At the annual Identity Identity & Policy Forum, it’s a tradition for Andrew Shikiar, CEO of the FIDO Alliance, to reflect on his predictions from the previous year and offer predictions for the coming one. 2025 was a pivotal year for FIDO: passkeys – FIDO’s raison d’etre in recent years – finally became a mainstream authentication method, marking a long-term win for the Alliance.

In his keynote, FIDO Alliance CEO Andrew Shikiar estimates over 4 billion passkeys are now being used to secure sign-ins around the world. “That’s a massive number considering we introduced passkeys in 2022.”

Shikiar’s speech runs through his record on predictions he made at the beginning of 2025, and comes out looking pretty clairvoyant. Major banks have deployed passkeys. “I stood here last year and said 2025 will be the year of passkeys and banking,” Shikiar says. “I was kind of eating my socks on that until around Q4, when all of a sudden basically every major bank in the U.S. passkeys for sign-up.”

• We’re sharing a novel approach to enabling cross-device passkey authentication for devices with inaccessible displays (like XR devices).
• Our approach bypasses the use of QR codes and enables cross-device authentication without the need for an on-device display, while still complying with all trust and proximity requirements.
• This approach builds on work done by the FIDO Alliance and we hope it will open the door to bring secure, passwordless authentication to a whole new ecosystem of devices and platforms.

In India, the passwordless market is estimated at $411 million in 2024 and projected to reach more than $1.5 billion by 2030. This reflects how businesses are opting for faster, smarter, and safer login experiences. To understand what’s driving this trend and how companies are adapting, indianexpress.com spoke with Chandramouli Dorai, chief evangelist, cyber solutions and digital signatures at Zoho Corp.

Biometrics rank as the most commonly used authentication methods for high risk transactions. It’s also rated as the most convenient, with 58.3 respondents listing it as such.

As usual, there are corresponding concerns about data privacy. One in three people worry their biometric data or digital credentials could be stolen or faked, leading to identity fraud. One in Authentication data theft is a top fear. “Many users feel that biometric authentication, though widely implemented, still is not secure enough for them or their digital assets.”

BSP requires organizations under its supervision to strengthen fraud management and identity verification by June 25, 2026. The directive calls for the adoption of secure, phishing-resistant methods, such as passwordless authentication through FIDO standards.

The measure comes amid rising online scams and fraud cases in the country. 

“By 2027, more than 90% of MFA transactions using a token will be based on FIDO protocols natively supported in IAM tools.”

Passkeys are unique digital credentials tied to a user’s personal device and offer a way to authenticate identity without the need for traditional passwords or one-time text codes.

Passkeys never leave the device and so cannot be reused across websites, which makes them resistant to phishing and other common attacks.

The Government has announced plans to replace passwords as the way to access Gov.UK, its digital services platform for the public.

In contrast to using a password and then an additional text message or code sent to a user’s trusted device – known as two-factor authentication – passkeys are unique digital keys tied to a specific device that proves the user’s identity when they log in without requiring them to input any further codes.

Tech-Specific Innovation

While AI was one of the hottest topics at the show, it wasn’t the only topic of discussion; we also heard a lot about the evolving ransomware ecosystem and what organizations need to be doing today to prepare for the arrival of “Q-Day”. 

But perhaps the second-biggest discussion piece was around identity and access security. 

With the rise of AI-powered deepfakes and fraud attempts, we’re seeing more need than ever before for organizations to make the switch from passwords to more secure methods of authentication, such as Passkeys—and many experts were optimistic that this space will see a lot of adoption over the next year. 

Key Insights:

• Andrew Shikiar, Executive Director and CEO of the FIDO Alliance: “We’re going to see Passkey deployment continue to grow in regulated industries. That’s really important, because addressing the higher assurance use cases and taking passwords out of play there will give greater confidence for more and more companies to deploy Passkeys at scale, which will further accelerate our journey towards putting passwords fully in the rear-view mirror.”

The move coincides with World Password Day and aligns with the tech giant’s broader commitment to the Passkey Pledge, an industry initiative to eliminate passwords in favor of more secure, phishing-resistant login methods. In a blog post, Microsoft executives Joy Chik and Vasu Jakkal emphasized that passkey users are three times more likely to log in successfully than those using passwords. Although existing account holders can still use passwords, Microsoft is nudging them toward using biometrics or PINs by default. Nearly all Windows users already rely on Windows Hello, and the shift is backed by support from industry partners, including Apple and Google, who are also rolling out FIDO-compliant passkey systems across their platforms. The change promises to streamline security and user experience across the board.

The U.K. government is set to replace SMS-based verification systems for digital services with passkeys this year in a bid to shore up cyber defenses.

The initiative will be rolled out by the U.K. National Cybersecurity Center using the open authentication standard Fast IDentity Online, or FIDO, as a more “secure and cost-effective solution.”

“The NCSC considers passkey adoption as vital for transforming cyber resilience at a national scale,” the NCSC said. “In addition to enhanced security and cost savings, passkeys offer users a faster login experience, saving approximately one minute per login when compared to entering a username, password and SMS code,” the agency said.

The new working group emerges at a time of growing momentum for passwordless authentication in the payments sector. Last year, Visa implemented passkeys for online payments, allowing customers to authorize transactions using biometric authentication rather than traditional passwords.

