

    Read the full case studies from ABANCA, Microsoft, Nikkei, Samsung Electronics, VicRoads and Zoho Corporation to learn more about how these companies are discovering the benefits of passkey adoption. To learn more about passkey implementation through other documented case studies, visit the FIDO Alliance’s resource library. Have a case study to share? Contact us!

    FIDO Alliance Champions Widespread Passkey Adoption and a Passwordless Future on World Passkey Day 2025
    https://fidoalliance.org/fido-alliance-champions-widespread-passkey-adoption-and-a-passwordless-future-on-world-passkey-day-2025/
    Thu, 01 May 2025 11:55:14 +0000
    https://fidoalliance.org/?p=85203

    New global survey: More than two thirds of users familiar with passkeys turn to them for simpler, safer sign-ins as password pain persists

    MOUNTAIN VIEW, Calif., May 1, 2025 – With digital security more critical than ever, the FIDO Alliance is commemorating World Passkey Day 2025 with the release of an independent study of consumers across the U.S., U.K., China, South Korea, and Japan to understand how passkey usage and consumer attitudes towards authentication have evolved. 

    The research found that in the last year, over 35% of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security. 

    World Passkey Day serves as the FIDO Alliance’s annual call to action for individuals and organizations to adopt passkey sign-ins, making the web safer and more accessible.

    Highlights from the research show consumer passkey awareness is on the rise and outlines several key trends in adoption among those who are aware of passkeys, including:

    • 74% of consumers are aware of passkeys.
    • 69% of consumers have enabled passkeys on at least one of their accounts.
    • Among those who have used passkeys, 38% report enabling them whenever possible.
    • More than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords. 

    The survey report is available at https://fidoalliance.org/wpd-report-2025-consumer-password-passkey-trends/, which includes additional insights on how passkey adoption is trending with consumers and organizations to improve global digital access, authentication, and security.

    “The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”

    To further encourage organizations to embrace the shift toward passkeys, the FIDO Alliance also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys. The Passkey Pledge has received commitments from over 100 organizations in just over 20 days. A full list of companies that have taken the Passkey Pledge can be found here.

    The availability of passkeys has steadily increased with implementation reaching 48% of the world’s top 100 websites as enterprises and service providers collectively seek to embrace a new era of faster sign-ins, higher success rates, fewer account takeovers, lower support costs, and reduced cart abandonment.

    To learn how to start your organization’s passwordless journey, or to begin using passkeys today, visit: https://www.passkeycentral.org/home

    Notes to editors:

    • This SurveyMonkey online poll was conducted from April 13-14, 2025, among a global sample of 1,389 adults ages 18 and up. Respondents for this survey were selected from the nearly 3 million people who take surveys on the SurveyMonkey platform each day. Data for this survey has been weighted for age, race, sex, education, and geography to adequately reflect the demographic composition of the United States, United Kingdom, China, South Korea and Japan. The modeled error estimate for this survey is plus or minus 3.5 percentage points.
    • To calculate the proportion of the world’s top websites and services that support passkeys, the FIDO Alliance combined publicly available information with its own data on passkey deployments. 

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

    Contact

    press@fidoalliance.org

    FIDO Alliance Launches Payments Working Group
    https://fidoalliance.org/fido-alliance-launches-payments-working-group/
    Tue, 29 Apr 2025 20:24:56 +0000
    https://fidoalliance.org/?p=85183

    April 29, 2025 – The FIDO Alliance has launched a Payments Working Group (PWG) to define and drive FIDO solutions for payment use cases. The PWG will also act as subject matter experts and internal advisors within the FIDO Alliance on issues affecting the use of FIDO solutions for payment use cases. The PWG is co-chaired by Henna Kapur of Visa and Jonathan Grossar of Mastercard, with other FIDO Alliance member company participants including American Express; Cartes Bancaires; Discover; Futurae; Infineon; OneSpan; PayPal; Royal Bank of Canada – Solution Acceleration & Innovation; and Thales.

    The PWG will focus on three areas:

    1. Identify and evaluate specific requirements for payment authentication. Requirements will include those in the area of UX, security and regulation unique to payments;
    2. Identify and evaluate existing and emerging solutions to address payment authentication requirements; and
    3. Guidelines for use of passkeys and/or proposed FIDO solutions along with existing payment technologies such as EMV® 3-D Secure or EMV® SRC.

    The PWG will also work on associated projects relating to the use of FIDO solutions for payments, including collecting and publishing deployment case studies, documenting challenges and potential solutions to issues, and working with FIDO Alliance liaison partners to drive education and adoption.

    Join the Payments Working Group

    Organizations interested in taking part in the PWG and driving the adoption of passkeys for payments can inquire today. Participation in the PWG is open to all Board, Sponsor, and Government level members of the FIDO Alliance. Non-member organizations interested in participating should contact the FIDO Alliance to become a member; learn more by visiting https://fidoalliance.org/members/become-a-member/.

    Highlights from the FIDO Alliance APAC Regional Member Meetup & Workshop: Collaborating for a Passwordless Future https://fidoalliance.org/highlights-from-the-fido-alliance-apac-regional-member-meetup-workshop/ Thu, 10 Apr 2025 23:56:34 +0000 https://fidoalliance.org/?p=84536 On March 18, 2025, the FIDO Alliance convened its APAC regional members and key stakeholders at the Telecommunications Technology Association (TTA) Auditorium in Seongnam, South Korea, for a full-day meetup and workshop. The event focused on advancing simpler, stronger authentication across the region and served as a vital platform for technical updates, regional progress, and real-world implementation insights around passkeys.


    Among the 70+ participants on-site, we were honored to welcome six FIDO Alliance Board members representing Samsung Electronics, NTT Docomo, Lenovo, RaonSecure, Egis Technology, and Mercari—underscoring the global engagement and strategic importance of this gathering.

    Before the main program, international attendees were invited to a special TTA Lab Tour, offering a behind-the-scenes look at Korea’s testing and standards infrastructure supporting FIDO and other telecommunications technologies.


    Showcasing Technical Leadership and Regional Collaboration


    The day featured an exciting lineup of expert speakers and educational sessions, reflecting the expanding role of passkeys as a trusted, phishing-resistant, and user-friendly authentication solution for both public and private sectors.

    • The event opened with an inspiring keynote by Dr. Koichi Moriyama (Chair, FIDO Japan WG; W3C Advisory Board Member), who emphasized the importance of global collaboration in setting interoperable, secure technology standards.
    • David Turner, Senior Technical Director at FIDO Alliance, shared in-depth updates on passkey advancements and highlighted future areas of focus, including developer support, user experience, and broader international engagement.
    • Wei-Chung Hwang of ITRI presented a thoughtful comparison of passkeys and PKI, outlining how the two can coexist and complement each other within modern authentication architectures.
    • Ki-Eun Shin, Principal Software Engineer and FKWG Vice Chair, offered a practical guide for developers building scalable and secure passkey systems, covering implementation, testing, and UX considerations.
    • Dovlet Tekeyev from AirCuve introduced Korea’s updated Zero Trust Guideline 2.0, walking the audience through key principles, recommendations, and how FIDO solutions align with national cybersecurity strategies.
    • Eugene Lee, Vice President at RaonSecure, shared cross-industry deployment experiences of FIDO-based biometric authentication, highlighting its adaptability to diverse sectors including finance and telecom.
    • Jong-Su Kim, Principal Security Engineer at Samsung Electronics, concluded the technical sessions by sharing Samsung’s vision of simplifying cybersecurity for all users through FIDO-driven innovation.

    Regional Insights and Shared Momentum

    The day closed with regional updates featuring representatives from Japan (Naohisa Ichihara, FJWG Co-Vice Chair and CISO at Mercari), China (Henry Chai, FCWG Chair and CEO at GMRZ Technology, Subsidiary of Lenovo), Taiwan (Karen Chang, FTF Forum Chair and VP at Egis Technology), Malaysia (Sea Chong Seak, CTO at Securemetric), and Vietnam (Simon Trac Do, CEO & Founder at VinCSS), each presenting local updates on passkey deployment. Speakers shared technical challenges, user adoption, and the growing importance of cross-border cooperation to accelerate the passwordless future across APAC.


    Moving Passwordless Forward Together

    The FIDO APAC Regional Member Meetup & Workshop reaffirmed our collective commitment to advancing phishing-resistant passwordless authentication across the region. Thanks to all the speakers, sponsors, and attendees who contributed to this energizing and forward-looking event.

    Stay tuned for more cross-regional collaborative events in APAC and updates from the FIDO Alliance as we continue to make online authentication simpler and stronger together.

    FIDO Alliance Launches the Passkey Pledge to Further Accelerate Global Movement Away from Passwords  https://fidoalliance.org/fido-alliance-launches-the-passkey-pledge-to-further-accelerate-global-movement-away-from-passwords/ Wed, 09 Apr 2025 15:37:11 +0000 https://fidoalliance.org/?p=84474 Organizations are encouraged to take the Passkey Pledge ahead of World Passkey Day on May 1 

    MOUNTAIN VIEW, Calif., April 9, 2025 – The FIDO Alliance is inviting organizations around the world to take the Passkey Pledge, a voluntary commitment to increase awareness and adoption of passkey sign-ins to make the web safer and more accessible.

    Since passkeys were introduced to the world in 2022, hundreds of service providers have embraced the greater security and usability that passkeys bring to users. Over 15 billion user accounts are now equipped with the option to use a passkey instead of relying on passwords, which are easy to steal and reuse for account takeovers and fraud. Organizations that deploy passkeys are consistently finding that a greater percentage of their users are able to sign into services in far less time – which helps generate added revenue and/or employee productivity while also reducing fraud and account takeovers.

    To further advance and promote the use of passkeys, the first Thursday in May each year is now recognized as World Passkey Day (previously World Password Day). Companies can take the Passkey Pledge in advance of World Passkey Day and commit to making a good-faith effort to achieve the following goals throughout the year:

    • For service providers that have an active implementation of passkeys for sign-in – Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys by users when signing into the company’s services.
    • For service providers that are in the process of implementing passkeys for sign-in – Within one year of signing the pledge, demonstrate measurable actions taken to enable passkeys for signing into the company’s services.
    • For vendors with FIDO-based products and/or services – Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys through adoption of the company’s products and/or services.
    • For vendors developing FIDO-based products and/or services – Within one year of signing the pledge, demonstrate measurable actions to FIDO certify its products and launch a product or service with passkey sign-in support.
    • For industry associations and standards organizations – Within one year of signing the pledge, demonstrate actions to increase the visibility and benefits of passkey sign-ins.

    Organizations that take the pledge will receive assets to support their involvement and will have the opportunity to take part in activities and announcements planned for World Passkey Day on May 1, 2025.

    More details on the pledge, including the sign-up form, can be found at https://fidoalliance.org/passkeypledge/

    Taking Action: Resources to Help Organizations to Fulfill the Pledge

    The FIDO Alliance has resources and best practices for Passkey Pledge organizations to take action, including:

    • Sharing their commitment to the Passkey Pledge via external communications channels
    • Leveraging the guidance on passkeycentral.org to plan, implement and expand their passkey rollouts
    • Implementing the FIDO Design Guidelines, data-driven UX best practices for passkey rollouts
    • Getting their products FIDO Certified to demonstrate that their products are compliant, interoperable and secure
    • Releasing case studies on their own or their customers’ behalf to share implementation journeys and business outcomes. Organizations can reach out to info@fidoalliance.org to submit case studies directly to the FIDO Alliance
    • Taking part in the FIDO Alliance member activities and working groups to further drive passkey optimization and adoption 
    • Planning and/or taking steps to remove passwords as a sign-in option.

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. For more information, visit www.fidoalliance.org.

    Contact

    press@fidoalliance.org

    New FIDO Alliance Research Shows 87% of U.S. and UK Workforces are Deploying Passkeys for Employee Sign-ins https://fidoalliance.org/new-fido-alliance-research-shows-87-percent-us-uk-workforces-are-deploying-passkeys-for-employee-sign-ins/ Wed, 26 Feb 2025 12:29:29 +0000 https://fidoalliance.org/?p=84003 Respondents report positive impacts on user experience, security, productivity, and cost reduction from deploying a mix of device-bound and synced passkeys

    February 26, 2025 — The FIDO Alliance along with underwriters Axiad, HID, and Thales today released its State of Passkey Deployment in the Enterprise report, finding that 87% of surveyed companies have, or are in the midst of, rolling out passkeys with goals tied to improved user experience, enhanced security, and compliance. 

    The report is the result of an independent survey commissioned in September 2024 by the FIDO Alliance Enterprise Deployment Working Group, with underwriting support from Axiad, HID, and Thales, to understand the state of passkey deployments in the U.S. and UK; the methods used to deploy passkeys and enroll employees; and the perceived barriers to deployment. Read the report at https://fidoalliance.org/research-state-of-passkey-deployment-in-the-enterprise-a-snapshot-of-deployments-employee-sign-ins-us-uk/.

    The survey revealed four key findings:

    1. Enterprises understand the value of passkeys for workforce sign-ins. A majority of decision makers (87%) report deploying passkeys at their companies. Of these, 47% report rolling out a mix of device-bound passkeys (on physical security keys and/or cards) and synced passkeys (synced securely across the user’s devices).
    2. Organizations are prioritizing passkey rollouts to users with access to sensitive data and applications, including the three most commonly cited priority groups: Those requiring access to IP (39%), users with admin accounts (39%) and users at the executive level (34%). Within these deployments, organizations are leveraging communication, training, and documentation to increase adoption.
    3. Passkey deployments are linked to significant security and business benefits. Respondents report moderate to strong positive impacts on user experience (82%), security (90%), help-center call reduction (77%), productivity (73%), and digital transformation goals (83%). 
    4. Groups that do not have active passkey projects cite complexity (43%), costs (33%), and lack of clarity (29%) about implementation as reasons. This signals a need for increased education for enterprises on rollout strategies to reduce concerns, as there is a correlation between these perceived challenges and the proven benefits of passkeys.

    “This study is equally encouraging and illuminating as it points to strong willingness and commitment to deploy passkeys to employees – and also is informative in helping FIDO shape resources that we can deliver to help enterprises around the world more quickly and effectively implement their FIDO authentication strategies,” said Andrew Shikiar, CEO and executive director of the FIDO Alliance. “Passkeys can stop AI-generated social engineering attacks in their tracks while also increasing employee productivity and reducing costs associated with help desk support and security breaches. FIDO Alliance is committed to helping more companies around the world realize these benefits by providing actionable passkey implementation guidance and best practices, which this data will help define.”

    New phishing and fraud attempts are being used every day, driven in particular by widespread generative AI use. As reflected in the report, enterprise leaders are becoming aware of the limitations of compromisable passwords, and seeing the value of deploying the most secure and user-friendly authentication methods possible. These insights will be leveraged to further remove the perceived and/or real barriers around passkey adoption so more enterprises can experience their benefits on a global scale. 

    Learn More During FIDO’s March 6 Webcast 

    The FIDO Alliance will host a webcast on March 6, 2025 at 8am PST to provide further insights into the report methodology, the findings and next steps. The webcast will feature Michael Thelander, senior director of product marketing at Axiad; Katie Björk, director of communications and solution marketing at HID; and Sarah Lefavrais, Authentication devices product marketing director at Thales, along with Megan Shamas, chief marketing officer of the FIDO Alliance.

    Michael Thelander, Axiad’s director of product marketing, thinks the survey results will deliver not just interesting data, but will also provide a path for FIDO2 to become a first class citizen alongside other forms of PKI-based authentication in the enterprise. “Passkey technology has not only matured, but this survey reveals how identity practitioners and strategists are beginning to integrate passkeys with their other workforce authentication methods, across different platforms and device types, to deliver what identity architects and users both want: strong authentication that doesn’t place a ‘friction tax’ on the last step of accessing systems and networks.”

    “HID, in collaboration with fellow FIDO Alliance members, launched this survey to gain insights into the priorities of enterprise and security leaders that drive successful passkey implementation. We also aimed to identify the challenges other organizations encounter when integrating FIDO technology into their authentication strategies. HID’s overarching goal is to empower organizations to meet their business objectives by eliminating one of their most significant obstacles: user experience and security challenges linked to passwords,” says Katie Björk, Director of Communications and Solution Marketing.

    “Thales is excited to collaborate with the FIDO Alliance for this research, which underscores the growing adoption of passkeys for employee sign-ins,” said Haider Iqbal, Director Product Marketing IAM at Thales. “We’re seeing similar interest from our customers, who recognize the benefits of FIDO authentication for both security and productivity. Thales is committed to enabling organizations to migrate their workforce and customers to passkeys, helping them stay ahead of the curve with secure, seamless and frictionless digital journeys for all users.”

    Survey Methodology:

    • The survey was conducted among 400 decision makers who would be / are involved in passkey deployment in companies with 500+ employees across the UK and the US.
    • The interviews were conducted online by Sapio Research in September 2024 using an email invitation and an online survey.
    • At an overall level results are accurate to ± 4.9% at 95% confidence limits assuming a result of 50%.
    • The survey was produced by the FIDO Alliance Enterprise Deployment Working Group, with underwriting support from Axiad, HID, and Thales.

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    About Axiad

    Axiad is an identity security company whose products make authentication and identity risk management simple, effective and real. Our credential management systems make MFA defensible, manageable and usable. Our cutting-edge risk solutions help customers identify and quantify risk and fortify their systems against a barrage of new attacks. Learn more at www.axiad.com.

    About HID

    HID powers the trusted identities of the world’s people, places and things. We make it possible for people to transact safely, work productively and travel freely. Our trusted identity solutions give people convenient access to physical and digital places and connect things that can be identified, verified and tracked digitally. Millions of people around the world use HID’s products and services to navigate their everyday lives, and billions of things are connected through HID’s technology. We work with governments, educational institutions, hospitals, financial institutions, industrial businesses and some of the most innovative companies on the planet. Headquartered in Austin, Texas, HID has over 4,500 employees worldwide and operates international offices that support more than 100 countries. HID is an ASSA ABLOY Group brand. For more information, visit www.hidglobal.com.


    About Thales Cybersecurity Products

    In today’s digital landscape, organizations rely on Thales to protect what matters most – applications, data, identities, and software. Trusted globally, Thales safeguards organizations against cyber threats and secures sensitive information and all paths to it — in the cloud, data centers, and across networks. Thales offers platforms that reduce the risks and complexities of protecting applications, data, identities and software, all aimed at empowering organizations to operate securely in the digital landscape. By leveraging Thales’s solutions, businesses can transition to the cloud with confidence, meet compliance requirements, optimize software usage, and deliver exceptional digital experiences to their users worldwide.

    More on Thales Cybersecurity Products: https://cpl.thalesgroup.com/

    More on Thales Group: www.thalesgroup.com

    Contact
    press@fidoalliance.org 

    2024 FIDO Alliance Seoul Public Seminar: Unlocking a Secure Tomorrow with Passkeys https://fidoalliance.org/content-2024-fido-alliance-seoul-public-seminar-unlocking-a-secure-tomorrow-with-passkeys/ Mon, 23 Dec 2024 19:38:42 +0000 https://fidoalliance.org/?p=83497 The FIDO Alliance’s Seoul Public Seminar was held on December 10, 2024, at the SK Telecom Pangyo Office. The theme for this milestone event was Unlocking a Secure Tomorrow with Passkeys and the event attracted nearly 200 attendees. The seminar gave professionals a chance to share the latest developments and implementations of simpler and stronger online authentication technology with passkeys.

    The seminar featured a dynamic mix of global and local case studies and offered a comprehensive overview of Passkey/FIDO and FDO (FIDO Device Onboard) implementations. Here are some key highlights:

    • FIDO Alliance Update: Andrew Shikiar (Executive Director & CEO of the FIDO Alliance) announced the launch of Passkey Central, a resource hub offering guidance on implementing passkeys for consumer sign-ins. The site is now available in Korean, Japanese, and English.
    • What’s New with Passkeys on Google Platforms?: Eiji Kitamura (Developer Advocate at Google) discussed recent passkey advancements, including Android’s Credential Manager API and broader passkey support on Google platforms.
    • From Passwords to Passkeys: The TikTok Passkey Journey: XK (Sean) Liu (Technical Program Manager at TikTok) shared how the TikTok platform adopted passkeys for both enterprise and consumer services.
    • Secure Smart TV Authentication with Passkeys: Min Hyung Lee (Leader of the VD Business Security Lab at Samsung Electronics) demonstrated how passkeys enhance smart TV user authentication and outlined the future for this technology.
    • FIDO in eCommerce: Mercari’s Passkey Journey: Naohisa Ichihara (CISO at Mercari) detailed the company’s motivations, challenges, and strategies for mitigating phishing risks through passkey adoption within the C2C marketplace.

    The 2024 Seoul Public Seminar also featured an exciting and interactive segment: the FIDO Quiz Show. Designed to engage attendees while reinforcing key learnings, the quiz brought an additional layer of fun and competitiveness to the event.

    How it worked:

    Session Pop Quizzes: After each seminar session, key takeaways were tested through pop quizzes. Attendees who answered correctly were rewarded with FIDO Security Keys, generously supported by Yubico.

    Real-Time Quiz Show: At the end of the event, a live quiz show engaged all attendees. By scanning a QR code, participants could join in and compete for prizes. Eunji Na from TTA emerged as the top scorer and won a Samsung Galaxy Smartphone!


    Think you know FIDO Alliance and passkeys? Test your knowledge with the same 15 quiz questions (in Korean) by scanning the QR code in the image below.

    The seminar gained significant local media attention from outlets such as IT Daily, DailySecu, Byline Networks, Datanet, BoanNews, eDaily, and Korea Economic Daily. Coverage highlighted the launch of Passkey Central, emphasizing its potential to accelerate passkey adoption and reduce reliance on passwords.

    We extend a heartfelt thanks to all speakers, including Kieun Shin and Hyungchul Jung (Co-Vice Chairs of the FIDO Alliance Korea Working Group), Heungyeol Yeom (Emeritus Professor at Soonchunhyang University), Jaebeom Kim (TTA), Yuseok Han (AirCuve), Heejae Chang and Keiko Itakura (Okta), Junseo Oh (Ideatec), and Simon Trac Do (VinCSS) for their invaluable contributions.

    We also express our gratitude to our sponsors, whose support made this year’s Seoul Public Seminar a resounding success.

    Proudly Sponsored by:

    Passkey Adoption Doubles in 2024: More than 15 Billion Online Accounts Can Leverage Passkeys for Faster, Safer Sign-ins https://fidoalliance.org/passkey-adoption-doubles-in-2024-more-than-15-billion-online-accounts-can-leverage-passkeys/ Thu, 12 Dec 2024 01:01:40 +0000 https://fidoalliance.org/?p=83394 Momentum continues in Japan with notable passkey success stories and deployments from Nikkei, Tokyu, Google, Sony Interactive Entertainment, KDDI, LY Corporation, Mercari and NTT DOCOMO

    TOKYO, December 12, 2024 – More than 15 billion online accounts can use passkeys for faster, safer sign-ins – more than double the number at this time last year. The momentum behind FIDO and passkeys is the focus of today’s 11th annual FIDO Tokyo Seminar, where hundreds gathered to learn about the latest developments in the global push to eliminate dependence on passwords. Presenters include those from Google, Sony Interactive Entertainment, Mastercard, Waseda University, the Institute of Information Security, KDDI, LY Corporation, Mercari and NTT DOCOMO.

    Passkeys become more widely available for consumer and workforce applications – and companies are seeing the benefits 

    Passkeys provide phishing-resistant security with a simple user experience far superior to passwords and other phishable forms of authentication. Many consumer brands are reporting passkey success stories and business benefits; some notable new and recent announcements include: 

    • Amazon made passkeys available to 100% of its users, including in Japan, this year and already has 175 million passkeys created for sign-in to amazon.com across geographies.
    • Google recently reported that 800 million Google accounts now use passkeys, resulting in more than 2.5 billion passkey sign-ins over the past two years. Also, Google’s sign-in success rates have improved by 30% and sign-in speeds have increased by 20% on average.
    • Sony Interactive Entertainment, the company behind PlayStation, released passkeys as an alternative option to passwords for their global gaming community and observed a 24% reduction in sign-in time on its web applications for passkey users. Additionally, high conversion rates have been observed, with 88% of customers who are presented with the benefits of passkeys successfully completing enrollment.

    Adoption also grew in the workforce this year as more companies bolstered their authentication options with passkeys, including Hyatt, IBM, Target and TikTok.

    Consumers gained flexibility and choice for passkey management this year, as more credential managers, such as Apple, Google, Microsoft, 1Password, Bitwarden, Dashlane and LastPass expanded their passkeys support cross-ecosystem, and the FIDO Alliance announced new draft specifications for users to securely move passkeys and all other credentials across providers.

    Notable Momentum in Japan

    Specifically in Japan, new passkey deployments and successes were announced by Nikkei Inc., Nulab Inc., and Tokyu Corporation:

    • Nikkei Inc. unveiled their plan to deploy passkeys for Nikkei ID, for the millions of Nikkei ID customers to begin their migration from passwords to passkeys. This will be launching in February 2025 or later.
    • Nulab Inc. announced their dramatic improvement in passkey adoption for Nulab accounts based on the outcome of the Passkey Hackathon Tokyo this past November.
    • Tokyu Corporation has reported that 45% of TOKYU ID users have passkeys, and sign-ins with passkeys are 12 times faster than a password plus an emailed OTP.

    Additionally, Nikkei Inc., Nulab Inc. and Tokyu Corporation all successfully demonstrated their passkey implementations at the Passkey Hackathon Tokyo, organized by Google and sponsored by FIDO Alliance, in June 2024. Companies receiving awards included Nulab and Tokyu, as well as two teams of students from Japanese universities:

    • Keio University team received the grand winner award for adopting passkeys combined with an IoT device – a smart door lock created by a 3D printer.
    • Waseda University team received another FIDO award for their unique user authentication protocol and implementation combined with passkeys, verifiable credentials and zero-knowledge proofs.

    In addition to these two teams, a group at the Institute of Information Security (Yokohama, Japan) presented their research entitled “A Study on Notification Design to Encourage General Users to Use Passkeys” at a workshop organized by the Information Processing Society of Japan (IPSJ) on December 4, 2024. These activities demonstrate how students in academia are embracing passkeys as an attractive option for life without passwords.

    Organizations that have already deployed passkeys for more than a year shared new successes:

    • KDDI now has more than 13 million au ID customers using FIDO and has seen a dramatic decrease (nearly 35%) in calls to its customer support center as a result. KDDI is managing FIDO adoption carefully for both subscribers and non-subscribers.
    • LY Corporation property Yahoo! JAPAN ID now has 27 million active passkey users. Approximately 50% of user authentication on smartphones is now done with passkeys. LY Corporation said that passkeys have a higher success rate than SMS OTP and are 2.6 times faster.
    • Mercari has 7 million users enrolled in passkeys and is enforcing passkey login for users enrolled with synced passkeys. Notably, there have been zero phishing incidents at Mercoin, a Mercari subsidiary, since March 9, 2023.
    • NTT DOCOMO has increased its passkey enrollments and now passkeys are used for approximately 50% of authentication by account users. NTT DOCOMO notably reports significant decreases in successful phishing attempts and there have been no unrecognized payments at docomo Online Shop since September 23, 2022.

    To drive further adoption in Japan, the FIDO Alliance announced that Passkey Central, the website for consumer service providers to learn more about why and how to implement passkeys for simpler and more secure sign-ins, is now available in Japanese. Passkey Central provides visitors with actionable, data-driven content to discover, implement, and maintain passkeys for maximum benefits over time. The comprehensive resources on Passkey Central include:  

    • Introduction to passkeys
    • Business considerations and metrics 
    • Internal and external communication materials
    • Implementation strategies & detailed roll-out guides  
    • UX & Design guidelines
    • Troubleshooting
    • And more implementation resources, such as glossary, Figma kits, and accessibility guidance

    Along with the many in Japan, there are 66 of the FIDO Alliance’s 300+ member companies actively taking part in the FIDO Japan Working Group (FJWG). The FJWG is now beginning its 9th year working together to spread awareness and adoption of FIDO in the region.

    Consumers and workforce users are aware of, and want to use, passkeys

    Passkeys are not only available across a wide array of services, but recent studies have shown that consumers and workforce users are aware of, and want to use, passkeys. Recent FIDO Alliance research shows that in the two years since passkeys were first made available, consumer awareness has risen by 50%, up from 39% in 2022 to now 57% in 2024. Consumers also report that when they adopt at least one passkey, 1 out of 4 enables passkeys whenever possible. A majority of consumers also believe passkeys are more secure (61%) and more convenient than passwords (58%). Since 2023, consumers from APAC reported passkey awareness has grown significantly more when compared to the global average and other countries in 2024. Consumers from China (80%), India (70%), Japan (62%), and Singapore (58%) reported significantly higher passkey adoption in the last year, with Australia (52%) and South Korea (44%) trending close to the overall average (59%).

    Sources:

    Online Authentication Barometer 2024: Consumer Trends & Attitudes on Authentication Methods.
    https://fidoalliance.org/research-findings-consumer-trends-and-attitudes-towards-authentication-methods/

    Consumer Password & Passkey Trends: World Password Day 2024.
    https://fidoalliance.org/content-ebook-consumer-password-and-passkey-trends-wpd-2024/

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    New Data Finds Brands are Losing Younger Customers Due to Password Pain, as Passkeys Gain Mainstream Momentum
    https://fidoalliance.org/new-data-finds-brands-are-losing-younger-customers-due-to-password-pain-as-passkeys-gain-mainstream-momentum/
    Wed, 30 Oct 2024 12:56:11 +0000

    Global FIDO Alliance study reveals latest consumer trends and attitudes towards authentication methods and their perceived online security

    • Passkey familiarity growing – Just two years after passkeys were first announced and started to be made available for consumer use, awareness has risen by 50%, from 39% familiar in 2022 to 57% in 2024
    • Password usage stagnates as consumers favor alternatives – The majority of those familiar with passkeys are enabling the technology to sign in. Meanwhile, despite passwords remaining the most common way to log in, the number of people using passwords across use cases declined as alternatives continue to rise in availability
    • Waning password patience is costing sales and loyalty, especially among younger consumers – 42% of people have abandoned a purchase at least once in the past month because they could not remember their password. This increases to 50% for those aged 25-34 versus just 17% of over 65s
    • Online scams and AI alarming consumers – Over half of consumers reported an increase in the number of suspicious messages they notice and an increase in scam sophistication, driven by AI. Younger generations are even more likely to agree, while older generations remain unsure how AI impacts their online security

    29 October 2024 – The FIDO Alliance today publishes its fourth annual Online Authentication Barometer, which gathers insights into the state of online authentication and consumer perceptions of online security in ten countries across the globe. 

    Key findings 

    The research revealed promising consumer momentum building around passkey adoption and clear signs people are recognizing the limitations of passwords and are choosing passwordless alternatives, like passkeys, where available. In the two years since passkeys were first announced, global awareness has jumped by 50%, rising from 39% familiar in 2022 to 57% in 2024. Awareness is driving adoption too – the majority of those familiar with passkeys (62%) are using them to secure their apps and online accounts.

    The data also revealed the cost to organizations still relying on legacy password sign-ins – especially among younger generations. 42% abandoned a purchase in the last month due to a forgotten password, rising to over half of those under 35. Similarly, over half of consumers (56%) have given up accessing a service online because they couldn’t remember a password in the last month, rising to 66% of those under 35. 

    The survey revealed other clear signs that password usage and trust are stagnating globally as more secure and user-friendly passwordless alternatives become available. Overall, the number of consumers entering a password manually across use cases decreased again from 2023, while biometrics ranked the authentication method consumers consider the best login experience and the method they consider most secure for the second year running. 

    When consumers were asked about how they have improved account security in the last year, numbers continued to decline among those who increased the complexity of a password, while those choosing biometrics and using authenticator apps have steadily risen. 

    Passkeys at two: the road to mainstream 

    “Consumer expectations are changing, and this data should serve as a clear call to action for brands and organizations still relying on outdated password systems. Consumers are actively seeking out and prefer passwordless alternatives when available, and brands that fail to adapt are losing patience, money, and loyalty – especially among younger generations. 

    When consumers know about passkeys, they use them. Excitingly, 20% of the world’s top 100 websites and services already support passkeys. As the industry accelerates its efforts toward education and making deployment as simple as possible, we urge more brands to work with us to make passkeys available for consumers. The pace of passkey deployment and usage is set to accelerate even more in the next twelve months, and we are eager to help brands and consumers alike make the shift,” comments Andrew Shikiar, CEO at FIDO Alliance. 

    Notably, passkeys have seen strong adoption in high-growth, digitally advanced markets like China and India, which ranked top globally with 80% and 73% enablement, respectively. The UK followed close behind in third place, with adoption levels at 66%. 

    Younger consumers most attuned to online scams and AI threats 

    Consumer concerns about online security were also revealed to be high – and again, it is younger consumers most attuned to new threats. 

    Over half of consumers (53%) cited an increase in the number of suspicious messages they noticed in recent months, driven mostly by SMS (53%) and email (49%). Similarly, 51% detected an increase in the sophistication of threats and scam messages, likely driven by AI-enhanced attacks. Zooming in on demographic data suggests older generations are at greatest risk: 54% and 61% of 18-24 and 25-34-year-olds respectively noticed scams getting smarter, while just a third of 55-64-year-olds and 25% of 65+ said the same. Similarly, 20% of people over 55 said they were unsure about the impact AI has on their online security. 

    ENDS 

    Notes to editors 

    • Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,000 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India, and China. 

    Contact
    press@fidoalliance.org

    The FIDO Alliance Launches Comprehensive Web Resource to Accelerate Passkey Adoption
    https://fidoalliance.org/fido-alliance-launches-comprehensive-web-resource-to-accelerate-passkey-adoption/
    Mon, 14 Oct 2024 05:04:25 +0000

    Passkey Central provides leaders with education about passkeys and steps to implement them for consumer sign-ins

    October 14, 2024 — Carlsbad, CA —  The FIDO Alliance today announced Passkey Central, a new web resource where consumer service providers can learn more about why and how to implement passkeys for simpler and more secure sign-ins.

    Passkeys, an easy-to-use and secure replacement for passwords, are already available for consumer services around the world including Adobe, Amazon, Apple, eBay, Google, Hyatt, Microsoft, Nintendo, NTT DOCOMO, PayPal, PlayStation, Shopify and TikTok. More than 13 billion user accounts can now leverage passkeys. Passkeys offer significant benefits to implementing organizations, including faster user sign-ins, higher sign-in success rates, reduced account takeovers, reduced costs associated with authentication, and lower cart abandonment. Passkey Central provides product leaders and architects with the information required to implement and realize similar benefits with passkeys.

    Passkey Central provides visitors with actionable, data-driven content to discover, implement, and maintain passkeys for maximum benefits over time. The comprehensive resources on Passkey Central include:  

    • Introduction to passkeys
    • Business considerations and metrics 
    • Internal and external communication materials
    • Implementation strategies & detailed roll-out guides  
    • UX & Design guidelines
    • Troubleshooting
    • And more implementation resources, such as glossary, figma kits, and accessibility guidance 

    Service providers should go to passkeycentral.org to get started with passkeys.

    “Passkeys are the simplest and most secure way for consumers to access the global connected economy,” said Andrew Shikiar, CEO of FIDO Alliance. “The early adoption of passkeys has been remarkable and it is now time to help more service providers break their dependence on passwords. Passkey Central will accelerate the use of passkeys by providing product leads and architects with independent and authoritative guidance on why and how to implement passkeys for their own website and services.”

    A research-backed public resource

    The content for Passkey Central is based on several years of FIDO Alliance research, including subject matter expert interviews, focus groups and UX testing, to determine what guidance businesses need when implementing passkeys. Investment and participation from the following companies as Founding Underwriters enabled the underlying research, web and content development costs required to launch Passkey Central: Craig Newmark Philanthropies, Google, Trusona and Yubico.

    “Our adversaries attack nations in cyberspace using techniques that are blocked by passkeys and related technologies. We need to do what we can to accelerate passkey adoption, and to help regular people understand that passkeys protect countries, and make their online lives a little easier.” – Craig Newmark, Founder and ISR, Craig Newmark Philanthropies

    “Trusona is committed to revolutionizing the authentication experience for digital businesses, ensuring customers can sign up and sign in simply, swiftly, and securely. Passkey Central brings that mission to life with a new resource that will positively impact people’s digital lives today and in the future.” – Ori Eisen, CEO, Trusona

    “Phishing attacks resulting from stolen login credentials is one of the greatest cybersecurity risks facing individuals and enterprises today. In order to achieve a phishing-resistant passwordless future, the solution is clear: prioritize education on passkey implementation and broad support for passkey authentication options globally. Passkey Central is a major step toward achieving this goal, and we look forward to working with the FIDO Alliance toward accelerating adoption of passkeys.” – Derek Hanson, VP, Standards and Alliances, Yubico

    “The best way to accelerate passkey adoption is to give website owners and app owners the information they need to get oriented with the benefits of passkeys and guidance on how they can start deploying passkeys. FIDO’s Passkey Central will be a key resource that helps meet this need.” – Sam Srinivas, Product Management Director, Google and FIDO Board Rep for Google.

    For more information about Passkey Central, visit passkeycentral.org.

    FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys
    https://fidoalliance.org/fido-alliance-publishes-new-specifications-to-promote-user-choice-and-enhanced-ux-for-passkeys/
    Mon, 14 Oct 2024 04:59:02 +0000

    The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange that, when standardized and implemented by credential providers, will enable users to securely move passkeys and all other credentials across providers. The specifications are the result of commitment and collaboration amongst members of the FIDO Alliance’s Credential Provider Special Interest Group, including representatives from: 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung and SK Telecom.

    Secure credential exchange is a focus for the FIDO Alliance because it can help further accelerate passkey adoption and enhance user experience. Today, more than 12 billion online accounts can be accessed with passkeys and the benefits are clear: sign-ins with passkeys reduce phishing and eliminate credential reuse while making sign-ins up to 75% faster, and 20% more successful than passwords or passwords plus a second factor like SMS OTP. 

    With this rising momentum, the FIDO Alliance is committed to enabling an open ecosystem, promoting user choice and reducing any technical barriers around passkeys. It is critical that users can choose the credential management platform they prefer, and switch credential providers securely and without burden. Until now, there has been no standard for the secure movement of credentials, and often the movement of passwords or other credentials has been done in the clear.  

    FIDO Alliance’s draft specifications – Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) – define a standard format for transferring credentials held in a credential manager, including passwords, passkeys and more, to another provider in a manner that ensures transfers are not made in the clear and are secure by default.

    Once standardized, these specifications will be open and available for credential providers to implement so their users can have a secure and easy experience when and if they choose to change providers. 

    The working draft specifications are open to community review and feedback; they are not yet intended for implementation as the specifications may change. Those interested can read the working drafts here, and provide feedback on the Alliance’s GitHub repo. Drafts are expected to be updated and published for public review often until the specifications are approved for implementation.

    The FIDO Alliance extends a special thank you to its members in the Credential Provider Special Interest Group and its leads for driving and contributing to this important specification.

