December 6, 2024

EP 67 – The Password Problem

In this episode of the Trust Issues podcast, host David Puner sits down with Andrew Shikiar, the Executive Director and CEO of the FIDO Alliance, to discuss the critical issues surrounding password security and the innovative solutions being developed to address them. Andrew highlights the vulnerabilities of traditional passwords, their susceptibility to phishing and brute force attacks, and the significant advancements in passwordless authentication methods, particularly passkeys. He explains how passkeys, based on FIDO standards, utilize asymmetric public key cryptography to enhance security and reduce the risk of data breaches. 

The conversation also covers the broader implications of strong, user-friendly authentication methods for consumers and organizations, as well as the collaborative efforts of major industry players to make the internet a safer place. Additionally, Andrew highlights the importance of identity security in the context of these advancements, emphasizing how robust authentication methods can protect personal and organizational data. 

Tune in to learn about the future of authentication and the steps being taken to eliminate the reliance on passwords.

David Puner: [00:00:00] You’re listening to the Trust Issues Podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.
Passwords. To know them is to deeply dislike them. And beyond the strong, almost universal deep user dislike of passwords, there’s the reality that they’re often the root cause of data breaches and cyber attacks. In short, passwords are the weakest link in the security chain. Even shorter, passwords are a big problem.

By that turn, our guest today is a problem solver. He’s Andrew Shikiar, the Executive Director and CEO of the FIDO Alliance, an [00:01:00] industry group dedicated to shaping the future of authentication with a focus on reducing the world’s reliance on passwords to enhance security and reduce data breaches.

In our conversation, Andrew discusses the significant issues with passwords, such as their susceptibility to phishing and brute force attacks, and the benefits of moving toward passwordless authentication. He also highlights the critical role of strong, user-friendly authentication methods in enhancing identity security and reducing the risk of data breaches.

One prominent method that’s backed by major industry players is the passkey—a FIDO authentication credential based on FIDO standards. Passkeys use asymmetric public key cryptography to eliminate the need for shared secrets, making them much harder to steal or phish than traditional passwords. Andrew discusses passkeys as a significant advancement [00:02:00] in the fight to reduce our reliance on passwords. He envisions a perhaps not-so-distant future where they could become a foundational technology for secure sign-ins, enhancing security for individuals and organizations.

The password is “robust123.” Here’s my conversation with Andrew Shikiar.

David Puner: [00:02:45] Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. Welcome to the podcast. Thanks for coming on.

Andrew Shikiar: [00:02:51] David, thank you so much for having me here.

David Puner: [00:02:53] Absolutely. We’re really excited to talk to you and talk about all things FIDO Alliance today. So maybe, I think, to start things off, for those folks who either don’t know what the FIDO Alliance is or think they know a little bit but maybe not the whole thing, what is the FIDO Alliance?

Andrew Shikiar: [00:03:09] Yeah, so the FIDO Alliance is an industry body focused on reducing the world’s reliance on passwords for the broader objective of reducing data breaches and making the internet a safer place for all. We have over 350 companies worldwide who take part in the Alliance. We do three things, basically.

One, we create technical standards and specifications. Secondly, we run a robust, world-class certification program that certifies B2B products—primarily B2B products for all users—being conformant to our specifications and interoperating with one another. And thirdly, we focus on driving successful market adoption of our technologies, most notably passkeys, which is the technology that people are using at massive scale now instead of passwords to sign into hundreds of applications and services worldwide.

David Puner: [00:04:06] And we will definitely get more into passkeys as we get further along in this conversation. So am I getting you right that there’s something wrong with passwords here? You don’t like those?

Andrew Shikiar: [00:04:17] Yeah. I mean, look, I think we can all identify, as consumers, a problem with passwords. I mean, how many people have had a happy password reset experience? Conversely, how many people have had an unhappy password reset experience right when you need to sign into something—like when you’re traveling and can’t sign into a rental car app or the hotel or whatever it might be?