The Alliance, which now comprises over 250 members, has been steadily expanding its influence across various sectors of digital authentication.

Microsoft introduced passkey support across most of its consumer apps last year, allowing users to sign into their accounts without the need for 2FA methods or remembering long passwords. A year later, it’s removing passwords as the default and encouraging all new signups to use passkeys.

PCMag attempted to sign up for a new Microsoft account on May 2, but it still asked for a password at the time of publication. Microsoft hasn’t shared an exact timeframe for when the change will take place, but you should expect it to happen in the coming days.

This is the first time a new account can be entirely passwordless. Previously, it had to have one alongside your passkey.

In a blog post, Microsoft says 98% of passkey attempts to log in are successful, while passwords are only at 32%. Microsoft is also introducing what it calls a “streamlined” sign-in experience for all accounts that “prioritizes passwordless methods for sign-in and sign-up.” It means some UX design changes to highlight passkey functionality.

The new no-password initiative by Microsoft is accompanied by its recently launched, optimized sign-in window design with reordered steps that flow better for a passwordless and passkey-first experience.

Although current accounts won’t have to shed their passwords, new ones will try and leave them behind by not prompting you to create a password at all:

As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be “passwordless by default.” New users will have several passwordless options for signing into their account and they’ll never need to enroll a password. Existing users can visit their account settings to delete their password.

With today’s changes, Microsoft is renaming “World Password Day” to “World Passkey Day” instead and pledges to continue its work implementing passkeys over the coming year. This time last year, the company implemented passkeys into consumer accounts. Microsoft says it’s seeing “nearly a million passkeys registered every day,” and that passkey users have a 98 percent success rate of signing in versus 32 percent for password-based accounts.

The results are encouraging, they find 74 percent of consumers are aware of passkeys and 69 percent have enabled passkeys on at least one of their accounts.

Among those who have used passkeys, 38 percent report enabling them whenever possible. More than half of consumers now believe passkeys are both more secure (53 percent) and more convenient (54 percent) than passwords.

This increase in passkey adoption is likely driven by the shortcomings of passwords. Last year, over 35 percent of people had at least one of their accounts compromised due to password vulnerabilities. In addition, 47 percent of consumers will abandon purchases if they have forgotten their password for that particular account.

To further encourage organizations to embrace the shift to passkeys, the FIDO Alliance has also launched the Passkey Pledge, a voluntary pledge for online service providers and authentication product and service vendors committed to embracing passkeys.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration, which imperil the very foundations of our connected society,” says Andrew Shikiar, executive director and CEO of the FIDO Alliance. “We’re thrilled by the fact that over 100 organizations around the world signed our Passkey Pledge, and we are pleased to support the market in their march towards passkeys through a variety of freely available assets, including our market-leading Passkey Central resource center.”

The full report is available from the FIDO Alliance site.

This significant shift marks a turning point in digital security as the tech industry moves decisively away from vulnerable password-based systems.

“The establishment and growth of World Passkey Day reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods,” said Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. 

The answer is passkeys, which link your account security to your physical device security, which means unless an attacker has access to your hardware and unlock method — biometric or PIN, they can’t bypass a password to login.

More than others, Microsoft is not just promoting passkeys but also password deletion: “If a user has both a passkey and a password, and both grant access to an account, the account is still at risk for phishing. Our ultimate goal is to remove passwords completely and have accounts that only support phishing-resistant credentials.”

The FIDO Alliance, the organization charged with promoting passkeys has taken to the internet airwaves this time around to “launch a Passkey Pledge to further accelerate [the] global movement away from passwords.”

Its latest research found that “over 35% of people had at least one of their accounts compromised due to password vulnerabilities, [and] 47% of consumers will abandon purchases if they have forgotten their password for that particular account. This is significant for passkey adoption, as 54% of people familiar with passkeys consider them to be more convenient than passwords, and 53% believe they offer greater security.”

FIDO has welcomed Microsoft’s password deletion as industry leading. “This is an exciting and seminal milestone as Microsoft is taking passwords out of play for over a billion user accounts,” its CEO Andrew Shikiar told me, “who can now instead leverage user-friendly, phishing-resistant passkeys. Microsoft’s leadership in doing so today will help encourage more service providers to do the same, which moves us collectively closer to the day when passwords are fully in our rear-view mirror.”

The FIDO Alliance has also recently invited companies to participate in the World Passkey Pledge to create a more secure future, and move past the vulnerability and hassle of passwords.

Simon McNally, Cybersecurity Expert at Thales said, “Passwords have long been a weak link in digital security, forcing consumers and businesses into a frustrating cycle of password resets and potential breaches. We welcome the FIDO Alliance’s commitment to World Passkey Day and its push for a passwordless future. Passkeys provide a seamless and secure authentication experience, eliminating the risks and frustrations associated with traditional passwords.

Passkeys are automatically generated and securely stored, removing the burden of creating and managing complex passwords. They also enhance privacy by allowing authentication without sharing sensitive data, reducing the risk of breaches. As trust in digital security becomes more critical, businesses must prioritise passwordless solutions to protect users and build brand confidence.”