    FIDO APAC Summit 2024: Unlocking a Secure Tomorrow by Accelerating the Future of Authentication in Asia-Pacific
    https://fidoalliance.org/fido-apac-summit-2024-accelerating-future-authentication-asia-pacific/
    Fri, 11 Oct 2024 18:58:25 +0000

    Building on the success of last year’s summit in Vietnam, the FIDO APAC Summit 2024 in Kuala Lumpur, Malaysia, once again brought together thought leaders, policymakers, technology innovators, and industry experts from across the Asia-Pacific region. With over 350 attendees from 15 countries—including Australia, China, France, Hong Kong, India, Indonesia, Japan, Malaysia, the Philippines, Singapore, South Korea, Taiwan, Thailand, the USA, and Vietnam—this year’s event served as a powerful platform for sharing knowledge, inspiring collaboration, and exploring the evolution of secure and convenient authentication technologies.

    Malaysian Government Endorses Phishing-Resistant FIDO Authentication

    In his keynote speech, CyberSecurity Malaysia Chief Executive Officer Datuk Amirudin Abdul Wahab emphasized, “Passwordless methods, such as FIDO-based biometric authentication, offer robust alternatives that are harder to compromise than traditional credentials. They also reduce the burden on users to remember complex passwords and mitigate the risks associated with credential theft.” 

    The National Agency of Cyber Security (NACSA) officially announced that they have become the first Malaysian government entity to adopt FIDO and passwordless technology. The local organizations classified as National Critical Information Infrastructure (NCII) are now using FIDO Security Keys for authentication and safeguarding applications and sensitive data.

    The summit also received extensive media coverage, about 40 stories both pre- and post-event, featured in numerous esteemed publications. Some highlights include:

    [The Edge] Over 80% of data breaches tied to weak passwords

    [Business Today] Malaysian Businesses Should Ditch Passwords for Better Cybersecurity

    [The Sun] Malaysia Advocates Passwordless Authentication to Enhance Cybersecurity

    [BERNAMA TV] Malaysia Advocates Passwordless Authentication to Enhance Security

    [Astro Awani] Malaysia Supports Passwordless Authentication to Enhance Cybersecurity

    40 Speakers from Various Sectors Highlight Key Industry Trends

    The Summit featured more than 40 speakers from sectors such as banking, government, telecom, enterprises, defense, eCommerce, solution vendors, online service providers, and manufacturers. Speakers represented leading organizations including Google, Lenovo, Samsung, ETDA Thailand, NTT Docomo, Mercari, Visa, SBI Bank, TikTok, iProov, Okta, TWCA, RSA, OneSpan, Thales, and VinCSS. One of the key themes of the 2024 Summit was the adoption of passkeys and the push towards achieving a passwordless experience across platforms. Here are some notable lessons shared:

    Google: Demonstrated passkeys as the key to providing personalized experiences that users love. Cases from X, Amazon, Roblox, Kayak, WhatsApp, Zoho, and 1Password were shared. Roblox reported, “Passkeys are a significant security and usability upgrade for all of our users. In the six months since our launch, we have seen millions of users adopting passkeys to enjoy a simpler, faster, and more secure login experience.” Kayak noted a “50% reduction in average sign-in time with passkeys. With passkeys available on most devices, we’ve phased out traditional password logins and eliminated passwords from our servers.” 1Password highlighted that “in 2023, more than 1 million passkeys were created and saved by our users, and trial users who interact with passkey features are roughly 20% more likely to convert to paying customers.”

    Samsung: Presented on passkeys on Galaxy mobile devices. Samsung launched the Passkey Provider Service at the end of 2023, providing a convenient user experience with the passkey as the default provider on Galaxy mobiles. Users can easily log in with fingerprint authentication and manage passkeys at a glance. Samsung ensures safe passkey synchronization across multiple devices logged into a Samsung account, including utilization with Samsung Knox Matrix. Statistics from the seven-month record of Samsung Passkey Provider include 7,672,861 cumulative registrations, 1,000,000 average new monthly registrations, and 850,000 average monthly authentications. Plans are in place to expand passkey usage for home appliance connectivity, such as TVs.

    NTT Docomo: Highlighted the advantages of passkeys as an ideal authentication method—simple, frictionless user experience with biometric authentication, taking just 4-7 seconds compared to up to 30 seconds for SMS OTPs. They emphasized that passkeys are the only practical phishing-resistant authentication method.

    Visa: Introduced Visa Payment Passkey for cardholder authentication in modern e-commerce. Traditional consumer authentication methods reduce fraud but often add friction, whereas biometric authentication with passkeys reduces both fraud and friction, leading to a 50% lower fraud rate.

    TikTok: Reported success with passkeys, noting that over 100 million users registered within a year of implementation, with a 97% login success rate and a 17x faster login experience. There was also a 2% reduction in SMS OTP logins, as users who adopted passkeys chose them over other methods, improving app performance and reducing costs.

    Workshops, Panel Discussions, and Networking Opportunities

    This year’s Summit offered morning workshops on Passkeys and FDO (FIDO Device Onboard), allowing participants to delve deeper into implementing FIDO solutions. Attendees had the chance to work with FIDO experts to learn about integrating FIDO authentication into their services, understand technical specifications, and explore best practices. Experts also discussed the impact of emerging technologies like AI and post-quantum computing (PQC) on the authentication ecosystem while highlighting vulnerabilities related to human elements that can be addressed through implementing passkeys and FIDO’s efforts on future-proofing security.

    Networking sessions, including a gala dinner, provided attendees a venue to relax and connect with peers from different parts of the world and sectors, fostering collaboration on developing solutions tailored to regional needs. Many participants enjoyed and respected the local culture while finding value in exchanging ideas and experiences about overcoming specific challenges in their respective sectors.

    Celebrating Progress and Looking Forward

    The FIDO APAC Summit 2024 showcased the significant progress towards convenient and secure FIDO-based passwordless authentication in the region. Through the collective efforts of governments, private sector leaders, and technology providers, the adoption of FIDO standards across the Asia-Pacific is accelerating, delivering stronger security and a seamless user experience.

    The Asia-Pacific region is at the forefront of building a phishing-resistant, passwordless future, serving as an inspiration for other regions. The spirit of innovation and collaboration at the Summit reflects the dedication of all stakeholders to creating a secure and user-friendly digital landscape.

    We extend our gratitude to all speakers, sponsors, participants, and members for making this year’s Summit a success. Together, we are shaping a more secure, passwordless future.

    Passkeys Hackathon Tokyo: A Showcase of Innovation and Excellence
    https://fidoalliance.org/passkeys-hackathon-tokyo-a-showcase-of-innovation-and-excellence/
    Mon, 09 Sep 2024 16:00:19 +0000

    By Atsuhiro Tsuchiya, APAC Market Development Sr. Manager

    In June, Google and the FIDO Alliance hosted a highly successful event in Tokyo that brought together innovative minds from various universities and companies. The event was marked by a high level of participation and competition, showcasing the latest advancements in authentication technologies.

    Event Highlights:

    • High Participation: The event saw an impressive turnout, with around 200 participants from 25 different universities and companies.
    • Cutting-Edge Innovations: Participants showcased groundbreaking solutions aimed at enhancing security and convenience in authentication processes.
    • Technical Workshops: Engaging workshops provided a platform for sharing practical knowledge and experiences.

    Key Features:

    • Real-World Implementations: A notable aspect of this event was the participation of teams focused on implementing their solutions in real-world services. This added a layer of practicality and relevance, making the event highly impactful.
    • High-Level Competition: The level of competition was exceptionally high, reflecting the advanced state of current research and development in the field. In particular, the teams from universities all proposed a high level of implementation.

    Awards and Recognition:

    Grand Winner: Keio University SFC-RG pkLock team (Keio University)

    The team developed an innovative authentication system for IoT space that combines security and user convenience, making it a standout solution in the competition.

    FIDO Award 1: SKKN (Waseda University)
    This team was recognized for their advanced authentication technology that promises to enhance security in various applications.

    FIDO Award 2: TOKYU ID (Tokyu)
    Their solution focused on integrating authentication technologies into everyday services, demonstrating practical and scalable applications.

    Google Award: Team Nulab (Nulab)
    The team impressed with their user-friendly authentication app that combines multiple security features to provide a seamless user experience.

    What We Learned from the Event:

    Collaboration is Key: The event underscored the importance of collaboration between academia and industry. By working together, we can accelerate the development and implementation of innovative authentication solutions.

    Focus on User Experience: Many of the successful solutions emphasized the need for a seamless and user-friendly experience. Security should not come at the expense of convenience.

    Scalability and Practicality: Solutions that can be easily integrated into existing systems and scaled to meet the needs of various applications are crucial for widespread adoption.

    Continuous Innovation: The rapid advancements in authentication technologies highlight the need for continuous innovation and adaptation to stay ahead of emerging threats.

    Acknowledgements: We would like to extend our heartfelt thanks to the tutors from the Japan Working Group for their invaluable support and guidance throughout the event. Their expertise and dedication were instrumental in making this event a success.

    These award-winning solutions highlight the diverse approaches and innovative thinking that are driving the future of authentication technologies. Each team demonstrated a unique blend of creativity, technical expertise, and practical application, making this event a true showcase of excellence in the field.
    The FIDO Alliance is excited to share the outcomes of this event and looks forward to continuing to support and foster innovation in authentication technologies. To learn more about the background and details, please read the full event report, Passkeys Hackathon Tokyo event report.

    Bias in Biometrics: How Organizations Can Launch Remote Identity Verification Confidently
    https://fidoalliance.org/bias-in-biometrics-how-organizations-can-launch-remote-identity-verification-confidently/
    Fri, 30 Aug 2024 17:40:59 +0000

    Most of us today are accustomed to unlocking our smartphones with a simple glance or touch. In the blink of the tech industry’s eye, biometric authentication has quickly become a normal part of our daily lives.

    Consumers love the convenience and security of biometrics, which has helped propel its growth and mainstream adoption. In the FIDO Alliance’s last global barometer survey, biometrics ranked top as the most secure and the preferred way to log in by consumers.

    But for biometrics to continue its success, there is a reputation issue and ‘elephant in the room’ that is holding back consumers, governments, and other implementers alike from full trust and confidence: bias.

    Are biometric technologies biased?

    Concerns have been circulating for some time about the accuracy of biometric systems in processing diverse demographics. In the UK in 2021, for example, Uber drivers from diverse ethnic backgrounds took legal action over claims its software had illegally terminated their contracts as its software was unable to recognize them.

    In the FIDO Alliance’s recent study, Remote ID Verification – Bringing Confidence to Biometric Systems Consumer Insights 2024, consumers made clear that they are concerned about bias in biometric facial verification systems.

    While over half of respondents indicated they believe face biometrics can accurately identify individuals (56%), others in the survey report a different experience. 

    A quarter of respondents felt they had been discriminated against by biometric face verification systems (25%).

    Organizations like NIST have been closely monitoring the disparities in bias performance for some time – with NIST’s most recent evaluation of solutions across different demographics released this year. The headline is: Not all biometric systems are created equal.

    As face verification has become adopted globally, the accuracy in identifying diverse demographics has gone from weakness to strength, with most leading solutions today operating with extremely small margins of error. However, less sophisticated solutions do exist and are perpetuating a far bigger reputational and adoption challenge.

    Inclusivity and accessibility in remote identity

    Inclusivity is just one part of the problem. Bias impacts the entire user experience and erodes faith in the technology overall. Half of American and British consumers in the survey said they would lose trust in a brand or institution if it were found to have a biased biometric system, and 22% would stop using the service entirely.

    Remote identity solutions unlock huge benefits for governments, organizations, and consumers alike. Consider already how many more scenarios where we are asked to prove who we are virtually today – starting a new job, opening a bank account, signing legal documents. And, as outlined earlier, we know consumers already love using biometrics – 48% of those we surveyed preferred biometrics to enroll and verify themselves remotely.

    However, the excitement of more remote identity solutions is understandably mixed with these bias concerns, causing some organizations to delay or reconsider implementation. We’re in an age where digital inclusivity is highly scrutinized, especially for public services, and governments are increasingly calling for a way to demonstrate equity.

    Equitable biometrics systems are both a practical and a moral imperative. So how do we get there? 

    Addressing bias in biometric systems

    The FIDO Alliance has launched its Face Verification Certification program, with mitigating bias as a key priority. It assesses a face verification system’s performance across different demographics, including skin tone, age, and gender, in addition to far more wide-reaching security and performance tests.

    Why is independent certification for biometrics important?

    Currently, testing levels are completed on a case-by-case basis, per organization. This means it’s expensive and time-consuming, and what ‘good’ looks like varies widely. The FIDO Alliance’s program is based on proven ISO standards and has been developed by a diverse, international panel of industry, government, and subject matter experts. This means it is unrivaled in its ability to set equitable performance benchmarks.

    More broadly, certification and independent global testing catalyze innovation and technological adoption. Whether launching an identity verification solution or including it in related regulations, open standards and certification set a clear performance benchmark. It removes considerable duplicated efforts, improves the confidence of all stakeholders, and ultimately drives up the performance of all solutions on the market.

    How is bias evaluated?

    At this time, the FIDO Alliance program evaluates bias using false reject rate (FRR), measured at the transaction level across skin tone, age, and gender. ISO 19795-10 has multiple options for measuring differential performance. One option, described in Section 7.4.2 (“Reporting differential performance against a benchmark”), has testers compare the performance of one or more demographic groups to a specific benchmark. FIDO has chosen this approach given the small sample size of the individual groups (50+ per group). For skin tone, groups are defined and distributed across three brackets based on the Monk Scale. For gender, groups are defined and distributed across male, female, and other. For age, groups are defined and evenly distributed across four age brackets.

    The benchmarks are set at 6% (95% confidence interval), based on bootstrapping simulations. These simulations covered a spectrum of scenarios, population sizes, and correlation between attempts. The benchmark chosen reduces the probability that a group will be considered different when it actually is not, i.e., finding a difference by chance (<5%).

    What is the value of certification for Biometric Vendors?

    • Independent validation of biometric performance
    • Opportunity to understand gaps in product performance to then improve and align with market demands
    • Demonstrate product performance to potential customers 
    • Improve market adoption by holding an industry-trusted certification
    • Leverage one certification for many customers/relying parties 
    • Benefit from FIDO delta and derivative certifications for minor updates and extendability to vendor customers
    • Reduce need to repeatedly participate in vendor bake-offs

    What is the value of certification for Relying Parties?

    • One-of-a-kind, independent, third-party validation of biometric performance assessing accuracy, fairness and robustness against spoofing attacks
    • Provides a consistent, independent comparison of vendor products – eliminating the burden of maintaining own program for evaluating biometric products
    • Accelerates FIDO adoption to password-less
    • Commitment to ensure quality products for customers of the relying parties 
    • Requirements developed by a diverse, international group of stakeholders from industry, government, and subject matter experts
    • Conforms to ISO
    • FIDO Annex published in ISO standards

    What is the value of certification with FIDO accredited laboratories?

    FIDO Accredited Laboratories are available worldwide and follow a common set of requirements and rigorous evaluation processes, defined by the FIDO Alliance Biometrics Working Group (BWG) and follow all relevant ISO standards. These laboratories are audited and trained by the FIDO Biometric Secretariat to ensure lab testing methodologies are compliant and utilize governance mechanisms per FIDO requirements. Laboratories perform biometric evaluations in alignment with audited FIDO accreditation processes. In contrast, bespoke, single laboratory biometric evaluations may not garner sufficient trust from relying parties for authentication and remote identity verification use cases.

    What are the other ISO Standards that FIDO certification conforms to?

    In addition to ISO/IEC 19795-10, vendors and their accredited lab are adhering to the following ISO standards:

    Terminology
    ISO/IEC 2382-37:2022 Information technology — Vocabulary — Part 37: Biometrics
    Presentation Attack Detection
    ISO/IEC 30107-3:2023 Information technology — Biometric presentation attack detection — Part 3: Testing and reporting
    ISO/IEC 30107-4:2020 Information technology — Biometric presentation attack detection — Part 4: Profile for testing of mobile devices
    – FIDO Annex, published 2024
    Performance (e.g., FRR, FAR)
    ISO/IEC 19795-1:2021 Information technology — Biometric performance testing and reporting — Part 1: Principles and framework
    ISO/IEC 19795-9:2019 Information technology — Biometric performance testing and reporting — Part 9: Testing on mobile devices
    – FIDO Annex, published 2019
    Bias (differentials due to demographics)
    ISO/IEC 19795-10:2024 Information technology — Biometric performance testing and reporting — Part 10: Quantifying biometric system performance variation across demographic groups – FIDO Annex, under development
    Laboratory
    ISO/IEC 17025:2017, General requirements for the competence of testing and calibration laboratories

    Enhancing Confidence in the Biometrics of Identity Verification

    The FIDO Alliance continues to champion the cause of combating bias and enhancing security measures in remote biometric identity verification technologies through its Identity Verification and Biometric Component certifications. The FIDO Certification Programs offer reliability, security, and standardization to certify biometric solutions for remote identity verification, and have specifically set benchmarks for face verification technologies to test for bias.

    In addition to the Face Verification program, the FIDO Alliance emphasizes the importance of rigorous testing and certification processes in ensuring that identity verification solutions are trustworthy and secure, including the Document Authenticity (DocAuth) Certification. These programs offer solution providers the opportunity to differentiate themselves in the market by leveraging FIDO’s independent, accredited test laboratories and industry-recognized brand.

    Learn More about FIDO Biometric Certifications

    As digital identity verification landscapes evolve, the demand for independently verified and unbiased biometric systems becomes increasingly vital. The introduction of the FIDO Alliance’s Face Verification Certification Program reinforces the commitment of solution providers to proactively address trust, security, and inclusivity in biometric identity verification technologies.

    To learn more, download the in-depth consumer research on remote ID verification here, and discover the certified providers backed by FIDO certification to stay ahead with secure and trustworthy biometric identity verification technologies.

    Authenticate Update: 2024 Agenda Released
    https://fidoalliance.org/authenticate-update-2024-agenda-released/
    Wed, 14 Aug 2024 16:37:41 +0000
    https://fidodev.wpengine.com/?p=81471

    Carlsbad, Calif, August 14, 2024 – The FIDO Alliance has announced its agenda today for Authenticate 2024, held October 14-16, 2024, at the Omni La Costa Resort and Spa in Carlsbad, California.

    Now in its fifth year, Authenticate is the only industry conference dedicated to all aspects of user authentication, and has become a ‘must attend’ cybersecurity event. This year’s event includes over 100 sessions and 125 speakers from across the globe, offering the latest innovations, expertise, and essential discussions for the digital identity industry, with an emphasis on passwordless authentication using passkeys.

    Check out the Authenticate 2024 Agenda and register at https://authenticatecon.com/event/authenticate-2024-conference/.

    Authenticate is perfect for CISOs, security strategists, enterprise architects, UX leaders, and product and business executives at any stage of their passwordless journey. Attendees will dive into practical content on authentication and identity security. The topics explored include FIDO technology basics, achieving business results, best practices for implementation in various use cases, UX factors, and case studies from the real world — all hosted in a resort environment that fosters collaboration, networking, and community building.

    The 2024 keynote speakers have extensive experience implementing passwordless solutions for workforces and consumers and represent renowned organizations such as Amazon, FIDO Alliance, Google, Microsoft, Sony, Visa, and Yubico. The conference offers four stages with dedicated content tracks tailored to match attendees’ levels of expertise, interests, and implementation stages. Additionally, attendees will be able to get to know FIDO solution providers and join networking events to connect with peers and industry experts.

    The Authenticate 2024 agenda features the following 11 content-rich tracks:

    • Business Case and ROI for Passkeys
    • Technical Fundamentals and Features of Passkeys
    • IAM Fundamentals
    • UX Fundamentals of Passkeys
    • Identity Verification Fundamentals
    • Passkeys for Consumers
    • Passkeys in the Enterprise
    • Passkeys for Government Use Cases and Policy Making
    • Passkeys for Payments
    • The Passwordless Vision and the Future of Passkeys
    • Complementary Technologies and Standards

    Sponsoring Authenticate 2024

    Authenticate 2024 is accepting sponsorship applications for companies to showcase their solutions to key decision-makers and connect with potential customers. To learn more about the available on-site and virtual sponsorship options for the 2024 event, visit the Authenticate Sponsors page here. Due to the limited opportunities remaining, interested parties are encouraged to reach out to the Authenticate team soon at authenticate@fidoalliance.org.

    About Authenticate

    Authenticate 2024 is the leading conference dedicated to all aspects of user authentication, with a focus on FIDO standards. Celebrating its 5th year, the event will take place October 14-16, 2024 at the Omni La Costa Resort and Spa, offering both in-person and virtual attendance options. The conference gathers global leaders working to advance stronger, phishing-resistant authentication, and provides the latest educational content, technical insights, tools, and deployment best practices.

    Authenticate 2024 is hosted by the FIDO Alliance, the cross-industry consortium that provides standards, certifications, and market adoption programs to accelerate the utilization of simpler, stronger authentication innovations like passkeys. The signature sponsors for the 2024 Authenticate conference include industry leaders Cisco, Google, Microsoft, and Yubico. 

    Visit the Authenticate 2024 website to register now and use the early bird discount (through September 9, 2024). Follow @AuthenticateCon on X for the latest updates. 

    Authenticate Contact

    authenticate@fidoalliance.org

    PR Contact

    press@fidoalliance.org

    New CISA Guide Calls for Phishing-Resistant Forms of Authentication and Passkeys by Default
    https://fidoalliance.org/cisa-secure-by-demand-guide-phishing-resistant-authentication-passkeys-by-default/
    Thu, 08 Aug 2024 14:55:18 +0000
    https://fidodev.wpengine.com/?p=81434

    Andrew Shikiar, FIDO Alliance Executive Director & CEO

    In a significant move to bolster software security, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation have released new guidance that organizations can use to demand better security from their software vendors.

    The Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem underscores the pivotal role that software customers play in digital supply chain security. The guide outlines high-priority security requirements from the earliest stages of software development, a principle central to creating “secure by design” products.

    Among the items highlighted are phishing-resistant authentication methods, such as passkeys, as a default feature in software products. Announced on Tuesday, August 6, 2024, at Black Hat USA, this new guidance represents a vital step forward in securing the digital supply chain in the United States and worldwide.

    Secure by Demand, Secure by Design

    This new guidance complements CISA’s recent Secure by Design Guide aimed at technology manufacturers to improve their software product security. By focusing on the procurement aspect in the supply chain, the new guidance advises software buyers to demand modern security features from technology manufacturers, such as phishing-resistant authentication and passkeys. By doing so, customers can drive demand for security as a baseline feature and compel technology manufacturers to adhere to secure design practices.

    The guidance also includes an assessment to evaluate software security and include security requirements in contracts. It encourages a proactive procurement approach, where a buyer can assess a manufacturer’s security and capabilities to reduce vulnerabilities and strengthen resilience. The guide establishes best practices for secure software procurement and highlights the product security features that bolster supply chain security and interoperability.

    Passkeys Take Center Stage

    CISA’s guidance aligns with the recent guidance from the National Institute of Standards and Technology (NIST) in their digital identity guidelines on authentication and lifecycle management. In supplemental guidance, NIST SP 800-63Bsup1, NIST affirmed that synced passkeys meet Authentication Assurance Level 2 (AAL2) requirements and device-bound passkeys satisfy Authentication Assurance Level 3 (AAL3). The two guidance documents emphasize the importance of security, including digital identity and authentication best practices, across the digital supply chain.

    The Secure by Demand guidance empowers IT buyers, who can drive market demand for secure software features, such as passkeys and FIDO authentication. Given that weak or stolen passwords account for 80% of hacking-related breaches and credential phishing has skyrocketed by 967% since 2022, buyers can use the guide’s security assessment to evaluate software security, including passkey capabilities, and improve security risk management in the supply chain. With this guidance, CISA aims to increase awareness and drive market demand for secure software.

    Key Recommendations for Software Manufacturers

    CISA’s Secure by Demand guide outlines several critical requirements that customers should evaluate when procuring software, and includes questions to assess a software manufacturer’s security capabilities in the following areas:

    • Authentication: Manufacturers should support secure, standards-based Single Sign-On (SSO) and implement phishing-resistant multi-factor authentication (MFA) or passkeys — by default, and at no extra cost.
    • Eliminating Vulnerabilities: Systematic efforts should be made to address and prevent classes of software defects, such as SQL injection and cross-site scripting vulnerabilities.
    • Secure Defaults: Security logs should be provided to customers without additional charges, ensuring transparency and accountability in software security.
    • Supply Chain Security: Ensuring the provenance of third-party dependencies via Software Bill of Materials (SBOM) and robust processes for integrating open-source components are vital.
    • Vulnerability Disclosure: Transparency and timely reporting of vulnerabilities, including authorization for security testing by the public, is crucial for maintaining trust and improving security outcomes.

    A Call to Action for Security Leaders

    The guidance for those manufacturing or procuring software across the software supply chain is clear: passkeys improve third-party supply chains and ensure higher security standards in software procurement and development processes. By integrating passkeys into authentication processes, organizations can strengthen end-to-end digital identity lifecycle management and significantly reduce the risks of phishing and social engineering attacks.

    To learn more about CISA’s Secure by Demand guidance, visit https://www.cisa.gov/resources-tools/resources/secure-demand-guide.
    Ready to go passwordless? Learn how to implement passkeys or find a passkey deployment partner using the FIDO Certified Directory and FIDO Certified Member Showcase.

    Strengthening Authentication with Passkeys in Automotive and Beyond
    https://fidoalliance.org/strengthening-authentication-passkeys-automotive-fido-munich-seminar-2024/
    Mon, 22 Jul 2024 18:35:25 +0000
    https://fidodev.wpengine.com/?p=81296

    On July 16th, 2024, the FIDO Alliance held a seminar focused on the fit for FIDO authentication and device onboarding within the automotive industry. Co-hosted with Swissbit, the event had over 100 attendees who heard from various stakeholders on the need and opportunity for standards-based approaches to securing the automotive workforce and manufacturing process. Themes included how passkeys and FIDO-certified biometrics can help transform the future of in-vehicle experiences, especially with in-car payments, smart cars, and IoT.

    FIDO Momentum in the Automotive Industry

    Like just about every market sector, the automotive industry is plagued by risks and ramifications associated with decades of relying on passwords – and is also uniquely poised to improve the user experience by embracing passkeys for user authentication.

    With smart cars having embedded technology to connect to digital experiences, there are several innovations primed for take-off in the automotive industry. With nearly 100 million vehicles making payments by 2026, up from just 2.3 million in 2021, passkeys will be crucial to simplify the in-vehicle user experience. At the same time, manufacturers have the opportunity to improve IoT and secure embedded devices to improve customer experiences on and off the road.

    Manufacturing and Smart Car Case Studies

    On the workforce front, the event featured a case study from MTRIX and considerations on how to deploy FIDO security keys to a manufacturer’s workforce – contemplating the many types and locations of workers for today’s global manufacturers. This case study reinforced the factors called out in a presentation by Infineon on the regulatory-driven push and pull with FIDO authentication.

    VinCSS described how FIDO Device Onboard is being used today to secure the smart car ecosystem both at point of manufacturing as well as for after-market use cases.

    Using Passkeys for In-Vehicle Payments

    The final block of sessions looked more closely at our in-vehicle future – including an overview of current trends for in-vehicle payments. Visa and Starfish then presented a blueprint and demo respectively for a standards-based approach for in-vehicle payments before Qualcomm wrapped things up with their vision for a digital chassis as the foundation for a software-defined vehicle that contemplates the need for secure identity, payments and driver/passenger personalization.

    Driving FIDO in the Automotive Industry – Next Steps

    The FIDO Alliance welcomes input from the public and the identity security community on FIDO’s future in the automotive industry. Comments are welcome via our contact us page. For in-person connections, we encourage identity security and authentication professionals to join us at our conference, Authenticate, where there will be several automotive and passkey related sessions, content, and peer networking. This year’s event will be held Oct. 14-16, 2024, in sunny southern California at the La Costa Omni Resort in Carlsbad, CA.

    Battling Deepfakes with Certified Identity Verification
    https://fidoalliance.org/battling-deepfakes-with-certified-identity-verification/
    Thu, 18 Jul 2024 19:38:55 +0000
    https://fidodev.wpengine.com/?p=81270

    The digital transformation and the proliferation of e-identity schemes have escalated the need for secure and reliable online identity verification methods, especially in light of the alarming trend of AI-generated “deepfakes.” As internet users have learned about the increasing threat of deepfakes, they have become increasingly concerned about their identities being spoofed online, according to a new study conducted by the FIDO Alliance. As a result, deepfake awareness and the risks associated with them have steadily increased.

    Amidst this landscape, the FIDO Alliance released its newest research in the eBook, Remote ID Verification – Bringing Confidence to Biometric Systems Consumer Insights 2024, which reveals insights from an independent study surveying 2,000 respondents in the U.S. and the U.K. on consumer perceptions on remote identity verification, online security, and biometrics. While the data showed consumer awareness and adoption of biometrics is increasing, consumers also expressed concerns about the rise of AI-generated deepfakes – reinforcing the need for preventative strategies and technologies focused on secure remote identity verification. 

    What is a “deepfake”?

    According to the Center for Internet Security, a deepfake consists of convincingly fabricated audio and video content designed to mislead audiences into believing that fabricated events or statements are real. These manipulations can create realistic yet entirely false representations of individuals through synthetic images or complete video footage. This manipulated audio/video content is dangerously effective at spreading false information. In cybersecurity, deepfakes are increasingly being used to spoof identities to fraudulently open accounts or take control of existing accounts.

    With the advent of AI and the increasing use of face biometrics for remote identity verification, the deepfake risks to remote identity proofing (RIDP) methods have become a reality. Security researchers have been closely evaluating the identity verification risks associated with deepfakes to increase awareness of the rapidly changing threat landscape and support stronger countermeasures that enhance the trustworthiness and reliability of RIDP methods. In the European Union Agency for Cybersecurity’s (ENISA) latest remote ID report, researchers observed that deepfake injection attacks are increasing and becoming more difficult to mitigate.

    Users Express Concerns about Deepfakes and ID Verification

    With the rise of generative AI and deepfake videos in the news, there has been heightened consumer unease about the security of biometrics for online verification. The FIDO Alliance’s study shows that deepfake trends have not escaped the attention of consumers, who are increasingly using face biometrics to authenticate identities online and are concerned about identity security.

    On one hand, the study reinforced consumer preference for using biometrics in remote identity verification, with nearly half of the respondents indicating a preference to use face biometrics, especially for sensitive transactions, like financial services (48%). 

    On the other hand, just over half of respondents revealed they are concerned about deepfakes when verifying identities online (52%).

    Building Consumer Trust in Face Biometrics

    As the concerns around deepfake security threats gain prominence, the industry has taken a significant step forward with the FIDO Alliance’s newly introduced Identity Verification certification program for Face Verification. This industry-first testing certification program, based on ISO standards, with requirements developed by the FIDO Alliance, aims to measure accuracy, liveness (including deepfake detection), and bias (including skin tone, age, and gender) in remote biometric identity verification technologies. By providing a framework for testing biometric performance and a network of accredited laboratories worldwide, this certification program standardizes and evaluates the performance of face verification systems while mitigating the impact of bias and security threats, like deepfakes.

    Certifying Identity Verification with the FIDO Alliance

    The Identity Verification certifications that the FIDO Alliance provides offer industry providers the ability to demonstrate commitment to addressing bias and security threats in remote biometric identity verification technologies. With a focus on standardizing and enhancing the performance of face verification technologies, the Alliance released its new FIDO Certification Program to elevate the performance, security, and equity of biometric solutions for remote identity verification. Combined with its Document Authenticity (DocAuth) Certification Program, these two certifications work together to ensure identity verification solution providers can leverage FIDO’s independent testing and accredited laboratories as a market differentiator. 

    What is the value for IDV Biometric Vendors?

    • Independent validation of biometric performance
    • Opportunity to understand gaps in product performance to then improve and align with market demands
    • Demonstrate product performance to potential customers 
    • Improve market adoption by holding an industry-trusted certification
    • Leverage one certification for many customers/relying parties 
    • Benefit from FIDO delta and derivative certifications for minor updates and extendability to vendor customers
    • Reduce need to repeatedly participate in vendor bake-offs

    What is the value for Relying Parties?

    • One-of-a-kind, independent, third-party validation of biometric performance assessing accuracy, fairness and robustness against spoofing attacks
    • Provides a consistent, independent comparison of vendor products – eliminating the burden of maintaining own program for evaluating biometric products
    • Accelerates FIDO adoption to password-less
    • Commitment to ensure quality products for customers of the relying parties 
    • Requirements developed by a diverse, international group of stakeholders from industry, government, and subject matter experts
    • Conforms to ISO
    • FIDO Annex published in ISO standards

    What is the value of accredited laboratories?

    FIDO Accredited Laboratories are available worldwide and follow a common set of requirements and rigorous evaluation processes, defined by the FIDO Alliance Biometrics Working Group (BWG) and follow all relevant ISO standards. These laboratories are audited and trained by the FIDO Biometric Secretariat to ensure lab testing methodologies are compliant and utilize governance mechanisms per FIDO requirements. Laboratories perform biometric evaluations in alignment with audited FIDO accreditation processes. In contrast, bespoke, single laboratory biometric evaluations may not garner sufficient trust from relying parties for authentication and remote identity verification use cases.

    What are the ISO Standards that FIDO certification conforms to?

    When a vendor invests in FIDO’s Face Verification Certification, they and their accredited lab are adhering to the following ISO standards:

    Terminology
    ISO/IEC 2382-37:2022 Information technology — Vocabulary — Part 37: Biometrics
    Presentation Attack Detection
    ISO/IEC 30107-3:2023 Information technology — Biometric presentation attack detection — Part 3: Testing and reporting
    ISO/IEC 30107-4:2020 Information technology — Biometric presentation attack detection — Part 4: Profile for testing of mobile devices
    -FIDO Annex, published 2024
    Performance (e.g., FRR, FAR)
    ISO/IEC 19795-1:2021 Information technology — Biometric performance testing and reporting — Part 1: Principles and framework
    ISO/IEC 19795-9:2019 Information technology — Biometric performance testing and reporting — Part 9: Testing on mobile devices
    -FIDO Annex, published 2019
    Bias (differentials due to demographics)
    ISO/IEC 19795-10:2024 Information technology — Biometric performance testing and reporting — Part 10: Quantifying biometric system performance variation across demographic groups
    -FIDO Annex, under development
    Laboratory
    ISO/IEC 17025:2017, General requirements for the competence of testing and calibration laboratories

    Learn More about FIDO IDV Certification

    As organizations and policymakers navigate the evolving landscape of digital identity verification, these consumer insights serve as a testament to the pressing need for independently tested and accurate biometric systems. The FIDO Alliance’s new Face Verification Certification Program offers solution providers the opportunity to demonstrate deepfake prevention to relying parties and end users by testing for security, accuracy, and liveness.

    Download the Remote ID Verification eBook here today, and discover the world-class offerings from FIDO’s certified providers that have invested in independent, accredited lab testing with FIDO certification.

    FIDO APAC Summit 2024 Announces Keynotes, Speakers, and Sponsors
    https://fidoalliance.org/fido-apac-summit-2024-announces-keynotes-speakers-and-sponsors/
    Wed, 26 Jun 2024 17:09:22 +0000
    https://fidodev.wpengine.com/?p=80994

    The FIDO Alliance is thrilled to announce the lineup for its highly anticipated second FIDO APAC Summit, set to take place at the JW Marriott Kuala Lumpur on September 10-11, 2024. Co-hosted by SecureMetric Technology and supported by Malaysia Digital Economy Corporation (MDEC) and CyberSecurity Malaysia, this premier event is dedicated to advancing phishing-resistant FIDO authentication across the region under the theme, “Unlocking a Secure Tomorrow.”

    The summit will feature keynote addresses by notable leaders such as Gobind Singh Deo, Malaysia’s Minister of Digital; Dato’ Dr. Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia; TS. Mohamed Kheirulnaim Mohamed Danial, Senior Assistant Director of National Cyber Coordination and Command Centre (NC4) & National Cyber Security Agency (NACSA); Andrew Shikiar, CEO & Executive Director of FIDO Alliance; and Edward Law, CEO of Securemetric. 

    They will be joined by a distinguished roster of speakers including Christiaan Brand, Product Manager: Identity and Security at Google; Eiji Kitamura, Developer Advocate at Google; Henry (Haixin) Chai, CEO of GMRZ Technology / Lenovo; Hyung Chul Jung, Head of Security Engineering Group at Samsung Electronics; Khanit Phatong, Senior Management Officer at Thailand Electronic Transactions Development Agency; Masao Kubo, Manager of Product Design Department at NTT DOCOMO; Naohisa Ichihara, CISO at Mercari; Niharika Arora, Developer Relations Engineer at Google; Sea Chong Seak, CTO at SecureMetric; Simon Trac Do, CEO & Founder of VinCSS; Takashi Hosono, General Manager at SBI Sumishin Net Bank; Yan Cao, Engineering Manager at TikTok; and Hao-Yuan Ting, Senior Systems Analyst at Taiwan Ministry of Digital Affairs.

    The updated list of speakers can be found here.

    Among the speakers, Tin Nguyen, a former U.S. Marine and FBI Special Agent, now a cybersecurity expert, will discuss the benefits of passwordless authentication and how it enhances organizational defenses against cyber threats. “Cybercriminals continuously search for vulnerabilities to take advantage of. Therefore, it is imperative for organizations to implement strong cybersecurity measures to safeguard their users,” says Nguyen. “Implementing FIDO-based passkeys provides an extra layer of security, mitigating potential threats without compromising user experience.”

    The event promises to attract hundreds of attendees and will feature keynote addresses, panel discussions, technical workshops, and an expo hall showcasing the latest innovations from leading technology companies such as Securemetric, VinCSS, OneSpan, iProov, Thales, AirCuve, Zimperium, RSA, Yubico, Identiv, Utimaco, FETIAN, and many more. Attendees will have the opportunity to explore the latest trends in cybersecurity, network with top industry minds, and gain invaluable knowledge on implementing FIDO standards for enhanced security.

    “The FIDO Alliance is thrilled to host its second FIDO APAC Summit 2024 in Malaysia, featuring presentations from some of the brightest minds in authentication from the APAC region and beyond,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. “With the continuous rise in the volume and sophistication of cyber-attacks, it is crucial for organizations to move past passwords and adopt passkeys, a user-friendly alternative based on FIDO standards.”

    Registrations are now open to the public. For more information and to register, please visit www.fidoapacsummit.com. For sponsorship opportunities, please contact events@fidoalliance.org.

    About the FIDO Alliance 

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    PR Contact 

    press@fidoalliance.org

    FIDO Alliance addresses accuracy and bias in remote biometric identity verification technologies with first industry testing and certification program
    https://fidoalliance.org/fido-alliance-addresses-accuracy-bias-in-remote-biometric-identity-verification-technologies-industry-first-testing-certification-program/
    Wed, 29 May 2024 09:00:41 +0000

    Face Verification Certification launched to bring confidence to ID ecosystem among rising online identity theft and bias concerns

    May 29, 2024 – The FIDO Alliance announced today the launch of the first globally available certification program to test and certify the performance of remote biometric identity verification technology when verifying a user against a trusted identity document for accuracy, liveness, and bias. The Face Verification Certification program comes at a time of soaring demand for face biometric identity solutions and recognition of the importance of robust enrollment and identity re-binding processes to the overall security of online accounts. Dynamic Liveness, the science powering the iProov Biometric Solution Suite’s Remote Onboarding Solution and Authentication Solution, is the first product to pass the rigorous certification testing.