We all understand the problem with passwords as consumers. They’re hard to remember. They’re hard to manage effectively. We’re told to change them often. We’re told to use a variety of uppercase and lowercase and characters and numbers. And we should have an individual password for each site. These are all things we should all do but are not humanly possible to do.

We are told to enter them in keyboardless devices and smart TVs, which is a horrible experience. I wouldn’t ask anyone to do it. And so as a result, as consumers, we all feel the pain of passwords. But perhaps more significantly is the security risk that they present to businesses and companies worldwide, as well as to the end users.

The vast majority of data breaches, which continue to skyrocket—the [00:05:00] vast majority of them are pegged back to passwords. And so anytime you have a human-readable shared secret as a mechanism for sign-in, whether that’s a primary factor like a password or even a second factor like a traditional OTP, those secrets can and will be stolen, leading to organizational breaches, ransomware attacks, and a host of problems.

So it’s actually an imperative that we move beyond passwords into something that’s a much stronger, safer, and simpler sign-in experience.

David Puner: [00:05:31] Yeah, I don’t have any hard data on me, but I think it’s pretty safe to say that there is a strong dislike for passwords among most of us non-attackers out there, at least. That being said, attackers do like them quite a bit.

Andrew Shikiar: [00:05:45] They do. And the thing is, because they’re so vulnerable—and also they’ve persisted for so long. I mean, passwords have been around for 60 years. I mean, how many pieces of technology do you use in your daily life that [00:06:00] were also used in the 1960s?

David Puner: [00:06:03] You’re right.

Andrew Shikiar: [00:06:04] Not many. Maybe if you have an old-school gas range, you know, the classic chef’s range—that hasn’t changed much. But the integrity of your bank accounts doesn’t depend on that, right? The integrity of your personal data, your ability to sign in and drive commerce and drive transactions and do business—they don’t depend on anything like that.

In this case, they do depend on technology that’s, you know, so outdated. And we’ve known this for, you know, the past, say, 30 years. And for the past 20 years or so, we’ve been actively trying to mitigate the problems associated with passwords. And the answer has been layers.

Okay, so how do I make a password suck less? Well, I put another layer on top of it. So that’s where we have two-factor authentication, multi-factor authentication—all of which, by the way, are much better than a password alone. But none of them solve the fundamental problem.

Andrew Shikiar: [00:07:00] Passwords are the problem statement, and a lot of the forms of 2FA are also bypassable and also vulnerable to more sophisticated attacks—and not even super sophisticated attacks, right? If you think about when someone executes a phishing attack, a basic phishing attack, they basically spoof a user into handing over their password and they enter it into a fake site. Then the attacker has that. They enter it into the real site, and they take it over.

Well, think about an OTP. It’s really no different than a password. Okay, all right. So it’s shorter-lived, but that same method of phishing can also work for legacy 2FA and OTP bypass attacks as well, where the hacker’s right in the middle of that dialogue. They’re entering in the real password into the real site, the user gets an OTP sent to them, they give it to the hacker, the hacker then enters it into the real site as the second factor, and then presto, they’re in that site as well.

And so what we’re seeing, and what we’ve seen, is that MFA is better than a password alone, but it’s not enough. And so what we do with passkeys and what we do with FIDO authentication—for the first time, we have an actual [00:08:00] password alternative, okay? All right. So passkeys as a primary factor address the problems that passwords bring to the table.

This is truly a sea change in the decades-long war against passwords. For the first time, we have a true password replacement that isn’t just technically fit for purpose but has the backing of, really, the whole world. If you look at who’s inside of the FIDO Alliance, it’s really—if you ask yourself, “What type of companies do I want to have working on this password problem?”—and you look at our member lists and people on our board of directors, there’s probably a pretty good match there.

Right. So it’s Apple and Google and Microsoft, Intel and Qualcomm, and Visa and MasterCard and American Express. So, people in biometrics, identity, and security—it’s the retailers, it’s Amazon, it’s eBay, it’s Mercari. The list goes on and on. So everyone who has a stake in maintaining the integrity and security of our networked society are sitting at this table, you know, solving these problems.