The Passkey Pledge for a Passwordless Future

To commemorate World Password Day (or at it will henceforth be known, World Passkey Day), the FIDO Alliance has released a survey on the usage of passkeys which found that 74% of consumers are aware of passkeys, meaning that consumers are aware of the potential value a passkey login experience can bring. To support this, the survey also found that 69% of consumers have enabled passkeys on at least one of their accounts.

Furthermore, for those who have used passkeys, 38% report enabling them whenever possible suggesting that some consumers already see the added user experience and security benefits passkeys bring. In fact, more than half of consumers believe passkeys are both more secure (53%) and more convenient (54%) than passwords. Many businesses and organizations have already signed the Passkey Pledge, including Amazon, Apple, Google, Microsoft, Samsung, and many more!

A pivotal moment

Andrew Shikiar, executive director and CEO of the FIDO Alliance, commented on both the recent survey, and the Passkey Pledge:

“This year’s World Passkey Day comes at a pivotal moment for user authentication around the world – with a rapidly growing number of service providers (including nearly half of the world’s top 100 websites) offering billions of user accounts the option to sign in with passkeys instead of passwords. Well over 100 organizations have taken the Passkey Pledge, indicating their commitment towards a future free from the risk and burdens of passwords.

Consumers are not only increasingly aware of passkeys, they’re using them more frequently: 69% of respondents to our recent survey are enabling them on at least one account, and 38% are now enabling them whenever possible.

Passkeys are so intuitive to use that once users integrate passkeys, they rarely go back. This is good for consumers who are frustrated by password reliant sign-in processes — 35% of whom said they experienced account compromises as a result of password vulnerabilities last year — and e-commerce retailers alike.

This shift isn’t just about innovation or bottom lines; it’s about rebuilding digital trust and creating a safer, more efficient internet for everyone.”

The passkey transfer capability is being integrated into Google Password Manager, with recent releases of Google Play Services containing direct references to passkey export and import tools. These developments are part of Google’s broader effort to enhance authentication security and usability on Android platforms. The initiative comes as enterprise adoption of passkeys continues to grow, according to recent FIDO Alliance research.

First to the good news. Google’s tightening restrictions on the mass delivery of spam emails to your inbox is working and it’s having a devastating impact on the industry spawned to plague you with marketing messages. “Over the last year,” website MarTech says the industry has seen “engagement rates (open and click rates, especially) drop considerably. Their emails only show up in the inboxes of people already engaging with the brand. For most subscribers, the emails are getting flagged as spam.”

An APK teardown by AndroidAuthority has found that Google might be working on a potential update that would allow you to export passkeys from one device to another.

Password export and import is already a key feature of many of the best password managers, but the same functionality for passkeys would be a huge step forward.

The report reveals an increasing misalignment between real-world security risks and outdated authentication methods.

It also highlights the growing risks associated with outdated authentication methods and the rise of new generative AI-related attacks.

However, the report signals a potential turning point in the fight against identity-based attacks, with phishing-resistant authentication methods like FIDO passkeys poised to become the dominant solution within the next two years.

The company states that this is a first in the report’s five-year history.

iProov today launched iProov Workforce MFA. 

This device-independent, FIDO Alliance-certified biometric authentication solution helps organizations mitigate the risk of one of workforce security’s most crucial concerns: account takeover.

“The password era is ending,” Microsoft warned in December. “Bad actors know it, which is why they’re desperately accelerating password-related attacks while they still can.” With “7,000 attacks on passwords [blocked] per second… almost double from a year ago,” the company is on a mission to “convince a billion users to love passkeys.”

A passkey replaces password and two-factor authentication (2FA) codes with account authentication linked to your hardware devices or devices and secured by the same security that unlocks that device, most likely your fingerprint or your face. Unlike passwords, this means a passkey cannot leak or be stolen as it requires that physical hardware device. And unlike 2FA, it cannot be intercepted or bypassed.

This certification allows the company to assess and validate identity verification vendors’ Document Authenticity and Face Verification solutions, contributing to fraud prevention efforts while ensuring compliance with industry standards.

Growing concerns over deepfakes drive standardisation 

The introduction of FIDO’s IDV Programme comes in the context of increasing concerns about AI-driven fraud. According to the official press release, despite over 70 billion digital identity verification checks conducted in 2024, more than half of users remain worried about the risks posed by deepfakes and other fraudulent activities. The programme establishes a unified accreditation process to ensure remote identity verification solutions are secure and resistant to manipulation. 

A representative from Fime stated that remote identity verification is essential for sectors such as banking and digital ID enrolment, given the rapid advancements in deepfake technology. The official highlighted the importance of FIDO IDV Certification in helping service providers ensure that their vendors deliver reliable, validated solutions capable of protecting users and mitigating risk. 

Officials from the FIDO Alliance emphasised that the certification programme is designed to strengthen security during onboarding and enrolment processes. They noted that, alongside biometric component certification, this initiative aims to reduce reliance on traditional passwords while enhancing security and user experience.

Key findings

Enterprises understand the value of passkeys for workforce sign-ins. Most decision makers (87%) report deploying passkeys at their companies. Of these, 47% report rolling out a mix of device-bound passkeys (on physical security keys and/or cards) and synced passkeys (synced securely across the user’s devices).