    The certification program, consisting of 10,000 tests at a minimum, assesses a biometric system’s performance across different demographics, including skin tone, age, and gender. It measures resistance to spoof and deepfake attacks with Imposter Attack Presentation Accept Rate (IAPAR), and also assesses the usability and security of solutions by measuring False Reject and Accept Rates (FRR and FAR respectively). The certification also tests “selfie match” capabilities to ensure a user’s “selfie” matches their government-issued ID in the initial account setup process. 

    Combating bias and deepfake threats in biometric ID systems

    Biometrics has ranked top as global consumers’ preferred way to log in and the method they think is most secure for the last two years. However, as governments and businesses globally roll out remote identity solutions, two urgent issues remain to address – bias in some biometric systems and new security threats. 

    Organizations including NIST have been closely monitoring the disparities in performance for some time – with NIST’s most recent evaluation of solutions across different demographics released this year. The issue of bias is tightly linked to brand reputation too; new research from FIDO Alliance released today has found 50% of American and British consumers said they would lose trust in an organization if its biometric system was found to be biased, while 22% said they’d stop using a service entirely. Similarly, generative AI’s boom has also heightened security apprehensions about online verification; the same survey revealed over a third of consumers (37%) are more concerned about verifying themselves online due to the rising number of deepfakes. In ENISA’s latest remote ID report, researchers observed that while deepfake injection attacks are increasing and more sophisticated, deepfake presentation and injection attacks remain the top two biometric attack types most difficult to mitigate.

    Bringing trust to the ID ecosystem

    Commenting on the news, Andrew Shikiar, Executive Director & CEO of the FIDO Alliance, said: “Remote identity solutions unlock huge benefits for governments, organizations, and consumers alike, but as appetite grows across the globe, there are understandable concerns mixed with excitement. Identity theft is rising, while bias in biometric systems has caused organizations to delay or reconsider implementations at a time when inclusivity and accessibility have never been more important.

    “Certification unlocks the power of open standards and catalyzes ecosystem-wide innovation and opportunity. With iProov’s market-first certification for biometric face verification now completed, we look forward to serving additional providers who understand the value of independent, accredited lab testing. This new certification program provides a launchpad that enables all stakeholders to fast-track deployments that are robust enough for the modern threat landscape and work well for everyone, anywhere in the world.” 

    Leading biometrics solutions provider, iProov, has become the first vendor to complete the rigorous certification process. iProov provides market-leading biometric solutions that protect the world’s most security-conscious organizations from deepfakes and other types of identity fraud. Andrew Bud, founder and CEO at iProov said: “Biometrics are a powerful tool that organizations can utilize to facilitate secure, inclusive, and user-friendly interactions online. Each of these three fundamental components must be given equal consideration as organizations evaluate their options. With the FIDO Face Verification Certification program, organizations now have a trusted compass for navigating these decisions. We applaud The FIDO Alliance for addressing the importance of biometric identity verification to strengthen the full user identity lifecycle. Independent certification creates a much-needed quality benchmark for this evolving technology and further demonstrates our ability to provide trusted identity assurance in an age of AI threats and identity fraud.” 

    Testing requirements are built upon proven ISO standards and are developed by a diverse international authority of stakeholders, including industry, government, and independent subject matter experts. Participating vendors can benefit from identifying gaps in product performance and demonstrating clearly to the market their solutions can be trusted, which can reduce individual testing needs and boost adoption. Two independent labs are currently accredited to support this certification – Ingenium Biometrics and TÜV Informationstechnik (TÜV NORD GROUP) – with more expected to follow later this year. 

    The program expands upon the Alliance’s existing Biometric Component Certification and Document Authenticity (DocAuth) Certification programs and demonstrates FIDO’s ongoing commitment to meet marketplace demand and address evolving threats with third-party certifications. Combined, these programs provide unrivaled end-to-end assurance to implementing organizations, consumers and vendors and support the world’s migration to more secure digital verification systems and passwordless security.

    FIDO Alliance Releases New Design Guidelines for Optimizing User Sign-in Experience with Passkeys
    https://fidoalliance.org/new-design-guidelines-optimizing-user-sign-in-experience-with-passkeys/
    Wed, 29 May 2024 08:49:07 +0000

    May 29, 2024 – The FIDO Alliance today released new design guidelines to help accelerate passkey adoption and deployment.

    The FIDO Design Guidelines aim to help online service providers design a better, more consistent user experience (UX) when signing in with passkeys.

    The guidelines are developed for designers, engineers, product managers, content strategists, and UX researchers to use for reference and guide their initial implementation of passkeys and expansion of passkey support over time.

    The new guidelines are available at https://fidoalliance.org/design-guidelines/

    “As organizations are increasingly deploying passwordless authentication based on FIDO standards around the world, the end users of passkeys – along with the practitioners implementing them – have become top priorities for successful adoption,” said Andrew Shikiar, Executive Director and CEO of The FIDO Alliance. “Our research shows consumers and employees are adopting phishing-resistant passkeys at a rapid pace while relying organizations are experiencing cost savings and fewer security incidents.  By continuing our investment in the evolving user experience, the FIDO Alliance is committed to ensuring brands have a consistent and accessible set of guidelines that are fully aligned with design best practices and FIDO technology requirements. We encourage online service providers everywhere to use these publicly available guidelines to enhance the user experience and enjoy greater success with FIDO passkey deployment and adoption.”

    Following the first release of FIDO UX guidelines for passkeys in 2022, the 2024 Design Guidelines have been updated with optimization included for service providers evaluating and deploying passkeys. 

    The 2024 Design Guidelines are organized into five sections to provide clear guidance, confirm design principles, and offer flexibility:

    • User experience research: Provides confidence that the guidelines are informed by design research
    • Principles: 10 UX principles and 3 content principles for passkeys that are core to any passkey implementation
    • “Get started” design patterns: Patterns are the heart of the guidelines, containing self-contained experiences that can be combined to match unique business needs
    • Optional design patterns: Patterns that can be added after the “get started” patterns over time
    • Resources: Provides additional resources like events, Figma UI kits and community groups to jump-start work with passkeys

    The FIDO UX Working Group created the guidelines and comprises 131 UX researchers, designers, and PMs from 31 global brands. The guidelines were created in partnership with usability research firm Blink UX – with added underwriting support from 1Password, Dashlane, Google, HID, Trusona, U.S. Bank, and Yubico.

    Hear More about the Design Guidelines

    Learn about the 2024 Design Guidelines at Identiverse 2024 in Las Vegas May 28-30, 2024. To learn more, visit the FIDO Alliance website.

    For a deeper dive, join these sessions from the upcoming Design Guidelines for Passkeys Webinar Series: 

    • June 11 | 2:00 PM ET | Essentials for Adopting Passkeys as the Foundation of Your Consumer Authentication Strategy
    • June 18 | 2:00 PM ET | Aligning Authentication Experiences with Business Goals
    • June 25 | 2:00 PM ET | Drive Revenue and Decrease Costs with Passkeys for Consumer Authentication
    • July 2 | 2:00 PM ET | Design Guidelines for Passkeys: Ask Us Anything!

    Registrants of this webinar series will have access to all events both live and on-demand after they air. To register, click here.

    FIDO Taipei Workshop: Securing the Edge with FDO
    https://fidoalliance.org/content-blog-fido-taipei-workshop-fdo/
    Tue, 21 May 2024 12:00:00 +0000

    [Watch the FIDO Taipei Workshop Recap Video]

    On April 24, 2024, the FIDO Alliance held its first ever in-person FDO Workshop at the Institute of Information Science, Academia Sinica Nangang Campus in Taipei. The event attracted over 100 attendees from 30 different organizations. This workshop was dedicated to unveiling the power of the FIDO Device Onboard (FDO)—a revolutionary open standard that simplifies and secures the device onboarding process by moving away from legacy approaches that often rely on inefficient and insecure passwords and other knowledge-based credentials.

    [Pictures from FIDO Taipei Workshop]

    The sessions included “FDO 101,” “FDO Certification Programs,” “How to Deploy FDO” and diverse showcases from leaders in edge computing and IoT. Companies including Intel, ASRock, Red Hat, Dell, VinCSS, and Infineon demonstrated how they have developed, applied, and used FDO in their solutions. We are excited to share slides from the workshop:

    • Introduction to FDO and How It Works: Richard Kerslake, Market Development Manager, Connected Device Standards, FIDO Alliance (Download Slides)
    • The Value of Certifying Products for FDO: Paul Heim, Director of Certification, FIDO Alliance (Download Slides)
    • Choosing the Right FDO Deployment Model for Your Application: Geoffrey Cooper, Intel (Download Slides)
    • Simplified FDO Manufacturing Flow with TPMs: Liam Cheng, Marketing Manager, Infineon (Download Slides)
    • Linux Foundation Edge – Overview of FDO Software Components: Randy Templeton, Software Engineer, Intel (Download Slides)
    • Where to Learn More about FDO: Richard Kerslake, Market Development Manager, Connected Device Standards, FIDO Alliance (Download Slides)
    • Secure Zero Touch Enabled Edge Compute with Dell NativEdge via FDO: Brad Goodman, Architect, Edge Computing, Dell (Download Slides)
    • FDO for Camera, Sensor, and Networking Device – Commercial Solution from VinCSS: Quan Do, Head of IoT Security Solutions & Van Nguyen, Senior Researcher, R&D Center, VinCSS (Download Slides)
    • How Red Hat Uses FDO in Device Lifecycle: Costin Gament, Senior Integration Engineer & Vitaliy Emporopulo, Principal Software Engineer, Red Hat (Download Slides)
    • ASRock Industrial’s FDO Solutions in Action for Industrial Edge AI: Kenny Chang, VP of Product and Marketing Division, ASRock Industrial (Download Slides)

    [Pictures from FIDO Taipei Workshop]

    We had the honor of welcoming the newly inaugurated Minister of Digital Affairs, Dr. Yennun Huang, along with other key government officials who participated to extend their congratulations on FIDO Alliance’s contributions to the digitally connected world. The event garnered significant attention from various local media outlets, including Liberty Times Net, Radio Taiwan International, Yahoo Taiwan, EE Times, CNA News, iThome, and many others.

    The FIDO Alliance sincerely thanks our sponsors for their unwavering commitment to a password-free future, which was crucial in making the first-ever in-person FDO Workshop possible. Their ongoing dedication was essential to the event’s success. We look forward to the continued partnerships and insights gained during this workshop, which will help shape a more secure digital future.

    We invite you to join us for the next in-person event, the FIDO APAC Summit 2024, scheduled for September 10-11, 2024, in Kuala Lumpur, Malaysia. This summit will feature a comprehensive FDO workshop among its sessions.

    New Survey: Half of People Use Passkeys as Frustrations with Passwords Continue
    https://fidoalliance.org/new-survey-half-of-people-use-passkeys-as-frustrations-with-passwords-continue/
    Thu, 02 May 2024 13:00:00 +0000

    20% of the world’s top 100 websites now support the password alternative

    MOUNTAIN VIEW, Calif., 02 May, 2024 – World Password Day may soon need a rebrand, as the FIDO Alliance survey released today shows that half of people in the US and UK have begun ditching the password in favor of more convenient and secure passwordless alternatives.

    An independent survey commissioned by the FIDO Alliance found that 53% of people have enabled passkeys on at least one of their accounts, with 22% enabling them on every account they possibly can. In separate research, the Alliance found that passkeys are now supported by 20% of the world’s top 100 websites and 12% of the top 250. 

    This shift away from passwords toward passkeys is being driven by three key trends: people’s concerns over password security, their frustrations in using them, and the growing availability of passkeys on major websites and services.

    The Alliance’s research found that in the last year, 24% of people had at least one of their accounts compromised due to password vulnerabilities, and 26% had to reset or recover at least one password every month. In addition, 45% of consumers will abandon purchases if they have forgotten their password for that particular account. This is hugely significant for passkey adoption, as 61% of people familiar with passkeys consider them to be more convenient than passwords, and 58% believe they offer greater security. 

    The availability of passkeys has also increased steadily over the last year, with Microsoft today announcing that Microsoft accounts – including a wide range of services like Bing, Microsoft 365 and Xbox.com – now also support passkeys. This is added to support from large global consumer brands, such as Adobe, Amazon, Apple, Google, Hyatt, Nintendo, PayPal, PlayStation, Shopify and TikTok. In all, more than 13 billion user accounts can now leverage passkeys for sign in.

    As a result of high-profile passkey deployments like these, awareness of the technology has grown to 62% of people, according to the research. Among people with some knowledge of passkeys, those enabling them on at least one account rises substantially to 74%, while those enabling passkeys on every account possible rises to 32%. This suggests that adoption will only increase as more people become more familiar with passkeys.

    “It was just two years ago that FIDO Alliance, alongside the world’s largest platform providers, introduced the vision for passkeys to accelerate the scale and usability of password-free sign-ins. The market’s reaction since then has been nothing short of phenomenal, with hundreds of services enabling billions of consumers to use passkeys,” said Andrew Shikiar, executive director and CEO of the FIDO Alliance. “We expect this trend to accelerate in the months and years ahead, and our research makes it clear that when offered, people prefer the better security and usability of passkeys over passwords.”

    Ends

    Notes to editors:

    • The independent survey was conducted by Sapio Research in April 2024 among 2,000 consumers across the UK and US – with 1,000 in each country. Results of any sample are subject to sampling variation. In this particular study, the chances are 95 in 100 that a survey result does not vary, plus or minus, by more than 2.2 percentage points from the result that would be obtained if interviews had been conducted with all persons in the universe represented by the sample.
    • To calculate the proportion of the world’s top websites and services that support passkeys, the FIDO Alliance combined publicly available information with its own data on passkey deployments. 

    NIST cites phishing resistance of synced passkeys in Digital Identity Guidelines update
    https://fidoalliance.org/nist-cites-phishing-resistance-of-synced-passkeys-in-digital-identity-guidelines-update/
    Mon, 22 Apr 2024 20:12:08 +0000

    Andrew Shikiar, FIDO Alliance Executive Director & CEO

    Adoption of passkeys has grown rapidly since the introduction of sync capabilities less than two years ago, with passkeys being offered by a large and growing proportion of the world’s most visited websites and services. This adoption has come in large part because passkeys offer a true password replacement, helping address the well-known security and user experience weaknesses of knowledge-based authentication like passwords and even other second-factor methods like SMS OTPs.

    Market adoption of new technology naturally moves faster than the associated policy and regulatory guidance – which for user authentication still generally reflects the password-centric worldview from when such guidance was developed. This is why we are excited that NIST has taken a lead amongst government agencies and moved quickly to provide new supplemental guidance confirming that synced passkeys meet Authentication Assurance Level 2 (AAL2).

    This new NIST guidance makes clear that passkeys – like other FIDO authenticators – can support both AAL2 and AAL3 requirements. Synced passkeys can be AAL2 and device-bound passkeys can be AAL3.

    Crucially, the NIST supplement also cites synced passkeys deployed in a manner consistent with the guidelines as being phishing resistant. This has obvious benefits in a world where 87% of hacking-related breaches are caused by weak or stolen passwords and where there has been a 967% rise in credential phishing since 2022.

    Passkey adoption to be boosted by the ‘reassurance of assurance’

    While the rate of passkey adoption to date has been nothing short of phenomenal, some organizations – particularly those in regulated industries – understandably want to see that key government bodies accept and recommend new technologies like passkeys before supporting them at scale.  

    We have heard this from our partners and constituents across the globe about NIST in particular, whose digital identity guidelines are a global gold standard that is frequently cited by other countries. Today’s supplemental guidance from NIST stands to remove a critical barrier to passkey adoption, which now stands to be further accelerated.

    However, there is still work to do. We are working closely with other agencies across the globe to educate them about passkeys and the importance of phishing-resistant authentication, and are encouraging them to update legacy policies, guidelines, and regulations to ultimately allow all organizations, wherever they are, to confidently provide more secure and more convenient authentication to their users and customers. 

    Building NIST guidance into business best practices

    Identity and authentication architects should contemplate NIST’s supplemental guidance as part of their broader digital identity strategy. For example, for every use case where password + OTP was used in the past, a synced passkey deployed in accordance with the new NIST guidance is not only sufficient to meet AAL2 requirements, but also more effective. In the vast majority of deployment scenarios, synced passkeys will provide a significant security and UX improvement over today’s authentication patterns – almost all of which are susceptible to phishing.

    If organizations have specific business, regulatory, or other security requirements, they can choose whether to accept a synced passkey as the primary authentication method, use it as a second factor, pair it with a risk engine, or require a device-bound key. Today’s guidance frees architects from thinking about authentication layers so that they can instead focus on business requirements and related threat models. And today’s primary threat model of phishing and social engineering can be directly addressed by utilization of passkeys.

    Recap: Virtual Summit: Demystifying Passkey Implementations
    https://fidoalliance.org/recap-virtual-summit-demystifying-passkey-implementations/
    Tue, 26 Mar 2024 14:44:25 +0000

    By: FIDO staff

    Passkeys hold the promise of enabling simpler, strong authentication. But first organizations, governments and individuals will have to adopt the technology – and some of them have questions.

    At the Authenticate Virtual Summit: Demystifying Passkey Implementation on March 13, speakers from the FIDO Alliance, Intercede, IDEMIA, Yubico, Dashlane and 1Password as well as implementers including Amazon and Target, presented on their experiences implementing and working with passkeys. The virtual summit covered the technical perspective on passkeys from the FIDO Alliance, as well as use cases for passkeys in the enterprise, consumer authentication, and the U.S. government. Along the way, attendees asked lots of questions and got lots of insightful answers.

    Fundamentally, a key theme that resonated throughout the virtual summit was that passkeys are a password replacement – and it’s a replacement that can’t come soon enough.

    “Passwords are still the primary way for logging on and they are still easily phished through social engineering and they tend to be very difficult to use and to maintain,” David Turner, senior director of standards development at the FIDO Alliance said. “The consequences are real and the impact is real to the world at large.”

    Passkeys 101

    During his session, Turner provided a high-level overview on what passkeys are and how they work.

    Passkeys build upon existing FIDO authentication protocols and simplify the user experience. 

    Passkeys can now be synchronized across devices through the use of passkey providers, removing the need for separate credentials on each device. Passkeys also enable new capabilities like cross-device authentication. Turner demonstrated how a QR code scanned on one device can securely connect to credentials stored on another nearby device. 

    In addition to synced passkeys, there are also device-bound passkeys that rely on technologies like a security key to provide the required credentials.

    The State of Passkeys

    The current and future state of passkey adoption was the topic tackled by Andrew Shikiar, executive director and CEO of the FIDO Alliance.

    There are now hundreds of services, including the major platform vendors Microsoft, Apple and Google, representing billions of users, that support passkeys at this point in 2024.

    “If you are a service provider and you wish to deploy passkeys, you can do so with high confidence that your consumers will be able to leverage them,” he said.

    The FIDO Alliance aims to drive passkey support over the coming years, in part by sharing best practices and success stories, which is a core part of what the virtual summit was all about.

    Usability was emphasized as a key factor for widespread adoption. 

    “Usability is paramount. It must be front and center in what you do,” said Shikiar. 

    The FIDO Alliance has released user experience guidelines and a design system to help companies implement passkeys in a user-friendly way. Future guidelines will address additional use cases.

    Shikiar emphasized that passkeys are not about being a new addition to improve the security of passwords. His expectation is that passkeys will be seen as a true password replacement rather than just an attempt at bolstering existing authentication methods. He emphasized that the fundamental problem is passwords, and the goal should be replacing them, not just adding extra security layers on top of passwords. Shikiar wants people to stop thinking about multi-factor authentication factors and instead think about enabling phishing resistant identities. 

    Passkeys are on Target at Target

    Passkeys are already in use at retail giant Target, helping to improve security and optimize authentication for its employees. 

    Tom Sheffield, senior director cybersecurity at Target, said that the company has been leveraging FIDO for workforce authentication since 2018 and adopted it as a primary authenticator in 2021.

    One of the ways that Target has been able to more easily enable passkey support across its platforms is via Single Sign On (SSO). 

    “We have a very robust SSO environment across our web application suite,” Sheffield said. “So for us, that made it very easy to integrate FIDO into the SSO platform, and then therefore every application behind SSO automatically got the benefit of it.”

    In terms of how Target was able to get its users to adopt passkeys quickly, Sheffield said that the option was communicated to users in the login flow, rather than trying to explain to users what they should do in an email.

    Overall, Sheffield emphasized that if an organization is using OTP (one time passwords) today for multi-factor authentication (MFA), any form of FIDO will provide significantly better user experience and security. 

    “There have not been many security programs that I’ve been part of in my 25-year career in this space that offer you security and user experience simultaneously,” he said. “So if you’re using anything other than FIDO you’ve got a great opportunity to up your game and provide a great experience for users which should make you a hero.”

    Authenticating a Billion Customers with Passkeys at Amazon

    Among the biggest consumer-facing websites that support passkeys today is online giant Amazon.

    Yash Patodia, senior manager of product management at Amazon, detailed how passkeys were rolled out to hundreds of millions of consumers worldwide. Patodia explained Amazon’s motivation, noting that passwords are relatively easy for a bad actor to crack. He noted that passkeys help customers to authenticate more easily than other methods with a better user experience.

    Amazon implemented passkeys using different APIs for web, iOS, and Android platforms. With passkeys now available across devices, Amazon’s goal is to drive awareness and increase passkey adoption among its customer base over the next year. In his view, passkeys are well suited for mass adoption and early indications from Amazon’s user base are very encouraging.

    “If you’re a consumer facing company who has a big customer base, definitely explore this option,” he said.

    Considerations for FIDO and Passkeys in the US Government 

    The U.S. Government is no stranger to the world of strong authentication, with many staffers already using PIV (Personal Identity Verification) smart card credentials. 

    Teresa Wu from IDEMIA and Joe Scalone from Yubico, who both serve on the FIDO Alliance’s Government Deployment Working Group (GDWG), provided an overview of how passkeys can complement PIV credentials and support a zero trust security model. 

    As government agencies work to implement phishing-resistant multi-factor authentication, passkeys are an option that could provide a more seamless user experience than one-time passwords or hardware tokens. 

    “We are not here to replace PIV, we are here to supplement and use FIDO where PIV is not covered,” said Wu. 

    One area they see opportunities for FIDO is for federal contractors and employees who are not eligible for a PIV card due to their job functions. Currently these individuals rely on passwords for system access.

    State of Passkey Portability Set to Improve

    A critical aspect of user experience is the ability to change passkey providers and move from one provider to another, if that’s what the user wants to do.

    With existing password managers and legacy passwords, the process of moving credentials isn’t particularly efficient or secure, according to Rew Islam from Dashlane and Nick Steele from 1Password. It’s a situation that the Credential Provider Special Interest Group within the FIDO Alliance is looking to solve with a new standard for securely porting passwords between different password/passkey management applications.

    The group is developing a new Credential Exchange Protocol that will use hybrid public key encryption to securely transfer credentials; the effort also includes the development of a standardized data format for credential information.

    “By having the standard credential format, it will allow for interoperability of sharing credentials between two different providers in different organizations,” Steele said.

    A proof of concept demo for the credential exchange is currently set for May, during the FIDO Member Plenary in Osaka, Japan. Islam noted that the effort represents a real triumph for the power of FIDO to bring different competitive vendors together for common purpose.

    Common Questions about Passkeys 

    The virtual summit concluded with an ‘Ask Me Anything’ (AMA) session where attendees asked their most pressing questions on passkeys.

    Among the big questions asked:

    How should organizations consider choosing synced passkeys or device-bound passkeys from a security and usability perspective?

    Turner answered that the first thing to make really clear is that synced passkeys are probably the right answer for the majority of use cases. That said, he noted that FIDO recognizes that there are some areas where people have a much higher risk profile, and in those cases device-bound passkeys can provide an extra level of trust.

    Can passkeys play a role in transaction signing?

    Pedro Martinez from Thales responded that yes, passkeys can be used to sign transactions. He explained that the beauty of the FIDO protocol is that it is based on the signature of a challenge. As such, it’s possible to adjust the challenge in order to contain data related to a transaction that needs to be digitally signed.

    When will passkeys be the default mode of authentication? 

    Shikiar said that he doesn’t think that all passwords will go away, but he is hopeful for a passwordless future.

    “Sophisticated risk engines and anomaly detectors don’t really think twice about accepting a password,” he said. “But as passkeys become more prevalent and become the default all of a sudden using a password will be anomalous in and of itself. And I think that’s when we’ll be in the fabulous future when using a password is rightfully seen as a high risk and anomalous action.”

    EMVCo and FIDO Alliance Provide Essential Guidance on Use of FIDO with EMV 3DS
    https://fidoalliance.org/emvco-and-fido-alliance-provide-essential-guidance-on-use-of-fido-with-emv-3ds/
    Mon, 26 Feb 2024 19:22:12 +0000
    https://fidodev.wpengine.com/?p=72575

    As leaders in authentication and payments spaces respectively, the FIDO Alliance and EMVCo collaborate to provide guidance on how FIDO authentication can be incorporated in payment use-cases allowing merchants, acquirers/PSPs and issuers to have a consistent way to submit and process FIDO authentication data.

    EMVCo released a white paper with FIDO Alliance’s inputs, “EMV® 3-D Secure White Paper – Use of FIDO® Data in 3-D Secure Messages,” which explains how the use of FIDO authentication data in EMV 3DS messages can streamline e-commerce checkout while reducing friction for consumers. 

    Authentication flows are evolving, and merchants are increasingly building seamless experiences based on FIDO standards for device-based authentication, where a trusted device is bound to a payment credential to ensure the credential is being used by the verified cardholder. Consequently, it has become apparent that in some scenarios the issuer may require more data to assess risk and validate the authentication cryptographically. 

    This paper addresses these scenarios by providing a data structure that allows a chain of trust to be established between cardholder authentication, FIDO enrolments and FIDO authentication, giving issuers increased control over and insight into the authentication process, as well as the ability to validate authentication.

    In the EU, where payment authentication is required under PSD2 SCA, this industry-wide guidance can help enable more device-based authentication in a standardized way, using globally known authentication standards such as FIDO together with widely accepted authentication rails such as EMVCo.

    Read the full white paper on the EMVCo website to learn more.

    FIDO Alliance Announces Call for Speakers and Sponsors for FIDO APAC Summit 2024
    https://fidoalliance.org/fido-alliance-announces-call-for-speakers-sponsors-for-fido-apac-summit-2024/
    Wed, 21 Feb 2024 00:00:00 +0000
    https://fidodev.wpengine.com/?p=72430

    February 21, 2024

    The FIDO Alliance is excited to announce the return of the FIDO APAC Summit for its second year, building on the success of the 2023 event in Vietnam. Scheduled to take place at the JW Marriott Kuala Lumpur, Malaysia, from September 10th to 11th, this premier event in the APAC region is dedicated to advancing phishing-resistant FIDO authentication – focusing on FIDO-based sign-ins with passkeys, and addressing IoT security and edge computing challenges with FIDO Device Onboarding (FDO).

    Last year’s conference in Vietnam welcomed over 300 attendees and featured more than 20 sessions with engaging content alongside a sold-out exhibit area with over 20 industry-leading exhibitors and sponsors. The 2024 summit aims to build upon last year’s momentum with detailed case studies, technical tutorials, expert panels, and hands-on workshops. Sessions are designed to educate attendees on business drivers, technical considerations, and best practices for deploying modern authentication systems across web, enterprise and government applications. Additionally, attendees will benefit from a dynamic expo hall and engaging networking opportunities, set against the backdrop of downtown Kuala Lumpur’s natural beauty.

    FIDO APAC Summit 2024 Call for Speakers

    The FIDO Alliance invites thought leaders, industry experts, entrepreneurs, and academic professionals to submit speaking proposals to enrich the diverse FIDO APAC Summit 2024 program. Speakers with innovative ideas, implementation strategies, and successes in authentication and/or edge computing, from case studies to transformative projects, can submit proposals here. Selected speakers will join the ranks of top cybersecurity minds, influencing the community and promoting phishing-resistant authentication methods. Submit a proposal for an opportunity to shape cybersecurity’s future in the APAC region. Deadline for submissions is May 31, 2024. 

    Sponsorship Opportunities at FIDO APAC Summit 2024

    Join sponsors such as Samsung Electronics, SecureMetric, RSA, Thales, VinCSS, iProov, AirCuve, Zimperium, SmartDisplayer, and Utimaco and elevate your brand in the digital security landscape by sponsoring the FIDO APAC Summit 2024. This key event draws the cybersecurity community, offering sponsors a chance to interact with over 30 VIPs, speakers, and 300+ delegates, providing unparalleled brand visibility and thought leadership opportunities in the Asia-Pacific tech ecosystem. The summit is an ideal platform for sponsors eager to connect with an audience passionate about advanced passkeys and phishing-resistant authentication methods. Sponsoring this event places your brand at the forefront, engaging directly with professionals and policymakers driving the future of secure digital identities. Demonstrate your commitment to innovation and the development of secure, user-friendly digital ecosystems and influence the benchmark for authentication technologies by becoming a sponsor.

    To become a sponsor, view the prospectus and complete the Sponsorship Request Form.

    About FIDO Alliance

    Formed in July 2012, the FIDO (Fast IDentity Online) Alliance aims to address the lack of interoperability among strong authentication technologies and the difficulties users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is revolutionizing authentication with standards for simpler, stronger methods that reduce reliance on passwords. FIDO Authentication offers stronger, private, and easier use when authenticating to online services. For more information, visit www.fidoalliance.org.

    Recap: 2024 Identity, Authentication and the Road Ahead Policy Forum
    https://fidoalliance.org/recap-2024-identity-authentication-and-the-road-ahead-policy-forum/
    Fri, 02 Feb 2024 17:56:33 +0000
    https://fidodev.wpengine.com/?p=70433

    What’s the state of identity and authentication in 2024?

    That was the primary topic addressed in a day full of insightful speaker sessions and panels at the annual Identity, Authentication and the Road Ahead Policy Forum held on January 25 in Washington D.C. The event was sponsored by the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC). 

    Topics covered included the latest data on identity theft, financial crimes involving compromised identities and the overall ongoing challenges of identity and authentication. The opportunities for phishing-resistant authentication standards and passkeys resonated throughout the event as well. In his opening remarks, Jeremy Grant of the Better Identity Coalition framed identity as both a cause and potential solution to security problems. 

    White House advances strong authentication agenda

    In the opening keynote, Caitlin Clarke, Senior Director, White House National Security Council, detailed some of the steps the Biden-Harris administration is taking to improve digital identity and combat rising cybercrime.

    “Money is fuelling the ecosystem of crime, but we often see that identity is either the target or the culprit of the cyber incidents that we are seeing every day,” Clarke said. 

    In a bid to help improve the state of identity and authentication, the administration is implementing multi-factor authentication (MFA) for all federal government systems. Clarke also highlighted that the administration strongly believes in implementing phishing-resistant MFA.

    “We need to make it harder for threat actors to gain access into systems by requiring and ensuring that a person is who they say they are beyond the username and password,” she said. “That is why authentication is also at the heart of the work we are doing to improve the cybersecurity of critical infrastructure, upon which we all rely.”

    The role of biometrics

    Biometrics have a role to play in the authentication and identity landscape according to a panel of experts.

    The panel included Arun Vemury, Biometrics Expert and ITRC Advisory Board Member; James Lee, COO of the Identity Theft Resource Center; Dr. Stephanie Schuckers, Director, Center for Identification Technology Research (CITeR), Clarkson University; and John Breyault, VP, Public Policy, Telecom and Fraud, at National Consumers League.

    Panelists generally agreed that properly implemented biometrics combined with other security practices could help devalue stolen identity data and strengthen security overall. 

    “Biometrics has the potential to affect fraud numbers,” Breyault said. “It’s not a silver bullet, it’s not going to stop everyone, and it may not be useful in every context, but it is something different than what we’re doing now.”

    Better Identity at 5 years

    Five years ago, the Better Identity Coalition published Better Identity in America: A Blueprint for Policymakers in response to significant questions from both government and industry about the future of how the United States should address challenges in remote identity proofing and other key issues impacting identity and authentication.

    Jeremy Grant, Coordinator at the Better Identity Coalition, detailed the progress made in the past five years and also detailed new guidance for 2024.

    The report assessed that while some progress has been made in certain areas like promoting strong authentication, overall the government receives poor grades for failing to prioritize the development of modern remote identity proofing systems or establish a national digital identity strategy. 

    The revised blueprint outlines 21 new recommendations and action items for policymakers to help close gaps in America’s digital identity infrastructure and get ahead of growing security and privacy challenges posed by issues like synthetic identity fraud and deep fakes.

    “Our message today is the same as it was back in 2018, which is that if you take this as a package, if this policy blueprint is enacted and funded by government, it’s going to address some very critical challenges in digital identity and as the name of our coalition would suggest, make things better,” Grant said.

    The year of passkeys

    While there is much to lament about the state of identity and authentication, there is also cause for optimism.

    Andrew Shikiar, executive director of the FIDO Alliance, detailed the progress that has been made in the past year with the rollout and adoption of passkey deployments.

    “Passkeys are simpler, stronger authentication, they are a password replacement,” he said. 

    Shikiar noted that there are now hundreds of companies enabling consumers to use passkeys, which is helping to dramatically improve the overall authentication landscape. Not only is a passkey more secure, he also emphasized that it’s easier for organizations to use than traditional passwords and MFA approaches.

    “If you’re in the business of selling things, or providing content, or anything like that you want people to get on your site as quickly as possible – passkeys are doing that,” he said.

    Shikiar noted that the FIDO Alliance understands that user authentication is just one piece of the identity value chain. To that end the FIDO Alliance has multiple efforts beyond passkeys, including certification programs for biometrics and document authenticity certification programs among other efforts.

    Don’t want to get breached? Use strong, phishing-resistant authentication

    The primary importance of strong authentication was highlighted by Chris DeRusha, Federal Chief Information Security Officer in the Office of Management and Budget (OMB), who detailed a recent Cyber Safety Review Board report on the Lapsus cybersecurity gang.

    DeRusha noted that Lapsus hackers were able to beat MFA prompts using a variety of techniques, including social engineering and even just mass spamming employees with prompts to get someone to act.

    A key recommendation from the report is to move away from phishable forms of MFA, including SMS, and instead embrace FIDO-based authentication with passkeys.

    The view from FinCEN

    The U.S. Treasury’s Financial Crimes Enforcement Network, more commonly known by the acronym FinCEN, is a critical element of the U.S. financial system.

    FinCEN Director Andrea Gacki spoke at the event about the agency’s recent progress on beneficial ownership reporting and the FinCEN Identity Project. The FinCEN Identity Project refers to FinCEN’s ongoing work related to analyzing how criminals exploit identity-related processes to perpetuate financial crimes. As part of this, FinCEN published a financial trends analysis earlier this month that looked at 2021 Bank Secrecy Act data to quantify how bad actors take advantage of identity processes during account openings, access, and transactions.

    “Robust customer identity processes are the foundation of a secure and trusted U.S. financial system and are fundamental to the effectiveness of every financial institution,” Gacki said.

    Sean Evans, lead cyber analyst at FinCEN, noted that the recent report examined over 3.8 million suspicious activity reports filed in 2021 and found that approximately 1.6 million reports, representing $212 billion in activity, involved some form of identity exploitation. Evans explained that cybercriminals are finding ways to circumvent or exploit weaknesses in identity validation, verification, and authentication processes to conduct illicit activities like fraud.

    Kay Turner, chief digital identity adviser at FinCEN, emphasized that strengthening identity verification is critical for security. 

    “We have to get identity right, it is vital to building trust in the system,” Turner stated.

    CISA praises the push towards passkeys

    Closing out the event was a keynote from Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).

    Goldstein emphasized that it’s important to note that while there are challenges, there has also been progress. Passkeys are now used by consumers every day and increasing numbers of enterprises are moving toward passwordless deployments.

    “It’s worth starting out just with some reflection on how far we have come in moving towards a passwordless future,” Goldstein said. “We are seeing more and more enterprises moving to passwordless for their enterprise privileges, their admin, their employee authentication solutions and that’s a remarkable shift.”

    FIDO Alliance Announces Call for Speakers for Authenticate 2024
    https://fidoalliance.org/fido-alliance-announces-call-for-speakers-for-authenticate-2024/
    Wed, 24 Jan 2024 13:01:14 +0000
    https://fidodev.wpengine.com/?p=69571

    Carlsbad, Calif., January 24, 2024 – The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins with passkeys.

    Authenticate 2024, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 14-16, 2024 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego. Information on submitting a speaking proposal is available on the event website.

    Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fifth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

    Last year’s conference welcomed over 850 total attendees in Carlsbad and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 50+ industry-leading exhibitors and sponsors.

    Authenticate 2024 will build upon this momentum and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities that tap into the natural beauty of Carlsbad and the La Costa Resort. 

    Authenticate 2024 Call For Speakers

    With today’s announcement, the Authenticate 2024 program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.

    The committee is looking for vendor-neutral, educational presentations that focus on authentication implementations and best practices for specific steps of the passwordless journey from the service provider perspective for consumer and workforce rollouts across regulated and non-regulated industries. 

    Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication and topics closely related to user authentication and account lifecycle management will also be considered. 

    The committee is looking for a variety of session types and formats including main stage market perspectives, detailed case studies, technical tutorials, hands-on labs, and thought provoking panels. Experienced and new speakers alike are encouraged to submit proposals.

    Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

    The Authenticate Call for Speakers closes on March 4, 2024. To submit an application, please visit https://authenticatecon.com/authenticate-2024-call-for-speakers/

    Sponsorship Opportunities at Authenticate 2024 

    Authenticate 2024 offers sponsors a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. Authenticate is currently accepting applications for sponsorship from FIDO Alliance members and will open to the industry at large on February 2, 2024. Sign up for the Authenticate newsletter to receive sponsorship information when it becomes publicly available.

    Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

    Signature sponsors for the 2024 event are Google, Microsoft, and Yubico.

    About Authenticate

    Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins with passkeys. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

    Authenticate 2024 will be held October 14-16, 2024 and will be co-located with the FIDO Alliance’s member plenary (running October 14-17) at the Omni La Costa Resort in Carlsbad, CA, just north of San Diego. The conference will feature ample space for a rapidly growing audience, a variety of session types to appeal to all levels, and its most dynamic expo hall yet for companies bringing passwordless to fruition – as well as added networking opportunities. 

    Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2024 will have the right content – and community – for you. 

    Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, speaking and sponsorship opportunities, sign up for the newsletter.

    Authenticate Contact

    authenticate@fidoalliance.org   

    PR Contact 

    press@fidoalliance.org

    2023 FIDO Seoul Public Seminar: Charting the Future of Online Authentication with Passkeys
    https://fidoalliance.org/2023-fido-seoul-public-seminar-charting-the-future-of-online-authentication-with-passkeys/
    Thu, 11 Jan 2024 15:56:34 +0000
    https://fidodev.wpengine.com/?p=69066

    The FIDO Seoul Public Seminar, “Passkeys – Online Authentication Paradigm Shift,” was hosted on December 5, 2023, at the SK Telecom Headquarters in Seoul by SK Telecom’s developer community, DEVOCEAN. This marked yet another significant milestone in the journey towards simpler and stronger online authentication. The event drew an audience of over 200, showcasing a myriad of updates and advancements in the realm of passkeys.