And I think that really speaks [00:09:00] to the imperative and the stakes that are at hand. Yeah. For replacing passwords, we have all these companies working in lockstep to finally solve this problem.

David Puner: [00:09:14] So when did passkeys roll out, and what’s the adoption trajectory been?

Andrew Shikiar: [00:09:20] Let’s back up a little bit and talk about FIDO and the protocols we’ve released. So, and I’m going to keep it pretty high level. You know, the way FIDO works as opposed to passwords—passwords are a shared secret model where you have a secret, quote-unquote “secret,” on the server. And then the user knows that secret in their head. They enter it over the network. It goes over the network to the server, where they’re then granted access.

The problem with that model, of course, is literally that space in between where hackers play. They can guess that password. They can phish that password. They can buy it off the dark web. Those are all the problems with that.

What FIDO uses is something called asymmetric public key cryptography. And what we’re basically doing is introducing a virtual key pair. And the keys need to match precisely for you to sign in. Now, what’s called a public key sits on a server, and then the [00:10:00] private key sits with the user on their device.

Unlike a password, if you steal my public key, there’s no material value to that. You can’t do anything with it, right? You can’t sign me in unless you also have my private key. But also, unlike passwords, the private key is in my possession. All right, so you can’t do a remote attack. You literally need to have my device to get my private key.

So that gets rid of all the scalable attacks. And that public key cryptography architecture has been part of what FIDO has been implementing for over a decade now. So our initial specifications, called UAF for Universal Authentication Framework for biometric re-authentication, and U2F for second-factor authentication using, like, security keys—the common architecture underneath both of these was this unphishable approach using asymmetric public key cryptography.

Back in around 2019, we introduced FIDO2, which is really what brought this technology to the platforms and to the browsers, right? So starting in 2019, FIDO authentication was built into every leading web browser, built into Windows, built into Android, and [00:11:00] that’s where it started gaining penetration for what I’ll call endpoint support for FIDO authentication.

So that’s been out for a while now. Around two years ago, in May of 2022, we introduced the concept of passkeys. So, for the first time, we put a common name behind this. So all of a sudden, like—so whereas people were signing in with the Web Authentication Protocol, which was part of FIDO2, people were using WebAuthn on sites like eBay or Best Buy—you know, a number of sites were supporting it.

But prior to us introducing passkeys, two things happened. One, everyone had a different term for this, and they might say, “Well, next time use a biometric,” or “Next time use Windows Hello,” or “Next time use WebAuthn,” which meant absolutely nothing to anybody other than, like, my fellow geeks.

The other thing that happened is that you had to—say, eBay, for example—if I enrolled for FIDO on my MacBook, when I went to my iPad, I’d have to re-enroll. And on my PC—every device would have to enroll [00:12:00] every device for every service.

David Puner: [00:12:04] So what you’re saying is, while it was secure, it wasn’t easy?

Andrew Shikiar: [00:12:08] Exactly, and it ran counter to user expectations. And that’s why we brought in passkeys. So, coming back to what we introduced with passkeys—we did two things. One, we gave this a common name, a common logo, a common brand. And secondly, we allowed that private key that’s in the user’s possession to be securely synchronized across a same operating system cloud or a credential manager cloud.

So now, if I went to, say, eBay and enrolled a passkey on my MacBook, automatically, when I go on any other Apple device, it automatically shows up. And likewise, since we’re an open alliance and collaborating across the industry, I can do the same thing with, say, 1Password, or Bitwarden, or Dashlane, or credential managers.

They can manage passkeys as well. And we also have ways to go from, let’s say, one ecosystem to the next via cross-device sign-ins. So, if I want to go from, say, a PC to my phone or want to sign in using a passkey on my phone, all these use cases are now possible, which truly start to take the password out of play.

So, all of that was—so I guess that’s a very, very long answer to your very short question.

David Puner: [00:13:11] But good.

Andrew Shikiar: [00:13:13] All solid. FIDO2 has been around for a long time. Passkeys are a new way of implementing them. The term “passkey” and the ability to have it be readily available across devices—that’s around two years old. But the underlying technology has been out in the market for close to a decade.

