How FIDO Passkeys Will Accelerate a Passwordless Future

Passwords have been around since the invention of computers and are still the primary way of protecting a large percentage of our infrastructure today. However, despite being the go-to method for security, digital passwords are inherently problematic and will continue to be problematic as technology becomes more advanced.

Why?

Passwords are knowledge-based, meaning they can easily be guessed or stolen. They’re also a source of user frustration, which can negatively impact employee productivity, customer satisfaction, and ultimately revenue.

All that considered, how do you reconcile this when passwords—despite their shortcomings—are really the only digital security solution society has ever known?

Good question. The answer is going passwordless, which several leading enterprises across the industry are pursuing via FIDO passkeys. 

One of the most popular recent developments in passwordless is FIDO (Fast Identity Online). FIDO is an open standard that enables users to authenticate via a highly secure cryptographic login, which is phishing resistant and easy to implement. FIDO2—the latest protocol—leverages users’ physical devices to store credential information locally on secured hardware and sign authentication challenges.

The joint announcement by Apple, Google, and Microsoft to support passwordless is a clear statement that FIDO is the way to move towards a passwordless future, making it the new standard. Passkeys remove the most common barriers to FIDO adoption by (1) enabling users to enroll to FIDO once, sharing the credential between devices on the same platform, and (2) being able to leverage registered FIDO devices on one platform to authenticate when logging in from another.

Getting here wasn’t without some challenges. Let’s back up a little bit to see how we got to where we are now.

Initial Problems with FIDO

As a cryptographic solution that is both domain-bound and hardware-bound, FIDO has a reputation for being a highly secure and recommended identity and access management (IAM) practice.

However, as innovative as FIDO is intended to be (especially compared to traditional password usage), there were some initial setbacks with FIDO that needed to be mitigated in order for major enterprises like Apple, Google, and Microsoft to be at the point they are now, in which they’re setting the bar and announcing the implementation of passwordless/FIDO passkeys.

Here are some of those setbacks:

Registration and Usability

One of the initial problems with FIDO was that it still had to utilize weaker authentication mechanisms (like passwords) during the initial registration process. The first time you would register a FIDO platform device, you would need to bind your user authentication to that platform on that device. 

This meant that if you tried to log in from another platform device that you owned, you would first have to authenticate yourself using an alternative method (again, most likely going back to using a password) before the site or application would give you access. Then, once approved, you would need to register that new device as well in order to be able to leverage FIDO on that device thereafter. This process would have to repeat on each of the devices you used for access.

It’s easy to see how usability then became a tedious task, rendering organizations reluctant to give up traditional passwords and familiar login experiences—albeit weaker methods of authentication—in exchange for something else representing only a slight improvement.

Failure to Fully Eliminate Passwords

Considering the issues with registration, FIDO only really made sense in one circumstance. In order for FIDO to fulfill its vision of completely phasing out passwords and eliminating the threat of common password attacks, it needed to be fully adopted as the primary and only way for users to authenticate. In other words, the act of continuing to mix in traditional password login methods presented a conundrum that ultimately led FIDO to fail to live up to its passwordless promise.

Recovery

Furthermore, the failure to fully eliminate passwords ultimately led to recovery problems. To illustrate, organizations that pursued the route outlined above–choosing only FIDO as the main way for their users to authenticate–ended up facing account issues with user account recovery. These recovery problems resulted from the aforementioned usability issues. As a result, users ended up always needing access to at least two previously registered FIDO devices–in case they lost one–to enable account recovery. 

Otherwise, in the absence of the only FIDO-registered device that their identities were bound to, they’d be unable to access any of their accounts. 

Slow Adoption

As you can see, there were a plethora of conundrums associated with FIDO. From the inability to eliminate friction from the initial registration process, to the account recovery issues presented via the need to have additional back-up FIDO device as a fallback mechanism (in the event of a user losing their FIDO-enabled device), it was hard to see the benefit that FIDO would bring to organizations and their users. This turned out to be a significant deterrent to broad adoption of FIDO.

The problems with FIDO were apparent, but there was a solution to improve it and stay on track towards a passwordless future. 

That’s where the introduction of FIDO passkeys (or multi-device credentials) came in. This was a behavioral addition to the FIDO specification and implementation. FIDO passkeys provide a more efficient way for a user to enroll their FIDO devices and register for new sites during the initial setup. In addition, FIDO passkeys don’t require a tedious backup or recovery process. You can simply enroll/unenroll devices with a cloud backup from your service provider.

Source: https://media.fidoalliance.org/wp-content/uploads/2022/03/How-FIDO-Addresses-a-Full-Range-of-Use-Cases-March24.pdf

Passkeys also accelerate FIDO adoption within enterprises by lowering the technology’s barrier to entry. Now, FIDO credentials are no longer bound to a specific device, but rather are automatically synced to the cloud. This makes them reusable across the multiple devices that a user may own on the same platform, making enrollment and account recovery simpler and more resilient.

Another historically significant barrier to FIDO adoption that passkeys can help with is through their ability to share credentials across different vendor platforms. For example, by scanning a QR code on one platform, users can authenticate by using their trusted identity credentials from a different platform. This is accomplished via Bluetooth proximity checks to further streamline authentication and enhance cross-platform interoperability. 

But it doesn’t end there. The adoption of FIDO and the phasing out of passwordless is a full initiative being pushed by large technology companies, and we are now seeing the consideration of more promising improvements. Some of those improvements are meant to address requirements from different sectors in the market. Others plan to create an easy, secure, and familiar user experience by embedding FIDO digital credential authentication into the browser password manager, making the authentication experience a no-brainer for users to act on.

FIDO passkeys are a new and exciting step towards a passwordless future. That said, despite the plethora of benefits they provide, passkeys still are not a silver bullet. Organizations should consider the following before embarking on passkey adoption:

1. Passkeys are stored in the cloud and therefore require a thorough review of your cloud security controls.

    

2. Passkeys are managed by the supporting platform, i.e., Google, Microsoft, etc. Therefore, organizations must be comfortable with the fact that a third party will not only be playing an active role in their user authentication but will also require users to enable cloud backup on their devices.

    

3. FIDO servers are still required to begin leveraging passkeys. These servers are not provided by any of the supporting platforms.

In addition, when considering the adoption of passkeys and FIDO in general, organizations must also take into consideration the fact that FIDO is still an evolving standard that currently has different phases of implementation maturity across different platforms and browsers. As a result, organizations should be fully prepared for future supportability and user experience challenges and ready to adapt accordingly.

Ping Identity is a member of the FIDO alliance and also provides best-of-breed FIDO services for all passwordless use case scenarios, as a full identity lifecycle provider. Ping Identity supports all the OS and browser providers announced in the first iteration of passkeys. Ping Identity can support interoperability across these different OS and browser ecosystems via its orchestration platform PingOne DaVinci. Furthermore, passkeys will create a broader and more robust foundation for the services Ping provides.

Ping Identity can help organizations get started on their passwordless journeys by providing coverage for all passwordless use cases across all identity types. Furthermore, by leveraging passkeys, Ping Identity can further enhance identity security through risk and fraud indicators. 

To learn more about best practices related to deploying passwordless in your organization, including FIDO2 and passkeys, check out Ping Identity’s Passwordless Solution.