Authenticate 2024: Day 1 Recap
By: FIDO staff
Authenticate 2024, the FIDO Alliance’s flagship conference, kicked off strong with more concurrent tracks and sessions than ever before.
The first day of the Authenticate 2024 conference was loaded with insightful user stories, sessions on how to improve passkey adoption and technical sessions about the latest innovations.
The opening panel of the event was moderated by Megan Shamas, Chief Marketing Officer at FIDO Alliance, exploring enterprise trends in passkey adoption. During the session, panelists shared preliminary details of an upcoming FIDO research report on workforce deployments of passkeys.
Among respondents who have not yet deployed passkeys, the research showed that complexity (43%) and cost (33%) are the main reasons cited for not deploying.
Panelist Michael Thelander, Sr. Director of Product Marketing at Axiad, argued that, from his product perspective, complexity and cost are not the primary reasons organizations delay passkey adoption.
“I see that from our product perspective, it is actually about usability and manageability,” Thelander said. “We say complexity, but actually the usability is what we’re complaining about.”
The research also found that over two thirds (68%) say the development of passkeys is a high or critical priority in their organization. After passkeys were deployed, 90% reported increased security for login/authentication.
Additionally, 87% of those who were familiar with passkeys are in the midst of a passkey project or have already completed one. Panelist Sarah Lefavrais, IAM Product Marketing Manager at Thales, commented that this means the majority of organizations that have considered passkeys are either in the process of deploying them or have already succeeded in deploying them.
The research also found a significant decline in the usage of all alternative authentication methods after passkeys are deployed.
“Once they make the switch they are never going back,” commented Sean Dyon, Director of Strategic Alliances at HID Global.
What’s the ROI for Passkeys?
There are many reasons why organizations are increasingly moving to passkeys. In a morning session, Jeff Hickman, Global Head of Solutions Engineering at HYPR, provided some of his insight on the potential return on investment (ROI) for passkeys.
Hickman said that passkeys could potentially save several seconds per login attempt, leading to significant productivity gains. He estimates that for an organization with 8,000 employees, approximately 7 hours a year are spent on authentication, which could cost nearly $2 million annually.
“That’s a lot of time that’s lost, you know, doing authentication steps along those lines and passkeys can simplify that,” he said.
Japan Loves FIDO
User stories are a key part of the Authenticate experience, helping attendees to learn from the experience of those that have deployed strong authentication in production.
Among the earliest adopters of FIDO specifications is NTT DOCOMO, which has helped to spearhead broad interest in Japan overall. In a morning session, Koichi Moriyama, Chief Security Architect at NTT DOCOMO, detailed his firm’s efforts as well as those of the FIDO Japan Working Group. In addition to broad adoption on carrier networks, there has also been strong support from the Japanese government to promote passkey adoption in a bid to protect against phishing attacks.
The 3Fs of Strong Authentication Adoption
Another early adopter of FIDO protocols was Yahoo. In a session, two former Yahoo engineers, Sarit Arora and Lovlesh Chhabra (both currently at Oracle), detailed their experiences and lessons learned. Yahoo implemented its Account Key technology 9 years ago.
Chhabra framed the lessons as three ‘F’s. The first ‘F’ is fear: users are afraid of the unknown, so it is important to educate them. The second ‘F’ is friction. Introducing a new way for users to reach what they are trying to get to adds friction that needs to be minimized.
The third ‘F’ is flow.
“So the challenge is that fear and friction is a known thing,” Chhabra said. “However, we need to make sure that from a user experience perspective, the user should neither feel the fear and they should neither feel the friction and that’s where the flow comes in.”
The “flow” involves principles like providing motivation to change, using multiple touchpoints to prompt the user, and creating a “pocket of success” where the user can experience the new authentication method before fully adopting it.
Passkey Advancements with CTAP
Technical details on new and emerging specifications are another core element of the Authenticate conference.
The first day of the event included multiple sessions on technical innovations, including one on the CTAP 2.1 specification. CTAP stands for Client to Authenticator Protocol.
“CTAP is how the client or the web browser is going to talk to the security key to allow that security key to provide the passkey,” Will Smart, Sr. Solutions Architect at Yubico explained in a session.
CTAP 2.1 was published back in the summer of 2022 and contains a number of new features focused on security keys. The CTAP 2.1 capabilities are now making their way into various platforms.
The main new additions in CTAP 2.1 include:
- Enterprise Authentication (EA) – Allows selective de-anonymization of security keys for specific relying parties during registration.
- PIN-on-first-use – Requires users to change their PIN before it can be used for security operations.
- Minimum PIN length – Allows organizations to set and enforce a minimum PIN length during registration.
- Always require user verification – Ensures the security key always asks for user verification, even if not required by the relying party.
Credential Exchange Format is Making Progress
A commonly discussed topic relating to passkeys today is the ability to share passkeys across different management applications.
“Generally if you share passwords across different password managing apps today, the trick is to copy/paste your password and then put it right into your importing provider,” Nick Steele, Security Researcher at 1Password, said during his session. “And that’s not great for many reasons.”
The proposed solution to this challenge is the emerging Credential Exchange Format specification.
The Credential Exchange Format is a comprehensive, standardized JSON-based representation of a user’s credentials and account structure, designed to enable secure and interoperable migration between different password management providers.
“This allows the passkeys and all the other credentials to never leave an unencrypted boundary, so they’re always encrypted in transit within the boundary of the provider,” explained Rene Leveille, Senior Developer at 1Password.
The Credential Exchange Format has a working draft that is being released on Friday October 18, with a review draft expected by the end of the first quarter of 2025.