David Puner: [00:13:30] So then, are you evangelizing passkeys primarily with consumer service providers, or is it for workforce instances as well?

Andrew Shikiar: [00:13:38] It’s absolutely for workforce. Okay. So if you think about your YubiKey, your security key, your Titan key, your Feitian key—whatever it may be—that’s all using passkeys.

So that’s what I mean. This technology has been around for a long time and has been used with great success to prevent phishing for consumers, but also for the workforce. Cloudflare has a great case study of how they—there’s a very scalable social engineering attack targeting Okta customers, called Octopus, around two years ago.

That targeted Okta customers who were using essentially legacy forms of 2FA with Okta, taking over those accounts. Now, Cloudflare was using FIDO security keys with their Okta implementation, and they were not victimized by this. So time and time again, we see companies that were victims of more sophisticated hacking attacks that were not using FIDO security keys and then moved [00:15:00] to FIDO security keys.

And those are all the same technology. Those are passkeys. If you want to get very literal about it, we call these device-bound passkeys, right? So they do not synchronize across the cloud necessarily. If they’re on a security key, they do not synchronize across the cloud. And so a lot of workforce applications focus on that use case, where I’m going to have a device-bound passkey that is on a piece of hardware, whether it’s a security token or even a PC.

David Puner: [00:15:28] So, as we already established earlier in this conversation, you are the executive director and CEO of the FIDO Alliance. So, to my mind, that’s essentially you are like the guy leading the charge to eliminate the password. How do you become the director and CEO of the FIDO Alliance? How do you become the guy leading the charge to get rid of that password?

Andrew Shikiar: [00:15:47] So this is definitely not about me. I shepherd, you know, a large organization. So we have a pretty lean team of kind of full-time staff, around maybe 20-something people. But as I mentioned before, we have over 300 members worldwide.

We have a board of directors of 42 very dedicated companies. Our specifications are built by experts in biometric security and authentication. And so, we’ve estimated tens of thousands of expert hours have been poured into our protocols, into our certification programs, and things like that. So those are the ones leading the charge, and I help shepherd the organization and steer the board and help manage the board so that we all reach the outcomes that we want to see.

But I do have a background in leading multi-stakeholder organizations and in digital identity. I’ve been in the identity space since 2001—not to date myself—but I just did. So I’ve been around, and I’ve seen the technology, and I’ve had the good fortune of working with a number of emerging standards and emerging technologies and emerging companies.

I think all those perspectives help me on a daily basis in working with our stakeholders to help us all collectively meet the goals that we’re setting out to achieve, which, again, is taking on the password and reducing and eliminating reliance on passwords, because I think that’s where we need to get to.

David Puner: [00:17:00] You’ve been in the identity space for a while. It obviously figures very heavily into all this. It’s about who you are and, you know, making sure that the right identity is associated with the right credential at the right time. When you think about identity—and maybe if you think about identity security—how does that factor into your overall perspective about authentication and passwords and passkeys and where we’ve been and where we’re going?

Andrew Shikiar: [00:17:23] So, authentication is part of the identity stack and not the entire identity stack, but it’s a critical part because that’s how people access systems and services. So we feel really good about the work we’ve done at FIDO Alliance in essentially shutting that door, shutting that attack vector—the sign-in attack vector from remote attackers.

FIDO presents an unphishable approach for user authentication, right? Full stop. And it’s been proven time and time again, and we have case studies galore that point to that. But that’s not the entire digital identity lifecycle, right? It’s a critical part, but it’s not all of it. And so, I think it’s also really important to think about account creation, account onboarding, and account recovery.

As we kind of close the door on the sign-in threat, new hackers—they don’t quit. They look for, „Where can I find a vulnerability?“ And the account recovery process is a particularly popular target for attackers because it’s vulnerable—not just to mission-impossible-style, super-technical attacks—but to very run-of-the-mill creative social engineering attacks.

If anyone’s familiar with Rachel Tobac—if you’re not familiar with Rachel Tobac, look at some of the work she’s done, like on 60 Minutes, to show you how easy it is actually to get some basic information, make some phone calls, and then spoof a customer service rep or an IT admin into handing over information that can then be used to sign in or reset credentials based on a set of lies a social engineer deploys.

