FIDO Panel: Remember, Passwordless Is All About UsabilityCustomer Convenience, Not Security, Should Be the Selling Point for FIDO Passkeys
Organizations can improve security with modern authentication protocols, but the big message to the marketplace is that FIDO Passkeys give customers more convenience and deliver a consistent user experience.
That's according to a pair of panels convened on the final day of the FIDO Alliance's Authenticate 2022 Conference in Seattle, which examined the path to ubiquity for FIDO authentication as well as making FIDO more usable for customers. The three-day conference provided a variety of views on passwordless technology, including speakers from the U.S. Cybersecurity and Infrastructure Security Agency, Duo Security, Google and Microsoft and JPMorgan Chase (see: Authenticate 2022: Experts Share Path to Passwordless Future).
"If this all goes right, there might be a whole generation of people that a couple of years down the line never have to worry about a password," says Google UX Designer Mitch Galavan. FIDO's passkeys mean authentication takes place on the device a user is signed into, and Galavan says making authentication a really great experience will fundamentally change how users engage with security.
The Dangers of the Status Quo
Advancements in phishing-resistant authentication technology come as the number of security incidents tied to multifactor authentication bypass is growing, even at companies with well-funded, brilliant security teams, says CISA Senior Technical Adviser Bob Lord. As people spend more time online, the benefits associated with tricking people into giving up their passcodes increase markedly for hackers, Lord says.
"People are going to be hacking into systems because that's where the data is," Lord says. "The passcode is open source and very easy for attackers to use. I was just surprised at how we had a rapid succession of attacks that were successful."
Lord expects at least four high-profile companies will suffer MFA bypass attacks over the next year, which the general public will learn about through joyriding by the hackers rather than official disclosure by the compromised organization. That figure could be as high as 10 organizations, predicts Lord (see: Experts: One-Time Passwords Leave Huge Security Holes in MFA).
Preventing MFA bypass attacks sometimes requires difficult trade-offs, such as potentially blocking a user from accessing company resources for a day or two since their login details appear to be suspicious. Lord urged security leaders to have conversations with company executives and get their backing to thoroughly review or even block authentication attempts that don't appear to be valid.
"One of the challenges when we've actually run these programs at CISA is making sure the organization knew and agreed that the health of the organization is far more important than the productivity of any one person, even senior executives," Lord says.
Locking the Front Door Permanently
The industry should move away from single sign-on tokens that are short-lived and constantly refreshed. Instead, organizations should embrace tokens that last for a longer duration but are monitoring for signs of any irregular behavior, says Microsoft Director of Identity Standards Pamela Dingle. Organizations that are able to revoke risky tokens are far more secure than those that leave the front door unlocked for short periods.
"We very quickly have moved from a conversation about removing passwords to a conversation about phishing resistance," Dingle says. "We are getting to the point where we think administrators will be able to make those decisions."
Legacy authentication requests should be so rare that those vetting the requests can put a 24-hour to 48-hour hold on the request to contact the user and make sure the access attempt is legitimate, says Christiaan Brand, Google's product manager for identity and security. This type of investigation wouldn't be feasible from a labor standpoint if legacy authentication requests were coming in frequently, he says.
"We need to make these fallbacks so rare that we're able to eat a little bit more pain when they do come along to make it unpalatable for attackers so that they don't even go there," Brand says. "What we're going to see in the next few years as this technology gets out there is that the attacker won't go after the passkey. They'll go after everything else."
Selling FIDO to the Masses
Getting more organizations on the path to FIDO will require combating the misconception that it's complicated and unaffordable, and Lord says companies should focus on what they can do to make authentication more secure rather than what they can't. The industry needs to push beyond the tech bubble and present information about FIDO authentication at non-technology conferences, he says.
"Think about all the different verticals that are potentially affected by MFA bypass," Lord says. "They need help and they have no idea."
Dingle similarly urged the industry to be tolerant in its approach, noting that phishing resistance is wonderful but that businesses shouldn't be demonized for adopting better - but not the best - authentication technology. An overly dogmatic approach will leave organizations behind. Choices and breadth must be maintained for users and organizations that are slower adopters, according to Dingle.
"It's hard to adopt what you can't understand," says Sierre Wolfkostin, senior product designer at Duo Security. "The words are too long and too complex, and it takes a dictionary lookup to figure out what it is you're doing. That can be really intimidating, especially for new clients. So getting to simple human language is really core."
Focus on Convenience, Not Security
Following FIDO's hard work, Wolfkostin says 90% of desktop browsers support the WebAuthn framework that facilitates passwordless authentication. As a result, a user's experience with FIDO2 can vary dramatically based on what browser they're using. Some browsers do not support it at all while others fail to prompt users to immediately register the PIN associated with their new security key.
"Those inconsistencies can gradually chip away at that user experience," Wolfkostin says. "And as we know, what's confusing or hard to understand is also hard to adopt."
Many customers are used to the technology associated with passwordless authentication since Apple has offered biometrics such as fingerprints and facial scans to sign up since the iPhone 5s was released nearly a decade ago, Brand says. Efforts to convince users to adopt the FIDO standard should focus on ease of use rather than security since the former is much more important to consumers than the latter, he says.
"Now for the first time with Passkeys, the user has to do less," Brand says. "It's two factors, but it's a single step. We have the opportunity to start pitching some ease-of-use messaging, and those kinds of things do resonate."
Adoption also hinges on setting expectations properly when it comes to sign-up and account recovery using FIDO Passkeys, says Judy Clare, JPMorgan Chase's vice president and product manager for digital authentication. The value proposition needs to be presented in a clear and succinct manner upfront and the messaging should be consistent from the company's homepage to personnel in the call center.
"Start from the very beginning of your planning with the end-user experience, and work back from that into the technology," says Trusona Chief Experience Officer Kevin Goldman. "If you try to bolt on user experience later, it's just not going to be as good."