Organizations are prioritizing passkey rollouts to users with access to sensitive data and applications, including the three most commonly cited priority groups: Those requiring access to IP (39%), users with admin accounts (39%), and users at the executive level (34%). Organizations leverage communication, training, and documentation within these deployments to increase adoption.

Passkey deployments are linked to significant security and business benefits. Respondents report moderate to strong positive impacts on user experience (82%), security (90%), help center call reduction (77%), productivity (73%), and digital transformation goals (83%).

Groups that do not have active passkey projects cite complexity (43%), costs (33%), and lack of clarity (29%) about implementation as reasons. This signals a need for increased education for enterprises on rollout strategies to reduce concerns, as there is a correlation between these perceived challenges and the proven benefits of passkeys.

Key talking points include:

• Why passkeys are more secure than passwords
• How widespread their adoption is 
• Ways organizations can prepare for broader passkey adoption

Visit Passkey Central for more resources on passkeys: https://www.passkeycentral.org/home 

With over 70 billion digital identity verification checks conducted in 2024, a reported 52% of people are still concerned about deepfakes and AI-driven fraud. To address this, FIDO introduced the IDV Program, providing a standardized accreditation that ensures remote digital identity verification solutions are secure, reliable, and fraud resistant. 

The initiative, which began with a joint announcement by the three tech giants in 2022, has now reached full implementation across all major platforms. Users can access passkey functionality through their devices’ built-in biometric systems, enabling seamless authentication across various services and applications. Microsoft has recently announced plans to implement passkeys for over one billion users in response to a 200 percent increase in cyberattacks.

And AI-driven password cracking tools can run millions of guess attempts lightning-fast, often defeating weak passwords in minutes. It is no surprise, then, that stolen or weak passwords contribute to about 80% of breaches​.

The old password model has outlived its usefulness. As cyber threats get smarter, it is time for consumers to do the same.

Based on a survey of 400 IT professionals (200 from each country), the report says passkey adoption for employee sign-ins is a high or critical priority for two thirds of respondents, and that the majority of enterprises have “either deployed or are in the midst of deploying passkeys with goals tied to improved user experience, enhanced security and standards/regulatory compliance.”

FIDO2 is a joint initiative by the FIDO Alliance and the World Wide Web Consortium (W3C) aimed at delivering streamlined, strong authentication without relying on passwords. It defines a set of technical components: WebAuthn and CTAP2 (Client to Authenticator Protocol). WebAuthn standardizes how a web application interacts with an authenticator—often a platform feature like a secure enclave on a phone or a hardware security key. CTAP2 governs how that authenticator communicates with the client device, such as a laptop or smartphone.

As a result, passwordless authentication is steadily gaining traction, enabling healthcare facilities to implement more secure user verification and streamline access management.

The transition to passwordless won’t happen overnight. However, we can expect continued adoption of passwordless methods over the next decade, as the challenges of traditional passwords become too glaring to ignore in this mission-critical industry.

The solution provides IT teams with comprehensive control over FIDO key management, from initial enrollment through to eventual revocation. By allowing IT departments to pre-register keys and handle lifecycle management tasks, the platform helps reduce the burden on end users while maintaining security standards. The approach supports recent FIDO Alliance guidelines for enterprise passkey implementation, which emphasize the importance of streamlined deployment processes.

A key feature of the solution is its integration with Microsoft Entra ID through FIDO2 provisioning APIs, enabling organizations to pre-register Thales FIDO keys for their users. The integration is particularly relevant for enterprises using Microsoft 365, providing secure authentication capabilities from initial deployment. The feature arrives as Microsoft implements mandatory multi-factor authentication across its enterprise platforms.

Following the launch by Yuno, merchants in Brazil, Argentina, and Chile can replace increasingly vulnerable traditional authentication methods, such as one-time passwords, with Mastercard Payment Passkey Service, which uses device-based biometrics, such as fingerprints and facial recognition already available on smartphones, to authenticate purchases.

Mastercard Payment Passkey Service also leverages tokenisation technology to ensure that sensitive data is never shared with third parties and remains useless to fraudsters in the event of a data breach, making transactions even more secure.

This technology promises to not only boost the security of online transactions, but also to significantly reduce cart abandonment rates by increasing convenience for merchants’ customers.

Mastercard and other card payment companies will be introducing a one-click button that will work on any online platform.

One of the reasons why services will be moving to a one-click system is to deter hackers who target merchant sites to steal consumer card information. According to a 2023 study by Juniper Research, merchant losses from online payment fraud will exceed $362 billion globally between 2023 to 2028, with losses of $91 billion alone in 2028.

The one-click system will protect consumers and their online data.

Safety is a cornerstone of our global operations, and we are committed to protecting our users across the approximately 200 markets that we serve. In this piece, we detail the latest developments in authentication security and share recommendations for policymakers to enable increased safety in the digital economy.

Passkeys, a breakthrough in the realm of digital security, eliminate the vulnerabilities of password-based systems. Utilizing cryptographic key pairs, passkeys are designed to safeguard user identities without relying on shared secrets. The system operates on a challenge-response mechanism: a private key stored securely on the user’s device interacts with a public key on the service provider’s server. This interaction ensures that sensitive credentials are never exposed, making passkeys inherently resistant to phishing attempts and credential theft.