So, I think it’s really important to look at these threats as well. One thing we’ve done as an alliance is create some certification programs and best practices for remote account onboarding and remote account recovery. More and more, I think a lot of us are being asked to do remote identity proofing and verification, where you do the selfie match plus a document scan—which is good stuff.

But one thing we’ve realized—and the industry has told us—is that they don’t know how well these vendors are actually performing. How’s this work actually being done? So we created a certification program that certifies vendors who provide these services, and it measures how well they’re performing against standard metrics such as false accept rate and false reject rate, presentation attack detection for the face verification, and so on.

Also, we added a bias component in there. So, when you start talking about biometric authentication—any sort of biometric work, especially with face—you need to be hypersensitive to bias. And so, we actually have the only program on the market that looks at that as well.

If you’re an enterprise now and you’re worried about someone trying to recover an account or even a fake onboarding attempt, you can use these certified products with confidence, knowing that they meet industry standards for identifying attackers—and, conversely, for allowing good guys to get in.

David Puner: [00:19:50] Just to clarify then, because obviously within the context of this podcast, we’re not talking here about the inner workings of organizational IT systems or privileged access necessarily. This is more about the human interaction. We’re talking really more about instances where there would have been a password or there is a password when we’re talking about passkeys.

Andrew Shikiar: [00:20:09] Yes, for passkeys, yes. For identity verification, this is more about preventing fake onboarding and fake recovery. Again, the recovery process is a vulnerable spot. We saw this with the casino hacks that happened in 2023, I believe.

MGM and—I don’t want to name names, I might get it wrong—but one of the casinos, if not multiple casinos, were victimized when someone called into the help desk, pretended to be an executive that they weren’t, and talked the help desk admin into giving them credential reset information.

They then reset that credential, which was not theirs, and managed to get into the networks and executed massive, successful ransomware attacks. That shows you the threat associated with social engineering. Now, conversely, by the way, had these credentials been protected by, say, a FIDO security key or a device-bound passkey, that just wouldn’t be possible.

There’s no way for the network admin remotely to do anything. The user needs to be in possession of the authenticator. That presents some remote reset challenges, but ultimately, in the name of security, it makes your enterprise a much safer space.

David Puner: [00:21:20] Are there any common challenges organizations face when deploying passkeys? And if so, how can they overcome the challenges?

Andrew Shikiar: [00:21:29] Passkeys, as reintroduced, if you will, two years ago, are still a relatively new technology. The capability to have the private key sync across an operating system cloud was introduced in October of 2021—so, just over two years ago—and that was only in the Apple operating system. It didn’t come to Android until early 2023, and full sync is just now coming live on Windows.

So, it’s still a relatively nascent technology. While there has been widespread adoption, both for consumers and for the workforce, there are issues that we’re hearing about and working through. Most of them come down to usability. That’s true for both use cases.

The conversations I have about FIDO shifted from focusing on security to focusing on usability around three years ago. Now, pretty much every conversation I have about deploying passkeys begins and ends with usability. How usable is this? What’s my customer user experience going to be like?

What’s my employee change management experience going to be like? How do employees learn how to do this? The user journey is critical, and I think that’s a challenge that a lot of companies face.

David Puner: [00:23:00] And I would presume as folks become more familiar with what these are in general, that becomes less of a challenge.

Andrew Shikiar: [00:23:06] A hundred percent. It’s almost a consumerization-of-IT story. It’s not quite that, but most people at this point—our data shows that over half the people—have used a passkey. When you have services like Amazon with 175 million passkeys and Google with 600 million people using passkeys, odds are, if you’re an IT professional, you’ve used a passkey.

If you’re a front-office worker, you’ve used a passkey. So that familiarity should breed more comfort and knowledge on how to use passkeys.

We’ve given guidance on how to optimize the user journey. We’ve invested a lot of money and time into building and developing UX guidelines and design guidelines, which are freely available on a new site that we launched called Passkey Central.