    [Pictures from 2023 FIDO Seoul Public Seminar]

    The sessions, which included diverse case studies from Korea, USA, Vietnam, Malaysia, and other countries, offered attendees a comprehensive view of FIDO authentication and FIDO Device Onboard (FDO) implementations, presenting a unique blend of global insights and practical applications. We are excited to share highlights and recorded videos from some of the seminar’s pivotal sessions:

    • FIDO Alliance Update – Passkey Tipping Point: Andrew Shikiar, Executive Director & CMO of the FIDO Alliance, discussed the rapid adoption and market interest in passkeys, underlining their potential to revolutionize online authentication. (Watch Video)
    • KISIA-FIDO Alliance Collaboration Guide: Yeri Won, Department Head at KISIA, presented a new subsidized program for Korean small and medium enterprises that apply for FIDO certifications commencing in 2024. (Watch Video)
    • The Beginning of the End of Passwords: Christiaan Brand from Google provided insights into Google’s strategy for implementing passkeys as a primary sign-in method. (Watch Video)
    • Experience with Passkeys on Galaxy Devices: Samsung Electronics’ Passkey Task Force members, Jong Su Kim and Joon Suk Lee discussed the integration of passkeys in Galaxy devices, along with Samsung Pass and Samsung Internet Web Browser. (Watch Video)
    • The Key to the Future: Understanding the Future Brought by Passkeys: Ki-Eun Shin, Principal Researcher at SK Telecom and leader of the FIDO Korea Working Group Technical Sub-Group, offered forward-looking perspectives on the application of passkeys in various Korean business sectors. (Watch Video)

    This remarkable event garnered significant attention from various local media outlets, including ZDNet Korea, IT Daily, Data Net, Boan News, Daily Secu, and Byline Networks. Coverage by these media outlets highlighted the seminar’s forward-thinking approach, noting its potential to shape the future of online authentication. They emphasized a move towards less dependency on password and OTP-like, knowledge-based authentication methods, which are easy targets for cyber-attacks like phishing and credential stuffing.

    We extend our deepest gratitude to all the distinguished speakers for their invaluable insights and contributions. Special thanks to Seungwon Shin, Vice President of the Security Team at Samsung Electronics, Heungyeol Yeom, Professor at Soonchunhyang University, Jaebeom Kim from TTA, Leewon Ye of KISIA, Yoo Seok Han from AirCuve, Chong Seak Sea of SecureMetric Malaysia, Jaehyung Lee from Octatco, Simon Trac Do of VinCSS Vietnam, Christiaan Brand of Google, Sang Jun Park from Microsoft, Jong Su Kim and Joon Suk Lee of Samsung Electronics, and Kieun Shin of SK Telecom.

    For additional details about the seminar agenda, please visit the 2023 FIDO Seoul Public Seminar landing page.

    Webinar Recap: Passkey Technology Implementation and Application
    https://fidoalliance.org/webinar-recap-passkey-technology-implementation-and-application/
    Mon, 08 Jan 2024 12:59:27 +0000
    https://fidodev.wpengine.com/?p=68747

    On December 27, 2023, FIDO China Working Group successfully hosted a webinar titled “Passkeys Technology Implementation and Application.” Chaired by Henry Chai, who also serves as the co-chair of FIDO China Working Group, the event provided a highly professional platform for discussion. Yang Li (OPPO), Shaobo Han (Uni-ID), and Mengyang Lin (FIT2CLOUD) joined as guest speakers and shared their insights and practical experiences regarding the implementation and application of passkeys technology. Over 100 industry professionals attended the event and actively participated in post-sharing discussions.

    This event centers on the advancement of the implementation and utilization of passkeys technology within China’s industrial sector. It serves as a platform for professionals, scholars, entrepreneurs, and technology developers in the field of cybersecurity to engage in meaningful dialogue and collaboration. As technology continues to evolve and demand for application grows, FIDO Alliance anticipates that the implementation of passkeys will become more ingrained in society, serving as a vital tool in safeguarding information security. This development is expected to infuse fresh momentum into the journey of internet security and digitization, and propel the cybersecurity industry forward.

    Blog: FIDO APAC Summit 2023: Pioneering Simpler and Stronger Authentication in Asia-Pacific
    https://fidoalliance.org/blog-fido-apac-summit-2023-pioneering-simpler-and-stronger-authentication-in-asia-pacific/
    Fri, 15 Dec 2023 21:12:26 +0000
    https://fidodev.wpengine.com/?p=67672

    From August 28th to 30th, 2023, the FIDO Alliance convened industry leaders, government representatives, and cybersecurity experts from the Asia-Pacific region at the FIDO APAC Summit 2023. The summit, hosted by Vietnam’s Ministry of Information and Communication in collaboration with the Vietnam Authority of Information Security and VinCSS, a subsidiary of VinGroup, took place in Nha Trang, Vietnam. The summit, which took place in Vietnam to mirror the nation’s dynamic developments, aimed to foster discussions and strategies around the advancement of phishing-resistant FIDO (Fast Identity Online) authentication.

    [Pictures from Hallway: August 29th]

    Drawing over 300 attendees from 12 distinct nations, including Vietnam, Korea, Malaysia, Singapore, Taiwan, Thailand, Japan, Indonesia, India, the UK, the USA, and Australia, the FIDO APAC Summit 2023 fostered rich discussions and collaborations. With a lineup of 29 speakers from diverse sectors such as government agencies, corporate enterprises, e-commerce platforms, solution vendors, service providers, and manufacturing firms, the event facilitated the sharing of expertise and insights over the fruitful days of the conference.

    [Pictures from the Main Sessions: August 29th]

    During the event, attendees had the opportunity to delve deep into more than 30 developer workshops and deployment/implementation case studies, each one offering a window into the rapidly expanding adoption of phishing-resistant FIDO Authentication across the APAC region and beyond. These sessions revealed several critical insights, highlighting current trends and forecasting the promising future of this essential technological progression. Here are some notable observations:

    Google: From 2019 to 2022, the APWG (Anti-Phishing Working Group) Phishing Activity Trends Report indicated that the number of phishing attacks increased by more than 150% per year. Attacks targeting the financial sector accounted for 27.7% of all phishing attacks. (Download Slide Deck)

    Yubico: Yubico’s State of Global Enterprise Authentication Survey 2022 revealed that 59% of employees continue to use a username and password as their primary authentication method for account access. Furthermore, 54% of respondents confessed to writing down or sharing their passwords. (Download Slide Deck)

    Lenovo: Since 2016, over 90 local banks in China, accommodating 700 million-plus users, have adopted FIDO Authentication. The implementation of FIDO has spread from the banking sector to other industries, including manufacturing and smart city initiatives. (Download Slide Deck)

    GovTech: The session highlighted the importance of FIDO Authentication, a phishing-resistant and globally recognized industry standard, in countering SMS phishing scams. These scams not only lead to financial and reputational damage but also impede national digitization efforts aimed at fostering growth. (Download Slide Deck)

    Mastercard: There was a consensus on the necessity for merchants to have more options to enhance user experience and security, helping to avoid the frictions that lead to issues like a 65% rate of card abandonment during the checkout process. (Download Slide Deck)

    NTT Docomo: In the COVID era, particularly from 2020 to 2023, NTT Docomo succeeded in reducing attacks on “d Account” by 99% by introducing a range of authentication options, including FIDO, thereby harmonizing user experience and security. (Download Slide Deck)

    Samsung Electronics: Over 30 nations have already adopted mobile eID for identification and authentication processes. Its applications are widening to include functions such as bank loan applications, digital travel credentials, and hotel check-ins. Efforts to merge the mobile eID standard with the biometric authentication standard are underway. (Download Slide Deck)

    Mercari: After implementing FIDO/Passkeys, the Japanese marketplace app noted a 14.9% increase in successful authentication processes, a marked improvement over the 67.6% achieved through SMS-based authentication. Additionally, the authentication speed has been reduced to 4.4 seconds, compared to the 24 seconds required with SMS-based authentication. (Download Slide Deck)

    Hieu Minh Ngo: A former hacker and identity thief who served 13 years in US federal prison for stealing hundreds of thousands of individuals’ personal information, shared various phishing attack techniques. He demonstrated that phishing-resistant, passwordless authentication could effectively thwart such attacks. (Download Slide Deck)

    [Mr. Trần Đăng Khoa, Acting Director General of the Authority of Information Security]

    A significant milestone achieved during the summit was the induction of Vietnam’s Ministry of Information and Communications (MIC), through its Authority of Information Security, as the 10th government-level member of the FIDO Alliance. The summit also received well-rounded media coverage, both pre- and post-event, in numerous esteemed publications. Some highlights include:

    [Pictures from the Main Sessions: August 30th]

    FIDO Alliance extends our deepest gratitude to our sponsors and media partners, whose dedication to a password-free world was instrumental in orchestrating this first-ever FIDO APAC summit. Their sustained efforts were the linchpin for the event’s success. Looking forward, we anticipate the collaborations and knowledge fostered during this summit to pave the way for a more secure digital future in the APAC region. Thanks also to all of the participants for attending and engaging during the event.  
    Editor’s Note: This is the final blog post covering the FIDO APAC Summit 2023. We invite you to visit the landing page and read the ‘Opening of Registration’ and ‘Speaker & Sponsor Line-Up Announcement’ messages to gain a deeper understanding of the background and details.

    FIDO Authentication Adoption Soars as Passwordless Sign-ins with Passkeys Become Available on More than 7 Billion Online Accounts in 2023 https://fidoalliance.org/fido-authentication-adoption-soars-as-passwordless-sign-ins-with-passkeys-become-available-on-more-than-7-billion-online-accounts-in-2023/ Fri, 08 Dec 2023 01:00:00 +0000 https://fidodev.wpengine.com/?p=43989 Momentum continues in Japan with notable passkey deployments, while SBI Sumishin Net Bank announces membership and Mercari is appointed to Board of Directors 

    TOKYO, December 8th, 2023 – 2023 has been ‘the year of passkeys,’ as major consumer brands began offering them to make more than 7 billion user accounts ready for passwordless sign-ins. This momentum behind FIDO is the focus of today’s 10th FIDO Tokyo Seminar, where hundreds gathered to learn about the latest developments in the global push to eliminate dependence on passwords. Presenters include those from the Digital Agency of Japan, the National Institute of Informatics, the Taiwan government, Amazon, FIDO Alliance, Google, KDDI Corporation, LY Corporation, Mercari, NTT DOCOMO, TikTok and more.

    FIDO Authentication uptake soars in 2023 as passkeys become available for consumer and workforce applications

    Passkeys, which can be available across a user’s devices or bound to a single device, provide phishing-resistant security with a user experience far superior to passwords and other phishable forms of authentication. Many major consumer brands including Adobe, Amazon, Apple, CVSHealth, Dashlane, DocuSign, Google, Hyatt, Instacart, Kayak, LY Corporation, Mercari, NTT DOCOMO, Nintendo, 1Password, PayPal, Shopify, TikTok and others began offering them for cross-device sign-in to their services in 2023. Usage jumped in the workforce, too, as companies such as Fox, Hyatt, Intuit, Target and more bolstered their authentication options with passkeys.

    Consumers also gained more flexibility for passkey management this year, as credential managers such as 1Password, Bitwarden, Dashlane and LastPass joined Apple, Google and Microsoft as available options for managing passkeys across devices.

    Service providers are realizing the benefits of passkeys

    Google made passkeys the default sign-in method for personal Google accounts and over 9 million organizations can allow users to sign in to Google Workspace or Google Cloud using passkeys. Google, which has shared many early results from its implementation, reported passkeys are 40% faster than signing in with passwords. Other benefits have been reported by Intuit, which has seen a 97% sign-in success rate and a 70% reduction in sign-in time with passkeys, and Mercari, which has seen an 82.5% authentication success rate with a 20.5-second reduction in authentication time compared to SMS OTP sign-ins.

    Notable Momentum in Japan

    Specifically in Japan, notable FIDO momentum discussed in the seminar included: 

    • KDDI has more than 10 million au ID customers now using FIDO authentication (as of August 2023), and has seen a dramatic decrease (nearly 30%) in calls to its customer support center as a result.
    • LY Corporation now has 21 million active FIDO users among the 44 million users who have enabled the passwordless option; over 40% of all user authentications on smartphones are now FIDO authentications.
    • Mercari has seen the benefits of passkeys, with 2.1 million users enrolled, sign-in speeds of 4.4 seconds (a 20.5-second reduction), and an 82.5% sign-in success rate (a 15% improvement).
    • NTT DOCOMO has released its own Digital Identity Guidelines, and since deploying passkeys has seen dramatic enrollment (almost double in a year, now 37%) and a reduction in successful phishing attacks.

    Along with the many deployments in Japan, there are 64 of the FIDO Alliance’s 250+ member companies actively taking part in the FIDO Japan Working Group (FJWG). The FJWG is now beginning its 8th year working together to spread awareness and adoption of FIDO in the region. Notably, SBI Sumishin Net Bank today announced that they have joined FIDO Alliance as a Sponsor member, effective immediately, and Mercari has been appointed to the FIDO Alliance Board of Directors.

    Consumers and workforce users are aware of, and want to use, passkeys

    Passkeys are not only available across a wide array of services, but recent studies have shown that consumers and workforce users are aware of, and want to use, passkeys. A recent report from FIDO Alliance and LastPass showed that businesses believe passkeys will help make them more secure: 92% believe passkeys will benefit their overall security posture, and 93% agree that passkeys will eventually help reduce the volume of unofficial (i.e., “Shadow IT”) applications. 

    Another FIDO Alliance report revealed that passkeys have grown in consumer awareness despite having been live for just over a year, rising from 39% in 2022 to 52% awareness today, while more than half of respondents said they had set up a passkey to sign into an account.

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    Securing the Edge and Connected Devices with FDO: an Authenticate Virtual Summit https://fidoalliance.org/securing-the-edge-and-connected-devices-with-fdo-an-authenticate-virtual-summit/ Thu, 07 Dec 2023 17:24:32 +0000 https://fidodev.wpengine.com/?p=43984 Join Dell, IBM, Intel, Red Hat and more for education and guidance on leveraging FIDO Device Onboard to foster trust in the edge and IoT space

    The FIDO Alliance will host its final free Authenticate Virtual Summit of the year on December 14, 2023, focusing on securing the edge and connected devices with FIDO Alliance’s FIDO Device Onboard (FDO) technology. 

    Attendees from manufacturing, automotive, retail, healthcare and more will gather to learn about the benefits of FDO for onboarding devices across edge computing and IoT environments. To register for the summit, “Securing the Edge and Connected Devices with FDO,” visit the website.

    Edge nodes and connected devices are bringing transformative benefits to a whole range of industries. However, there are deep-rooted security risks that must be overcome to enable more organizations to take advantage of these benefits. These risks stem from costly and risky installation and onboarding practices. 

    Speakers from Dell, FIDO Alliance, IBM, Intel, Red Hat and more will share expert perspectives and education on how to leverage FDO to foster trust in the edge and IoT space and bring mass deployments to the next level. Agenda topics include:

    • Introductory sessions on FDO and Certification
    • Technical deep dive of FDO
    • Walk through of the open source software components available that support FDO
    • Case studies from organizations that have already begun to include FDO in products and services, that are now being utilized by customers in a variety of settings and applications

    Registrants unable to attend the summit live can view sessions on-demand following the event.

    Blog: FIDO Alliance Publishes Guidance for U.S. Government Agency Deployment of FIDO Authentication https://fidoalliance.org/blog-fido-alliance-publishes-guidance-for-u-s-government-agency-deployment-of-fido-authentication/ Thu, 16 Nov 2023 17:04:20 +0000 https://fidodev.wpengine.com/?p=43768 The U.S. government has embraced FIDO authentication, and is now looking for further guidance around how to implement this technology into the government’s existing PIV-centric ecosystem used to manage enterprise access for government employees and contractors. 

    To provide this guidance, the FIDO Alliance published a paper, “FIDO Alliance Guidance for U.S. Government Agency Deployment of FIDO Authentication.”

    This resource is the first output of a new committee formed by the FIDO Alliance’s Board of Directors at the request of the White House Office of Management and Budget (OMB) and Cybersecurity and Infrastructure Security Agency (CISA). The Committee, whose goal is to improve and accelerate adoption of FIDO technology within federal agencies, includes representatives from CISA, the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense, in addition to other FIDO Alliance members.

    The Committee is aligned with the government’s efforts to modernize identity to counter threats, and encourages agencies to advance their Zero Trust Architecture journeys by implementing identity capabilities that support both FIDO and PKI-based phishing-resistant MFA. 

    It also provides guidance on implementation of FIDO credentials within the federal digital identity ecosystem in order to meet immediate priorities defined in OMB 22-09, Federal Zero Trust Strategy and advance cybersecurity outcomes by enabling future phases of Federal Zero Trust Architecture efforts.

    Alternative options for phishing-resistant authentication are necessary in the federal workforce, for example, for individuals who are not PIV eligible, or to quickly enable access for new employees who are waiting for their PIV to be issued, or those individuals who work remotely and don’t need access to federal facilities. 

    This document highlights areas where FIDO offers the best value to address U.S. Government use cases as an enhancement of existing infrastructure, while minimizing rework as agencies advance their zero trust strategies with phishing-resistant authentication tied to enterprise identity as the foundation.

    The FIDO Alliance will host a webinar, “Deploying FIDO Authentication in U.S. Government Agencies,” covering the essential information in this white paper on November 28, 2023 at 1:00 PM ET / 11:00 AM PT. To register for the webinar, click here.

    To engage with the FIDO Alliance’s new committee regarding this paper, please contact feedback@fidoalliance.org.

    About the FIDO Alliance
    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    The EU organizations ENISA and ETSI refer to FIDO as authentication standard for eIDAS2 https://fidoalliance.org/the-eu-organizations-enisa-and-etsi-refer-to-fido-as-authentication-standard-for-eidas2/ Thu, 02 Nov 2023 14:31:37 +0000 https://fidodev.wpengine.com/?p=43468 During the past years, FIDO has continued its expansion as an authentication standard among eIDAS compliant identification solutions across the EU. Back in 2020, FIDO was deployed as part of an eID scheme by the Czech domain register CZ.NIC’s identity provider MojeID, and FIDO’s eID scheme was recognized as LoA Substantial and High by the Czech ministry of interior. The year after, the Norwegian trust service provider Buypass deployed FIDO2 as an authentication standard for an eIDAS eID scheme of LoA Substantial and High; this solution has been accredited by the Norwegian digitalization agency and is now being rolled out in the Norwegian healthcare sector. In April 2023, the FIDO Alliance published a white paper that describes how FIDO can be used for the EUDI Wallet under the proposed eIDAS2 regulation. So FIDO is currently gaining momentum as an authentication standard in the EU.

    On top of these success stories, the FIDO standards have recently been referenced by two of the most respected EU organizations within cybersecurity and standardization: ENISA (the EU Cybersecurity Agency) and ETSI (the European Telecommunications Standards Institute).

    In July 2023, ENISA published the report “Digital Identity Standards”. The report provides a comprehensive overview of digital identity standards, standardization organizations, and authentication protocols. More specifically, the report describes the FIDO Alliance as “an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that ‘help reduce the world’s over-reliance on passwords’”. Furthermore, the ENISA report describes the FIDO standard suite FIDO2, FIDO U2F and FIDO UAF in technical detail. The ENISA report also explains the concepts of FIDO Authenticators, FIDO Metadata Service, assertions with Relying Parties, and the WebAuthn and CTAP2 APIs. ENISA concludes that the maturity of the FIDO standards is high. This ENISA report re-iterates and emphasizes the recommendation to use FIDO for two-factor authentication, which was published in 2022 in the joint publication “Boosting your Organisation’s Cyber Resilience” issued in cooperation by EU-CERT and ENISA.

    Next, ETSI published the technical report ETSI TR 119 476 called “Analysis of selective disclosure and zero-knowledge proofs applied to Electronic Attestation of Attributes”. The ETSI report analyzes cryptographic schemes for selective disclosure and their potential application for Electronic Attestation of Attributes in line with the proposed eIDAS2 regulation. The purpose is to allow the users of the EUDI Wallets to select what attributes they want to share with a verifier. For example, a user may only want to disclose that she is over 18 years old at a restaurant, but no more personal information than that. The ETSI report includes a description of the VC-FIDO solution, which was invented by David Chadwick at Kent University. The ETSI report states:

    “The VC-FIDO integration is based on the W3C WebAuthn protocol in the FIDO2 standard. The WebAuthn stack is extended with a W3C Verifiable Credentials enrollment protocol, resulting in a client that can enroll for multiple atomic short-lived W3C Verifiable Credentials based on W3C Credential templates. These atomic short-lived W3C Verifiable Credentials can then be (temporarily) stored in an EUDI Wallet, and be combined into a Verifiable Presentation that is presented to the relying party (verifier). Selective disclosure is achieved since the user can enroll for the atomic attributes it needs for a specific use case, and present only those atomic (Q)EAAs to a Relying Party.”

    These prominent references in the ENISA and ETSI reports demonstrate that FIDO has achieved a firm position as a viable authentication standard for eIDAS2 and regulated use cases in the EU. It will be interesting to follow the continued development of the EUDI Wallet implementations and the related Large Scale Pilots – it is quite likely that FIDO will be deployed in such solutions across the EU.

    Author: Sebastian Elfors, senior architect at IDnow

    Businesses are Ready to Ditch Passwords, Says New Report from FIDO Alliance and LastPass https://fidoalliance.org/businesses-are-ready-to-ditch-passwords-says-new-report-from-fido-alliance-and-lastpass/ Mon, 16 Oct 2023 11:55:28 +0000 https://fidodev.wpengine.com/?p=42845 89% of IT leaders expect passwords will represent less than a quarter of their organization’s logins within five years or less

    CARLSBAD, California and BOSTON, Massachusetts – October 16, 2023 – The FIDO Alliance and LastPass released the 2023 Workforce Authentication Report today, which gauges IT decision makers’ attitudes and plans for removing passwords in favor of easier and more secure passwordless authentication. The verdict? Businesses are actively moving to eradicate passwords from employees’ lives, with 89% of surveyed IT leaders expecting passwords to represent less than a quarter of their organization’s logins within five years or less.

    Top findings from the 2023 Workforce Authentication Report:

    • Businesses are ready to embrace a passwordless future, with 92% having a plan to move to passwordless technology and 95% currently using a passwordless experience at their organization. 
    • Businesses believe passkeys will help make them more secure: 92% believe passkeys will benefit their overall security posture, and 93% agree that passkeys will eventually help reduce the volume of unofficial (i.e., “Shadow IT”) applications.
    • However, many recognize that work still needs to be done: A majority of businesses surveyed are still using phishable authentication methods, such as passwords (76%) and multi-factor authentication (MFA) (43%) when it comes to authenticating users within their organization. 
    • The majority recognize that this transition will take time and education: 55% of IT leaders surveyed feel they need more education on how passwordless technology works and/or how to deploy it, and 28% cited concerns that users may be resistant to change or using a new technology.
    • When making this transition, businesses made it clear they want to choose where they store passkeys, with 69% of IT leaders anticipating storing them in a third-party password manager. 

    “The move towards passwordless authentication has gained steam over the past few years as an increasing number of organizations have moved to eliminate the risk and liability of passwords as they are the source of the vast majority of data breaches,” said Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. “Today’s report backs up this trend by illustrating that global IT leaders are rapidly aiming to reduce their reliance on legacy forms of authentication in favor of passkeys for user-friendly, phishing-resistant sign-ins.”

    “These survey results demonstrate that businesses are excited about the prospect of a passwordless future, and all the benefits that future will bring. And the clear majority also recognize that a password manager plays an important role in that future,” said Mike Kosak, Senior Principal Intelligence Analyst at LastPass. “While the adoption of passwordless authentication will take some time and coaching, LastPass is proud to support forward-thinking leaders like these on that journey – ushering their organizations toward security that is stronger and more effortless than ever.”

    Resources:
    2023 Workforce Authentication Report
    LastPass Blog Post on the 2023 Workforce Authentication Findings
    LastPass | FIDO Alliance LinkedIn Live: October 16, 12:30 pm PT 

    Research for the 2023 Workforce Authentication Report was conducted by Sapio Research through an online survey of 1,005 IT decision makers in the United States, Germany, Australia, United Kingdom, and France. 

    # # #

    Editor’s note:

    • Phishable authentication methods rely on knowledge-based factors or other factors that can be intercepted by a malicious party. Phishable authentication methods include passwords, one-time passwords (OTPs), and SMS OTPs.

    About the FIDO Alliance
    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    About LastPass
    LastPass is an award-winning password manager which helps millions of registered users organize and protect their online lives. For more than 100,000 businesses of all sizes, LastPass provides password and identity management solutions that are convenient, easy to manage and effortless to use. From enterprise password management and single sign-on to adaptive multi-factor authentication, LastPass for Business gives superior control to IT and frictionless access to users. For more information, visit https://lastpass.com. LastPass is trademarked in the U.S. and other countries.

    PR Contact – FIDO Alliance
    press@fidoalliance.org 

    PR Contact – LastPass
    press@lastpass.com

    FIDO Alliance study reveals growing demand for password alternatives as AI-fuelled phishing attacks rise https://fidoalliance.org/fido-alliance-study-reveals-growing-demand-for-password-alternatives-as-ai-fuelled-phishing-attacks-rise/ Mon, 16 Oct 2023 11:52:58 +0000 https://fidodev.wpengine.com/?p=42840 Increased desire for biometrics and awareness of passkeys increases imperative on service providers to enable stronger, more user-friendly sign-ins

    Summary of key findings: 

    • Password usage without two-factor authentication (2FA) is still dominant across use cases – consumers enter a password manually nearly 4 times a day, or 1,280 times a year
    • But when given the option, users want other authentication methods – biometrics is both the preferred method for consumers to log-in and what they believe is most secure, while awareness of passkeys continues to grow
    • Online scams are becoming more frequent and more sophisticated, likely fuelled by AI – over half (54%) have seen an increase in suspicious messages and scams, while 52% believe they have become more sophisticated
    • The impact of legacy sign-in methods is getting worse – the majority of people are abandoning purchases and giving up accessing services online – this is 15% more likely than last year at nearly four times per month per person

    October 16, 2023 – FIDO Alliance today publishes its third annual Online Authentication Barometer, which gathers insights into the state of online authentication in ten countries across the globe. New to the Barometer this year, FIDO Alliance has also begun tracking consumer perception of threats and scams online in a bid to understand anticipated threat levels globally.

    Key findings 

    The 2023 Online Authentication Barometer found that despite widespread usage of passwords lingering on, consumers want to use stronger, more user-friendly alternatives. Entering a password manually without any form of additional authentication was the most commonly used authentication method across the use cases tracked – including accessing work computers and accounts (37%), streaming services (25%), social media (26%), and smart home devices (17%). Consumers enter a password manually nearly four times a day on average, or around 1,280 times a year. The only exceptional scenario to this trend was financial services, where biometrics (33%) narrowly beat passwords (31%)* as the most used sign-in method. 

    This is especially interesting considering biometrics’ rising popularity as an authentication method. When asked what authentication method people consider most secure and the method they most prefer using, biometrics ranked as favourite in both categories, rising around 5% in popularity since last year. This suggests that consumers want to use biometrics more but don’t currently have the opportunity.  

    “This year’s Barometer data showed promising signs of shifting consumer attitudes and desire to use stronger authentication methods, with biometrics especially proving popular. That said, high password usage without 2FA worryingly reflects how little consumers are still being offered alternatives like biometrics, resulting in lingering usage,” commented Andrew Shikiar, Executive Director and CMO at FIDO Alliance. 

    Scams are getting more frequent and more sophisticated – likely fuelled by AI 

    This year’s Barometer also unearthed consumer perception of threats and scams online. 54% of people have noticed an increase in suspicious messages and scams online, while 52% believe these have become more sophisticated. 

    Threats are seen to be active across several channels, but primarily email, SMS messages, social media, and fake phone or voicemails. The increased accessibility of generative AI tools is a likely driver of this rise in scams and phishing threats. Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person.  

    Shikiar added: “Phishing is still by far the most used and effective cyberattack technique, which means passwords are vulnerable regardless of their complexity. With highly accessible generative AI tools now offering bad actors the means to make more convincing and scalable attacks, it’s imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions like passkeys and on-device biometrics more readily available, rather than iterating on ultimately flawed legacy authentication like passwords and OTPs.” 

    Passkeys, which provide secure and convenient passwordless sign-ins to online services, have grown in consumer awareness despite having been live for just over a year, rising from 39% in 2022 to 52% awareness today. The non-phishable authentication method has been publicly backed by many big players in the industry – Google recently announced that passkeys are now available for all its users to move away from passwords and two-step verification, as has Apple, with other brands like PayPal also making these available to consumers in the last twelve months.

    The impact of legacy sign-ins worsens for businesses and consumers 

    The negative impact caused by legacy user authentication was also revealed to be getting worse. 59% of people have given up accessing an online service and 43% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 15% on last year. Poor online experiences are ultimately hitting businesses’ bottom lines and causing frustration among consumers.

    70% of people have had to reset and recover passwords in the last two months because they’d forgotten them, further highlighting how inconvenient passwords are and their role as a primary barrier to a seamless online user experience. 

    ENDS

    Notes to editors:

    • Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,010 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China.
    • *The answer option “Logging in via social sign-in” has been disregarded for the question specific to social media accounts, due to the answer option being included through an error 

    About the FIDO Alliance 

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    PR Contact 
    press@fidoalliance.org 

    Simpler and Stronger Online Authentication in APAC: Dialogue on Challenges and Opportunities
    https://fidoalliance.org/simpler-and-stronger-online-authentication-in-apac-dialogue-on-challenges-and-opportunities/
    Mon, 16 Oct 2023 11:01:45 +0000

    Joon Hyuk Lee – APAC Market Development Director, FIDO Alliance

    Welcome

    As we usher in the participants of Authenticate 2023, we aim to provide a snapshot of various corners of the globe. Today, we’re privileged to bring together our esteemed members—industry luminaries from Thailand, Taiwan, Vietnam, Mainland China, Korea and Japan. Together, we’ll navigate the present landscape, confronting the challenges and celebrating the opportunities inherent in adopting phishing-resistant authentication methods across APAC.

    Introducing Our Experts:

    Khanit Phaton, Thailand: Senior Management Officer at ETDA

    Karen Chang, Taiwan: VP at Egis Technology / Chair of FIDO Taiwan Forum

    Simon Trac Do, Vietnam: CEO & Founder at VinCSS

    Henry Chai, Mainland China: CEO at Uni-ID Technology, Lenovo / Co-Chair of FCWG

    Jaebeom Kim, South Korea: Principal Researcher at TTA / Sub-Group Leader of FKWG

    Masao Kubo, Japan: Manager, Product Design Department at NTT DOCOMO

    Crafting an inclusive approach to online authentication in Thailand

    Joon: Given Thailand’s rich diversity in many aspects, how does this influence the approach to and adoption of new online authentication systems for its citizens?

    Khanit: As online services have become primary channels and gained popularity among the Thai population, coupled with the increasing number of cybersecurity threats, it’s crucial for both the public and private sectors to address this issue. Secure authentication is a key consideration. Given our diversity in aspects like culture and socioeconomic status, it’s essential to adopt an approach that’s inclusive and accessible for all. We’re exploring various methods for authentication; for instance, the Thai government’s introduction of the ThaID digital ID system, which utilizes both facial and fingerprint recognition, ensuring robust accessibility for all citizens. Meanwhile, Fintech companies and banks are developing mobile banking apps tailored to a wide range of mobile devices, incorporating online face verification services.

    Reflecting on Taiwan’s recent strides with FIDO

    Joon: Taiwan has showcased impressive FIDO deployment cases in recent years. Karen, as the chair of the FIDO Taiwan Regional Engagement Forum, can you offer insights on this journey?

    Karen: The FIDO Taiwan Regional Engagement Forum (FTF) was formed in 2021, with members spanning IC chip, device, software, system, and application services. As of August 2023, we boast over 25 members and 80 FIDO-certified products. The government’s role in adopting and promoting FIDO standards cannot be understated. The Ministry of Interior joined the FIDO Alliance in 2020 and launched the Taiwan FidO (TW FidO) service. By September 2023, TW FidO was integrated into more than 170 government department systems, encompassing a wide array of services. The Financial Supervisory Commission (FSC) also emphasized the “Research and Development of Standardized Financial Mobile Identification Mechanisms” in the Financial Technology Development Roadmap released in 2020, known as “Financial FIDO”. This allows users to bind their mobile devices with physical financial cards, eliminating the need for traditional physical cards or account/password logins. Several financial institutions are currently piloting this Financial FIDO initiative. Established in August 2022, the Ministry of Digital Affairs (moda) joined the FIDO Alliance in January 2023. Moda has been actively promoting international digital trust standards, like FIDO User Authentication and W3C Decentralized Identifiers, to industries like e-commerce, telecom services, online gaming, semiconductors, and manufacturing, ensuring a seamless and secure authentication experience. In many Asian countries, directives or guidelines from public organizations play a pivotal role in positioning a nation at the forefront of technology adoption. Today, it’s FIDO’s moment. I believe the FTF is on the right trajectory, and FIDO’s popularity is set to soar.

    Vietnam’s Path to Simpler and Stronger Online Authentication

    Joon: With many members in Vietnam being relatively new to the FIDO Alliance, how do you assess Vietnam’s readiness and the challenges it faces in adopting simpler and stronger online authentication methods?

    Simon: Vietnam, like other nations, grapples with an intensifying phishing crisis that poses significant risks to users, agencies, and organizations. Although there are initiatives in place, such as the Anti-Scam Center, which aims to counteract these threats promptly and take down scam sites, their effectiveness is somewhat curtailed due to manual operations and heavy reliance on user awareness. On a brighter note, an increasing number of Vietnamese entities are engaging in the FIDO Alliance’s drive to minimize password reliance. Leading the charge in this passwordless movement in Vietnam are tech frontrunners like VinCSS and MK Group.

    Mainland China’s Digital Landscape: Balancing Scale and Security

    Joon: Mainland China has one of the largest digital user bases in the world. What unique challenges does this present when considering the adoption of novel simpler and stronger online authentication methods?

    Henry: Indeed, in Mainland China, the sheer size of our digital user base brings about unique considerations. For any new security technology to be deployed, there’s an imperative need to consider the diversity in device capabilities. This ensures an optimal user experience for all, especially during the earlier times, before 2019, when not all smartphones were FIDO-enabled. During that period, any deployment of FIDO had to ensure that every user, regardless of their device’s capabilities, had a viable authentication alternative. Additionally, while authentication is a foundational layer, its adoption must align with business returns. When weighed against traditional, albeit less robust, authentication methods such as SMS and OTP, the decision to transition to FIDO becomes multifaceted. In many cases, the end solution is a mix of methods, balancing compatibility with business benefits. Presently, over 90 banks in Mainland China have adopted FIDO technology, and we anticipate this number to grow across different sectors soon.

    Discussing South Korea’s technological advancements

    Joon: South Korea is renowned for its advanced technological infrastructure. Jaebeom, how does this influence the nation’s approach to adopting new online authentication methods?

    Jaebeom: It’s imperative for our country to integrate new authentication methods to facilitate seamless online identity verification for the public. In this quest, the South Korean government and associated agencies prioritize two critical aspects:

    Technical Standards and Service Guidelines: We aim for consistent user experiences across platforms, irrespective of the service providers involved. This demands clear technical standards and robust service operation guidelines.

    Legal Framework: Many online services require a solid legal basis for identity verification. Thus, legislative amendments and continued dialogues across the private sector, government, and academia are essential to formulating appropriate legal frameworks. Even if it is time-consuming, this step is indispensable. While our focus leans towards new online authentication methods, it’s equally important to ensure stability in both legacy and new systems, guaranteeing that all citizens can access online identity verification without hitches.

    Japan – On the rise and acceptance of passkeys

    Joon: Given the unified efforts of the FIDO Alliance Japan Working Group and its members, Japan leads in passkey deployments. Kubo-san, can you discuss the current trend and acceptance of passkeys in Japan?

    Kubo-san: This year, I’ve observed several RPs deploying synced passkeys. While some organizations have long supported FIDO technology and embraced synced passkeys, others began their FIDO journey with synced passkeys only in 2023. This dynamic suggests that the momentum for passkey deployment is only set to accelerate. From a user perspective, awareness of passkeys is gradually heightening in Japan. Tech enthusiasts frequently discuss passkeys on social media, and according to Google Trends, search queries related to passkeys have surged. We’re in the early stages of a passwordless era in Japan, and I eagerly anticipate the broader acceptance and deployment of passkeys.

    Delving deeper into phishing-resistant solutions in Thailand

    Joon: Khanit, how can Thailand ensure that its authentication strategy remains robust and beneficial for online users? Would adopting phishing-resistant authentication solutions be advantageous?

    Khanit: To bolster online security, Thailand has undertaken multiple strategies. We’re raising awareness through collaborative efforts with global bodies like the FIDO Alliance and defining digital ID standards that embed secure identity proofing and authentication methods. This lays down a foundational benchmark for users and service providers alike. Additionally, we’ve amended the Electronic Transaction Act to clearly delineate the responsibilities of service providers in guaranteeing authentication security and quality. Undoubtedly, integrating phishing-resistant authentication solutions, which use cryptographic techniques over vulnerable methods like PINs or passwords, would be a strategic advantage. Such solutions inherently offer heightened protection against phishing threats and pose a more formidable challenge for attackers compared to conventional methods.

    Discussing Taiwan’s firm stance on cybersecurity

    Joon: Could you provide an overview of the cybersecurity landscape in Taiwan and identify any notable trends?

    Karen: In Taiwan, the zero-trust network security approach has become a pivotal national strategy. The sixth “National Information Security Development Plan (2021-2024)” was announced in February 2021, advocating for the Zero-Trust Architecture across government agencies and industries. The Taiwanese government has mapped out a comprehensive plan for implementing the zero-trust architecture, piloting validation and deployment mechanisms in 2021-2022. Central to this plan are three core mechanisms: identity authentication, device authentication, and trust inference. We place a significant emphasis on multi-factor authentication mechanisms that leverage the FIDO2 standard, allowing passwordless logins using physical security keys or mobile apps. By the end of August 2023, 12 vendors had cleared the government’s Zero Trust Architecture Identity Authentication Compliance Program. All these vendors deploy FIDO-certified solutions for user authentication. In 2023, numerous government agencies and businesses adopted this zero-trust framework in collaboration with these vendors. By incorporating phishing-resistant user authentication mechanisms, like FIDO’s standards, we have enhanced the security of online services, spanning national critical infrastructure, government services, and key industries. Moreover, FIDO’s certification program fosters trust between service providers, vendors, users, and the general populace.

    Reflecting on the importance of FIDO certifications in Korea

    Joon: Over the years, FIDO’s certification programs have been instrumental in globally promoting standardized technology adoption. Jaebeom, given that Korea is seen as an early FIDO authentication adopter, can you share your observations?