What’s New with Passkeys at Google and Microsoft?
Both Google and Microsoft are supporters of the FIDO Alliance and both have adopted passkeys. In their respective sessions the two platform providers detailed their latest passkey efforts.
Diego Zavala, Product Manager at Google, told the Authenticate 2024 audience that Android and Chrome first introduced passkeys two years ago. In that short period of time, adoption has been nothing short of exceptional. There are already more than 400 million passkeys being used in the Google Password Manager.
Chirag Desai, Product Manager at Google, detailed the many improvements that have landed and are coming soon to both Android and Chrome. These include:
- Enabling a single-tap passkey signing experience by merging the account selector with the biometric prompt.
- Bringing passkey support to more devices, including Wear OS, allowing users to sign in from their watches.
- Introducing a “restore credentials” feature to seamlessly sign users in on new devices during the upgrade process.
- Enabling passkey syncing between Chrome on desktop and Android devices, allowing users to create and access passkeys across their devices.
- Improving the overall passkey experience to make it more seamless and consistent with the password experience.
“We’re also working to improve the sign up experience for users,” Desai said.
Over at Microsoft, the passkey experience is also improving rapidly. In his session, Bob Gilbert, software engineering manager at Microsoft, detailed enhanced capabilities for Windows. These include:
- Support for plug-in passkey providers: Windows is introducing a native API extension point that will allow third-party passkey providers to integrate directly into the Windows Hello experience.
- Microsoft passkey provider for syncing: Microsoft is developing a native passkey provider for Windows that will allow users to sync their passkeys across their different Windows devices.
“So the point on Windows, what we’re trying to achieve here is giving users the opportunity to use passkeys wherever they need them,” Gilbert said.
Keynotes: Passkeys at Two
Day 1 concluded with a series of insightful keynotes kicked off by Andrew Shikiar, Executive Director and CEO of the FIDO Alliance.
Shikiar noted that passkeys are only two years old, yet they’ve already made tremendous inroads. FIDO estimates that 15 billion accounts can leverage passkeys for sign-in today.
Why have passkeys seen such success? There are many reasons.
“It’s partly because passkeys transform consumer sign-in from a necessary cost to a business opportunity,” Shikiar said.
He noted how passkeys reduce costs and improve the overall user experience. During his keynote he brought Anthony Kemp from Air New Zealand up on stage. Air New Zealand is a passkey adopter and has seen great success reducing its call center volume for password-related inquiries. Passkeys have also helped to reduce fraud attempts at the airline. Air New Zealand will be providing more details about its passkey journey in a session on Day 2 of Authenticate 2024.
Shikiar also used his keynote to announce the new passkeycentral.org resource. Passkey Central is a new FIDO Alliance initiative to democratize and accelerate passkey deployment by providing comprehensive, expert-driven guidance and support materials.
“Passkeys have fundamentally changed the way that we contemplate user authentication,” Shikiar said. “It has been amazing to see how the FIDO community has both addressed and embraced these changes, which ultimately has led to billions of accounts that are simpler and safer than before. The progress has been great, but the best is yet to come.”
Keynotes: Two Rules for Passwordless
During his keynote, Mike Slaugh, Principal Engineer, Information Security at Amazon, reminded the Authenticate 2024 audience that passwords, simply stated, suck.
“We’ve spent the last 60 years teaching people how to choose passwords that are harder and harder and harder to remember, harder and harder to use,” Slaugh said.
The answer is passkeys, though adoption is a journey that will take time. To get there, Slaugh has two simple rules:
- “Don’t be a jerk” – Create a user-friendly passwordless experience without making users jump through too many hoops.
- “Don’t be stupid” – Leverage the security features of passkeys to effectively protect users, eventually eliminating passwords entirely.
Keynotes: How to Convince a Billion Users to Use Passkeys
The final keynote of the day came from Microsoft, with insight on how to help accelerate passkey adoption.
Sangeeta Ranjit from Microsoft noted that the upcoming Microsoft Digital Defense Report has some stark numbers on the latest security challenges. Over the last year, Microsoft saw 7,000 password attacks and a 58% increase in phishing attacks.
The solution to the challenge is passkeys, which Microsoft has been advocating. To date, she noted, Microsoft has seen a 99% enrollment success rate for passkeys, which is a 3X higher success rate than passwords.
Passkeys are not just safer, they’re also faster. Ranjit said that on average it takes a user 24 seconds to log in with a password and 69 seconds to log in with a password and multi-factor authentication. In contrast, with passkeys it takes only 8 seconds to log in.
Getting high adoption for passkeys involves a few steps, not the least of which is actually nudging users to adopt them.
Scott Bingham, Principal Product Manager at Microsoft, said that proactive invitations work better than a passive “wait and see” approach. Users were nudged to enroll a passkey at key visit points, like after they sign in or during a password reset/account recovery flow. Bingham emphasized that having the option to add a passkey wherever a user manages their account connections is important, but a purely passive approach is unlikely to drive significant adoption.
No one company alone is enough to make passkey adoption pervasive though.
“So then, how do we convince billions and billions of users with trillions of accounts to be able to enroll and use passkeys? We do it together,” Ranjit said. “Those in this room will make passkeys easy and bring secure and simple experiences to our users and to the world.”
Get Ready for Day 2!
Day 2 will have even more great content across multiple tracks, including an Automotive track, more great user stories and technical insights.
Not registered? Don’t miss out! Attend remotely and access all previous sessions on demand, and attend day 2 and 3 live via the remote attendee platform! See the full agenda and register now at authenticatecon.com.