This technology is underpinned by the FIDO2 standard, which comprises WebAuthn and the Client-to-Authenticator Protocol (CTAP). WebAuthn facilitates seamless integration of passkeys into web applications, while CTAP supports communication between devices and authenticators, ensuring flexibility and security. Together, these components offer a standardized and robust framework for passwordless authentication across various platforms.

This is despite the fact that 80 percent of breaches today are a result of stolen login credentials from attacks like phishing. Because of this, passwords are widely understood by security experts as the most insecure authentication method that leaves individuals, organizations and their employees around the world vulnerable to increasingly sophisticated modern cyber attacks like phishing.

Formal methods analysis of the FIDO2 standard has revealed potential weaknesses in the underlying protocols that warrant attention from security professionals. The research particularly focuses on the implementation of synced passkeys, which enable cross-device access through passkey providers. These findings support recent expert warnings about interoperability concerns in FIDO2 implementations.

Even with the help of password managers, passwords are becoming more and more of a burden for most people.

Long gone are the days of being able to use and reuse rubbish passwords like p455w0rd123. Now, all of your online accounts need to be protected by passwords that are complex and unique.

Also: Passkeys take yet another big step towards killing off passwords

You also need to be ever vigilant in case one of your many passwords is compromised.

There’s a better solution: Passkeys.

It’s a “password tax” on businesses and consumers that no one can seem to get past.

As the digital economy has grown, so has the value associated with passwords. As a result, phishing and credential theft continue to run rampant, with stolen credentials sold openly on the dark web.

To protect people, organizations add more friction and worsen UX. They ask users to create long and complex passwords, change passwords every few months and use MFA. This results in lost sales, reduced company productivity and added costs.

A secure alternative to the password has emerged: passkeys. This option can strengthen organizations’ security posture because passkeys have the potential to generate billions in revenue and cost savings for businesses.

Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity 

The WebAuthn standard was called out by name in a new cybersecurity executive order (EO) that was released by the White House – in the final days of the Biden Administration. Among other things, the new EO effectively codifies a previous 2022 policy memo that called for the US government to use only phishing-resistant authentication. 

Key developments, such as AI-driven phishing, the adoption of digital identity wallets, and the shift to passkey authentication, are reshaping the cybersecurity landscape. These trends, combined with rising attack frequencies, require organisations to adopt proactive measures and align with evolving regulatory standards.

Global leaders, including experts from Yubico, and local organisations like CERT NZ and the National Cyber Security Centre (NCSC), have identified critical areas of focus for 2025. These include:

• combating increasingly sophisticated attacks
• implementing modern authentication methods
• prioritising board-level involvement in cybersecurity strategies

What’s wrong with passwords – why do we need passkeys?

Most cyber harms that affect citizens occur through abuse of legitimate credentials. That is, attackers have obtained the victim’s password somehow – whether by phishing or exploiting the fact the passwords are weak or have been reused.

Passwords are just not a good way to authenticate users on the modern internet (and arguably weren’t suitable back in the 1970s when the internet was used by just a few academics). Adding a strong – phishing-resistant – second factor to passwords definitely helps, but not everyone does this and not every type of Multi-Factor Authentication (MFA) is strong.

The report defines consumer identity and access management (CIAM) as a framework that controls and manages consumer identities, access, and policies across IT infrastructures to protect enterprises from unauthorized and potentially harmful security breaches. CIAM solutions include single sign-on, multi-factor authentication, identity verification, lifecycle management (provisioning, deprovisioning), password management, and compliance management.

• Fraudulent job applicants posing as IT workers from countries like North Korea have infiltrated organizations, posing significant security risks.
• HYPR encountered a potential fraud attempt during its onboarding process and successfully thwarted it using its Identity Assurance platform.
• HYPR’s use of multi-layered identity verification, including biometrics and video verification, helped prevent the fraudulent hire from gaining access to their systems.
• This issue is not limited to North Korea plots; fake workers and interview fraud are widespread and growing

Passkeys are a biometric security trend to watch in 2025. The FIDO Alliance themed its 11th annual FIDO Tokyo Seminar on how passkey adoption is accelerating, with presentations from Google, Sony Interactive Entertainment, Mastercard, and other organizations joining the journey to password-free living. Microsoft has confirmed its advice on how to make people love passkeys – as it sweeps aside a major vulnerability that exposed 400 million Outlook 365 users.

Major tech brands drive mainstreaming of passkey account log-ins

In 2024, Amazon made passkeys available to 100 percent of its users and has seen 175 million passkeys created for sign-in to amazon.com globally. Google says 800 million Google accounts now use passkeys, with more than 2.5 billion passkey sign-ins over the past two years and sign-in success rates improving by 30 percent. Sony adopted passkeys for the global Playstation gaming community and saw a 24 percent reduction in sign-in time on its web applications.

Hyatt, IBM, Target and TikTok are among firms that have added passkeys to their workforce authentication options. More credential management products offering passkey options means more flexibility for consumers.

Japan joins passkey party in private sector, academia

The Japanese market showed a notable turn toward passkeys, with Nikkei, Nulab and Tokyu Corporation among firms embracing passwordless authentication technology. Nikkei will deploy passkeys for Nikkei ID as early as February 2025. Tokyu Corporation says 45 percent of TOKYU ID users have passkeys. And Nulab announced a “dramatic improvement in passkey adoption.”