    Jaebeom: Authentication essentially certifies a product’s fitness for its intended purpose, which means it’s more about validating product quality than being a mere badge of honor. As new technologies emerge and mature, the relative importance of certification programs wanes. This is primarily due to the initial imperfections in technology specifications and the lack of testing tools and products during the nascent stages. Certification programs then play a crucial role in harmonizing standards, products, and policies while ironing out these issues. As technology matures, these initial challenges are naturally addressed through iterative processes, and certification programs fulfill their designated roles more organically.

    Lessons from Early FIDO Adopters: Mainland China

    Joon: Henry, as the Co-Chair of one of the very first regional working groups, what insights can you offer the audience regarding early FIDO adoption, ecosystem cultivation, and so on?

    Henry: FIDO is a novel authentication technology with clear benefits in security and user experience, but it also requires consumer devices like smartphones to be compatible. It takes time for the whole ecosystem to gradually embrace FIDO and incorporate its capabilities. The FIDO China Working Group collaborated closely with domestic phone OEMs in Mainland China to promote the FIDO concept and accelerate its implementation on devices. Simultaneously, we worked with the FIDO Alliance to establish the world’s first accredited certification lab at CAICT, Mainland China.

    Recap of the FIDO APAC Summit 2023 – Vietnam

    Joon: Simon, you co-hosted the FIDO APAC Summit 2023 in Vietnam back in August successfully. Can you reflect on the event and share any insights or observations you took away from the experience?

    Simon: The inaugural FIDO APAC Summit 2023 truly exceeded our organizing committee’s expectations. Drawing a diverse crowd with over 300 attendees spanning 12 countries, it was heartening to witness such a convergence of perspectives and expertise. With 29 eminent speakers from diverse sectors, the summit facilitated rich discussions, paving the way for meaningful collaborations. A particularly noteworthy highlight was Vietnam’s Ministry of Information and Communications (MIC) joining the ranks as the 10th government-level member of the FIDO Alliance, underscoring our collective dedication to elevating digital authentication standards. This resonated beyond the venue, with our summit receiving comprehensive media coverage across multiple prestigious platforms. Having proudly co-hosted this foundational event, VinCSS is eager to continue endorsing, supporting, and championing its future iterations, as we envisage it becoming a cornerstone event in the APAC digital landscape.

    Envisioning the collective journey with FIDO in APAC

    Joon: Looking at the broader APAC region’s push towards harmonized phishing-resistant online authentication, how do you view the role and contributions of FIDO Alliance members?

    Kubo-san: For years, our collective aim has been to realize a phishing-resistant, passwordless world through FIDO. But achieving this vision is not a solitary endeavor. It requires collaboration with diverse stakeholders to foster a world where everyone recognizes and effortlessly uses passkeys. FIDO Alliance members can spearhead this initiative by sharing their deployment experiences and persuading yet-to-adopt service providers. Additionally, a joint effort is required to amplify consumer awareness and understanding of passkeys. FIDO technology, especially passkeys, boasts a remarkable retention rate. Once users experience it, they appreciate its intuitive usability. Therefore, it’s imperative for us, as proponents of passkeys, to emphasize that FIDO isn’t just about phishing resistance—it’s also about enhancing user experience. And that’s not just a marketing spiel—it’s the reality.

    Closing

    To every attendee of Authenticate 2023 reading this, we extend our heartfelt gratitude for your dedication to making online authentication simpler and stronger. As we navigate this ever-evolving domain, we warmly encourage you to continue these conversations by connecting with the FIDO members featured in this dialogue, ensuring our collective discussions remain fruitful and dynamic.

    FIDO Device Onboard (FDO) Certification Program is Launched to Enable Faster, More Secure, Deployments of Edge Nodes and IoT Devices
    https://fidoalliance.org/fido-device-onboard-fdo-certification-program-is-launched-to-enable-faster-more-secure-deployments-of-edge-nodes-and-iot-devices/
    Tue, 26 Sep 2023 11:55:08 +0000

    FIDO Alliance FDO Certification program will allow users to mix and match FDO solutions from different vendors with confidence

    Mountain View, Calif., September 26, 2023 – The FIDO Alliance’s FIDO Device Onboard (FDO) technology allows edge and IoT users to quickly and securely onboard devices, thereby reducing cost, time and risk. Today the FIDO Alliance announced the launch of its FIDO Device Onboard (FDO) Certification Program, enabling edge node and IoT device vendors to prove that their solutions adhere to the security and interoperability requirements of the FDO specifications. Achieving certification allows vendors to demonstrate their products are high quality and at low risk of cyberthreats, while deploying companies can ensure devices will interoperate more seamlessly and securely within IoT and distributed computing infrastructures.

    Leading vendors around the world, including Dell Technologies, IBM, Intel, Red Hat and VinCSS, have already begun to include the FDO specification in products and services, which are being utilized by customers in a variety of settings and applications. [Media note: see quotes from FDO vendors at end of press release].

    According to Markets and Markets in their June 2023 report, the “Edge Computing Market size is expected to grow from $53.6 billion in 2023 to $111.3 billion by 2028.”(1) They go on to say that “despite the benefits, the edge computing architecture is susceptible to cyberattacks with the addition of vulnerable edge nodes and IoT devices.” The FIDO Alliance’s FDO technology has been specifically defined by leaders including Infineon, Intel, Google, Microsoft, Qualcomm and ARM to address these concerns so that users in areas such as enterprise and industrial can fully take advantage of edge computing opportunities.

    The FDO protocol is a freely available standard that champions a ‘zero trust’ approach to remove these barriers, enabling devices to quickly and securely onboard to cloud and edge management platforms. As a Dell Technologies white paper explained, “The installation of these systems must prioritize simplicity and must be zero-touch once plugged in and powered on. Secure operations require the ability to bring edge devices into your environment with zero touch in mind.”(2)

    FDO Certification, testing for which will take place in early October, provides conformance and interop testing, a security risk analysis, and assurance that a company’s device meets FDO Specification and Security and Privacy Requirements. Certification testing builds trust among device owners, as devices are validated by a third party as meeting a high level of security.

    “Edge nodes and IoT devices are bringing transformative benefits to a whole range of industries but overcoming the security risks that exist today is critical to enable more organizations to take the leap,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The appetite we’ve seen for the FIDO Device Onboard (FDO) standard since we launched last year is a testament to how urgent the business need is to secure the edge in a way that’s quick and cost-effective. Launching the certification program marks another step towards fostering trust in the edge and IoT space and taking mass deployments to the next level.”

    FIDO Alliance brings together 250+ of the most influential and innovative companies and government agencies from across the globe to deliver unrivaled security specifications that offer strong security, are free to use and easy to deploy. The FDO Specification is an important pillar in the expansion of the Alliance’s core vision: to boost global cyber security levels, help eliminate data breaches and enable secure online experiences. 

    The business benefits of the FIDO Device Onboard (FDO) standard include: 

    • Simplicity – Businesses no longer have to pay more for the installation and onboarding process than they do for the actual hardware devices themselves. The highly automated FDO process effectively brings ‘plug and play’ to the world of onboarding edge nodes and IoT devices.
    • Flexibility – Businesses can choose which cloud or edge platforms they want to onboard devices to at the point of installation (as opposed to when devices are manufactured). A single device SKU can be onboarded to any platform (edge or cloud), thereby greatly simplifying the device supply chain. 
    • Security – FDO leverages a “zero trust” approach, which means the installer no longer needs – nor has access to – any sensitive infrastructure/access control information.

    Developers can view and download the FDO Specification here. Higher levels of security certification are planned for the program in future, and interested parties are encouraged to join the FIDO Alliance and contribute to the evolution of the FDO standard. For more information or help, please contact: certification@fidoalliance.org 

    FIDO Alliance will be hosting a workshop on FDO on the opening day of its annual Authenticate conference, which takes place October 16-18 in Carlsbad, CA. More information on Authenticate can be found on the event website.

    Ends

    Red Hat, Red Hat Enterprise Linux and the Red Hat logo are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the U.S. and other countries. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. 

    PR Contact
    press@fidoalliance.org 

    About the FIDO Alliance
    The FIDO (Fast IDentity Online) Alliance, https://fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. 

    1. Edge Computing Market Report Summary & Forecast Analysis, Markets and Markets, June 2023. https://www.marketsandmarkets.com/Market-Reports/edge-computing-market-133384090.html
    2. Introduction to the Dell NativeEdge Software Platform, Dell, August 2023. https://infohub.delltechnologies.com/t/dell-nativeedge-3/?hve=explore+dell+infohub

    Quotes from FDO Stakeholders

    ASRock International
    “ASRock Industrial is setting the stage for a new era in IoT onboarding through the development of FIDO Device Onboarding (FDO)-enabled devices, embodied by the iEP-5000G Industrial IoT Controller. Harnessing FIDO Alliance’s state-of-the-art FDO technology and the availability of FDO Certification, ASRock Industrial is thrilled to announce its commitment to move forward with the FDO Certification for the iEP-5000G. This achievement shall guarantee both functionality and security for all FDO implementations, reinforcing our dedication to delivering solutions that streamline device connectivity and management. This will mark a significant milestone in our journey to provide innovative and future-ready Industrial IoT solutions,” said James Lee, President of ASRock Industrial.

    Dell Technologies
    “The FDO protocol is extensible beyond IoT and can be used to modernize onboarding and scale of enterprise edge and IT infrastructure,” said Daniel Cummins, Dell Technologies Fellow, edge solutions. “As Dell helps customers simplify and securely manage their edge estate, we’re using the FDO protocol to solve for security constraints at the edge. With Dell NativeEdge, our edge operations software platform, we’ve implemented FDO and Zero Trust enabling technologies to make edge device onboarding secure while improving time to service.”

    Device Authority
    “Having FIDO Device Onboard integrated in our leading IAM solution, KeyScaler allows our customers to benefit from complete trust in their IoT devices and data throughout their entire lifecycle,” said Darron Antill, CEO of Device Authority. “FIDO’s standardized approach of securely enrolling a device in phase one of its lifecycle, coupled with KeyScaler’s credential management, end to end data crypto, Edge security functionality, and SBOM validation solves the complex and fundamental device security challenges of any connected environment and supports IoT deployments at scale.”

    Infineon
    “FDO provides an easy and secure installation of devices into a customer’s environment. Certification is key in simplifying and speeding FDO adoption. For edge and IoT devices, FDO and Infineon’s OPTIGA™ TPM are an excellent match. The Trusted Platform Module (TPM) secures the FDO credentials, reducing the risk that they could be compromised, while simultaneously simplifying the manufacturing process,” said Vijayaraghavan Narayanan, Infineon’s Head of Edge Identity and Authentication.

    Intel
    “The FDO standard has helped to reduce cost, save time, and improve security which is helping the industry to expand rapidly at the edge,” said Anand Pashupathy, Vice President and General Manager of Security, Software and Services Division in the Product Assurance and Security Group, at Intel. “The new FDO certification testing program from the FIDO Alliance enables us to increase the attach rate of new devices with confidence, foster interoperability between vendors, and allows the industry to meet the requirements of our customers and partners with an automated, highly secure industry solution.”

    Pavana
    “Our products primarily serve government, law enforcement, banking, and critical infrastructure sectors, where top-notch security and data protection are paramount. By integrating FIDO Device Onboard into our passwordless cameras, we confidently ensure the high security for our products right off the shelf, safeguarding our customers’ sensitive data while simultaneously mitigating tampering risks and reducing deployment and maintenance costs,” said Cuong Tran, CTO/Co-Founder, Pavana Technologies.

    Red Hat
    “Red Hat Enterprise Linux is the world’s leading enterprise Linux platform and the operating system of choice for many organizations deploying IoT and edge compute applications, spanning use cases such as industrial automation, medical, retail and other segments. By collaborating with the FIDO Alliance to implement FDO specifications for Red Hat Enterprise Linux, we can help customers more easily and quickly onboard and provision their devices to support greater interoperability and enhanced security measures at the edge,” said Kelly Switt, senior director, Edge and AI Business Development, Red Hat.

    VinCSS
    “The deployment of FDO technology for a range of commercial cameras from a Vietnamese camera OEM has yielded remarkable results, which I refer to as a triple-ROI: the camera OEM itself benefits when their product incorporates cutting-edge technology, creating a distinct competitive advantage; customers reap significant benefits, especially if they have a large number of devices to deploy and manage; and the issue of security and personal privacy, one of the pressing national security concerns, has been perfectly addressed,” said Mr. Simon Trac Do, CEO & Founder of VinCSS JSC, Vietnam. “Not stopping there, the integration of FDO with other technologies such as mesh, cyber-physical,… is providing the ability to solve previously unsolvable challenges in various aspects simultaneously, including safety, flexibility in deployment/operation/maintain, and cost-effectively. We consider ourselves fortunate for having made the early decision to embrace and promptly develop our FDO platform in order to bring it to the market on time.”

    FIDO Alliance Details Agenda for Authenticate 2023, Featuring Keynote from Rachel Tobac, Noted White Hat Hacker & SocialProof Security CEO
    https://fidoalliance.org/fido-alliance-details-agenda-for-authenticate-2023-featuring-keynote-from-rachel-tobac-noted-white-hat-hacker-socialproof-security-ceo/
    Thu, 03 Aug 2023 11:56:37 +0000

    3-day program for FIDO Alliance’s flagship event on the future of user authentication includes 90+ sessions; Early Bird registration available through August 18

    Carlsbad, Calif., August 3, 2023 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2023, the only industry conference dedicated to all aspects of user authentication.

    This year’s featured keynote will be presented by Rachel Tobac, white hat hacker and social engineering expert whose exploits have been featured on CNN, 60 Minutes and more. Additional keynote presentations providing diverse and global perspectives on modern authentication will be delivered by speakers from 1Password, Amazon, Google, Microsoft, Yubico and others.

    Authenticate 2023 will be held at the Omni La Costa Resort and Spa from October 16-18, 2023 – with virtual attendance options for those unable to be there in person. Now in its fourth year, the event is focused on providing education, tools and best practices for modern authentication across web, enterprise and government applications. CISOs, security strategists, enterprise architects and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2023/.

    In response to its rising popularity, the conference now includes 90+ sessions from 125 speakers spread across three content tracks — as well as interactive half-day workshops for developers and user experience leads. Speakers from Alibaba Group, Fox Corporation, GitHub, Intuit, Mercari, Pinterest, Salesforce, Starbucks, Shopify, Target and others will deliver a diverse set of sessions, detailed case studies, technical tutorials and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

    Sponsorship Opportunities at Authenticate 2023 

    Authenticate 2023 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead generation capabilities and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/sponsors/

    There are a limited number of opportunities remaining. Requests for sponsorship should be sent to authenticate@fidoalliance.org. 

    About Authenticate 

    Authenticate is the only conference dedicated to all aspects of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

    Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

    In 2023, Authenticate will be held October 16-18 at the Omni La Costa Resort and Spa in Carlsbad, CA and virtually. Early bird registration discounts are available through August 18, 2023. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

    Signature sponsors for Authenticate 2023 are 1Password, Google, Microsoft and Yubico.

    Authenticate Contact 
    authenticate@fidoalliance.org  

    PR Contact 
    press@fidoalliance.org

    FIDO APAC Summit Keynotes and Sponsors Announced
    https://fidoalliance.org/fido-apac-summit-keynotes-and-sponsors-announced/
    Thu, 03 Aug 2023 10:08:20 +0000
    https://fidodev.wpengine.com/?p=41933

    The exclusive event on 28-30 August in Vietnam will feature content and insights, provided by cybersecurity experts—including a former convicted hacker—that focus on best practices for passwordless authentication implementations.

    Singapore, August 1, 2023 — The FIDO Alliance today provided an updated list of speakers and sponsors for its first-ever FIDO APAC Summit, the premier event dedicated to advancing and promoting phishing-resistant FIDO authentication in the region. Co-hosted by the Ministry of Information and Communications (Vietnam), the summit will take place in Vinpearl Nha Trang, Vietnam, on 28 – 30 August 2023, and centers on the theme of “Connecting for a Safer Digital Future”.

    With hundreds of attendees expected, the summit will feature more than 25 VIP guests and speakers from the APAC region. Hieu Minh Ngo, a former hacker turned cybersecurity specialist, will be joining these prominent industry leaders to discuss the latest developments and share best practices. Drawing on his insider knowledge of cybercriminal tactics, Hieu offers insights into common cybersecurity traps and vulnerabilities, and how passwordless authentication technologies can boost organizations’ defenses against hackers.

    “As a former hacker turned cybersecurity specialist, I know firsthand how cybercriminals are always looking for loopholes to exploit for their gain. That is why it is imperative for organizations to ensure a robust cybersecurity strategy to safeguard users online,” said Hieu. “Embracing passwordless authentication can offer the highest levels of security and mitigate potential cyber threats from malicious hackers. I am excited to be part of the FIDO APAC Summit 2023 to share my experiences on how going passwordless can thwart phishing attacks and impart valuable lessons to attendees.”

    Regional Cybersecurity Thought Leaders

    The keynote speakers at the FIDO APAC Summit include:

    • Nguyen Huy Dung, Deputy Minister of Information and Communications (Vietnam)
    • Andrew Shikiar, Executive Director of FIDO Alliance
    • Do Ngoc Duy Trac (Simon), CEO of VinCSS

    The summit will also feature case studies and tutorials delivered by industry experts from government organizations and leading technology companies, including:

    • Hieu Minh Ngo, Threat Hunter, NCSC Viet Nam & Co-founder of Chongluadao.vn
    • Khanit Phatong, Senior Management Officer, Thailand Electronic Transactions Development Agency 
    • Teresa Wu, Vice President, Smart Credentials – Civil Identity IDEMIA Identity & Security North America 
    • Paul Heim, Director, FIDO Alliance
    • Sea Chong Seak, CTO of SecureMetric
    • Alex Wilson, Director Engineering, Yubico
    • Dovlet Tekeyev (Dave), Director, AirCuve
    • Hyung Chul Jung, Head of Security Engineering Group, Samsung Electronics
    • Eiji Kitamura, Developer Advocate, Google
    • Gautam Pande, Vice President, Identity Solutions, Asia Pacific, Mastercard
    • Masao Kubo, Manager, Product Design Department, Smart Life Business Company, NTT DOCOMO
    • Henry (Haixin) Chai, CEO of GMRZ Technology, Lenovo
    • Cuong Tran, CTO, Pavana
    • Thang Phan, Passwordless Transformation Lead, VNPAY
    • Truong Nguyen, Back End Developer, PayPay Corporation
    • Naohisa Ichihara, CISO, Mercari
    • Jaebeom Kim, Principal Researcher, Telecommunications Technology Association


    The updated list of speakers can be found here.

    In addition, the APAC Summit will feature a busy expo hall, with demo booths from VinCSS, Securemetric Technology, Yubico, AirCuve, CyStack, iProov, Thales, ISR, SMARTdisplayer Technology, and TrustKey.

    Event Registration and Sponsorship Opportunities

    Attendance is free of charge. For more information and to register your interest in the summit, please visit the website here.

    “The FIDO Alliance is excited to host its first Asia-Pacific Summit 2023 in Vietnam, which will feature content presented by some of the brightest minds in authentication from around the world,” said Andrew Shikiar, executive director & CMO of the FIDO Alliance. “As cyber attacks continue to grow in volume and sophistication, it is more important than ever for companies to put passwords in the rear view mirror in favor of passkeys — which present a user-friendly alternative based upon FIDO standards.”

    At the initial announcement of the event, Deputy Minister of Information and Communications (Vietnam), Nguyen Huy Dung said, “We are delighted to take part in organizing this event. We fully endorse the adoption of passwordless authentication technology to secure Vietnam’s digital economy. Our aspiration is to foster connections and collaborations with the FIDO Alliance and other APAC region countries for a safer digital future.”

    Registrations are now open to the public. While the event is offered free of charge, all delegates are required to book a minimum of three nights at the event venue, Vinpearl Resort Nha Trang. For more information and to register your interest in the summit, please visit the website here.

    For companies interested in sponsorship opportunities, please contact events@fidoalliance.org

    About the FIDO Alliance 

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    PR Contact 
    press@fidoalliance.org

    APAC Media Contact
    Evelyn Owen & Farah Aqilah
    FINN Partners on behalf of FIDO Alliance
    yingFIDO@finnpartners.com 
    +65 9109 6954

    FIDO Alliance Publishes Guidance for Deploying Passkeys in the Enterprise
    https://fidoalliance.org/fido-alliance-publishes-guidance-for-deploying-passkeys-in-the-enterprise/
    Tue, 27 Jun 2023 11:56:36 +0000
    https://fidodev.wpengine.com/?p=41475

    Half-day virtual Authenticate Summit to educate on how passkeys can fit into a variety of enterprise environments

    MOUNTAIN VIEW, Calif., June 27, 2023 – Passkeys are a gamechanger for signing in to online services and apps, providing phishing-resistant security and an easy user experience far superior to passwords and other phishable forms of authentication. Enterprises globally are interested in passkeys but may be wondering: “How do I start?” and “What type of passkey is right for my environment?”

    The FIDO Alliance addresses these questions in a new series of papers providing considerations for leveraging passkeys across different enterprise use cases. The series was developed by the FIDO Alliance’s Enterprise Deployment Working Group (EDWG) and can be found at https://fidoalliance.org/fido-in-the-enterprise/.  

    The papers in the series are:

    • FIDO Deploying Passkeys in the Enterprise – Introduction
    • Replacing Password-Only Authentication with Passkeys in the Enterprise
    • FIDO Authentication for Moderate Assurance Use Cases 
    • High Assurance Enterprise FIDO Authentication 

    A fifth paper in the series, “Displacing Password + SMS OTP Authentication with Passkeys,” is expected to publish later this summer.

    “Passkeys are a new concept to many enterprise organizations, in terms of both terminology and FIDO authentication capabilities,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “These papers demystify synced and device-bound passkeys and provide the decision points for how to leverage them across a variety of use cases, whether they are using passwords alone, legacy MFA or FIDO-based solutions today. These papers provide a great foundation for anyone looking to understand how passkeys can increase their organization’s security posture, meet legal and regulatory requirements and decrease support and other costs associated with authentication.” 

    Get an Overview Live at Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise

    Those interested in this topic are encouraged to join the FIDO Alliance and members of its Enterprise Deployment Working Group on June 29, 2023 at 9:00 am PT / 12:00 pm ET for the free Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise to learn how passkeys can fit into a variety of enterprise environments.

    Sessions will cover introductory material, considerations across various use cases, and criteria to evaluate how synced passkeys and device-bound passkeys can meet varying legal, regulatory, and security requirements across enterprise environments.

    Learn more and register for the free virtual summit at https://authenticatecon.com/event/passkeys-in-the-enterprise/.

    About the Enterprise Deployment Working Group (EDWG)

    The FIDO Alliance’s Enterprise Deployment Working Group (EDWG) aims to accelerate enterprise deployments of FIDO solutions and advance the FIDO Alliance’s vision for a strong, interoperable modern authentication ecosystem. The EDWG acts as a group of subject matter experts and internal advisors within the FIDO Alliance on issues affecting the deployment of FIDO solutions at the enterprise level. FIDO Alliance members interested in joining the EDWG can contact info@fidoalliance.org for information on how to participate.

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    Contact
    press@fidoalliance.org

    FIDO Alliance Opens Registration for Its First-Ever Asia-Pacific Summit 2023 in Vietnam
    https://fidoalliance.org/fido-alliance-opens-registration-for-its-first-ever-asia-pacific-summit-2023-in-vietnam/
    Mon, 26 Jun 2023 00:01:07 +0000
    https://fidodev.wpengine.com/?p=41327

    The event will gather industry leaders, cybersecurity experts, and government representatives across the region to explore the latest developments in authentication technologies.

    Singapore, June 26, 2023 — The FIDO Alliance announced today its first-ever FIDO APAC Summit 2023, the premier event dedicated to advancing and promoting phishing-resistant FIDO authentication in the region. The summit, co-hosted by Vietnam Ministry of Information and Communications, will take place in Vinpearl Nha Trang, Vietnam, on August 28 – 30, 2023.

    For more information and to register your interest in the summit, please visit the website here.

    The cybersecurity landscape in Asia-Pacific has undergone significant growth and transformation in recent years, driven by rapid digitalization, increased internet penetration, and the fast adoption of advanced technologies such as cloud computing, AI, and the Internet of Things (IoT). As businesses and governments become more reliant on digital infrastructure, cyber threats have grown increasingly sophisticated and widespread, resulting in a surge in prominent cyberattacks and data breaches. With Asia-Pacific accounting for 31% of all incidents globally in 2022, there is a crucial need for more robust authentication methods — and there is no better time than now for organizations to take the necessary steps forward.

    The theme for this year’s event is “Connecting for a Safer Digital Future” which aims to highlight the importance of secure, phishing-resistant authentication methods, specifically focusing on FIDO standards and passkeys. The summit will bring together various industry leaders, cybersecurity experts, and government representatives from the region to discuss the latest developments and share best practices and success stories. Attendees can expect insightful keynote presentations, engaging panel discussions, comprehensive technical workshops, and ample networking opportunities. 

    “The FIDO Alliance is excited to host its first Asia-Pacific Summit 2023 in Vietnam. Around the globe, we are witnessing an increasing number of cyberattacks and scams stemming from weak or stolen credentials — and this is no different in the APAC region. Fortunately, there has been a steady momentum toward adopting passkeys based on phishing-resistant, FIDO authentication by organizations here to combat these threats,” said Andrew Shikiar, executive director of the FIDO Alliance. “Through this summit, we hope to facilitate knowledge sharing in the various areas of authentication, and we encourage anyone interested to learn more to join us.”

    Deputy Minister of Vietnam’s Ministry of Information and Communications, Nguyen Huy Dung, said, “We are delighted to take part in organizing this event.” He emphasized, “We fully endorse the adoption of passwordless authentication technology to secure Vietnam’s digital economy.” He continued, “Our aspiration is to foster connections and collaborations with the FIDO Alliance and other APAC region countries for a safer digital future.”

    The conference will feature more than 25 VIP guests and speakers from the APAC region, with over 300 attendees expected. Key summit speakers this year include member companies from the FIDO Alliance, such as VinCSS, Google, Mastercard, Samsung Electronics, NTT Docomo, SK Telecom, SecureMetric, AirCuve, ETDA and Thales, among many others.

    Registrations are now open to the public. While the event is offered free of charge, all delegates are required to book a minimum of three nights at the event venue, Vinpearl Resort Nha Trang. For more information and to register your interest in the summit, please visit the website here.

    About the FIDO Alliance 

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    PR Contact 

    press@fidoalliance.org 

    APAC Media Contact

    Evelyn Owen & Farah Aqilah

    FINN Partners on behalf of FIDO Alliance

    yingFIDO@finnpartners.com 

    +65 9109 6954

    Updated FIDO Alliance Specifications Adopted as ITU International Standards
    https://fidoalliance.org/updated-fido-alliance-specifications-adopted-as-itu-international-standards/
    Fri, 16 Jun 2023 12:43:19 +0000
    https://fidodev.wpengine.com/?p=41186

    MOUNTAIN VIEW, Calif., June 16, 2023 – The FIDO Alliance announced today that two of its specifications, FIDO UAF 1.2 and CTAP 2.1, are recognized as international standards by the International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T). This milestone establishes these standards as official ITU standards (ITU-T Recommendations) for the global infrastructure of information and communication technologies (ICT).

    ITU-T is the standardization arm of ITU, the United Nations specialized agency for ICT. The FIDO Alliance specifications were approved as official ITU-T Recommendations by ITU members including national administrations and the world’s front-running ICT companies. The new ITU-T Recommendations are under the responsibility of ITU’s standardization expert group for security, ITU-T Study Group 17.

    “The FIDO Alliance is improving online authentication through open standards based on public key cryptography that make authentication stronger and easier to use than passwords or one-time passcodes. One of the ways that we fulfill this mission is by submitting our mature technical specifications to internationally recognized standards groups like ITU-T for formal standardization,” said David Turner, senior director of standards development at the FIDO Alliance. “This recognition from ITU-T illustrates the maturity of FIDO authentication technology and complements our web standardization work with the World Wide Web Consortium (W3C).”

    “Predecessors of these FIDO UAF and CTAP specifications were first adopted as ITU standards in 2018. ITU-T Study Group 17 will continue to strengthen its collaboration with the FIDO Alliance. These two FIDO Alliance specifications, adopted as ITU standards recently, are being widely used in various industries such as the financial sector to provide strong online authentication based on public key cryptography and various user verification methods,” said Heung Youl Youm, Chairman of ITU-T Study Group 17. “These new ITU standards will provide a concrete basis for the two FIDO specifications to be adopted across the 193 ITU Member States.”

    “Our working group within ITU-T Study Group 17 was pleased to be able to collaborate with the FIDO Alliance to promote the standardization of state-of-the-art security technologies,” said Abbie Barbir, Rapporteur for ITU-T’s working group on ‘Identity management and telebiometrics architecture and mechanisms’ (Q10/17). “This work will help address and solve the security limitations of passwords and move the world closer to passwordless solutions.” 

    The specifications that are now ITU-T Recommendations are:

    • FIDO UAF 1.2 (Recommendation ITU-T X.1277.2). A mobile standard providing authentication without passwords by using biometrics and other modalities to authenticate users to their local device.
    • CTAP 2.1 (Recommendation ITU-T X.1278.2). Part of the FIDO2 specifications along with the W3C Web Authentication standard, CTAP allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a passwordless, second-factor or multi-factor authentication experience.

    For more information on the FIDO Alliance and FIDO authentication, visit https://www.fidoalliance.org.

    For more information on ITU-T SG 17 visit https://www.itu.int/en/ITU-T/studygroups/2022-2024/17/Pages/default.aspx.

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    About ITU-T SG 17

    The ITU Telecommunication Standardization Sector (ITU-T) is one of the three Sectors (branches) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Communication Technology such as X.509 for cybersecurity, Y.3172 and Y.3173 for machine learning, and H.264/MPEG-4 AVC for video compression, between its Member States, Private Sector Members, and Academia Members.

    FIDO Alliance Contact
    press@fidoalliance.org 

    ITU Contact
    tsbsg17@itu.int

    FIDO Alliance Opens Registration for Authenticate 2023
    https://fidoalliance.org/fido-alliance-opens-registration-for-authenticate-2023/
    Tue, 06 Jun 2023 11:59:13 +0000
    https://fidodev.wpengine.com/?p=41071

    Conference to feature expert-driven content on replacing passwords with passkeys; early bird discounts available through August 18

    CARLSBAD, Calif., June 6, 2023  —  The FIDO Alliance is pleased to announce registration is now open for Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on passkeys and related FIDO-based solutions. Authenticate will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego – with virtual attendance options also available.

    To register, visit https://authenticatecon.com/event/authenticate-2023/. Early bird registration discounts are available through August 18.

    Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

    “Passkeys are the hottest topic in digital identity and authentication as the world accelerates its efforts to put passwords in the rear-view mirror,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. “Authenticate has rapidly established itself as a must-attend event for those interested in learning about how to apply passkeys and other cutting-edge authentication solutions to their business. Between the dozens of sessions and countless networking opportunities, Authenticate attendees will come away from this year’s conference with actionable insights to help accelerate their companies’ transition to a password-free future.”

    Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

    Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. The full 2023 agenda will be published later this month. Attendees benefit again from a dynamic expo hall and engaging networking opportunities. 

    Sponsorship Opportunities at Authenticate 2023 

    Authenticate 2023 is accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

    Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

    Signature sponsors for the 2023 event are 1Password, Google, Microsoft, and Yubico.

    About Authenticate

    Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on passkeys and FIDO-based solutions. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

    Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers. 

    Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you. 

    Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.

    Authenticate Contact

    authenticate@fidoalliance.org

    PR Contact 

    press@fidoalliance.org

    An Inflection Point in the Journey to Passwordless
    https://fidoalliance.org/an-inflection-point-in-the-journey-to-passwordless/
    Thu, 04 May 2023 11:53:31 +0000
    https://fidodev.wpengine.com/?p=40612

    Andrew Shikiar, FIDO Alliance Executive Director & CMO

    Yesterday, Google announced support for simple and secure sign-ins with passkeys for all Google Account users. This is a huge milestone in our journey towards a passwordless future. Why?

    It’s been only a year since Apple, Google and Microsoft announced their commitment to passkeys with plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. Since then, Apple and Google have readied their operating systems for service providers to enable sign-ins with passkeys that sync across devices; Windows 10 and 11 have long supported device-bound passkeys in Windows Hello – and passkeys from iOS or Android devices can also be used to sign into sites in Chrome or Edge on Windows.

    Additionally, service providers like PayPal, Yahoo! Japan, NTT DOCOMO, CVS Health, Shopify, Mercari, Kayak, SK Telecom and more are committed to or already providing passkey sign-ins. Google now joins them, and will serve as a great way for large swathes of consumers to become familiar with passkeys, while also helping accelerate deployments from other service providers.

    Consumer Readiness On the Rise

    The growing number of service providers supporting passkeys matches a growth in consumer awareness and readiness.

    According to a new survey released today by FIDO Alliance, over 57% of U.S. consumers said they are interested in using passkeys to replace passwords, compared with 39% who said they were familiar with the concept of passkeys in FIDO’s 2022 Online Authentication Barometer, released in October 2022.

    Recovering or resetting passwords is one of the many hassles that consumers face. Only 9% of those surveyed report that they never need to recover their password – with 13% having to recover passwords daily or several times per week and nearly 60% reporting several password resets per quarter.  It is little wonder then that 29% of consumers prefer signing in with biometrics (e.g. fingerprint or face scan) versus 19% who prefer to enter a password manually.

    Passkeys are resistant to threats of phishing, credential stuffing and other remote attacks often used to take over online accounts. Based on the survey, approximately 65% of people who prefer to use biometrics to sign in would be interested in using a passkey and nearly half (45%) of people who prefer to use passwords to sign in would be interested in using a passkey. This is another clear signal telling us that consumers want less friction and greater ease of signing into their online accounts.

    Passwords Create More Friction for Online Transactions

    Consumers are tired of the hassle and complexity of passwords and are ready to embrace passkey sign-ins, which enable them to access online services simply and securely. Passkeys can help reduce shopping cart abandonment and turn the tide against the ongoing plague of data breaches and identity theft.

    In addition to security implications, passwords continue to be costly for online retailers – according to the survey, nearly 60% of consumers said they have abandoned their carts due to a forgotten password in the past six months. 

    Simply put, passkeys stand to dramatically improve consumers’ online shopping experiences – as well as their service providers’ bottom lines.

    Perceived Password Risk

    Despite the large number of breaches and warnings, many consumers maintain poor password hygiene, unmoved by the risks passwords pose to their digital lives. According to the survey, 70% of people use passwords that are at least one year old. Despite the known risks of phishing attacks and other security breaches, the survey shows that 21% of respondents believe entering their password manually is the most secure authentication method.

    Nearly 60% said they would not pay for increased security measures or official verification on social media platforms. Earlier this year, Twitter warned users they would lose the ability to secure access to their account via text message two-factor authentication unless they pay to subscribe to Twitter Blue. It seems clear from this data that consumers would naturally look to passkeys as a seamless and secure alternative.

    What’s next?

    Both the data and the increasing number of organizations rolling out passkeys show that the future of authentication is here. But this does not mean the work is done. The FIDO Alliance and its members continue to iterate to improve the experience of passkeys. Be on the lookout for upcoming UX research and guidelines to further increase the adoption and usability of passkeys. The FIDO Alliance is also continuing to provide education, UX guidance, adoption perspectives and more through upcoming industry events. Attend our sessions at Identiverse and be sure to attend the FIDO Alliance’s conference, Authenticate, in Carlsbad, CA (or virtually) on October 16-18, 2023.

    Recap: Authenticate Virtual Summit: Authentication in Financial Services and Commerce
    https://fidoalliance.org/recap-authenticate-virtual-summit-authentication-in-financial-services-and-commerce/
    Tue, 04 Apr 2023 14:31:24 +0000
    https://fidodev.wpengine.com/?p=40262

    By: FIDO Staff

    Passwords are everywhere, with both enterprises and e-commerce organizations feeling the pain as much as, if not more than, most.

    At the Authenticate Virtual Summit: Authentication in Financial Services and Commerce on March 29, industry experts and practitioners outlined The FIDO Fit for Enterprise and Customer Sign-ins. Throughout the half-day event, the topic of passkeys was a primary theme, with speakers outlining how they work, where they fit in and why they are essential to helping the world move away from legacy passwords and less secure multi-factor authentication.

    Andrew Shikiar, executive director and CMO of the FIDO Alliance, opened the event with some insights on the many benefits that passkeys can bring to enterprise and commerce users. Those benefits include helping users to get online faster with higher levels of satisfaction. Passkeys may also be able to help improve the bottom line for e-commerce vendors.

    “If you’re an e-commerce vendor, imagine reducing the shopping cart abandonment rate by even 10%,” Shikiar said. “Our data shows that 50% of consumers that had to abandon a purchase in the past six months did so because they forgot your password and that’s a huge opportunity cost.”

    While FIDO authentication has been available for anyone to use for over a decade, Shikiar noted that there have been some adoption challenges. Passkeys are, in part, a solution to some of those adoption challenges. With passkeys, there is a more recognizable set of common terminology and the technology also provides a familiar flow for users that aims to reduce friction.

    In the enterprise, Shikiar said that passkeys are a very natural fit for things like BYOD [Bring Your Own Device] authentication, allowing employees to sign in with apps on their phones.

    “This is becoming more the norm than the exception, and passkeys are just a very natural fit for that environment,” Shikiar said.

    The State of Authentication 2023 

    Make no mistake about it, there are a lot of problems with passwords. To add some metrics to the argument against passwords, Jay Roxe, CMO at HYPR, provided some insights from his firm’s State of Passwordless Security 2023 report.

    Roxe noted that one of the things that really jumped out to him was that three out of five of the organizations that HYPR talked to for the report had an authentication-related breach over the past year. He added that each of those organizations had nearly $3 million in costs associated with those breaches on a 12-month basis. Financial services was the most highly attacked industry vertical, with 81% of financial services organizations having recorded some type of attack or breach related to authentication.

    The HYPR report also attempted to discover why organizations will move to deploy strong, passwordless authentication approaches. Roxe emphasized that it’s critical to have a good user interface and flow, otherwise the technology won’t get adopted. In fact, the report found that the top reason organizations are looking to adopt passwordless is to improve the user experience.

    “Until we nail that user experience, we’re fundamentally not going to be any better off than we are today,” Roxe said.

    Passkeys 101

    Among the most interactive sessions of the event was one on the basics of how passkeys work, which kept moderator Megan Shamas, senior director of marketing at the FIDO Alliance, very busy handling questions from the engaged audience at the end of the session.

    The session got started with Tim Cappalli, identity standards architect at Microsoft, outlining the historical path of FIDO standards. The big milestones along the path include the debut of the U2F specifications in 2014, FIDO2 in 2017, WebAuthn in 2019 and, just last year, the emergence of passkeys.

    “It has been a journey,” Cappalli said. “We think that in the last two to three years, we really have been moving towards the last step to moving people beyond passwords.”

    Cappalli outlined how passkeys work and what the primary advantages of the approach are. He explained that a passkey is fundamentally a FIDO credential with some new properties. Among the properties highlighted by Cappalli are:

    • Autofill. With Autofill, much like the experience users have today with a password manager, a passkey can be automatically injected into an authentication flow on existing websites.
    • Cross Device Authentication. Instead of a credential being tethered strictly to a single device, passkeys enable a credential to be durable across environments, enabling a phone, for example, to bootstrap another device or ecosystem.