But inside enterprise systems, the user experience varies a little bit more. So there’s always a need to understand what that user journey looks like. There is a change management aspect, which is true for any technology, but it’s really important to educate your employees on what to expect.

We’ve seen that companies who have been very successful with moving employees to passkeys have really invested a lot into internal marketing campaigns—internal education—sending out flyers, holding webinars, branding this. Target gave a case study on how they did this. I forget the name they gave their sign-in system, but it’s using FIDO passkeys, and they ran a huge campaign so all of their back-office workers would be ready to make this change.

Those are some of the challenges people face. One other challenge—and this is something we continue to hear about and work on—is that in a BYOD (Bring Your Own Device) scenario, the syncing of passkeys is something that a lot of security leads inside enterprises are not comfortable with.

They need to find added ways to manage that, as we work harder internally to make sure that our protocols and the platform implementations start to meet all those requirements, which will certainly happen over time.

David Puner: [00:25:00] So you mentioned user experience. How can organizations balance the need for a seamless user experience with the necessity of maintaining strong security measures in a passwordless environment?

Andrew Shikiar: [00:25:12] Yeah, the user experience is great because it’s just easier to use. Part of the challenge that we’ve seen across all settings historically with multi-factor authentication and strong authentication is that it simply wasn’t usable. If your strong authentication isn’t usable, your consumers certainly won’t opt in, and your employees will, by and large, try to work around it.

It’s important to find that balance. In fact, our tagline is “Simpler, Stronger Authentication,” so we focus very squarely on both of those things.

Every company has its own use case, its own requirements, its own culture on how to manage these things. Generally, if you’re using passkeys in the workforce and you’re on all managed devices, the user experience is going to be better and security is going to be better—full stop.

There are other things you can do on top of passkeys. Passkeys don’t need to be your only authentication signal. If you want to treat a passkey as a single factor, you certainly could, and do step-up authentication on top of that.

You could even do an OTP (One-Time Password) on top of it if you want to, or some sort of notification. Maybe you have other risk-signaling features in your authentication stack to give you greater confidence in who that user is and where that device is.

There are all sorts of things you can layer on top of passkeys if you want to, that will give you added security assurances or added compliance assurances while still delivering the usability benefits of using a passkey as a primary sign-in factor.

David Puner: [00:26:38] You’d mentioned earlier—hypothetically—about what other kind of technology, 60 years old, would we potentially be using now. Over the course of this conversation, I haven’t thought of one. A screwdriver doesn’t really qualify as technology unless you put a battery in it.

But when you are out there evangelizing passkeys, what do you figure the shelf life is here? What’s the future? How long will they be the solution?

Andrew Shikiar: [00:27:02] Passkeys? Yes. I think for the foreseeable future. Things continue to evolve. Look, the most important thing, again, is our mission—to reduce the industry’s reliance on passwords.

One note on that: What I didn’t say is our mission is to get rid of passwords. People are very focused on “passwordless” or “no more passwords.” It’s really about “less passwords,” not “passwordless.”

Passwords will be around for a while, but we need to put them fully in the background. Where you use them, have some added management on top of them. But the sooner they go in the background, the sooner they actually do go away.

The dependence on passwords is our problem. We want to eliminate that dependence. Passkeys are what we have—that’s what we’re doing to get rid of them.

I don’t see a shelf life for passkeys. If you had to draw an analogy, passkeys are similar to SSL or TLS—something that will become part of the embedded way that we simply do things on the web.

Those protocols still exist and still secure the way we do things on the web. I think passkeys will very much be a similar kind of foundational technology that we continue to use to enable secure sign-ins.

They’ll evolve over time. We’re seeing new use cases emerge—not just for user sign-in, but for payment authentication. Visa and MasterCard have introduced what they call “payment passkeys” for payment authentication.

If you go to some markets, especially outside the U.S., where you need to authenticate payments, passkeys present a very elegant, user-friendly way of doing so—and much more secure, much more reliable than OTPs.