Academia is helping drive innovation, with teams from Keio University and Waseda University winning acknowledgement for their research and prototypes at a slew of hackathons and workshops.

And FIDO, of course, is there to offer support, now offering its Passkey Central website resource on passkey implementation in Japanese, so that Japanese companies can take better advantage of its introductory materials, implementation strategies, UX  and design guidelines and detailed roll-out guides.

The FIDO Japan Working Group, which includes 66 of the FIDO Alliance’s member companies, is now in its 9th year of working to raise passkey awareness in the country.

The conversation also covers the broader implications of strong, user-friendly authentication methods for consumers and organizations, as well as the collaborative efforts of major industry players to make the internet a safer place. Additionally, Andrew highlights the importance of identity security in the context of these advancements, emphasizing how robust authentication methods can protect personal and organizational data. 

Tune in to learn about the future of authentication and the steps being taken to eliminate the reliance on passwords.

Watch the interview with Andrew Shikiar on “The Future of Payment Authentication.”

In an MFA bypass attack, threat actors use social engineering techniques to trick victims into providing their username and password on a fake website. If victims are using “legacy MFA” (such as SMS, authenticator apps, or push notifications), the attackers simply request the MFA code or trigger the push notification. If they can convince someone to reveal two pieces of information (username and password), they can likely manipulate them into sharing three (username, password, and MFA code or action). 

Make no mistake—any form of MFA is better than no MFA. But recent attacks make it clear: legacy MFA is no match for modern threats. So, what can organizations do? Sometimes a case study can answer that question.

Today, CISA and the USDA are releasing a case study that details the USDA’s deployment of FIDO capabilities to approximately 40,000 staff. While most of their staff have been issued government-standard Personal Identity Verification (PIV) smartcards, this technology is not suitable for all employees, such as seasonal staff or those working in specialized lab environments where decontamination procedures could damage standard PIV cards. This case study outlines the challenges the USDA faced, how they built their identity system, and their recommendations to other enterprises. Our personal favorite recommendation: “Always be piloting”.

FIDO authentication addresses MFA-bypass attacks by using modern cryptographic techniques built into the operating systems, phones, and browsers we already use. Single sign-on (SSO) providers and popular websites also support FIDO authentication. 

Andrew Shikiar, executive director of FIDO, said the past two years have been momentous for members and ecommerce businesses. “You want to attract customers to your site and protect them from account takeover, credential stuffing, and phishing attacks,” he said. “That’s why PayPal, eBay, Amazon, Walmart, Best Buy, and other ecommerce companies were the earliest adopters of passkey payments.”

Shikiar noted that passkey awareness has risen from 39% in 2022 to 57% in 2024, according to a FIDO survey of 10,000 consumers in the U.S., U.K., France, Germany, Australia, Singapore, Japan, South Korea, India, and China.

The FIDO Alliance, the industry group spearheading the passkey push, is putting out some much-needed guidelines to make passkeys usage feel more consistent from one site to the next, and the big tech platforms are getting better at letting you store passkeys in your preferred password manager. Work is also underway on a protocol to let people securely switch between password managers and take all their passkeys with them.

All this is contributing to an air of inevitability for passkeys, especially as major e-commerce players such as Amazon and Shopify get on board. Even if you’re not fully attuned to the passkey movement, you’ll soon have to go out of your way to avoid it.

“Within the next three to five years, virtually every major service will offer consumers a passwordless option,” says Andrew Shikiar, the FIDO Alliance’s CEO and executive director.

NordPass and NordSteller recently released its sixth annual analysis of personal password habits.

Based on NordPass and NordStellar’s data they crunched, ‘secret’ was the most common password in the US.

The management platforms found that the password was used 328,831 times, and it would take less than one second for someone to crack it.

‘Secret’ is also ranked in the top 10 most common passwords in the world.

Andrew Shikiar, executive director of FIDO Alliance, mentioned hackers could guess the password if it’s even spelled using numbers or with other substitutions while speaking with CNBC.

‘For example, they might believe that “secret” is a weak password but “s3cr3t” will be hard to guess,’ Shikiar said in 2019. 

Some 20% of the world’s top 100 websites now accept passkeys, said Andrew Shikiar, CEO of the FIDO Alliance, an industry group that developed the core authentication technology behind passkeys.

Passkeys first came to the public’s attention when Apple added the technology to iOS in 2022. They got more traction after Google started using them in 2023. Now, many other companies including PayPal, Amazon, Microsoft and eBay work with passkeys. There’s a list on the FIDO Alliance website.

Still, some popular sites like Facebook and Netflix haven’t started using them yet.

Passkey technology is still in the “early adoption” phase but “it’s just a matter of time for more and more sites to start offering this,” Shikiar said.

The result is that consumers will be able to enjoy one-click checkout across devices, browsers and operating systems, without needing to input one-time passwords (OTPs).

The feature is enabled by the Mastercard Payment Passkey Service, which allows on-device biometric authentication through facial scans or fingerprints, the same way phones are unlocked.

In its latest Online Authentication Barometer, FIDO found that support for a number of authentication options – including not just passkeys but also biometrics – is growing.