    Championing FIDO adoption at scale

    Few professionals have had as much experience deploying FIDO at scale as Marcio Mello, who has led efforts at PayPal, Intuit and eBay.

    Mello outlined in great detail the steps that organizations can and should take to support FIDO strong authentication. In his view, the benefits are obvious.

    “As soon as we could, we started doing WebAuthn deployment at eBay and saw the benefits almost immediately,” Mello said.

    For Mello, passkeys are the next massive step forward as it’s an approach that will reduce consumer friction and hopefully enable adoption at scale. It is fundamentally the ease of use that passkeys promise that is literally the key.

    “Consumers expect to see and use a password,” he said. “Yes, everybody’s tired of them, but it’s like smoking, most smokers would like to stop but they can’t, sure they know it’s bad, but you need to have the motivation and a very low bar of ability to be able to drive a habit change.”

    FIDO and Zero Trust

    In the security world, zero trust is an increasingly common concept that advocates an approach where users and entities need to be constantly validated to limit risks.

    For Kurt Johnson, chief strategy officer at Beyond Identity, there is a clear intersection between FIDO authentication and zero trust. After all, a core foundation of zero trust is the need to constantly authenticate users, and if organizations aren’t using strong authentication, that’s a weak link.

    Johnson said that with zero trust there is a need to assess and establish a high level of trust in the user identity. That just can’t be done effectively through passwords, and that’s where there is a need for FIDO Certified authentication that’s unphishable.

    Helping Amazon’s drive to be customer-obsessed

    Amazon operates one of the world’s largest e-commerce sites and it’s also a strong advocate and supporter of the FIDO Alliance.

    Yash Patodia, principal product manager, tech, world wide consumer at Amazon, said that his team is always looking to improve usability. One of those efforts has been a move to remove passwords wherever possible. Patodia said that Amazon uses FIDO security keys for its own internal security, which has worked well.

    While security keys have worked for Amazon’s own internal needs, he noted that they can be difficult for consumers to adopt. That’s one of the many reasons why he’s particularly excited about passkeys.

    “I think it’s a great leap forward from the password, OTP (one time passwords) and the security keys world,” Patodia said. “Some of the benefits I can see for passkey is that it really makes it very easy for the customer to use.”

    Making it easier for consumers is critical for Amazon overall as it’s core to the company’s mission.

    “We have this term at Amazon we use a lot called customer obsession,” Patodia said. “And this fits perfectly for us in that this is actually a customer obsessed product where we are making it very easy for the customer to do what they want to do.”

    PNC Bank looks to protect its users with FIDO

    Susan Koski, CISO of PNC Bank, knows all too well the challenges of passwords; that’s why she’s such a strong advocate and supporter of FIDO.

    She noted that criminals are going after user passwords in a bid to take over accounts. Among the risks that she is trying to help limit is that of phishable credentials, such as passwords.

    “We really do want to reduce those phishable credentials but we do it in a way that a customer wants to use the service,” Koski said. “Balancing security and the customer experience. I think that’s just been a mantra for us in information security in cyberspace for a while.”

    Koski said that PNC Bank has embraced FIDO as a way to help move towards passwordless over time. The importance of taking a standardized approach that benefits from the support and participation of a broad array of participants is critical as well.

    “Passwords have been around for 50 plus years and it’s time, it’s beyond time for us to move past passwords,” Koski said.

    Enterprise guidance for passkeys is on the way

    Looking forward, Megan Shamas of FIDO Alliance outlined a series of efforts that are underway to help provide more enterprise guidance for passkeys.

    “We will be publishing a group of five papers that address what we hope to be the majority of the use cases that are out there on the enterprise,” Shamas said.

    The five papers include:

    • Introduction to passkeys in the enterprise
    • How to replace password-only authentication with passkeys
    • How to displace password + SMS OTP authentication with passkeys
    • FIDO authentication for moderate assurance use
    • High Assurance Enterprise FIDO Authentication

    “If you would like to be part of the conversation around enterprise requirements, please do get in touch with us,” Shamas said. “This is the time now really to give your input on how we’re looking at passkeys from an enterprise perspective.”

    Registrants can now view the event recording online. If you missed the event and would like to view the recording, visit the event website to register for access.

    SK Telecom announces adoption of passkeys for online users in Korea https://fidoalliance.org/sk-telecom-announces-adoption-of-passkeys-for-online-users-in-korea/ Sun, 26 Mar 2023 23:03:06 +0000 https://fidodev.wpengine.com/?p=40156 By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

    SK Telecom, a leading mobile phone service provider in Korea, is taking a big step forward in terms of user authentication by adopting passkeys for their online users. 

    Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing resistant. They eliminate the need for users to remember complex passwords and the authentication process is much faster. Passkeys are based on FIDO authentication, which is proven to be resistant to threats of phishing, credential stuffing and other remote attacks. 

    SK Telecom has introduced passkeys as a means of user authentication to PASS, its identity verification service with over 18 million users. Customers using devices with iOS 16 or higher can use passkeys for PASS login, identity verification through PASS, and electronic signature. Depending on the device, user authentication is performed using Face ID or Touch ID. Android users can now use FIDO2-based authentication methods and perform authentication by utilizing screen locks (biometrics, PINs, patterns, etc.) provided by their devices. In the future, SK Telecom plans to make sign-ins with passkeys available to Android users as well. SK Telecom will introduce new user scenarios in a variety of ways to better protect customers’ assets and identity through the introduction of passkeys.

    [Passkey Registration Process on SK Telecom PASS]

    SK Telecom developed support for passkeys through cooperation with platform operators, and the FIDO authentication server for processing sign-ins with passkeys was developed with SK Telecom’s own technology. By actively introducing passkeys not only to PASS but also to various services provided by SK Telecom, the company hopes that many customers who use SK Telecom services will be able to use them more conveniently and without worrying about security.

    This deployment represents a new milestone in SK Telecom’s journey with FIDO. In 2019, during the FIDO Alliance Public Seminar in Korea, SK Telecom reported zero credential stuffing once the company adopted FIDO Authentication for internal usage. They also claimed that their FIDO-based biometric authentication reduced the average authentication time to less than 5 seconds, which previously took more than 30 seconds on average, when the internal users tried logging in with ID and passwords. It is great to see that they continue to innovate and now provide the benefits of FIDO Authentication to the general public.

    Through this milestone, many users in Korea will be safe from various threats stemming from passwords, and SK Telecom’s movement as an innovator will have a positive impact on spreading password-less authentication not only in Korea but also globally.

    To learn more about SK Telecom, please visit their corporate website. You can also download the PASS apps by visiting the App Store or Google Play.

    Yahoo! JAPAN announces support for passkeys across available platforms https://fidoalliance.org/yahoo-japan-announces-support-for-passkeys-across-available-platforms/ Tue, 14 Mar 2023 15:02:42 +0000 https://fidodev.wpengine.com/?p=39946 By Andrew Shikiar, Executive Director and CMO, FIDO Alliance 

    Yahoo! JAPAN is an industry pioneer known for being an early adopter of new technologies to improve the security and usability of its services for its customers. Today, the company is continuing that tradition with its adoption of passkeys across Apple’s iOS, iPadOS, and macOS, and Google’s Android operating systems.

    “Yahoo! JAPAN is one of the first companies to support passkeys from Apple and Google,” said Yuya Ito, ID Division, Yahoo! JAPAN. “Passkeys solve the usability issues that FIDO authentication has traditionally faced and dramatically improve users’ difficulties in using FIDO authentication. Through these initiatives, Yahoo! JAPAN and the FIDO Alliance will promote the shift away from passwords and the spread of passkeys and contribute to providing more secure and simple authentication on the Web.”

    Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.

    Passkeys stand to fundamentally shift the way that consumers sign into apps and services across the web and across the world, moving away from the burden and vulnerabilities of passwords and OTPs to a fundamentally stronger and simpler approach that allows users to sign in by taking the same action they use to unlock their device dozens of times each day – typically a biometric or local PIN code.

    According to Yahoo! JAPAN, more than 70% of its active users use either SMS or FIDO-based biometric passwordless authentication. With passkeys, Yahoo! JAPAN’s customers can access their FIDO sign-in credentials on many of their devices, even new ones, without having to re-enroll every device on every account. 

    By enabling its users to sign in with passkeys, Yahoo! JAPAN continues to serve as a leading innovator in Japan and in the FIDO Alliance, where it has played a vital role on the Alliance’s Board of Directors, the FIDO Japan Working Group and other FIDO Alliance bodies.

    Read Yahoo! JAPAN’s announcement here.

    FIDO Alliance Announces Authenticate 2023 Conference https://fidoalliance.org/fido-alliance-announces-authenticate-2023-conference/ Thu, 23 Feb 2023 12:59:33 +0000 https://fidodev.wpengine.com/?p=39803 Premier authentication conference returns for fourth year; call-for-speakers open

    CARLSBAD, CALIF, February 23, 2023  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. 

    Authenticate 2023, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just North of San Diego. Visit our website for information on submitting a speaking proposal and becoming a sponsor.

    Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

    Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

    Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities. 

    Authenticate Call For Speakers

    The Authenticate 2023 conference program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.  

    The committee is looking for vendor-neutral, educational presentations that focus on authentication strategies and best practices. Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication should also be submitted. The committee is looking for a variety of session types and formats including main stage storytelling, introductory “101’s”, detailed case studies, technical tutorials, hands-on labs, and thought provoking panels.

    Diverse, global perspectives and presentations that focus on the following topic areas are welcome: 

    • Authentication trends & insights 
    • Modern authentication case studies & implementation strategy
    • Hands-on implementation guidance and best practices 
    • Government impact on authentication

    Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

    The Authenticate Call for Speakers closes on March 31, 2023. To submit an application, please visit https://authenticatecon.com/authenticate-2023-call-for-speakers/.

    Sponsorship Opportunities at Authenticate 2023 

    Authenticate 2023 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

    Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

    Signature sponsors for the 2023 event are Google, Microsoft, and Yubico.

    About Authenticate

    Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

    Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort in Carlsbad, CA, just North of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers. 

    Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you. 

    Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.

    Authenticate Contact

    authenticate@fidoalliance.org   

    PR Contact 

    press@fidoalliance.org

    FIDO Alliance Awards Winner and Top Finalists of Developer Challenge – India https://fidoalliance.org/fido-alliance-awards-winner-and-top-finalists-of-developer-challenge-india/ Mon, 06 Feb 2023 20:08:17 +0000 https://fidodev.wpengine.com/?p=39644 By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

    The FIDO Developer Challenge 2022 – India has come to a successful close with the award ceremony held on January 20th, 2023, at the Samsung R&D Institute in Noida. The challenge aimed to educate and support local adoption of FIDO technology.

    First place was awarded to MonitorExam for their innovative FIDO-based online exam proctoring system. AyanWorks, with their FIDO-based SSI wallet, and AllSafe, a team of students with a FIDO-based SSO service, were also recognized as the other two top finalists.  For the full details of ideas presented by the top three finalists, please view the recorded sessions:

    We would like to extend our gratitude to our sponsors, including Visa, Samsung, Infineon, Ensurity, TrustKey, and Octatco, for their support in making this event a success.

    Departing Thoughts

    The Indian government agencies, including Data Security Council India (DSCI), our local liaison partner, and the Controller of Certifying Authorities (CCA), which officially endorses FIDO as the 2nd factor authentication, are dedicated to promoting robust and user-friendly cybersecurity measures. We are confident that the India-focused FIDO Developer Challenge has made a positive impact by empowering local developers to rapidly deploy FIDO-based services, which provide enhanced protection against phishing-related cyber-attacks while maintaining ease of use for all online users.

    Editor’s Note: This is the final blog posting covering the 2022 FIDO Developer Challenge – India. We invite you to read the announcement message to learn more about the background and processes.

    Recap: 2023 Identity, Authentication and the Road Ahead #IDPolicyForum https://fidoalliance.org/recap-2023-identity-authentication-and-the-road-ahead-idpolicyforum/ Mon, 30 Jan 2023 15:46:18 +0000 https://fidodev.wpengine.com/?p=39499 By: FIDO staff

    The identity landscape is set to undergo tremendous transformation in 2023 as lawmakers and regulators alike struggle to help protect individual privacy and improve access to services and the digital economy. A primary underpinning for what will enable the new identity landscape is strong authentication.

    On Jan. 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum in Washington, D.C. to discuss the challenges and opportunities of identity and authentication. 

    The full-day event included sessions loaded with data on the current state of data breaches, presentations by government leaders, panels on the state of passkeys and the path toward better identity in 2023 and beyond. A key theme that was often repeated throughout the day, by experts from government and industry alike, was the complexity of the identity landscape and the need for more collaboration and interoperable standards.

    “A lot of our ability to make progress on the set of problems starts with a bigger issue, the recognition that identity is critical infrastructure and needs to be treated as such,” Jeremy Grant, Managing Director, Technology Business Strategy at Venable LLP and Coordinator, Better Identity Coalition said during his opening remarks for the event.

    “Until we start to think about identity that way we’re going to continue to struggle to address challenges in this space.”

    Identity risk continues to grow

    In the opening keynote session, Jimmy Kirby, Acting Deputy Director of FinCEN (Financial Crimes Enforcement Network) outlined the identity related issues his agency has seen in recent years.

    Kirby said that in recent years financial services have been increasingly migrating towards a primarily online environment. It’s a trend that creates new opportunities for abuse. As a result, FinCEN has been thinking about how it can leverage all of the data that financial institutions send to it to help stem the tide of abuse. He noted that identity-related suspicious activity reports (SARs) submitted to FinCEN grew more than 15% from 2021 to 2022.

    According to Kirby, reports of threats at each stage of the customer identification process continue to grow from the proofing and enrollment stage to the authentication stage, including the use of compromised credentials, impersonation and artificial intelligence to conduct illicit finance.

    While there are challenges, there are also opportunities.

    “We see opportunities for digital identity to address customer identification breakdowns in customer onboarding, account logins, transaction monitoring, as well as in investigations,” Kirby said. “There are a number of features of a digital identity framework that, taken together, have the potential to address threats and spur innovation across all types of financial services.”

    FinCEN isn’t the only organization seeing a spike in cybercrime. James Lee, COO of the ITRC (Identity Theft Resource Center), presented data from his organization’s annual data breach report. Among the top-line highlights of the report is that there were 1,802 data breaches during the year, impacting over 422 million victims.

    Lee commented that a prevailing trend was an increase in supply chain attacks as a preferred attack vector over just malware. He also emphatically complained about the lack of information present in many data breach disclosures. Lee said that 66% of data breaches did not include information about the root cause of the attack which led to the breach or any victim details.

    In a panel session titled “Data Breach Notices Suck,” John Breyault, Vice President, Public Policy, Telecommunications and Fraud at National Consumers League (NCL), lamented the current state of password usage, which inevitably is a root cause for many data breaches.

    “I have been doing consumer education work for 15 years now at NCL, and not a day goes by it seems that I don’t tell consumers to not use the same password across multiple accounts,” Breyault said.

    Towards the U.S. Government plan on secure digital identity

    In a lunchtime keynote, Congressman Bill Foster (IL-11) outlined his view on Congressional efforts to introduce a secure digital identity policy for the U.S.


    Foster emphasized time and again during his keynote that secure digital identity needs to be a bipartisan effort in the U.S. Congress as it’s an issue that impacts all Americans. While he noted that there might be some concerns about the U.S. government having a database of user identities that it issues, he argued that to most people, the real life threat to their privacy comes more from having someone impersonate them online.

    The lack of secure digital identity may have also been a factor in the massive volume of fraud experienced by the U.S. government over COVID benefits. Conversely, the fact there wasn’t a secure digital identity scheme in place may have made it more difficult than necessary for some to be able to get benefits. Overall, Foster said that he’s hopeful Congress can put something together.

    “It can serve as a gentle reminder that the government does some good in your life,” Foster said. “One of the things that we could do a much better job with is preventing identity fraud, because that’s a real life pain for tens of millions of Americans every year.”

    Bias and diversity is a requirement of digital identity

    In multiple sessions over the course of the event, the topic of fairness, bias and diversity in relation to digital identity was discussed.

    Jordan Burris, VP and Head of Public Sector Strategy at Socure, commented that, in his view, bias often comes down to the reality that an identity approach is taken that solves for the majority of the population, and as such, the minority or those who operate on the fringes are left out of the ecosystem.

    Andrew Stettner, Deputy Director for Policy at the Office of Unemployment Insurance Modernization at the U.S. Department of Labor, argued that his agency and the entire administration are taking equity in identity very seriously.

    “We’re looking at equity in a much more conscious way, for us is a very key element of identification going forward,” Stettner said.

    Why FIDO is critical for better identity

    A critical element of secure identity is having strong authentication.

    In a keynote session, Andrew Shikiar, Executive Director and CMO of FIDO Alliance, outlined the ways that FIDO is playing a role in helping to improve the state of identity today across multiple efforts. He also predicted that FIDO will become increasingly relevant in the year ahead.

    “The average person on the street will start to understand what identity verification means, and actually start to understand what digital identity means,” Shikiar said. “That’s a net benefit because the more people understand what their identity means, and the importance of it, the more steps they’ll take to actually protect it.”

    Among the FIDO efforts to help improve identity outlined by Shikiar are:

    • Biometric performance criteria. This is a biometric certification program, where FIDO helps to assess the performance of different biometric components that are critical to identity verification.
    • Remote Identity Verification. This includes the Document Authenticity (DocAuth) Certification for mobile document verification, with ongoing work into face verification for liveness and selfie-match.

    Shikiar also talked at length about passkeys, which bring added usability to FIDO-based strong authentication.

    “FIDO Alliance’s mission is to reduce the industry reliance on passwords,” Shikiar said. “Simply put, passkeys stand to take passwords out of play for the vast majority of consumer use cases.”

    The passkey future for authentication

    In a panel session on passkeys, panelists discussed the benefits and opportunities that passkeys will bring.

    FIDO Alliance 4cjnJfL7Hlteo8JfJixqmR6IrxdzBLvrcVKRKMz70Ks19dSOikZTiF0ajVAYa IB8iecYYeyEzreTREcF4Ys6Pt9l3jT5g6RYbpW71f05qd55SARFTLzuMQedBuViTGUH

    Tim Cappalli, Identity Standards Architect at Microsoft detailed what passkeys enable, including the ability to take a FIDO credential and use it in a similar way to how password managers work today. Passkeys can also be synchronized with a cloud provider and are interoperable across platform vendors enabling better usability overall.

    Panelists emphasized that the promise of passkeys is to more easily enable users to benefit from strong authentication. Christiaan Brand, Product Manager, Identity and Security at Google explained that Google has been supporting FIDO for years, including supporting security key based approaches. In his view, passkeys represent the usability necessary to actually make strong authentication with un-phishable credentials a reality for Google’s users.

    Usability was also a theme that Paul Grassi, Principal Product Manager – Identity Services at Amazon, emphasized, since in his view, past efforts to get strong authentication adoption haven’t been entirely successful.

    “It breaks my heart to say it but consumers are not adopting security keys, they’re not adopting Google Authenticator they’re not adopting two-factor,” Grassi said. “We’re excited to see passkeys as that replacement, and to see the adoption numbers skyrocket, reducing friction while increasing security, which is, I think, the goal of any security practitioner.”

    The recording of the full event is available here.

    ]]>
    Momentum for FIDO in Japan Grows as Major Companies Commit to Passwordless Sign-ins with Passkeys https://fidoalliance.org/momentum-for-fido-in-japan-grows-as-major-companies-commit-to-passwordless-sign-ins-with-passkeys/ Fri, 09 Dec 2022 03:28:06 +0000 https://fidodev.wpengine.com/?p=38875 Yahoo! JAPAN, KDDI and NTT DOCOMO have adopted or committed to passkeys

    TOKYO, December 9, 2022 – Global, industry-wide commitment is bringing the passwordless future closer to reality, FIDO Alliance members shared today at the first in-person FIDO seminar in Japan since December 2019. During the seminar, leading organizations shared major updates that will further the Alliance’s mission to replace passwords with simpler and stronger authentication. 

    A significant milestone came last May when Apple, Google and Microsoft announced plans to expand support for FIDO with passkeys, a phishing-resistant replacement for passwords that provides faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Passkeys can be leveraged across devices and platforms to offer an end-to-end passwordless sign-in option, or bound to a particular device such as a FIDO security key for high-assurance use cases. Passkeys are supported today in iOS 16, macOS Ventura, Android and ChromeOS, with Windows coming soon.

    Notably, global service providers such as PayPal have expanded their FIDO support and are offering passkey sign-ins, while early FIDO adopters in Japan have announced passkey commitments or adoption as their next steps towards passwordless:

    • Yahoo! JAPAN has been working on passwordless initiatives with FIDO since 2015, and more than 38 million active users in 2022 are signing in without passwords. Yahoo! JAPAN now supports passkeys on iOS, iPadOS and macOS.
    • KDDI first launched FIDO in 2020 for its au ID platform with more than 30 million customers. Now au ID is accessible with passkeys on iOS and FIDO2 on Android.
    • NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015 and is the first mobile operator to deploy FIDO authentication at scale. DOCOMO has announced its intention to support passkeys for its more than 50 million d ACCOUNT users beginning in early 2023.

    “From the very beginning of the FIDO Alliance, Japan has been a global hub of innovation, support and deployments of FIDO authentication. It is not a surprise that several leading organizations in the region will be some of the first globally to offer their customers FIDO sign-ins with passkeys,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This is illustrative of our global membership’s commitment to the passwordless future, and their collaboration to maximize the reach, usability and security of FIDO authentication.” 

    Within the FIDO Alliance’s 250+ members, 58 actively take part in the FIDO Japan Working Group, now beginning its 7th year working together to spread awareness and adoption of FIDO in the region. 

    About the FIDO Alliance 

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    ]]>
    Authenticate Summit Recap: The FIDO Fit in IoT https://fidoalliance.org/authenticate-summit-recap-the-fido-fit-in-iot/ Thu, 08 Dec 2022 19:57:32 +0000 https://fidodev.wpengine.com/?p=38865 By: FIDO Staff

    The Internet of Things (IoT) is an increasingly critical and difficult area of IT to secure.

    At the Authenticate Virtual Summit: The FIDO Fit in IoT held on Dec. 7, a series of experts outlined FIDO Alliance efforts to help device manufacturers and developers better secure IoT. A key theme of the event was understanding how the FIDO Device Onboarding (FDO) specifications can help improve IoT security.

    David Turner, director of standards development at FIDO Alliance, kicked off the event by noting that passwords remain a large problem across the IT industry. The challenge of passwords is compounded with IoT devices, which scale into the millions and potentially billions of devices. Challenges with passwords for IoT include password re-use, which can be a huge problem with IoT. If a system ships with a default password, it can be trivially easy for attackers to exploit.

    “Hackers don’t break into IoT, they log into it,” Turner said.

    One way to help secure IoT is with the FIDO Alliance’s FDO standard. Turner explained that FDO is an open standard that allows organizations to quickly and securely onboard IoT devices.

    Small things, big impact: The path to FDO

    Rolf Lindemann, director of product at Nok Nok and one of the leaders of the FIDO Alliance IoT Technical Working Group, explained that FIDO authentication standards are applicable to users as well as device authentication.

    Lindemann said that there is a clear need to have a strong foundation to help secure IoT. The first step is to have hardened hardware elements at the CPU level, including things like TPMs, TrustZone and SGX, which are provided by the silicon vendors. The next critical step is to add device-level attestation to help with supply chain integrity, which also helps to reduce the complexity of device onboarding. The third step is to have strong authentication that ensures only legitimate entities get access.

    “To make the IoT ecosystem more secure, you need strong authentication that’s the front door providing phishing resistance and being still practical for daily large scale use,” Lindemann said.

    How FDO tackles the onboarding challenge

    The challenge of onboarding is where the FDO specifications come into play.

    Richard Kerslake, general manager of industrial controls and robotics, IoT business unit at Intel, explained that onboarding is the process by which a device can establish a trusted connection with a service or platform.

    “We have an IoT device, it’s going to connect to a platform or service and we just need to be sure that everyone in that equation is who they say they are,” Kerslake explained. “Is the device talking to the platform that it thinks it is talking to, and is the platform talking to the device that it thinks it is talking to. So we really need to make sure that both sides of that equation are true.”

    Onboarding today is often a very manual process. The promise of FDO is an automated approach that benefits from strong authentication. Kerslake explained that in December 2019 the decision was made to base the FDO specification on Intel’s Secure Device Onboard technology. The FDO 1.0 specification was released in March 2021 and updated to version 1.1 in April 2022.

    Going a step beyond the specifications, FIDO has worked with the Linux Foundation’s LF Edge project, which has an open source implementation of FDO.

    Going for a deep dive with FDO

    There is a fair amount of nuance and details that go into the FDO specification.

    In a deep dive session, Geoffrey Cooper, principal engineer, IoTG at Intel, explained the workflow, technical specification and procedures that enable FDO implementations.

    Cooper explained that, for example, if a device is drop-shipped to a location and gets powered up and connected to the network, the goal with FDO is to enable that device to figure out who it’s supposed to connect to with proper authentication, set everything up, and then go right into service.

    “The idea is we’re taking something that was a very heavy touch kind of operation that we’re turning it into a zero touch operation,” Cooper said.

    Enabling that zero-touch approach with FDO involves a series of protocols that are part of the specification. The protocols include device initialization and onboarding components. There is also a concept known as the FDO Service Info Module (FSIM) that provides an extension mechanism to help support devices.

    In a robust Q&A session during the Authenticate virtual event, attendees asked a wide variety of questions.

    Among the questions was one about what’s needed to help spur adoption for FDO.  Kerslake said there are companies today in different industry verticals including the energy sector, where operators are saying they will not proceed with bringing in new devices without an automated secure onboarding solution.

    There are also a growing number of industry solutions that support FDO. Megan Shamas, senior director of marketing at the FIDO Alliance, said that by developing FDO in an industry standards body there are lots of opportunities for collaboration and promotion as well.

    “We are in the midst of creating an implementer showcase, which should be live on the website soon,” Shamas said.

    The path toward FDO certification

    Looking beyond just the FDO specification there is also a need for certification, which is something the FIDO Alliance is now working on.

    Paul Heim, director of certification at FIDO Alliance, said that product certification ensures standardization and interoperability of products within an industry. He added that one of the most important factors about certification is that it helps to ensure consumer, enterprise, and industrial protection. The lifecycle for FDO certification includes both functional and security certification.

    “The FIDO device onboard certification program is intended to certify IoT devices and onboarding services certification that will be available for both FIDO members, and non-members,” Heim said.

    The certification effort is still in development with a program launch set for the first quarter of 2023.

    ]]>
    FIDO Alliance Provides Guidance on Making FIDO Deployments Accessible to People with Disabilities https://fidoalliance.org/fido-alliance-provides-guidance-on-making-fido-deployments-accessible-to-people-with-disabilities/ Thu, 08 Dec 2022 14:48:54 +0000 https://fidodev.wpengine.com/?p=38819 By Christina Hulka, executive director and COO of the FIDO Alliance

    FIDO Authentication has reached broad support across the web – all major operating systems, browsers and billions of devices support FIDO Authentication today. Having reached such a milestone and the resulting FIDO roll outs from a broad array of service providers, the FIDO Alliance is increasingly focused on ways to make FIDO Authentication more usable and accessible for all. 

    In achieving FIDO Alliance’s mission of more secure and password-free authentication, we must ensure that we meet the needs and preferences of people with disabilities. Today, we are pleased to announce the publication of “Guidance for Making FIDO Deployments Accessible to Users with Disabilities,” to provide guidance on planning FIDO deployments that are accessible to users with a wide range of disabilities. It also aims to help hardware manufacturers identify opportunities to deliver more accessible external authenticators.

    An estimated 15% of the world’s population lives with some sort of disability today, and in many countries, laws prohibit discrimination to help ensure that these people can fully and equally participate in every aspect of society. Authentication is an important component of the ability to participate, as it provides digital access to many aspects of society including (but not limited to) education, employment, and entertainment. While legacy forms of multi-factor authentication (MFA) like SMS or email codes are technically “accessible,” they often require advanced skill, knowledge and/or assistive technology to enter the codes. FIDO, with its stronger and simpler authentication model, is well positioned to provide accessible authentication, as it supports a wide range of options that accommodate vastly diverse needs. The paper released today details why, and considerations for, deploying FIDO with the needs of people with disabilities in mind. We strongly encourage service providers to reference these guidelines in planning their FIDO deployments.

    Much work and collaboration went into this paper. We would like to thank Yao Ming of Meta for his extensive work as lead author on this paper. We’d also like to thank Joyce Oshita of VMware for her contributions, including providing her own experiences leveraging various authentication methods, including FIDO, as a person who has lost her eyesight. 

    In addition to the white paper, Yao and Joyce will be joining us on December 15, 2022 at 2pm ET for a webinar to discuss their perspectives on this topic.

    The paper is available here; feedback is always appreciated – please drop a line at info@fidoalliance.org.  

    ]]>
    Raconteur 2022 Report: Authentication & Digital Identity https://fidoalliance.org/raconteur-authentication-digital-identity/ Wed, 30 Nov 2022 15:41:11 +0000 https://fidodev.wpengine.com/?p=38720 Insight: Sharing cybersecurity successes and failures leads to improvement – Andrew Shikiar, executive director and CMO at the FIDO Alliance, explains why a culture of secrecy surrounding cybersecurity is holding back progress

    If your organisation were hit by a cyber attack, would you tell anyone?

    Historically, the answer would be an unequivocal no. Many believe that sharing that you were a target exposes your company’s (or your personal) vulnerabilities, making you more susceptible to further attack or ridicule. But this ‘security by obscurity’ mindset is not only outdated, it hinders the industry’s ability to harden our collective defences, most notably by eliminating our dependence on passwords and other knowledge-based credentials. 

    While this year saw a 5%-7% drop globally in the use of passwords for entry, it is still by far the most popular online authentication method, which is a big problem. Passwords are not only highly insecure, but they also cause major consumer headaches and are costing businesses; 59% of consumers gave up on accessing an online service and 43% abandoned a purchase when asked for a password in the past month. More than 82% of data breaches are caused by weak or stolen login credentials. 

    The benefits of multi-factor authentication (MFA) are widely reported but many firms have been sheepish about sharing their adoption figures. 

    This may be because the figures weren’t great. Twitter revealed its two-factor-authentication adoption figures last summer, revealing that just 2.3% of accounts had it enabled. Of those, 80% relied on SMS-based backup, the least secure mode. Communicating this doesn’t make Twitter any less secure. Instead, it sets a powerful benchmark for improvement, and gives the industry a reality check that considerable work remains to get more customers using MFA. 

    Other organisations to be applauded are Cloudflare and Twilio. The two cloud computing giants recently reported that they were targeted by a near-exact phishing attack. Employees were targeted with a text message from a supposed IT department, directing them to a fake website requesting a password change. Neither Twilio nor Cloudflare’s monitoring systems detected the attack, and, as you’d expect, some employees were caught off-guard and shared credentials. 

    While Twilio fell victim to the attack (along with dozens of other companies), Cloudflare’s employees were protected because they use Fast ID Online (FIDO) security keys which are tied to users. Origin binding also prevented any credentials from being shared. Since the incident, Twilio has followed Cloudflare’s lead, as it shared in its updated incident report. This is a great example of how sharing successes and failures alike leads to improvement on the whole.

    At the FIDO Alliance, we’re working with the world’s leading tech companies and consumer service providers to solve this challenge. Together, we’ve created technology that’s increasingly cited as a ‘gold standard’ by governments, including the US’s cybersecurity body, CISA, and the UK’s National Cyber Security Centre. 

    To best defend against cyber attacks, organisations should take inspiration from the Twilio and Cloudflare story and build in security protocols that are phishing-resistant. These protocols are often implemented with USB keys or built-in biometric authentication on devices, and can be added as a critical layer of security to both an organisation’s own network and information, and for customers accessing its services. 

    Of course, the work we do at the FIDO Alliance, creating and implementing new technology, is an important part of moving the world away from passwords and other weak forms of legacy authentication – but it isn’t the most critical piece. Industry-wide commitment to creating intuitive and common user journeys, underpinned by architectural best practices, will enable the kind of cultural shift and mass adoption of this technology that will be required if we want to remove passwords from our daily lives. 

    Collaboration and transparency are key ingredients that raise the bar for all involved – including for hackers, who need to have a far harder time executing remote attacks.

    ]]>
    FIDO Alliance Announces Authenticate Virtual Summit focused on Securing IoT https://fidoalliance.org/fido-alliance-announces-authenticate-virtual-summit-focused-on-securing-iot/ Tue, 22 Nov 2022 14:24:35 +0000 https://fidodev.wpengine.com/?p=38669 Industry experts to share insights into how FIDO and related technologies can bring passwordless authentication to IoT

    Mountain View, Calif., November 22, 2022 – The FIDO Alliance today announces its latest Authenticate Virtual Summit: Securely Onboarding All the Things: The FIDO Fit in IoT, sponsored by Daon and Nok Nok. Responding to rising industry demand for more insight into the role of FIDO and passwordless technology in IoT, the free event will offer attendees expert perspectives and education from leading industry organizations and solution providers on strengthening authentication in IoT. The program will take place virtually on December 7 2022, from 8:00am – 12:00pm PT, and will be made available to registrants on-demand following the event. 

    Lack of IoT security standards and outdated processes, such as shipping with default password credentials and manual onboarding, leave devices and the networks they operate on open to large-scale attacks. As the IoT market continues to grow, projected to surpass the $1 trillion mark in 2022, the FIDO Alliance formed the IoT Technical Working Group to address these challenges – aiming to provide a comprehensive authentication framework for IoT devices relying on passwordless authentication. 

    Launched in 2021, the FIDO Device Onboard (FDO) specification is the working group’s first output: an open IoT standard which enables devices to simply and securely onboard to cloud and on-premise management platforms. The upcoming virtual summit will delve into this specification and FIDO’s role in IoT with speakers from Intel, Qualcomm, FIDO Alliance and more:

    • Introduction: The FIDO Fit in IoT
    • Introduction to FIDO Device Onboard
    • FIDO Device Onboard: Technical Deep Dive
    • FDO Demo
    • FDO Case Study
    • FDO Certification 101

    Register for the event here

    Sponsorship Opportunities 

    The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities. Visit the Authenticate sponsorship page for more information or contact authenticate@fidoalliance.org.

    PR Contact
    press@fidoalliance.org

    ]]>
    Authenticate 2022: Day 3 Recap https://fidoalliance.org/authenticate-2022-day-3-recap/ Fri, 21 Oct 2022 00:44:13 +0000 https://fidodev.wpengine.com/?p=38228 By: FIDO Staff

    The final day of the Authenticate 2022 conference was packed with user stories, thought leadership and panel discussions about the challenges and opportunities for FIDO strong authentication today and in the years to come.

    The first user story of the day was from global science and technology company EMD Group / Merck KGaA which is now using FIDO to help improve its own authentication system. Dennis Kniep, domain architecture for Identity and access management at the company explained that his team’s mission is to help secure the company where he sees FIDO as playing a major role.

    A challenge that EMD Group / Merck KGaA faced with its implementation of FIDO is that there were a number of legacy applications and services that did not support modern web standards.

    “We developed the detach authentication mechanism,” Kniep explained. “With that mechanism the users are able to authenticate with FIDO in a phishing resistant way, even if the user needs access to apps with legacy backends, meaning we can enforce FIDO.”

    Equity and inclusion matter

    A recurring theme through the Authenticate 2022 conference is the need for equity and inclusion.

    One panel on the topic looked specifically at the issue of inclusiveness in authentication and identity systems. Jamie Danker, senior director of cybersecurity services at Venable LLP, commented that when solving a problem, the makeup of the people trying to solve it will have an impact on the solution.

    Danker noted that a recent equity and inclusion study completed by the U.S. government’s General Services Administration (GSA) provides some real empirical data on how remote identity proofing solutions will actually operate.

    Danker also mentioned the NIST digital identity guidelines, which are currently being updated to revision 4. She noted that NIST has been very clear that equity considerations are going to be part of that.

    Security is more than just the web interface

    FIDO strong authentication helps to provide authentication into many different types of systems, but it’s not a ubiquitous option for all types of access.

    “Everybody’s talking about web and mobile, and nobody’s talking about the contact center,” John Poirier, Lead Director – EIS at CVS Health said.

    Poirier explained that when a password doesn’t work, or a user can’t get access, they will call into a contact center for help. He emphasized that there is a need to make sure there are security policies, procedures and technology in place at contact centers that secure access without introducing too much friction.

    The idea of extending strong authentication to all types of devices was also discussed by Chad Spensky, CEO of Allthenticate and his co-founder and COO, Rita Mounir.

    “The FIDO protocol right now only talks to websites and computers,” Spensky said.

    Spensky wants to help bring strong authentication to all types of devices and access ranging from cars, to office doors and everything in between.

    Navigating the authentication landscape

    In a thematic presentation, Pamela Dingle, director of identity standards at Microsoft, spoke like a pirate and warned about passengers falling off the boat. 

    The analogy of the boat is that of helping passengers safely get to their destination, which isn’t always an easy task. Dingle said that Microsoft blocks more than 1000 password attacks every second, and outlined the multiple reasons why passwords are a weak link. She emphasized that users should wear a life jacket, which in the real world translates into using multi-factor authentication (MFA).

    While there are risks with MFA, Dingle said it’s the right first step for many, until they are able to move to phishing resistant strong authentication with FIDO.

    “Out of 10,000 compromised accounts, only one will be an MFA credential attack,” she said. “It’s really important to understand the difference in risk between being vulnerable to a password attack, and being vulnerable to an MFA bypass attack.”

    That said, she noted that what makes phishing resistant credentials so great, is that they are not susceptible to exactly the same predictable behaviors that make MFA vulnerable. Dingle also noted that she’s very optimistic about the potential for passkeys.

    “If we get it right, passkeys become the seat cushion that becomes a flotation device for our passengers,” she said.

    Earning Trust in Identity at Scale

    With one of the largest ecommerce and cloud platforms in existence, Amazon has a real need for strong authentication, and it is increasingly relying on FIDO for those needs.

    Sarah Cecchetti, head of product for Amazon Cognito explained that identity is handled by the platform team within Amazon Web Services. She noted that identity needs to have a consistent security and usability bar for every service at AWS. To that end, AWS has built out a modular, but centralized approach that uses FIDO.

    Arynn Crow, Senior Manager, User Authentication Product at AWS, said that her company has invested really heavily into FIDO2.

    “We continue to invest because fundamentally we believe that FIDO supports greater flexibility,” Crow said. “We have fewer trade-offs between our user’s experience and their security.”

    Usability is the key to strong authentication adoption

    In a panel session on usability, a key theme that emerged is the foundational need for good usability in order for FIDO adoption to grow.

    Judy Clare, vice president, product manager, digital authentication at JP Morgan Chase commented that it’s critical to put strong authentication messages and workflow in the right tone. 

    “The right wording and to make it clear, simple and understandable for the average user is very important so that you’re not ostracizing anybody by using all technical jargon,” Clare said.

    The need for clear language was echoed by Sierre Wolfkostin, senior product designer at Duo Security. Wolfkostin said that it’s hard to adopt what you can’t understand. 

    “Getting to simple human language is really important,” Wolfkostin said.

