NIST cites phishing resistance of synced passkeys in Digital Identity Guidelines update

Andrew Shikiar, FIDO Alliance Executive Director & CEO
FIDO Alliance, 22 April 2024
https://fidoalliance.org/nist-cites-phishing-resistance-of-synced-passkeys-in-digital-identity-guidelines-update/

Adoption of passkeys has grown rapidly since the introduction of sync capabilities less than two years ago (https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/), with passkeys now offered by a large and growing proportion of the world's most visited websites and services. This adoption has come in large part because passkeys offer a true password replacement, addressing the well-known security and user experience weaknesses of knowledge-based authentication like passwords, and even of other second-factor methods like SMS OTPs.

Market adoption of new technology naturally moves faster than the associated policy and regulatory guidance, which for user authentication still generally reflects the password-centric worldview from when such guidance was developed. This is why we are excited that NIST has taken a lead amongst government agencies and moved quickly to provide new supplemental guidance (https://www.nist.gov/blogs/cybersecurity-insights/giving-nist-digital-identity-guidelines-boost-supplement-incorporating) confirming that synced passkeys meet Authentication Assurance Level 2 (AAL2).

This new NIST guidance makes clear that passkeys, like other FIDO authenticators, can support both AAL2 and AAL3 requirements: synced passkeys can be AAL2 and device-bound passkeys can be AAL3.

Crucially, the NIST supplement also cites synced passkeys deployed in a manner consistent with the guidelines as being phishing resistant. This has obvious benefits in a world where 87% of hacking-related breaches are caused by weak or stolen passwords and where there has been a 967% rise in credential phishing since 2022.

Passkey adoption to be boosted by the 'reassurance of assurance'

While the rate of passkey adoption to date has been nothing short of phenomenal, some organizations, particularly those in regulated industries, understandably want to see that key government bodies accept and recommend new technologies like passkeys before supporting them at scale.

We have heard this from our partners and constituents across the globe about NIST in particular, whose digital identity guidelines are a global gold standard frequently cited by other countries. Today's supplemental guidance from NIST stands to remove a critical barrier to passkey adoption, which now stands to be further accelerated.

However, there is still work to do. We are working closely with other agencies across the globe to educate them about passkeys and the importance of phishing-resistant authentication, and are encouraging them to update legacy policies, guidelines, and regulations to ultimately allow all organizations, wherever they are, to confidently provide more secure and more convenient authentication to their users and customers.

Building NIST guidance into business best practices

Identity and authentication architects should consider NIST's supplemental guidance as part of their broader digital identity strategy. For example, for every use case where password + OTP was used in the past, a synced passkey deployed in accordance with the new NIST guidance is not only sufficient to meet AAL2 requirements but also more effective. In the vast majority of deployment scenarios, synced passkeys will provide a significant security and UX improvement over today's authentication patterns, almost all of which are susceptible to phishing.

If organizations have specific business, regulatory, or other security requirements, they can choose whether to accept a synced passkey as the primary authentication method or as a second factor, pair it with a risk engine, or require a device-bound key. Today's guidance frees architects from thinking about authentication layers and lets them focus instead on business requirements and related threat models. And today's primary threat model of phishing and social engineering can be directly addressed by the use of passkeys.