Public awareness of passkeys has jumped from 39% in 2022, when the technology was first introduced, to 57% this year. Meanwhile, the use of passwords in various services sectors is dropping. For example, the percentage of people who used a password over a two-month period for financial services dropped from 51% two years ago to 31% this year.

Ecommerce sites have experimented with magic links, an authentication method that is a little higher friction but is still a viable passwordless alternative. Meanwhile, biometric authentication (think fingerprints and facial recognition) is gaining popularity among less technical users, even if it’s simply to unlock their smartphones. Passkeys, another passwordless authentication method, leverage biometrics or a PIN to let consumers confirm a purchase with just a tap or a quick selfie.

“Consumer expectations are changing, and this data should serve as a clear call to action for brands and organizations still relying on outdated password systems,” noted Andrew Shikiar, CEO at FIDO Alliance.

“Consumers are actively seeking out and prefer passwordless alternatives when available, and brands that fail to adapt are losing patience, money, and loyalty – especially among younger generations.”

“When consumers know about passkeys, they use them. Excitingly, 20% of the world’s top 100 websites and services already support passkeys. As the industry accelerates its efforts toward education and making deployment as simple as possible, we urge more brands to work with us to make passkeys available for consumers. The pace of passkey deployment and usage is set to accelerate even more in the next twelve months, and we are eager to help brands and consumers alike make the shift,” Shikiar concluded.

Apple thinks 249 of my passwords need attention. Some of them have been reused. Some of them have been caught up in data breaches. Some are just bad passwords.

That’s why, for the past 11 years, a group called the FIDO Alliance has been working to kill passwords — or at least make us less reliant on them. FIDO, short for Fast IDentity Online, wants to make signing into your accounts not only more secure but also, as the name implies, faster and easier. Since its members include Amazon, Apple, Google, Meta, and other architects of our online experience, the FIDO Alliance is in a position to accomplish this, too.

Whether you’ve realized it or not, FIDO’s efforts have already transformed the way you sign into everything online. You may have noticed a few years ago, for instance, that a lot more sites started requiring something called multifactor authentication, which adds an extra step to the login process, like texting a code to your phone so the site can verify you are you. That was FIDO’s doing.

But after years of making logging in more difficult but more secure, the alliance recently began a major push to get platforms and people alike to adopt a technology that may just kill passwords altogether: passkeys.

With all relevant operating systems now natively supporting passkeys, companies have been increasingly adopting them as an alternative to passwords. Relying on passkeys minimizes the risk of getting hacked, as users don’t have access to their cryptographic keys, and intercepting them is significantly more challenging. However, those switching between different service providers may prefer traditional passwords, as there’s currently no easy way to import or export passkeys. To minimize the friction separating distinct platforms, the FIDO Alliance is working on a solution that makes moving passkeys between them a breeze.

The FIDO Alliance has published (via Neowin) a working draft encompassing specifications that would make moving passkeys between providers possible. When implemented, users would be able to securely import and export their passkeys, making switching platforms less challenging. Read more of the article.

It’s been around two years since passkeys came onto the scene, and the technology has come a long way in making the world a passwordless place. Yet, one feature that’s been absent is the ability to import or export passkeys between devices.

That is set to change, as the FIDO Alliance — the working group behind the technology — has published a draft specification for Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) formats that would not only work for the secure transferring of passkeys but also other forms of authentication.

Amazon has seen massive adoption of passkeys since the company quietly rolled them out a year ago, announcing today that over 175 million customers use the security feature.

“Today, we’re excited to share that more than 175 million customers have enabled passkeys on their Amazon accounts, allowing them to sign in six-times faster than they could otherwise,” says Amazon.

Passkeys are an industry standard developed by the FIDO Alliance and the World Wide Web Consortium, and were integrated into Apple’s ecosystem with iOS 16, iPadOS 16.1, and macOS Ventura. They offer a more secure and convenient alternative to traditional passwords, allowing users to sign in to apps and websites in the same way they unlock their devices: With a fingerprint, a face scan, or a passcode. Passkeys are also resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

The draft specifications, called Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF), will standardize the secure transfer of credentials across different providers. This addresses a current limitation where passkeys are often tied to specific ecosystems or password managers.

At the FIDO Alliance’s Authenticate Conference in Carlsbad, California, on Monday, October 14, researchers are announcing two projects that will make passkeys easier for organizations to offer—and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website, called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms.

“To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords,” Andrew Shikiar, CEO of the FIDO Alliance, told WIRED ahead of Monday’s announcements. “And when it comes to CXP, we have all these companies who are fierce competitors willing to collaborate on credential exchange.”

What Are Passkeys?

Passkeys are a sophisticated, passwordless login option for apps and websites developed by the FIDO Alliance. They consist of a “private key” stored on the user’s device and a “public key” residing with the service. This dual-key system undergoes an encrypted verification process, ensuring that access is granted only when the user’s biometrics or device PIN confirm their identity. This system effectively eliminates the need for passwords and multi-factor authentication codes, creating a seamless and secure user experience.

The Benefits of Passkeys

Traditional logins rely on passwords, which users often reuse across multiple sites, posing substantial security risks. Passkeys, however, are tied to the user’s unique device and biometric data, rendering them immune to phishing and brute-force attacks. If a passkey is stolen, it becomes useless without the rightful owner’s biometric verification. This intrinsic link between the user and the device significantly mitigates the threat landscape.