    Usability is also about making sure there is a vibrant ecosystem of vendors and technologies that can help businesses small and large to actually implement FIDO strong authentication in the first place. 

    In the closing panel of the event, Christiaan Brand, product manager at Google commented that while well staffed organizations might be able to implement strong authentication and passkey options on their own, many other organizations will need help. It’s a situation much like any other enterprise technology where organizations make use of consultants and service providers to implement complex technology.

    Bob Lord, senior technical advisor at CISA, argued that the best thing to do is to just start with FIDO. He emphasized that organizations should focus on what they can do, not what they can’t.

    “I think there’s a lot of hesitation at starting,” Lord said. “I think a lot of misconceptions out there would go away if they were to just start the journey, they would find their misconceptions are wrong.”

    Next year in San Diego

    In the closing session, Andrew Shikiar, executive director of the FIDO Alliance highlighted the key themes of the event.

    Those themes are that deployments are real and organizations can and should start today. Usability was another strong recurring theme, as a key to helping ensure adoption. The concept of security by community also resonated at the conference, with users sharing lessons learned with each other.

    In the final analysis, Authenticate 2022 was a stellar success with 90 sessions, spread across three tracks and three days of content.

    For next year’s event, Authenticate 2023 will be moving to San Diego.

    ]]>
    Authenticate 2022: Day 2 Recap https://fidoalliance.org/authenticate-2022-day-2-recap/ Wed, 19 Oct 2022 17:14:52 +0000 https://fidodev.wpengine.com/?p=38210

    By: FIDO Staff

    The second day of the Authenticate 2022 conference had a mix of topics and speakers that spanned multiple facets of the authentication world including payment security, biometrics, national identity and design systems.

    The day got started with a keynote from Doug Fisher, senior director at Visa, who discussed the current state of the global payments system and the challenges it faces. Fisher noted that while ecommerce fraud remains a pervasive risk, strong online authentication helps reduce that fraud.

    A challenge for stronger forms of authentication for ecommerce is often that it introduces more friction into the consumer buying process, which can lead to shopping cart abandonment. To help solve that issue, Fisher explained that the FIDO Alliance, EMVCo and the W3C have been working together to help improve interoperability in a bid to reduce payment authentication friction. The joint effort has led to the Secure Payment Confirmation (SPC) standard that is currently in development.

    “SPC is a web standard currently in development that is built on WebAuthn to support streamlined authentication during a payment transaction,” Fisher said. “SPC and FIDO go together like peanut butter and jelly.”

    The perils of MFA

    The primary message of a session led by Roger Grimes, data-driven defense evangelist at KnowBe4, was that not all multi-factor authentication (MFA) technologies are equal.

    Grimes outlined a litany of MFA bypass techniques that could potentially enable attackers to exploit vulnerable users. He emphasized, however, that FIDO-based strong authentication is unlike MFA in that it can help to eliminate many of the man-in-the-middle attacks that enable bypassing techniques.

    “MFA attacks have been around for decades but it certainly is going mainstream this year,” Grimes said.

    The risks of non-FIDO MFA are top of mind for Heikki Palm Henriksen, CTO of BankID.

    Henriksen’s organization provides a digital identification that is widely used in Norway. BankID started to look at FIDO in 2020 and discovered the insightful white papers produced by the alliance, which helped Henriksen and his team to choose FIDO and begin implementation.

    “We realized that FIDO2 was the best solution to modernize BankID to reach our goals,” Henriksen said.

    Biometric considerations for FIDO

    Strong authentication can make use of biometrics, such as a fingerprint reader or facial recognition system, as an authenticator.

    Biometric systems, however, are not universally without fault or bias, an issue that was discussed by Stephanie Schuckers, director, Center for Identification Technology Research (CITeR) at Clarkson University.

    “When we talk about bias related to biometrics, what we’re really talking about is variability in performance due to demographics or demographic differentials,” she said.

    Schuckers emphasized that bias relates to the specific technology implementation being used, not the whole field of biometric recognition. Through testing and certification, it is possible to better understand and reduce the risk of potential bias.

    Greg Cannon, principal AI/ML standards at Amazon, joined Schuckers for a panel session, emphasizing that the goal is to help eliminate passwords and that biometrics is a great technology for doing that.

    To help illustrate the point that biometric spoofing is a concern that testing can help to solve, Schuckers brought some props on stage, including a mask of her own face, which apparently did not fool the facial detection system on her phone.

    Consumer authentication habits

    Understanding how users view authentication is an important aspect of understanding what needs to be done to help improve adoption.

    The FIDO Alliance conducts an annual survey that looks at consumer habits for trends and adoption of authentication technologies. Megan Shamas, senior director of marketing at FIDO Alliance, said that the 2022 survey shows users are in some respects entering their passwords less than in prior years, though the data is far from being definitive.

    The perception of biometrics as a potential way to help eliminate the use of passwords is also reassuring.

    “We have actually been very pleased with consumer sentiment towards biometrics,” Shamas said. “In fact, a lot of consumers that we surveyed find it to be the most secure way to log in.”

    Helping to reduce remote authentication fraud

    Marianne Crowe, vice president, secure payments innovation and research at Federal Reserve Bank of Boston, used her time on stage to ask for more cooperation across the authentication ecosystem to help secure against fraud.

    Crowe noted that there is consumer fatigue with passwords and that many users will just reuse the same passwords on multiple sites, which is an unsafe practice. MFA is helpful, but she noted that it is often inconsistent today in how it is presented to consumers.

    “We’ve got to try to increase implementation and adoption of MFA even in industries and businesses that aren’t required to do it,” Crowe said.

    Design system comes to FIDO

    One of the ways consistency can come to authentication, and specifically to FIDO-based strong authentication, is with the use of a design system.

    Organizations can now benefit from the FIDO design system at fidoalliance.org/design-system that provides principles, patterns and reusable components.

    “Our intention for putting all this together is to make FIDO deployments simpler and faster for product designers, for project managers, product managers and engineers,” Kevin Goldman, chief experience officer at Trusona, said. “Our intention is to fill the gaps that they might have around authentication in their own design systems.”

    The final day of Authenticate 2022 is looking to be another day loaded with useful content, thoughtful discussion, more user stories and best practices to help organizations move to the passwordless future.

    Want to attend the final day of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

    ]]>
    FIDO Alliance study reveals global password usage is down – yet its continued dominance is proving costly https://fidoalliance.org/barometer-2022/ Tue, 18 Oct 2022 15:28:03 +0000 https://fidodev.wpengine.com/?p=38165

    FIDO Alliance’s second annual Online Authentication Barometer reveals the habits, trends and adoption of authentication technologies

    Summary of key findings:

    • Entering passwords has dropped globally – by 5% – 9% across all use-cases tracked, as people adopt more convenient ways of logging in.
    • Yet passwords are still the most-used authentication method and they are proving costly to service providers – 59% of people gave up on accessing online services and 43% abandoned purchases in a given month.
    • The use of SMS OTPs has increased globally by 1% – 4% as it is increasingly offered by service providers as a multi-factor authentication method.
    • Businesses need a way to offer people the convenience they want without sacrificing security – passkeys are one new approach and are on the radars of 48% of 18-34 year-olds.
    • The metaverse has gained traction yet phishable authentication dominates despite security concerns – 61% of metaverse users are concerned over their security and privacy yet 38% use a password.

    SEATTLE, WA, October 18, 2022 — The FIDO Alliance today published its second annual Online Authentication Barometer, which gathers insights into the state of online authentication in 10 countries across the globe. New to the Barometer this year, the FIDO Alliance has begun tracking authentication in the metaverse, and plans to incorporate utilization of technologies like passkeys in future editions of the report.

    Key findings

    The 2022 Online Authentication Barometer has identified that entering passwords online has dropped by 5% – 9% across all five major use-cases that it tracks – including accessing financial services, work computers and accounts, social media, streaming services, and smart home devices – compared to last year.

    Despite this, passwords remain the dominant form of online authentication and cause major issues for people and businesses. For example, 70% of people had to recover a password at least once in a given month. Service providers and retailers also were impacted, with 59% of people giving up on accessing online services in a given month and 43% abandoning purchases because they couldn’t remember their password.

    Data from the Barometer also suggests these issues with remembering and entering passwords are leading more people to stay logged into accounts, rising by 5% – 11% across all use-cases, as people opt for greater convenience. Other notable trends include multi-factor authentication through SMS One-Time Passcodes (OTPs) rising between 1% – 4% across all use-cases, as this legacy form of second-factor authentication is increasingly offered by service providers to rapidly improve consumer security and to meet regulatory requirements.

    “This year’s Barometer data reveals that people see entering passwords as a pain and avoid it when they can,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Service providers realize the inconvenience and security issues with passwords and are offering more ways to authenticate such as cookies to stay logged in and/or legacy MFA like SMS OTPs.” 

    Shikiar added: “However, these attempts at convenience and security are still based on outdated and phishable authentication technologies that everyone needs to move away from if we are ever going to stop the constant onslaught of data breaches. Organizations should all have implementation of modern, phishing-resistant authentication on their roadmaps, whether it is via on-device biometrics, FIDO security keys or passkeys.” 

    Tracking emerging technologies

    The FIDO Alliance’s Online Authentication Barometer is designed to track habits, trends and adoption across key use-cases, including new technologies and use-cases as they are adopted. This year, it began tracking the metaverse as one of its key online use-cases. The Barometer also sampled early insights into passkeys, which are FIDO credentials designed to replace passwords that provide faster, easier, and more secure sign-ins to websites and apps.

    Almost a third of people (31%) have logged into the metaverse recently, with 61% concerned over their security and privacy. Despite this, phishable authentication methods dominate with 38% of people logging in with passwords, 24% using password plus OTPs, and 21% remaining logged in. Other, more secure, possession-based methods like biometrics (26%) and physical security keys (16%) are also prevalent.

    Passkeys, which provide secure and convenient passwordless sign-ins to online services, appear to have a high level of awareness, despite only being announced this year. The data shows that 39% of people are familiar with the concept of passkeys – and this is especially high among 18-34 year-olds at 48%. FIDO’s Online Authentication Barometer will track the adoption of passkeys in next year’s report and determine how far this early awareness translates into usage.

    Ends

    Notes to editors:

    • Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,044 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China.

    About the FIDO Alliance 

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    PR Contact 

    press@fidoalliance.org 

    ]]>
    FIDO Alliance Announces Document Authenticity Certification Program for Remote Verification https://fidoalliance.org/fido-alliance-announces-document-authenticity-certification-program-for-remote-verification/ Thu, 13 Oct 2022 11:58:07 +0000 https://fidodev.wpengine.com/?p=38035 Mountain View, Calif., October 13, 2022 – The FIDO Alliance today announced the latest addition to its range of certification programs to address the rising need for stronger, simpler online identity verification: the Document Authenticity (DocAuth) Certification Program. The program allows vendors to certify that their mobile document verification solutions accurately determine if a government-issued identity document is authentic, matches the presented user, and complies with the performance criteria set forth in FIDO Alliance’s Document Authenticity (DocAuth) Requirements. Multiple vendors have started the certification process and the first FIDO DocAuth Certified products are anticipated to be available in early 2023.

    As high-value services increasingly move online – from banking applications to government services – demand is rising for more robust verification solutions to validate user identities remotely by leveraging trusted government-issued ID documents. Accurate remote identity verification is also critical at the point of account creation, prior to FIDO authentication, and during the account recovery process. 

    The DocAuth Certification Program provides a standard testing process for organizations to prove their products can validate different government-issued ID document types across multiple geographies, and that they are fit for commercial use. For service providers, the program provides a benchmark when evaluating multiple vendors to ensure they meet global performance standards and can assist in stopping bad actors from creating accounts using fake or stolen documentation. 

    “FIDO Alliance was pleased to collaborate with our FIDO Accredited laboratory partners on this important program, as accurately verifying a user’s identity during initial account creation is a critical step in the overall integrity of the account – and also strengthens the security of subsequent FIDO-based sign-ins,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The launch of FIDO’s Document Authenticity Certification Program gives service providers a FIDO Certified mark to ensure the mobile document verification solutions they choose have met globally-recognized standards and can assist them in providing greater security across the entire account lifecycle. We look forward to seeing the first FIDO DocAuth Certified products early next year.” 

    Program Details 

    The DocAuth Certification Program provides certification performance criteria for vendors, and sets test procedures that FIDO Accredited Laboratories use for evaluating mobile document verification solution capabilities. A full list of FIDO Accredited Document Authenticity Laboratories can be found here.

    The program is open to vendors seeking certification for their mobile document verification solutions. Vendors who achieve certification receive a Document Authenticity Certificate and are granted use of the FIDO Certified mark, to demonstrate they have passed the well-defined testing administered by the FIDO Alliance and Accredited Laboratories.

    FIDO Document Authenticity Certification is independent of other FIDO certification programs. There are no FIDO Certification prerequisites to apply for Document Authenticity Certification. 

    The FIDO Alliance plans to expand its identity verification program in 2023 with the launch of a face verification certification, including performance criteria requirements that address liveness and selfie-match.

    PR Contact 
    press@fidoalliance.org

    ]]>
    The Top Cyber Attacks Still Scaring us this Halloween – and How to Stop Them https://fidoalliance.org/the-top-cyber-attacks-still-scaring-us-this-halloween-and-how-to-stop-them/ Wed, 12 Oct 2022 19:36:52 +0000 https://fidodev.wpengine.com/?p=38026 This Cybersecurity Awareness Month, we’re raising awareness of the most frightening social engineering attacks and how we can banish these monsters to the past…

    Megan Shamas, senior director of marketing, FIDO Alliance

    Cybercriminals are like trick or treaters – knocking on doors and helping themselves to your freely-given credentials. Whether traditional phishing emails or more sophisticated deepfake-bolstered attacks, our digital lives and the proliferation of passwords are making us increasingly vulnerable to the cyber threat.

    Awareness is a core part of FIDO Alliance’s mission to move the world away from passwords to simpler, stronger authentication. Standards and technology are just one half of solving cybersecurity challenges – we have a duty to educate and provide the best information and resources to help everyone make smart decisions in whatever online environment they’re in – whether at work, studying, or in their personal life.

    That’s why we love working with CISA and NCSAM and their efforts around Cybersecurity Awareness Month, as it gets to the ‘people’ part of cybersecurity. And undoubtedly, when we think of that ‘people’ part, phishing and social engineering attacks are top of the list.

    To promote this year’s Cybersecurity Awareness Month, we’ve taken inspiration from the impending spooky season to unmask the scariest techniques and technologies criminals are using to steal your sweet candy credentials – and, how to stop them.

    The Wolf in Sheep’s Clothing 

    The online world can be a great space for finding friends, work, and romance. But wolves can be lurking behind friendly chats and interactions. These types of attacks are quite sophisticated, and usually take place over an extended period while the attacker wins the trust of their unsuspecting victims.  

    Plenty of Fish can quickly become Plenty of Phish, catching consumers when they have their guard down and least expect anything. The recent Netflix documentary ‘Tinder Swindler’ is a great example of how convincing and persistent these fraudsters can be. When forming relationships online, and before sharing any sensitive information that could help someone take over your online accounts, remember that those on the other end of apps might not always be who they seem.

    The Ghosts of Phishmas Past 

    An email from the bank wanting to confirm your details. A text from couriers asking you to reschedule your delivery. The cheery retailer message to say you’ve won $100 to spend if you register a new account.

    You might think you’ve seen and heard it all before, but these older, tried and tested phishing techniques are haunting us and are still by far the most effective. Take the Royal Mail SMS scam that blew up last Christmas time in the UK, or the recent global attack on Facebook Business/ad users. An estimated three in five were targeted by fake delivery text messages in 2021. As both the volume and quality of attacks continue to rise, the simplest of phishing and smishing could catch any of us out.

    The Shapeshifter

    You’ve no doubt seen funny viral videos of deepfakes, like Tom Cruise singing, or heard of the fake videos created of Ukrainian President Zelensky earlier this year. But deepfake technology isn’t just limited to comedy and political attacks – this technology is becoming both more readily available and more convincing, bringing to the fore even more effective attacks on everyday consumers. Back in June, the FBI even issued a warning to employers about fake employees using the technology to apply for jobs under false pretences to defraud organisations.

    Deepfake video and audio are now being used to bolster more standard phishing attacks and convince victims they’re engaging with those closest to them to pressure them into giving away sensitive information and details.

    The Terminator

    This is one type of social engineering attack that should send shivers down your spine. Recent advances in AI and machine learning are enabling attackers to automate highly targeted attacks – known as spear-phishing – by data scraping and integrating convincing details like name, date of birth and employer details, into attacks. 

    By revealing just enough legitimate information, consumers are lured into a false sense of security and even more likely to share credentials. Now automated at an alarming rate and level of sophistication, this is one attack that will keep coming back… that is, if we don’t find a strong enough defence. 

    Boo, Passwords!

    The only way we can truly protect ourselves from sharing our most precious credentials online is to not have credentials we can share in the first place. If passwords are like Halloween candy at our doors, moving to something we simply can’t share, like FIDO cryptographic-based sign-ins and on-device biometrics, means even if you fall for the trick, fraudsters are going hungry.

    FIDO authentication, created by global collaboration of the world’s biggest tech companies, numerous service providers and security stakeholders, is the only widely available phishing-resistant authentication method. Increasingly, governments like the US and the UK are citing FIDO as the ‘gold standard’ for organisations to implement and access robust cybersecurity. FIDO technology is readily available for companies big and small to implement and, as Cloudflare’s recent thwarted cyberattacks show, it’s effective.

    FIDO technology is about to become more readily available and ubiquitous among consumers too. Earlier this year, the world’s biggest platforms – Apple, Google and Microsoft – committed to supporting our new security key standards, FIDO multi-device credentials, also known as ‘passkeys’. This means, across our most favoured browsers and devices, we’ll soon be able to access FIDO-based passwordless sign-in technology with the same gestures we use every day on mobile devices, using biometrics or PIN. 

    This Cybersecurity Awareness Month, we’re urging service providers to get phishing-resistant passwordless authentication on their roadmap so consumers can make the move to passwordless – or at the very least, using passwords less – so we can leave these social engineering monsters toothless.

    ]]>
    Momentum in APAC:  FIDO Tech Seminar in Korea and Passwordless Roundtable in Vietnam Recaps https://fidoalliance.org/momentum-in-apac-fido-tech-seminar-in-korea-and-passwordless-roundtable-in-vietnam-recaps/ Thu, 11 Aug 2022 18:05:14 +0000 https://fidodev.wpengine.com/?p=37352 By Andrew Shikiar, Executive Director and CMO, FIDO Alliance

    July 2022 was a busy month for FIDO members in APAC, particularly with the events that took place in Korea and Vietnam:

    FIDO Tech Seminar in Korea

    On July 13th, the FIDO Korea Working Group held a half-day virtual tech seminar with 250+ attendees. The sessions included updates on the state of the FIDO Alliance and its certification programs, an introduction to FIDO Device Onboard (FDO), a FIDO Authentication 101, an introduction to multi-device FIDO credentials (also known as “passkeys”), and a presentation on understanding Korean laws mandating the use of passwords.

    [Pic 1: Snapshot of FIDO Tech Seminar Platform] [Pic 2: Samples of Virtual Sessions]

    This tech seminar covered topics such as FDO and passkey, and provided a forum for industry experts to learn about phishing-resistant online authentication. 

    Based on the post-event survey, over 30% of attendees reported they were victims of credential theft, even though they are online security industry experts or are studying in related fields. Mr. Hyeong Won Pyo at Chosun Media thoughtfully summarized what he learned from the seminar while sharing with his colleagues and friends: “Our journalists are under attack by online phishing campaigns, and it was great to learn how to protect them with FIDO Authentication.”

    Those who missed the live streaming sessions can watch the recordings here.

    Vietnam Goes Passwordless Roundtable

    On the same afternoon, FIDO Alliance participated in another hybrid event, the Vietnam Goes Passwordless Roundtable, organized by VinCSS and the Vietnamese Ministry of Information and Communication.

    It was the first forum on passwordless authentication in Vietnam, and the cyber security industry leaders in the region gathered representatives from the state banks and local journalists.

    [Pic 3: FIDO Update by Andrew Shikiar] [Pic 4: Panel Discussion Session]

    During the event, local cyber security leaders discussed and shared best practices on digital authentication, disruptive technologies, and mega trends of passwordless authentication. The experts recognized the recent increase of cyber-attacks in Vietnam as a risk factor for further developing digital applications, which is one of the top strategic activities of the Vietnamese National Digital Transformation Program.

    Mr. Do Ngoc Duy Tranc, CEO of VinCSS, said, “VinCSS is ready to sponsor and support the nation by integrating strong FIDO-based passwordless authentication technology by building broader cooperation mechanisms with multi-sectors.”

    ]]>
    CISA Director Jen Easterly to Deliver Signature Keynote at FIDO Alliance’s Authenticate 2022 Conference  https://fidoalliance.org/cisa-director-jen-easterly-to-deliver-signature-keynote-at-fido-alliances-authenticate-2022-conference/ Tue, 02 Aug 2022 11:54:58 +0000 https://fidodev.wpengine.com/?p=37266 FIDO Alliance announces agenda for its flagship event on the future of user authentication   

    Seattle, Washington, August 2, 2022 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2022, the only industry conference dedicated to the who, what, and where of user authentication. 

    This year’s featured keynote will be presented by the Cybersecurity and Infrastructure Security Agency (CISA) Director, Jen Easterly, and Senior Technical Advisor, Bob Lord. Additional speakers, including Jonathan Bellack, Senior Director, Identity & Counter-Abuse Technology at Google; Pamela Dingle, Director of Identity Standards, Microsoft; Luis G. DaSilva, Head of Digital Identity Products at Visa; and Christopher Harrell, Chief Technology Officer at Yubico, will deliver keynote presentations exploring the theme of “taking modern authentication to the next level” from a variety of diverse, global perspectives.

    Authenticate 2022 is a hybrid event, held at the Sheraton Grand in Seattle, Washington and virtually on October 17-19, 2022. Now in its third year, the event is focused on providing education, tools, and best practices for modern authentication across web, enterprise, and government applications. CISOs, security strategists, enterprise architects, and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2022-conference/

    In response to its rising popularity, the conference now features a third content track and offers more than 80 sessions. Speakers from ADP, Amazon, Citi, CVS Health, Salesforce, Target, USAA and others will deliver a diverse set of sessions, detailed case studies, technical tutorials, and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

    Sponsorship Opportunities at Authenticate 2022 

    Authenticate 2022 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/event/authenticate-2022-conference/

    There are a limited number of opportunities remaining. Requests for sponsorship should be sent to authenticate@fidoalliance.org. 

    About Authenticate 

    Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

    Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

    In 2022, Authenticate will be held October 17-19 at the Sheraton Grand in Seattle, Washington and virtually. Early-bird registration discounts are available through September 2, 2022. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

    Signature sponsors for Authenticate 2022 are Google, Microsoft, Visa, and Yubico.

    Authenticate Contact 
    authenticate@fidoalliance.org  

    PR Contact 
    press@fidoalliance.org  
    SOURCE FIDO Alliance, Inc.

    ]]>
    FIDO Alliance Announces the FIDO Developer Challenge – India https://fidoalliance.org/fido-alliance-announces-the-fido-developer-challenge-india/ Wed, 29 Jun 2022 01:24:36 +0000 https://fidodev.wpengine.com/?p=36994 India-focused Developer Challenge Program Invites Local Teams to Leverage Public FIDO2 WebAuthn API to Showcase Creative Ideas Leveraging FIDO Authentication – Application Submission Deadline August 12, 2022

    New Delhi, India, June 28th, 2022 – The FIDO Alliance today announced the FIDO Developer Challenge – India. Building on the success of the FIDO Developer Challenges over the past three years, the FIDO Alliance is focusing the program on the Indian market, encouraging local developer teams to create and present compelling and innovative applications leveraging FIDO standards and technologies.

    In India, cyber-attacks have doubled in the past three years, according to University of Surrey research, with enterprises the most common target of these attacks. Knowledge-based authentication, such as passwords, is no longer fit for the rapidly developing and connected Indian market. The FIDO Alliance is bringing its Developer Challenge to India to empower local developers to explore new options for moving beyond passwords with simpler, stronger FIDO Authentication.

    “Educating and supporting the developer community is a priority for the FIDO Alliance, and is one of the key elements to driving market adoption of FIDO Authentication standards,” said Andrew Shikiar, executive director and CMO at the FIDO Alliance. “Over the years, the FIDO Developer Challenge programs have been a major component in successfully engaging local developers. India has a rich history of developer talent and innovation – we are looking forward to seeing how these bright minds leverage FIDO standards to bring simpler, stronger authentication capabilities to web applications and services.”

    Participating teams will use public web frameworks and/or SDKs from FIDO Alliance’s members and sponsors of the Developer Challenge. Sponsors currently include Visa, Infineon, Samsung Electronics, Trustkey, Ensurity, and Octatco.

    The Challenge is open to students, individual developers, and pre-seed-stage companies residing in India. Projects should apply FIDO Authentication protocols to address modern technical or social challenges within various fields such as fintech, ecommerce, IoT, retail, blockchain, healthcare, public service, gaming, education, AI and the Metaverse.

    In addition to receiving goods and prizes from FIDO Alliance and the Challenge sponsors, the winning team will be invited by the FIDO India Working Group to make their final presentations to FIDO Alliance global stakeholders.

    The deadline to submit an application is August 12, 2022. Registration to participate can be found here: https://forms.gle/infm9319Ph8HwbJv8

    (*The application submission deadline has been extended from August 12th to September 12th.)

    Additional resources for the event can be found on the FIDO Developer Challenge India homepage: https://fidoalliance.org/fido-developer-challenge-2022-india/

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is enabling simpler and stronger online experiences and more secure online identities and devices. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and educates consumers in order to build confidence and trust in FIDO Certified products and services.

    World Password Day Had a Good Run. Now We’re Celebrating A Future with Less Passwords https://fidoalliance.org/world-password-day-had-a-good-run-now-were-celebrating-a-future-with-less-passwords/ Thu, 05 May 2022 11:58:16 +0000 https://fidodev.wpengine.com/?p=36454 Andrew Shikiar, executive director and CMO, FIDO Alliance

    World Password Day was created in 2013 to help people better secure their accounts by providing tips for better password hygiene: don’t reuse passwords; use a complex, random string of letters, numbers and characters; use a password manager. At the time of its inception the intentions of this day were positive and necessary as we didn’t have more secure consumer-friendly alternatives readily available. 

    Technology and best practices have changed over the years and many now use World Password Day to encourage users to level-up their account security by enabling multi-factor authentication. This is certainly a best practice for password-based logins, but falls short of addressing the evolving threat landscape which has commercialized the ability for hackers to bypass legacy forms of MFA. 

    What we ultimately need is widespread availability of passwordless sign-in technology that is more convenient and more secure – and we have that today with FIDO Authentication, which is already supported in over 90% of web browsers and virtually every modern handset and computing device. 

    In March of this year the FIDO Alliance shared its vision to make FIDO Authentication even more widely available and consumer-ready through the advent of multi-device FIDO credentials (referred to by some as “passkeys”). 

    Today, as an evolution of this announcement, FIDO Alliance is excited to share that Apple, Google and Microsoft are aligned with this vision and will be implementing multi-device FIDO credentials in their respective platforms. Read the press release for more details.

    From a user experience standpoint, this will be very similar to how one interacts with a password manager today to help them securely enroll and sign into websites – only it will be far more secure as the process will issue a FIDO keypair instead of a password. 

    From a service provider perspective, the availability of multi-device FIDO credentials will join the ongoing and growing utilization of security keys to allow for a full range of options for deploying modern, phishing-resistant authentication.

    In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. This is a critical step in helping the industry at large break its dependence on the passwords and other knowledge-based credentials which to this day are the cause of over 80% of data breaches.

    I am often asked when the industry will be able to get rid of passwords – to which I respond that the path towards passwordless is a journey and not a sprint. That being said, the first step on the password-less journey is to use less passwords – which is embodied by the commitment made today by the world’s largest platform providers.  While “Less Passwords Day” doesn’t roll off the tongue as well as “World Password Day,” it certainly is a day worth celebrating!

    Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/ Thu, 05 May 2022 11:58:11 +0000 https://fidodev.wpengine.com/?p=36540 Faster, easier and more secure sign-ins will be available to consumers across leading devices and platforms 

    Mountain View, California, MAY 5, 2022  – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.  

    Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.  

    The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS. 

    An Expansion of Passwordless Standard Support 

    Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms. 

    These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins: 

    1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account. 
    2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

    In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. 

    These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year. 

    “‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”

    “The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”

    “Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.” 

    “This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”

    “The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft. “By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”

    Available Resources:

    White Paper: Multi-Device FIDO Credentials

    Blog: Charting an Accelerated Path Forward for Passwordless Authentication Adoption

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    About Apple

    Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, Apple Watch, and Apple TV. Apple’s five software platforms — iOS, iPadOS, macOS, watchOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, and iCloud. Apple’s more than 100,000 employees are dedicated to making the best products on earth, and to leaving the world better than we found it.

    About Google

    Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Google Cloud, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely-known companies in the world. Google is a subsidiary of Alphabet Inc.

    About Microsoft

    Microsoft enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

    Latest updates from FIDO APAC Marketing Forum: FIDO Members from the Region Get Together to Learn from Each Other and Stay Alert https://fidoalliance.org/latest-updates-from-fido-apac-marketing-forum-%ef%bf%bcfido-members-from-the-region-get-together-to-learn-from-each-other-and-stay-alert/ Mon, 28 Mar 2022 18:10:00 +0000 https://fidodev.wpengine.com/?p=36282 By Joon Hyuk Lee, APAC Market Development Director

    According to recent research reports and news, Asia Pacific regions are witnessing a surge in cyber-attacks – and the highly publicized online attacks all start with compromised passwords. 

    In December 2021, nearly 470 customers of a Singapore bank fell victim to SMS phishing attacks, with total losses amounting to at least $8.5 million. In New Zealand, the Department of Internal Affairs (DIA) received over 114,000 SMS scam reports between September and October 2021, the highest in the Department’s history. In India, cyber-attacks have doubled in the past three years, according to University of Surrey research, with enterprises the most common target of these attacks. In January, a local payment provider experienced a data breach, with 35 million customers having their data, including card information and fingerprint scans, released on the dark web for anyone to buy. These are just a few examples on a list that continues to grow.

    The Industry Is Uniting to End the Password Problem

    On February 15th, the FIDO APAC Marketing Forum (AMF) brought together FIDO members from 12 countries in APAC to share insights, lessons learned and best practices to mitigate the surge of cyber-attacks that have taken hold of the region. 

    Here are the highlights of the sessions:

    The agenda started with a welcome message from Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. Shikiar said, “2022 is the year of FIDO adoption and this time we mean it. FIDO adoption is truly happening now at scale.  Asia has always been at the forefront with early FIDO adoptions, and it is wonderful to see a new momentum in Taiwan and ASEAN.”

    Megan Shamas, Senior Director of Marketing at the FIDO Alliance, reviewed 2021 highlights and shared the 2022 global marketing programs that are being prepared. She detailed FIDO’s new year marketing programs, which are divided into many different categories, such as PR, digital, content, industry events, seminars, and research, while seeking member feedback.

    The group heard from Karen Chang of Egis Technology, who is also Chair of the FIDO Taiwan Engagement Forum and a member of the SEMI E187 Standard Committee. Chang pointed out that SEMICON Taiwan released SEMI E187, the first ever semiconductor standard. FIDO is listed as a reference under ‘Authentication Technologies’ in the document.

    Le Tuan Khoi from MK Group in Vietnam shared their FIDO deployment case study. The members highly appreciated the insights into local cybersecurity trends and cybercrime statistics. It was very helpful for us to understand the local markets and how FIDO can be accepted there.

    Keiko Itakura from Rakuten Group shared Rakuten’s FIDO implementation case study. Itakura, who also serves as Co-Vice Chair of the FIDO Japan Working Group, said, “FIDO has great availability to unify authentication methods and phishing resistance by utilizing standard technology.” At the end of her presentation, the members congratulated Rakuten on its 25th anniversary.

    Special guest Yusuf Khan from Digital Dubai joined us to share digital ID trends and related activities in Dubai. He emphasized that the balance between usability and security is very important, and that FIDO Authentication sits in that sweet spot. It was also exciting to learn that Dubai is exploring passwordless and secure mobile-based digital identity.

    Finally, Young Lee from DEFEND in New Zealand joined us as a special speaker. Lee gave us a bird’s-eye view of New Zealand’s 2021 Cybersecurity Landscape. He said, “thousands of phishing and credential harvesting attacks were recorded in Q2 2021, and it was a 73% increase from the previous quarter.”

    A Call to Participate

    The FIDO APAC Marketing Forum (AMF), under the FIDO Marketing and Communications Board Committee, was inaugurated on November 28th, 2020, to provide a platform for regional members to connect, learn from each other and share best practices. Although it was established during the worst period of the global pandemic, the forum has now grown to 98 members from Australia, China, Japan, Korea, Hong Kong, Indonesia, India, Malaysia, Saudi Arabia, Taiwan, and Vietnam. Members in the APAC region are encouraged to participate in this forum and can get involved by contacting info@fidoalliance.org.

    We look forward to hosting yet another exciting AMF meeting in Q2 2022!

    Charting an Accelerated Path Forward for Passwordless Authentication Adoption https://fidoalliance.org/charting-an-accelerated-path-forward-for-passwordless-authentication-adoption/ Thu, 17 Mar 2022 12:14:14 +0000 https://fidodev.wpengine.com/?p=36186 Andrew Shikiar, executive director and CMO, FIDO Alliance

    FIDO Alliance released a paper today that outlines the next steps in the evolution of FIDO and passwordless authentication adoption. Specifically, we are introducing the concept of multi-device FIDO credentials to address current challenges with account recovery for consumer deployments at scale.

    FIDO Alliance has really been successful in changing the nature of authentication – FIDO Authentication is now built into every leading device and browser and many major brands have made FIDO logins available to their users. 

    However, a challenge that persists is the requirement that users enroll their FIDO credentials for each service on each new device, which typically requires a password for that first sign-in. So what happens to your FIDO login credentials and how do you recover your account if you change your phone or laptop? They are not recoverable in today’s FIDO model. This presents issues for deploying FIDO at scale to consumers who are constantly moving between devices and updating to new ones. This is less of a challenge in the enterprise, where companies can solve this issue by deploying internal management tools used to support passwordless authentication, and for employees to recover accounts and credentials.

    So while FIDO is available to deploy at scale today, a feature has been missing to make it as fully ubiquitous and available as passwords: the ability to have your FIDO credentials available to you across all of your devices, even a new one, without having to re-enroll for every account. 

    Introducing multi-device FIDO credentials

    The new paper released today outlines the next steps for the evolution of FIDO to address this limitation. The paper introduces multi-device FIDO credentials, also informally referred to by the industry as “passkeys,” which enable users to have their FIDO login credentials readily available across all of the user’s devices. This will help service providers bring passwordless sign-in to consumers at scale by addressing the issue of account recovery – the key barrier to mass adoption of cryptographically secure, passwordless authentication. 

    The paper outlines how the FIDO Alliance and the W3C WebAuthn working group propose to achieve this, which includes two key updates:

    • The ability to use a phone as a roaming authenticator through a defined protocol to communicate between the user’s phone (which becomes the FIDO authenticator) and the device from which the user is trying to authenticate.
    • Making FIDO credentials universally available on all the user’s devices to ensure they can survive device loss and sync across different devices

    By introducing these new capabilities, we hope to empower websites and apps to offer an end-to-end truly passwordless option; no passwords or one-time passcodes (OTP) required. The user experience of sign-in becomes a simple verification of a user’s biometric or a device PIN – the same consistent and simple action that consumers take multiple times each day to unlock their devices. The vision is that these experiences will be available across all our devices, operating systems and browsers.

    FIDO Alliance sees the introduction of multi-device FIDO credentials to be an important step towards deployment of phishing-resistant FIDO authentication at a broader scale in many use cases that today are totally reliant on passwords or legacy forms of MFA such as SMS OTPs that are under increasing attack. 

    We’re looking forward to hearing from industry stakeholders about this development and will be sharing more details on a webinar in April.

    FIDO Alliance Announces Commerce Virtual Summit Amid Rising Online Payment Fraud and Authentication Challenges https://fidoalliance.org/fido-alliance-announces-commerce-virtual-summit-amid-rising-online-payment-fraud-and-authentication-challenges/ Wed, 09 Mar 2022 22:06:44 +0000 https://fidodev.wpengine.com/?p=36140 Players from across banking, retail, crypto and blockchain can gain expert insight into addressing authentication challenges with FIDO – from regulation and UX, to fraud and privacy

    MOUNTAIN VIEW, CA – March 10, 2022 – The FIDO Alliance is pleased to announce its first Authenticate Virtual Summit of 2022: The FIDO Fit in Commerce: Examining the Present and Future of Authentication in Banking, Retail, Crypto and Blockchain. The summit features Signature Sponsors Daon, Keyless and Nok Nok. 

    Attendees will hear from industry experts on the authentication challenges facing all commerce stakeholders today, and learn about FIDO’s invaluable role in the industry. The program provides market-specific insights, and will air March 30 in the U.S. (2:00 – 5:30pm Eastern) and March 31 in Europe (2:00 – 5:30pm CET).

    Online payment fraud is rising globally, totalling an estimated $20bn USD in losses last year. Meanwhile, Forrester research suggests poor online checkout experiences are costing brands over $18bn a year in cart abandonment. This event invites players across banking, retail, crypto and blockchain to learn how they can meet the urgent need to deliver simpler, stronger user authentication, and why FIDO has quickly become a key cornerstone in the future of commerce.

    The agenda features presentations from leading financial institutions, solution providers and industry analysts to explore: 

    • Commerce authentication today and its challenges
    • The benefits and risks of different authentication methods
    • Key privacy and regulatory requirements – and how they’re evolving
    • The imperative for modern strong authentication in commerce
    • Use cases and practical insights into deploying FIDO 
    • The future of authentication in commerce

    Speakers include executives from RH-ISAC, eBay, Gemini, Goode Intelligence, PLUSCARD, Entersekt, LoginID, the Greensheet, IDnow and more.

    Register for free and view the agenda for the event here. All sessions will also be available on-demand after the second airing.

    Sponsorship Opportunities

    The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities for interested organizations. Visit the Authenticate sponsorship page for more information or contact authenticate@fidoalliance.org.

    About FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    FIDO Alliance Announces Authenticate Conference 2022 https://fidoalliance.org/fido-alliance-announces-authenticate-conference-2022/ Tue, 15 Feb 2022 13:00:03 +0000 https://fidodev.wpengine.com/?p=36028 Premier authentication conference returns for third year; call-for-speakers open

    SEATTLE, February 15, 2022  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to the who, what, and where of user authentication. Authenticate, featuring Signature Sponsors Google, Microsoft, Visa and Yubico, will take place at the Sheraton Grand in Seattle, Washington and virtually on October 17-19, 2022. 

    Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the third consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

    Last year’s conference featured more than 70 sessions and welcomed over 650 attendees, 97% of whom agreed that the content was exactly what they were looking for. The exhibit area included 25 industry-leading exhibitors and sponsors.

    Authenticate 2022 will build upon this strong foundation and feature detailed case studies, technical tutorials, and expert panels aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and networking opportunities. 