I think we’ll see added use cases evolve, say, in that space. We have a lot of interest in automotive. We’re going to combine FIDO biometrics in a car with passkeys.

Before we start talking about the shelf life of passkeys, I think we want to look a little bit at how passkeys might evolve in our daily life. If I fast forward 40 or 50 years from now, and some permutation of passkeys results in something new that keeps the internet safe and secure, that’s fantastic as well.

That means we’ve collectively met our goal, which is truly eliminating the risk, hassle, and nuisance associated with being dependent on passwords.

David Puner: [00:28:52] When we look that far forward into the future—and obviously I think I mentioned this in a podcast intro, and one of our guests mentioned it in his episode and I can’t get it out of my mind—it’s that we don’t know what we don’t know.

It’s a pretty trite statement, but it says a lot. We do know that quantum computing is coming at some point. How are you thinking about that—or not thinking about that? Or can we only solve for what we can solve for right now?

Andrew Shikiar: [00:29:15] No, we’re definitely aware of that. The threat of quantum computing is that it could break the encryption that’s used for our cryptographic communication between the key pair.

We’re very aware of that. We have a study group inside of FIDO Alliance focused on PQC (Post-Quantum Cryptography). We believe we’ll be ready for it. We can update the algorithms and such as needed, and we’ll be prepared to manage that eventuality when it does come.

I think it’s important for everyone to be aware of trends in the space and then look at their own security setup to understand where there may be vulnerabilities.

That goes well beyond authentication. From a user authentication standpoint, from a passkey standpoint, I think we’ll be prepared to manage that.

David Puner: [00:30:00] So getting back down to current-day reality, what is Passkey Central, and how does it help organizations get started with passkeys?

Andrew Shikiar: [00:30:08] David, thanks so much for asking about that. Last month, at our annual Authenticate conference, we launched a brand-new resource called Passkey Central. You’ll find it at passkeycentral.org.

This is the culmination of around 15 months of work focused on doing even deeper user experience research than we’ve done in the past to understand what internal change leaders need to implement new technologies—not just passkeys, but new innovations in general.

We did interviews with around 40 different companies to understand what type of assets people need, what basic knowledge they require to help define their own problem statement, and how they can get internal buy-in and support for implementing new technologies.

Of course, we did focus more on passkeys, but not exclusively on passkeys.

What this resulted in is independent expert guidance for anyone interested in passkeys at any phase of their passkey journey.

The initial use cases focus primarily on consumer rollouts, but I’d say 80 to 90 percent of the content is relevant to any scenario, whether you’re in an enterprise or a regulated industry as well.

I’d encourage people to check it out to get started. There’s a variety of really helpful assets to help you make your business case, help you understand the ROI you’re looking at.

We talk about a couple of different paths you can take to roll out passkeys—from the more conservative approach of just making them available to the way more aggressive approach of eliminating passwords altogether.

There are videos that show different sign-in scenarios. There are just a lot of great resources we launched with. We have a very aggressive roadmap moving forward, where we’ll look at additional use cases, added requirements, and added assets that people would like to use to understand how to leverage passkeys most effectively.

It’s worth noting that all the work we do in FIDO Alliance is funded through our annual budget, much of which comes from our membership. This initiative took an added investment from companies like Google, Yubico, and Trusona, and even Craig Newmark of Craigslist fame.

Craig is actively investing in cybersecurity causes, among other things. He’s really keen on what we’re doing. He sees passkeys as critical for helping protect consumers worldwide.

He served as an underwriter for this initiative. We look forward to seeing this thing continue to grow, and I’d absolutely encourage listeners to check it out.

David Puner: [00:33:00] Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, thanks for coming on the podcast. Really appreciate it.

Andrew Shikiar: [00:33:07] Thanks for having me. It was great to talk to you. I look forward to keeping in touch and doing this again.

David Puner: [00:33:14] Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors.

And don’t miss new episodes! Make sure you’re following us wherever you get your podcasts.

Let’s see—oh yeah—drop us a line if you feel so inclined: questions, comments, suggestions, which, come to think of it, are kind of like comments. Our email address is [email protected].

See you next time.