Banks and Passkey Adoption

While the advantages of passkeys are clear, some industries have been slow to adopt, including banks. Andrew Shikiar, CEO and Executive Director of the FIDO Alliance, explains, “Banks and financial institutions operate in a highly regulated industry, so they are vigilant when it comes to ensuring that user authentication complies with relevant regulations. Synced passkeys introduce a new customer assurance model that compliance leads within banks are still adjusting to.”

However, Shikiar noted that “we are now seeing regulatory and other government bodies begin to give formal guidance on how industry should contemplate passkeys,” including an April 2024 missive from the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) offering guidance about implementation.

But Shikiar says that “banks are hypersensitive to customer experience,” too, and thus more cautious about changing how customers log in—even if passkeys are quicker and more secure. New login methods require educating customers—and that takes time.

Despite these bottlenecks, Shikiar says that banks are slowly moving away from strictly password-based logins because they “inherently understand that using a passkey as a primary factor is far superior to a password.”

The Collaborative Future of Passwordless Authentication

Apple’s implementation of passkeys underlines a collective effort by tech giants within the FIDO Alliance, including Microsoft and Google, to enhance internet security. The Alliance has pioneered developments in authentication standards, striving to eliminate the vulnerabilities of password-based systems. Users can visit the FIDO Alliance to learn more about the ongoing efforts and advancements in passkey technology and the latest in passkey implementation.

As passkeys gain traction, the internet moves closer to a future where security does not come at the expense of user convenience. The collaborative efforts of industry leaders within the FIDO Alliance signal a transformative shift towards more secure, passwordless authentication methods, promising a safer digital experience for all.

This week, Andrew Shikiar, FIDO’s Executive Director and CEO, joins the ID Talk podcast to discuss critical issues in authentication and identity security. The conversation covers topics such as the intricacies of passkeys, the dangers of phishing and deepfakes, and the comprehensive testing FIDO certified products undergo with independent, accredited labs to gain FIDO certification. Additionally, Shikiar introduces FIDO’s new Face Verification Certification program, aimed at standardizing selfie-based identity verification technologies across various sectors.Gain valuable insights from Andrew Shikiar by tuning into the podcast, available on Soundcloud, Spotify, Apple Podcasts, or using the link below.

The State of Michigan aimed to address several key objectives with the integration of passkeys, fortifying security and enhancing the digital user experience to access critical state government services.

This capability is powered by the Visa Payment Passkey Service, which is built on Visa’s Fast Identity Online (FIDO) server. The service allows merchants to integrate the Visa Payment Passkey Service into their checkout systems without needing to establish their own servers, thereby simplifying the setup process.

For users, this means they can use the same biometric authentication methods they use to unlock their devices to approve Visa payments online, with a one-time enrollment required during checkout. Visa also plans to extend enrollment options to banking apps in the future.

The development of passkeys was a collaborative effort among major technology companies such as Apple, Google, and Microsoft, which joined forces around 2012 to form the FIDO Alliance. This group aimed to overcome the limitations of traditional passwords by creating open standards for more robust authentication, involving biometric experts like HYPR and Nok Nok Labs.

FIDO released its first standards in 2014, setting the stage for authentication methods that do not depend on passwords. Subsequent advancements led to the establishment of the WebAuthn standard in 2019, which quickly gained acceptance among major web browsers. This progress facilitated the creation of passkeys, leveraging FIDO protocols to link authentication credentials to users’ mobile biometrics.

Visa’s recent move has been welcomed by supporters of FIDO and passkeys. HYPR’s co-founder and CEO, Bojan Simic, commented on this development, stating that nearly every regulated business he has interacted with in the past year has included a passkey initiative in their plans in an online post. “I’m so proud of the work that we have all done at the FIDO Alliance to make this a reality. When we wrote the first FIDO implementation in 2014 here at HYPR, seeing the top brands adopt the standard in a major way seemed like fantasy.”

In making this vision a reality, Visa joins several other prominent companies that have recently introduced support for passkeys, including PayPal, Samsung, and Amazon.

It’s time to modernize your authentication! Organizations around the globe are embracing a new way to authenticate with FIDO standards, moving past passwords and legacy forms of multi-factor authentication to provide users with passkeys for phishing-resistant sign-ins. Their results? Strong security, lessened data breach risk, improved user experiences, faster sign-in rates, and reduced costs.

Join these industry leaders as they come together at Authenticate 2024, and get the latest tools and insights to get your organization on the path to strong, modern passwordless authentication.

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2024 will be held at the Omni La Costa Resort & Spa in Carlsbad, California for the second year in a row. This venue includes ample space for our growing audience, more sessions and session types for all levels, and more opportunities for networking with peers. The 2024 event will include our most dynamic expo hall yet, where all exhibiting sponsors can showcase their solutions and meet companies looking for partners on their path to passwordless.

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2024 will have the right content – and community – for you.

Register and learn more here.

Visa has unveiled new digital products and services based on biometrics and passkeys, as it aims to address rapid changes in AI and digital identity technology. WhatsApp has expanded its passkey availability for all users. And the FIDO Alliance welcomes a new board member, while researchers question how airtight its security protocol really is.