    Authenticate Call For Speakers

    The Authenticate 2022 conference program committee is currently holding an open call for speakers. Authenticate provides speakers with an opportunity to increase visibility, educate on in-market solutions, and allow for networking between those involved in modern authentication. 

    The committee is looking for vendor-neutral, educational presentations that focus on modern authentication implementations and best practices. For this year’s event, the focus will be on “taking modern authentication to the next level.” Diverse, global perspectives and presentations that focus on the following topic areas are welcome: 

    • Authentication trends & insights 
    • Modern authentication case studies & implementation strategy
    • Regulatory impact on authentication 
    • Technical & developer tutorials

    Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. 

    The Authenticate Call for Speakers closes on March 15, 2022. To submit an application, please visit https://authenticatecon.com/event/authenticate-2022-conference/

    Sponsorship Opportunities at Authenticate 2022 

    Authenticate 2022 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/event/authenticate-2022-conference/.

    Sponsorship requests will be filled on a first-come, first-served basis. Requests for sponsorship should be sent to authenticate@fidoalliance.org.

    About Authenticate

    Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

    Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

    In 2022, Authenticate will be held October 17-19 at the Sheraton Grand in Seattle, Washington and virtually. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

    Authenticate Contact
    authenticate@fidoalliance.org  

    PR Contact 
    press@fidoalliance.org

    Media Alert: The FIDO Alliance Endorses The Office of Management and Budget’s Finalized Zero Trust Strategy https://fidoalliance.org/media-alert-the-fido-alliance-endorses-the-office-of-management-and-budgets-finalized-zero-trust-strategy/ Thu, 27 Jan 2022 13:00:05 +0000 https://fidodev.wpengine.com/?p=35979 FIDO Authentication highlighted for updated phishing-resistant authentication requirements 

    The FIDO Alliance endorses The U.S. Office of Management and Budget’s finalized Federal Zero Trust Strategy, supporting their efforts to implement stronger cybersecurity methods across government agencies. The Federal Zero Trust Strategy now requires agencies to use phishing-resistant multi-factor authentication (MFA) to access agency-hosted accounts, highlighting FIDO Authentication as a quality option to ensure user security. Notably, the OMB also recommends this approach in environments where the use of Personal Identity Verification (PIV) isn’t feasible. 

    “The Federal Zero Trust Strategy provides a robust roadmap for agencies to follow to ensure best practices in creating a zero trust environment. The FIDO Alliance commends the Office of Management and Budget for requiring phishing-resistant authentication to protect agencies as phishing attacks become significantly more sophisticated – including the increasingly common ability to bypass legacy MFA approaches such as OTPs,” said Andrew Shikiar, executive director of the FIDO Alliance. “Authentication is a critical component of any zero trust architecture. As cited by OMB, FIDO Security Keys and authenticators present a practical alternative to PIV and can provide agencies with a rapidly deployable solution to harden their defenses against hackers armed with increasingly sophisticated and persistent threat campaigns.”

    WHO: The FIDO Alliance

    WHAT: The OMB’s Federal Zero Trust Strategy, which aims to accelerate the migration of U.S. Government agencies towards zero trust cybersecurity principles, mandates the use of phishing-resistant authentication, such as FIDO Authentication. This serves as yet another example of the government recognizing the importance of not only MFA, but phishing-resistant MFA to secure accounts.

    As the OMB initiates this paradigm shift in how Federal agencies approach cybersecurity, the broader adoption of FIDO Authentication will provide simpler and more secure authentication for agencies, especially as enterprise users continue to be the most valuable targets for phishing.

    WHEN: The OMB released its final Federal Zero Trust Strategy on January 26, 2022. As detailed in the strategy, agencies are required to achieve the zero trust security goals outlined in the strategy by the end of 2024.

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    PR Contact
    press@fidoalliance.org

    Recap: Identity, Authentication, and the Road Ahead #IDPolicyForum https://fidoalliance.org/recap-identity-authentication-and-the-road-ahead-idpolicyforum/ Wed, 26 Jan 2022 15:56:59 +0000 https://fidodev.wpengine.com/?p=35978 The intersection of identity and authentication is set to be very busy in 2022.

    Over the course of two days from Jan. 24 – 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum with representatives from government and industry providing insight into the policies, challenges and opportunities for identity and authentication in 2022 and beyond.


    Identity has always been important, and during the pandemic the gaps in identity verification capabilities were dramatically exposed in a number of ways. The challenges of identity in the pandemic were detailed in a keynote fireside chat with Susan Gibson, chair of the U.S. Pandemic Response Accountability Committee (PRAC) Identity Fraud Reduction & Redress Working Group, and Jeremy Grant, coordinator of the Better Identity Coalition. Gibson explained that the PRAC was formed by the U.S. Government with the goal of promoting transparency and facilitating coordinated oversight of the federal government’s pandemic response, which totaled some $5 trillion in aid.

    Gibson noted that there have been many instances of pandemic aid fraud, due in no small part to weaknesses in identity verification and coordination. For example, she noted that a single social security number was used to claim unemployment insurance in 29 different states. 

    While identity fraud using social security numbers and other means is common, Gibson emphasized that trying to stop identity thieves isn’t the only answer to the problem, because the volume of personally identifiable information already in the public domain is large.

    “Really, we need to focus less on trying to fix the problem by stopping identity theft and focus more on: how do you get to the strong authentication, with a realization that the identity theft has already happened,” Gibson said.

    Data breaches continue to happen

    Identities are often at the root of data breaches, both as a cause and as a consequence.


    In a morning session, James Lee, Chief Operating Officer of the ID Theft Resource Center (ITRC), outlined some of the key data points from his organization’s 2021 End-of-Year Data Breach Report. Among the highlights is the fact that 2021 was the worst year ever for data breaches, with 1,862 incidents impacting 294 million victims.

    Lee said that the data attribute most often stolen in data breaches is users’ names, followed by social security numbers. That said, he noted that in fraud forums, stolen social security numbers are sold for $2 each. In contrast, logins and passwords associated with email accounts, and in particular Gmail accounts, are worth $80 each.


    The first day of the event concluded with a pair of panels on different aspects of identity and authentication. In a panel on what the government is doing to coordinate and improve identity, Jason Lim, Branch Manager for Screening Technology Integration Program (STIP), TSA; Phil Lam, Executive Director for Identity, U.S. General Services Administration; Tim Weiler, Economic Policy Advisor & Legislative Counsel, U.S. Rep. Bill Foster; and Kate Wechsler, Executive Director, Consumer First Coalition, each detailed their views on what different agencies are doing.


    Identity is also about access, which isn’t the same for all members of society. That was a key theme in the final panel of the day, hosted by Eva Velasquez, President and CEO, Identity Theft Resource Center (ITRC), alongside panelists Birdell Lewis, Senior Vice President, Centralized Shared Services, Synchrony; Pastor Ben Roberts, Foundry United Methodist Church; and Chris Peterson, Penny Forward and Community Member.

    Day Two: The Future of Strong Authentication

    In the opening keynote on the second day of the event, Eric Mill, Senior Advisor, White House Office of Management and Budget (OMB), outlined the direction of strong authentication in the government.


    Mill noted that in the fall of 2021, the OMB published a draft of its federal zero trust strategy, which defines having a defense against phishing as a key priority. Mill said that phishing is one of the most common ways that adversaries gain a foothold in an enterprise and the government wants to focus on having an order of magnitude better defense against that kind of attack.

    “We are trying to create a clear baseline for civilian federal agencies around not using multifactor authentication methods that don’t resist phishing,” Mill said.

    Mill noted that PIV, or Personal Identity Verification, cards are commonly used in the government and can be an effective phishing deterrent. He added that there is a need to have a broader approach with FIDO WebAuthn platform authenticators as well.

    “We really expect to see PIV, FIDO and web based authenticators in commingled use throughout the federal government and other weaker methods in the context of phishing, discontinued,” Mill said.

    The zero trust strategy was officially published the day following the conference and requires the use of phishing-resistant MFA, like FIDO Authentication.

    FIDO Alliance’s efforts for strong authentication and identity

    In a keynote, Andrew Shikiar, Executive Director of the FIDO Alliance, outlined the progress and initiatives that his organization has underway to help improve the state of strong authentication.


    Shikiar emphasized that the imperative that FIDO is seeking to address is not just to be a checkbox item for multi-factor authentication (MFA), but rather to truly be a foundation to secure connected services that are critical to today’s networked society. 

    Shikiar predicted that 2022 will be the year that MFA attacks become mainstream. Having a phishing-resistant approach, which is what FIDO provides, is critical. The need for phishing-resistant MFA and strong authentication has been cited by multiple governments as a best practice. 

    “Passwords are part of our lives because they’re ubiquitous and they’re part of the web’s DNA,” Shikiar said. “Simply put, we need to supplant them, keep them out of that role and take their place.” 

    Barriers to MFA and the need for improved identity proofing

    In a panel on how the government and industry are rethinking authentication, panelists provided insight into what holds adoption back and what needs to happen next.


    Pam Dingle, Director of Identity Standards at Microsoft, commented that while there is awareness about the need for strong authentication and MFA, there are several reasons why it isn’t always implemented. One type of organization that doesn’t deploy it is one that faces some sort of organizational barrier to MFA.

    “So customers come to us and say they know they need to do it right, but they have legacy technology or they have other reasons why they can’t adopt,” Dingle said. “For everyone else, I believe it’s on people’s lists.”

    Christine Owen, Director, Advanced Solutions, Cybersecurity at Guidehouse, commented that a challenge she sees with MFA deployment is on service accounts. Owen noted that adding MFA to those types of accounts is not always as easy as it should be. Grant Dasher from CISA noted that in his organization’s view, identity is clearly the foundation of a zero trust architecture. Dasher added that the President’s Executive Order has committed the government on both civilian and national security sides to go in that direction. In fact, CISA has referred to FIDO as the gold standard for authentication in its recent guidance.


    Helping to ensure that a given identity is in fact authentic is the domain of identity proofing, which also helps with the initial verification of identity documents and attributes. In an afternoon panel, Rae Rivera, Director of Certification Programs at the FIDO Alliance, outlined the ongoing efforts to create certification programs for identity proofing.

    Brighton Haslett, Counsel in the U.S. House of Representatives, Committee on Financial Services, noted that it’s important that any new regulations in the identity proofing space be based on real information.

    “I think the biggest threat in this space is any kind of legislation or regulation born out of misunderstanding and fear,” Haslett said. “I think when we see a rush to regulate a new technology, it’s usually an attempt to mitigate bad outcomes whether those are real or not.”

    Strong Authentication, Identity and the Banking System

    The need for strong authentication to help secure identity is of critical importance to the financial sector and its government regulators.

    “If you look at so many of the things that bring risk to the financial sector in the United States they are all anchored on identity,” commented Sultan Meghji, Chief Innovation Officer, FDIC.


    Meghji’s views were echoed by Kay Turner, Senior Counselor to the Director, FinCEN Digital Identity, Inclusion, and Digital Payment Infrastructure. She noted that FinCEN’s role in the financial sector as the primary administrator of the Bank Secrecy Act and the U.S. financial intelligence unit, is to help prevent illicit finance, money laundering and related crimes like countering the financing of terrorism.

    “Identity is at the heart of all financial services, and it’s core to trust,” Turner said. “So we recognize that the ability to assess risk is only as good as your ability to figure out with whom you’re engaging.”

    Much of Turner’s sentiment was echoed in a keynote by Elizabeth Rosenberg, Assistant Secretary for Terrorist Financing and Financial Crimes at the U.S. Treasury.

    Rosenberg said that many of the critical problems plaguing the financial system stem from an inability to readily and reliably know who is dealing with whom.

    “As a policy matter, digital ID has the potential to immediately and dramatically improve how we protect our national security and financial security,” Rosenberg said. 

    Looking beyond just being aware of the importance of strong authentication for identity, Rosenberg said that the U.S. Treasury is approaching 2022 as a year of action for digital ID.

    “I don’t want us to be addressing the same problems when next year’s identity forum convenes,” Rosenberg said. “At least I don’t want to see the same problems happening as frequently to the same degree as they are right now and the Treasury is committed to making that happen.”


    In the closing keynote, Carole House, Director for Cybersecurity and Secure Digital Innovation, White House National Security Council (NSC), also noted that she sees identity as being critical to national security.

    “Many cyber incidents that we’ve seen involve vectors of compromise that could have been thwarted through stronger identity and access management solutions, including implementation of multifactor authentication solutions,” House said.

    Recordings of Day 1 and Day 2 are now available.

    2021 FIDO Developer Challenge: Outcomes and Winners https://fidoalliance.org/2021-fido-developer-challenge-outcomes-and-winners/ Mon, 08 Nov 2021 23:57:04 +0000 https://fidodev.wpengine.com/?p=35579 By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

    Editor’s Note: This is the final blog posting covering the 2021 FIDO Developer Challenge. We invite you to read the previous blog posts to learn more about past stories:

    This year’s FIDO Developer Challenge reached a successful conclusion, with a ceremonial event during Authenticate 2021 in Seattle. The recorded video of the ceremony is available now, and we’re pleased to share more detailed stories of the three finalists as well as the rest of the teams that made it to the final stage.

    Leaders of the Top Three Teams.

    Gold Winner – Lockdrop

    Lockdrop, a company based in Toronto, Canada, strengthened their document transfer service using end-to-end encryption with WebAuthn as an MFA authentication option. The team wants to help businesses and people exchange larger datasets easily and securely, a problem that is prevalent across most industries and results in people falling back to insecure and/or archaic forms of data transfer such as email, fax, CD-ROMs (yes, CD-ROMs!), and USB sticks.

    Silver Winner – Shaxware

    Shaxware is a company located in Tokyo, Japan. They created a Proof of Concept, fashioning the Japanese National ID Card (My Number Card) into a FIDO roaming authenticator. They proposed to extend WebAuthn by using the external IC card as a primary digital certificate.

    Bronze Winner – SoundAuth

    SoundAuth is the team name for a company (Trillbit) based in Boston with R&D staff stationed in India. This team built a FIDO MFA solution that leverages data over sound technology to provide a seamless user experience while eliminating the need to rely on an additional hardware token or internet connectivity.

    From the initial pool of applicants, fourteen teams from eight different countries (Canada, France, India, Japan, Malaysia, South Korea, USA, Vietnam) competed throughout the FIDO implementation stage – including the three finalists detailed above. There were also many concepts that did not make the top three yet have shown compelling ways to leverage the strength and usability of FIDO Authentication. Examples include:

    • FIDO and AI-based remote test proctoring system (India)
    • Web payment system, leveraging FIDO-based digital wallet (France)
    • FIDO-based online note-taking apps for developers (Vietnam)
    • FIDO-based VPN access (South Korea)
    • FIDO and AI-based assisted technology for visually impaired people (South Korea)

    Thanks and final thoughts

    The 2021 FIDO Developer Challenge was made possible by the support and active engagement from the event sponsors – who not only helped fund the event operations and prizes, but gave hands-on feedback and guidance as judges. Thanks also to the W3C and WebAuthn community for guidance and support through the FDC Discord Channel – it was great to see so many people weighing in to help these development teams.

    We were very pleased to have built off of our prior developer hackathon efforts in Korea, to have brought the challenge global, and to have added a focus on public APIs. The Challenge demonstrated that the combination of open technology coupled with the entrepreneurial vision of a developer will result in inspiring outcomes and innovation. We look forward to expanding this effort in 2022. Please don’t hesitate to reach out (https://fidoalliance.org/contact/) should you have any feedback or suggestions on the program.

    FIDO Alliance Announces Asia Pacific Authenticate Virtual Summit to Drive Further Adoption of Modern User Authentication https://fidoalliance.org/fido-alliance-announces-asia-pacific-authenticate-virtual-summit-to-drive-further-adoption-of-modern-user-authentication/ Fri, 05 Nov 2021 11:01:07 +0000 https://fidodev.wpengine.com/?p=35577 Three-day event to provide global updates and local insights for multiple countries across Asia Pacific

    SINGAPORE, November 5, 2021 — The FIDO Alliance announced the agenda and speaker lineup for its free Virtual Authenticate Summit: APAC Innovation, the quarterly series of virtual seminars that delve into the FIDO approach to modern user authentication. This three-day event, being held December 8-10, 2021, features expert speakers from around the globe, with regionally specific tracks focused on strong authentication trends in China, India, the ASEAN region, Korea, Japan and Taiwan.  

    “Asia has long been a hub of innovation for FIDO Authentication – with some of the earliest and most noteworthy implementations having taken place throughout the region,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are pleased to build upon FIDO’s Authenticate Virtual Summit series to allow local participants to gain insights into the latest trends and technologies from FIDO Alliance and its global stakeholders.”

    Fraud and identity theft continue to grow throughout APAC as a result of lingering reliance on weak authentication methods such as passwords, as witnessed by the recent FIDO Alliance Online Authentication Barometer survey. The survey shows that while security is a priority, with 84% of respondents having taken steps they believe will better protect their accounts from compromise, 43% did so by strengthening their passwords.

    This Virtual Summit will give attendees the necessary tools to start their companies on a journey towards a passwordless future – as regional stalwarts such as NTT DOCOMO, Samsung, LINE and many more have done already.

    Participants will also gain insights from subject matter experts in identity and authentication, with case studies including:

    • Asia Pacific — Electronic Transactions Development Agency (ETDA), Malaysian Ministry of Finance, SecureMetric
    • China — FIME, Lenovo
    • India — Ensurity, RBL Bank, Reserve Bank of India
    • Japan — AXELL, Digital Agency of Japan Government, Josai University, OpenID Foundation Japan, NTT DOCOMO, Rakuten, Yahoo! Japan
    • Korea — AWS/AirCuve, LINE, SK Telecom/Octaco, TrustKey, Telecommunications Technology Association of Korea 
    • Taiwan — AuthenTrend/NEC, FIME, Financial Supervisory Commission, PUFsecurity

    Authenticate Virtual Summit: APAC Innovation is free to attend for anyone interested in learning more about and/or deploying FIDO Authentication. Most sessions will also be available on-demand after they air, and translated subtitles for global content will be available in Chinese, Japanese or Korean (as well as for the event platform). Attendees and sponsors will also have the ability to engage and network, as well as visit sponsor booths via the virtual platform.

    Visit the 2021 Authenticate Virtual Summit: APAC Innovation event page to find out more and register for the event.

    For more information about the Authenticate Virtual Summit Series: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/


    Authenticate Contact
    authenticate@fidoalliance.org

    PR Contact
    press@fidoalliance.org 

    Megan Shamas, Director of Marketing
    FIDO Alliance
    +1 (203) 231-9280
    megan@fidoalliance.org

    Jareth Cheng
    FINN Partners for FIDO Alliance
    +65 3157 5619
    yingFIDO@finnpartners.com

    FIDO Alliance Research Tracks Passwordless Authentication as It Moves Mainstream https://fidoalliance.org/fido-alliance-research-tracks-passwordless-authentication-as-it-moves-mainstream/ Mon, 18 Oct 2021 16:25:16 +0000 https://fidodev.wpengine.com/?p=35245 New Online Authentication Barometer from the FIDO Alliance reveals consumer habits, trends and adoption of authentication technologies

    Summary of key findings:

    • Passwords still prevail over other, more secure authentication methods — 56% of people used them to log into financial services accounts in the last 60 days
    • Biometrics are gaining traction, both in perception of security and usage — 32% of people think it is the most secure authentication method, and it is the preferred method for 28%
    • Many consumers still don’t know what action to take to secure their accounts — stated by 37% of people that didn’t take any steps to improve their online security
    • Many consumers wrongly believe that taking action to strengthen a password is the best way to secure their account — 19% of people believe this
    • Consumers need to be educated on the risks and implications of poor account security and the solutions available 

    SEATTLE, WA, October 18, 2021 — The FIDO Alliance today launched its Online Authentication Barometer to track the uptake of secure authentication technologies among the general public. The Online Authentication Barometer provides baseline insights into the state of online authentication in 10 countries across the globe, with future releases of the barometer able to compare changes in behaviors and attitudes over time. 

    It reveals that biometrics, such as using fingerprints and face scans, are being used by at least 35% of people and are by far the most popular form of online authentication behind passwords. The barometer highlights how adoption of biometrics for online authentication varies widely internationally, yet all countries surveyed reported at least 25% of the population are using biometrics in some capacity. 

    Passwords and other knowledge-based approaches such as OTPs have historically dominated online authentication and the barometer confirms this is still the case. However, major platform and device manufacturers including Apple, Google and Microsoft have begun adopting possession-based, passwordless alternatives into their core product offerings to improve security and convenience. As these and other initiatives gain traction, the world’s reliance upon passwords and other server-side “secrets” is expected to decrease in favor of modern solutions including biometrics, security keys and other on-device approaches for user authentication.

    Biometrics are the most popular of these possession-based and password-free authentication options, and data from the barometer reveals why. Biometrics are perceived to be the most secure way for people to verify their identity online – 32% of people believe this, a trend that holds true in all 10 countries the Online Authentication Barometer explored. Biometrics are also the most preferred method of logging in for 28% of people surveyed. 

    “Time and time again we see data breaches, ransomware and other attacks that leverage vulnerabilities associated with passwords and other ‘what you know’ forms of authentication — including OTPs as a second factor,” said Andrew Shikiar, Executive Director & CMO of the FIDO Alliance. “The industry at large must shift towards possession-based factors such as biometrics and security keys that are not susceptible to remote attacks such as phishing, credential stuffing and various forms of social engineering that frankly are difficult if not impossible for the average user to detect.  We are pleased to establish and share the Online Authentication Barometer as a mechanism to track our collective progress towards a safer and more secure networked economy.” 

    The Online Authentication Barometer also found encouraging data on people actively taking steps to protect their accounts from being hacked or compromised. The vast majority of people (84%) took action, suggesting high levels of awareness on the security issues passwords have. However, despite biometrics being recognized for better security, 19% of people still consider passwords to be the most secure way to authenticate themselves online, and 11% of people think SMS OTPs are the most secure. This was ahead of some of the strongest methods available today, including authentication software (6%) and physical security keys (4%). 

    Of the 16% who didn’t take any steps to improve their online security, the majority said they didn’t know how (37%), with 26% saying it’s too complicated and 16% believing a data breach or hack would not happen to them.

    The full Online Authentication Barometer from the FIDO Alliance can be found here.

    Notes to editors

    • Major organizations that have begun adopting possession-based, passwordless alternatives to improve security and convenience include:
      • Apple announcing its intent for iCloud Keychain users to secure accounts with cryptographic keypairs (“passkeys”) instead of passwords
      • Google announcing plans to enable multi-factor authentication by default
      • Microsoft enabling its users to completely remove the password from their Microsoft account
    • The FIDO Alliance Online Authentication Barometer research was conducted among 10,000 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China. The interviews were conducted online by Sapio Research in September 2021 using an email invitation and an online survey. 

    PR Contact

    press@fidoalliance.org 


    Authenticate Virtual Summit: The Imperative for Strong Authentication for Government Services https://fidoalliance.org/authenticate-virtual-summit-the-imperative-for-strong-authentication-for-government-services/ Fri, 24 Sep 2021 19:28:16 +0000 https://fidodev.wpengine.com/?p=35182 Authentication plays an increasingly important role in how governments are providing services around the world.

    At the Authenticate Virtual Summit on Sept. 23, 2021, users, experts and vendors from around the world detailed how strong authentication helps to enable government services and new efforts to secure online identities. Users including the U.K. National Health Service (NHS), as well as the U.S. Government’s login.gov and Internal Revenue Service (IRS) provided insights into the present and future of online authentication and digital identities.


    In the opening session of the event, Andrew Shikiar, executive director and CMO of the FIDO Alliance, outlined the strategic imperative for FIDO in government services around the world.

    “COVID-19 created an imperative to really accelerate digital transformation activities,” Shikiar said. “When the pandemic hit all of a sudden, everyone was at home and all activity brought requirements for modern authentication schemes that go far beyond passwords, even beyond traditional multi-factor authentication.”

    Shikiar noted that the FIDO Alliance standards align very well with global regulations and policies and there is a growing trend of government guidance for authentication that cites the use of FIDO.

    “It’s important to enable trust in the government ecosystem,” Shikiar said. “This comes through the engagement FIDO does with different regulators and government bodies and ultimately will be manifested through the secure implementation of digital identity services to citizens worldwide.” 


    Technology Helping to Push FIDO Strong Authentication Forward

    A key path for enabling the FIDO specifications is through vendors that support government efforts.

    Patrick Sullivan, CTO of security strategy at Akamai, commented that password credential stuffing attacks are very common. He noted that Akamai’s platform sees as many as a billion password attacks per day. That’s where multi-factor authentication and more specifically strong authentication based on FIDO Alliance standards play a strong role. Sullivan noted that there is a clear need to provide multi-factor authentication in a low friction environment where it’s delivered in the form factor of an app on a smartphone.

    “We’re not asking users to carry around a hardware token to accomplish FIDO2 as we move in that direction, and by introducing less friction, there’s less risk of our users doing something anomalous,” Sullivan said.

    Jeff Frederick, manager of solutions engineering at Yubico, noted during his session that in government, many agencies in the U.S. use Common Access Card (CAC)/Personal Identity Verification (PIV) credentials that go beyond basic passwords. Frederick noted that FIDO2 standards, which are supported on his company’s YubiKey device, provide a strong, impersonation-resistant authentication protocol that uses public/private key cryptography.

    “It’s very similar to PIV/CAC and FIDO2 is an open standard that’s managed by the FIDO Alliance, so that any vendor can support this and use it today,” Frederick said. “It’s built into all major operating systems and all major browsers so there’s no middleware that you need to install to make this work and it’s just an easy to implement solution that will modernize the federal authentication infrastructure across the board.”

    Making Identity and Authentication Less Taxing at the IRS

    The IRS proofs and authorizes tens of millions of taxpayers every year, across both digital and non digital channels, according to Courtney Rasey, assistant to the director, Identity Assurance, Privacy Governmental Liaison, & Disclosure (PGLD) at the IRS.

    “None of those tens of millions of taxpayers who are calling the IRS are doing so just because they want to, it’s not really a fun weeknight activity,” she said. “They need to resolve an issue to meet their tax obligation and we know that, so we’re always striving to provide better service to taxpayers, to help them get the service that they need in the most convenient and efficient way possible.”

    One way the IRS is looking to be more convenient to taxpayers is with its Secure Access Digital Identity (SADI) platform that was launched in June of 2021. Rasey explained that SADI leverages a Credential Service Provider (CSP) that identity proofs the taxpayer and then provides the IRS with a digital identity credential.

    “Users are eventually going to be able to access all IRS online applications utilizing that single digital identity credential,” Rasey said. “The IRS is moving more and more applications behind SADI throughout fiscal year 2022 and as we do move more applications taxpayers are going to be able to do so many things with just one credential.”

    Moving Toward Zero Trust with Strong Authentication

    In May, President Biden signed Executive Order 1402, which directs U.S. government agencies to improve cybersecurity. One of the primary provisions of the executive order is to move the federal government toward a zero trust architecture.

    “When we talk about zero trust, we’re talking about an architecture where people and their devices aren’t trusted just by virtue of being inside an organization’s enterprise network,” explained Eric Mill, senior advisor, Office of Management and Budget (OMB).

    Mill noted that in a zero trust model, people and devices are validated at each step and authentication is context-aware. The OMB is strongly encouraging the adoption of phishing-resistant multi-factor authentication, with FIDO WebAuthn as a good alternative option in environments where CAC/PIV isn’t feasible.

    “We’re pushing very hard on multi-factor authentication and we really view reliable authentication as a critical foundation of zero trust architecture,” Mill said.

    In a Policy Deep Dive session, Jeremy Grant, managing director, technology business strategy at Venable, noted that there are a number of reasons why authentication is important to governments. 

    Grant said that FIDO specifications can help governments to protect access to their own assets and can help to enable more high-value citizen facing services to the public. 

    “I think what we’re seeing in 2021, is a really different environment across the globe, where FIDO authentication is emerging, not just as another permitted option, but in many cases as a preferred choice of governments across the world,” Grant said.

    How the National Health Service (NHS) uses FIDO

    Among the areas in the world where FIDO is finding a home is in the U.K. 

    The National Health Service (NHS) is the publicly funded medical and healthcare system in the U.K. and it has embraced FIDO standards to help improve human health.  With the NHS Login service, citizens get a centralized identity for health services while the NHS app provides a simplified application for accessing and managing an individual’s access to health services.

    Priyanka Mittal, technical architect for the NHS Login and NHS app, said that over the past 18 months there has been a 10-fold increase in the user base for NHS login as demand has grown during the pandemic.

    Sean Devlin, tech lead for the NHS App, explained that initially the services started out using an SMS based two-factor authentication approach, but wanted to find a more seamless approach. NHS decided to use FIDO UAF and built out its own implementation, using eBay’s open source FIDO implementation as a starting point.

    Devlin said that before using FIDO, users had to navigate as many as five different screens to get through a multi-factor authentication flow. With FIDO, it’s a single screen.

    The NHS has also saved a lot of money by moving to FIDO. With over 500,000 FIDO logins per day, Devlin estimates that the NHS is saving on the order of £8,000 per day on SMS messaging costs.

    Bringing FIDO Strong Authentication to Login.gov

    FIDO specifications also play a pivotal role at login.gov, which is a single sign-on platform for U.S. government services.

    Jonathan Hooper, login.gov Engineering Lead at the General Services Administration (GSA), explained that the authentication portal fronts over 200 sites across the U.S. government, spread across 27 different agencies. Hooper explained that starting in 2018, login.gov began expanding the use of multi-factor authentication, including the WebAuthn specification.

    “We don’t want to be ‘big brother,’ we want to make sure that we can protect users’ privacy and the things built into the protocol that helped to do that were very attractive to us,” Hooper said. “WebAuthn is also very cheap, it is much cheaper to do a WebAuthn authentication event than it is to do SMS by several orders of magnitude.”

    Improving Digital Identity with FIDO

    A FIDO-based approach for digital identity could soon be finding its way to Canada as well according to Joni Brennan, president, Digital ID & Authentication Council of Canada (DIACC). An effort currently underway is the Pan Canadian Trust Framework (PCTF) which is an information assurance framework.

    “We think that there’s a great opportunity here to leverage an information assurance framework, coupled with FIDO Alliance driven specifications, to create and to verify that end to end experience that’s needed for digital ID adoption,” she said.

    The need for secured digital identities was also highlighted by Amit Mital, special assistant to the President and senior director, National Security Council at the White House.

    “Today, when we authenticate ourselves and identify ourselves, we might use one of dozens of popular systems,” Mital said. “So the ecosystem itself is very decentralized, and it’s very unharmonized. It is also fundamentally unsecure.”

    Mital said that there is a clear need for strong remote identity solutions that can provide easy, secure, affordable and reliable ways to identify consumers across digital systems. 

    “It’s clear that there are a diverse and large number of scenarios that need digital identity and there is no single entity that can solve all these scenarios,” Mital said. “We need an ecosystem that brings together the best ideas and innovation from the private sector, both large companies and startups, as well as the government at both the federal and the state, the local, tribal and territorial lands.”

    Wrapping up the day’s event, Andrew Shikiar, executive director of the FIDO Alliance, observed that there are a lot of conversations ongoing about different types of government services and their dependency on secure digital identity.

    “Ultimately, identity and authentication are core to deploy new services at scale, in a way that meets the requirements for government agencies, and for citizens alike,” Shikiar said.

    The webcast is now available on demand. To watch the recording, visit the event page.

    For more discussions on moving past passwords to modern strong authentication, attend Authenticate 2021 on October 18-20, 2021 in Seattle or virtually. The full agenda and details to register are available at authenticatecon.com.

    FIDO Alliance Announces Speakers for Authenticate Virtual Summit, “The Imperative for Strong Authentication for Government Services”
    https://fidoalliance.org/fido-alliance-announces-speakers-for-authenticate-virtual-summit-the-imperative-for-strong-authentication-for-government-services/
    Tue, 31 Aug 2021 13:11:30 +0000

    September 23 event features executives from Akamai, GSA, IRS, NHS, OneSpan, Yubico and more

    MOUNTAIN VIEW, CA, AUGUST 31, 2021 — The FIDO Alliance has announced the agenda and speaker lineup for its next Virtual Authenticate Summit, “The Imperative for Strong Authentication for Government Services,” taking place September 23, 2021 from 11:00 am – 2:30 pm EDT. Authenticate Virtual Summits are a quarterly series of virtual seminars that delve into the FIDO approach to modern user authentication across various markets and geographies.

    Register for free and view the agenda on the Authenticate Virtual Summit event page.

    “Government agencies around the world are rolling out more robust digital services for employees and citizens — and the COVID-19 pandemic has only accelerated this imperative,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Global standards and best practices are key to success in this digital transformation of e-government services — particularly in the areas of strong user authentication and identity verification. We’ve been happy to see the growing trend of governments referencing and leveraging FIDO’s outputs and look forward to sharing their insights with the broader Authenticate community.”

    This government-focused Authenticate Virtual Summit brings together leaders from the public and private sector to examine strong authentication for government services, including considerations for implementing modern authentication systems for e-citizen services and remote government workforces, government agency case studies, the intersection with global policy and more.

    This Authenticate Virtual Summit agenda includes:

    • Keynotes from Akamai, FIDO Alliance, IRS, and Yubico
    • A look at how the IRS is leveraging new digital identity proofing procedures for non-digital authentication
    • Case studies from GSA and NHS on how they are leveraging FIDO to streamline and secure logins
    • Discussions on the state of strong authentication in government and how policies and directives are changing how governments authenticate
    • Considerations and best practices for optimizing the strong authentication for government experience 

    Akamai and Yubico are Signature sponsors for this Authenticate Virtual Summit. To participate as a sponsor, visit https://authenticatecon.com/sponsors/

    For more information about the Authenticate Virtual Summit Series: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/.

    About the FIDO Alliance

    The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

    Authenticate Contact

    authenticate@fidoalliance.org   

    PR Contact

    press@fidoalliance.org

    Amazon is Giving Free FIDO Security Keys to AWS Customers to Encourage Better Account Security
    https://fidoalliance.org/amazon-is-giving-free-fido-security-keys-to-aws-customers-to-encourage-better-account-security/
    Mon, 30 Aug 2021 20:10:05 +0000

    By Andrew Shikiar, Executive Director & CMO, FIDO Alliance

    Leaders from Amazon, Apple, Google, Microsoft and IBM met with President Joe Biden at the White House last week to discuss strategies the government and private sector can use together to improve the nation’s cybersecurity. 

    Following the meeting, Amazon announced that it will provide eligible AWS customers with access to free FIDO Security Keys. Not only will this protect the burgeoning number of businesses that run on AWS, but it will help instill better authentication practices as these keys can be used across many other business (e.g., G Suite, Github, Dropbox, Stripe) and consumer (Facebook, Twitter, Coinbase, Bank of America) services.

    Amazon has been a leading stakeholder in FIDO Alliance for several years now – it is wonderful to see their leadership extended to the market at large. As more businesses move to the cloud, it is absolutely critical that cloud service providers follow suit to protect this critical infrastructure. Threats and attackers are growing in sophistication, and the impacts are non-trivial. Hundreds of millions of personal records are being stolen and resold on the dark web on an alarmingly regular basis. This is a clear and present threat to our economy, our national security and our society.

    It’s difficult to name a breach from the past five years that wasn’t tied to stolen credentials. 

    The latest prominent attack, which was carried out on Colonial Pipeline, used a single stolen password to essentially cripple the U.S. eastern seaboard.

    It is important that all businesses take steps to educate and protect their employees and customers from such threats. “Traditional” means of multi-factor authentication (such as OTPs) simply aren’t fit-for-purpose to protect against these attacks, which can financially cripple a company or organization. 

    Ultimately, credential-based breaches (like Colonial Pipeline’s) wouldn’t be possible if accounts were protected with FIDO Authentication, which requires local possession of a device with no knowledge-based authentication credentials passed over the network. 

    The FIDO Alliance has come a long way since our inception. What started as a whiteboard concept has evolved into technology that is becoming part of the web’s DNA. Virtually every platform and device can now support FIDO Authentication, and there are public SDKs and tools, plus a rich ecosystem of FIDO Certified vendor products and services that can help companies implement FIDO for their sites and apps. 

    Amazon’s move to provide free FIDO Security Keys sets a strong – and important – example. We encourage all other cloud service providers to urgently consider following suit by at a minimum enabling FIDO authenticators for admin access to networks.

    FIDO Alliance Announces Authenticate 2021 Agenda
    https://fidoalliance.org/fido-alliance-announces-authenticate-2021-agenda/
    Tue, 17 Aug 2021 13:00:08 +0000

    Agenda features practical sessions to move past passwords and towards modern authentication

    SEATTLE, August 17, 2021 – Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, today announced its full 2021 agenda. This three-day event, which takes place October 18-20 in Seattle and also with remote attendance options, will help educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems.

    The Authenticate 2021 agenda features:

    • Deployment case studies from enterprises and service providers including Capital One, eBay, Facebook, Google, Morgan Stanley, Target, Verizon, Wayfair and more 
    • Technical deep dives on FIDO’s authentication specifications: IoT, biometrics and identity verification
    • Vertical perspectives from leaders and practitioners in financial services, eGovernment, retail and communications
    • In-depth discussions on the evolving policy landscape and deployment considerations therein 

    “Relying on passwords is passé. Modern authentication systems and standards have emerged to provide more efficient ways for organizations to provide strong security and better interactions with their brands,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The FIDO Alliance encourages organizations of all sizes to prioritize stronger security, and it is our mission to share the tools and resources to help them get there. This year’s agenda delivers on that mission, providing attendees with a strong foundation for deploying simpler, stronger authentication.”

    This year’s headlining keynote speakers are: Bob Lord, former CSO of the Democratic National Committee; Joy Chik, corporate vice president of identity at Microsoft; Stina Ehrensvard, CEO and founder of Yubico; David Henstock, head of identity and authentication products, Visa; and Dave Kleidermacher, vice president for engineering, Android security and privacy, Google. A full list of speakers is available on the Authenticate conference website.

    The conference agenda features 45+ in-person sessions and 20+ sessions on-demand, all of which will be available to all attendees. Authenticate also features an expo hall with product and service offerings with 20+ sponsors, as well as various networking and social events built into the three-day schedule – all while adhering to all CDC and local health/distancing requirements. 

    Register Today!
    Take advantage of early-bird pricing by registering by September 3. To register, visit https://authenticatecon.com/event/authenticate-2021-conference/. Authenticate will be held in conjunction with the FIDO Alliance member plenary, scheduled for October 20-22. FIDO Alliance members have exclusive access to discounted rates to attend both events.

    Get involved at Authenticate

    There are still select sponsorship opportunities available for Authenticate 2021; companies interested can learn more at https://authenticatecon.com/sponsors/.

    Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

    TWEET THIS: The @AuthenticateCon agenda is here! Visit the event website to take a look at this year’s speakers and session topics for the latest in user #authentication. www.authenticatecon.com

    About Authenticate

    Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

    Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2021, Authenticate will be held October 18-20 at the Motif hotel in Seattle, Washington with the option to participate remotely via live stream and on-demand sessions. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

    Authenticate Contact

    authenticate@fidoalliance.org  

    PR Contact

    Morgan Mason
    Aircover PR
    408-612-9889
    press@fidoalliance.org
