What are passkeys? How do they fit into a passwordless future? Why is user experience the key to adoption for passwordless? These are just a few of the questions people have for the FIDO Alliance – an open industry association that wants to reduce the world’s reliance on passwords.
Matt Davey, Chief Experience Officer at 1Password, sat down with Andrew Shikiar, Executive Director and CMO at FIDO Alliance, on the Random but Memorable podcast to get answers to these questions and more. Read on for the highlights, or listen to the full interview and subscribe to Random but Memorable on your favorite podcast player.
Matt Davey: Can you give us a bit of the background on FIDO Alliance and its core mission?
Andrew Shikiar: FIDO Alliance is an open industry body focused on reducing industry reliance on passwords. When FIDO launched, the problem we were really trying to address was a data breach problem. We still seek to address that, but the vast majority of data breaches are due to passwords or knowledge-based credentials. The easiest way to start tackling the data breach problem is to attack the password problem.
At a very high level, what we’re doing is replacing the concept of a secret on a server, which of course can be hacked or stolen or guessed, with a public key. The public key has no material value to hackers or anyone like that.
MD: How has the landscape of passwords and authentication changed during FIDO’s time, and in the industry over the past ten years?
AS: It comes down to usability. There’s a dustbin of super effective, strong authentication technologies that simply were too difficult to be adopted at scale.
FIDO’s focus is on single gesture asymmetrical public key cryptography – which means all the user does is take a single gesture. Typically for a consumer, it’s the same action they take to unlock their device dozens of times a day. That same action can now allow them to securely authenticate to a website or an app. We didn’t invent public key cryptography, but the user-friendly aspect of it and the focus on usability is what differentiates FIDO authentication.
Taking on passwords and trying to supplant passwords is an extremely audacious goal. Not everyone likes passwords but everyone knows how to use them.
“We didn’t invent public key cryptography, but the user-friendly aspect of it and the focus on usability is what differentiates FIDO authentication.”
What’s really turning the tide toward FIDO Alliance is that we’re the only industry initiative that’s looking at creating standards for password authentication. With the backing of every major platform vendor, FIDO authentication is now built into virtually every device that’s being unboxed at this very moment.
MD: What’s been the impact of passkeys on authentication, and on this drive for ubiquity?
AS: Passkeys are a safe replacement for passwords that allow you to leverage the device unlock capability to securely sign in to apps and services. What’s so important about it is that it’s the first step towards a truly post-password future.
Passkeys are being supported natively in all the major platforms and operating systems, with very strong commitments from Apple, Google, and Microsoft. But our vision has never been limited to those three platforms. It’s critical for independent credential providers and password manager providers to be able to manage passkeys as well.
“It’s critical for independent credential providers and password manager providers to be able to manage passkeys as well.”
Ultimately, the user shouldn’t have to think about how they’re signing in – they should just sign in. Someone goes to a website not to enjoy the sign in experience. They go to a website to purchase something, or to learn or engage. Authentication should be a seamless yet strong step in that process.
MD: What are the biggest hurdles toward passkey adoption? And how can password managers play a role in that?
AS: FIDO Alliance has done some user experience (UX) research over the past couple of years, and one thing that’s become abundantly clear is that seeing passkeys adopted at scale is really a usability and user education issue.
A lot of folks listening to this discussion today are probably on the savvier end of the technology spectrum and are comfortable adopting new technologies. But think about others who are not comfortable with technology. There’s a massive user education challenge that we, as an industry, have in our hands to get people comfortable with this sign-in process.
“Seeing passkeys adopted at scale is really a usability and user education issue.”
The good news is that the companies commercializing this are user experience experts. For example, the first company to support passkeys at scale is Apple. Having Apple actually bring passkeys to market, focusing primarily on UX, is absolutely critical. And it’ll start getting consumers comfortable with the concept.
The term ‘passkey’ itself is also a new thing. Agreeing on the term passkey, and having an industry logo, will help. We’ll start seeing positive reinforcement happening, as more people use passkeys and become comfortable with the terminology and user experience.
Password managers have an important role in educating users on the experience they should expect when signing in to websites and applications.
“Password managers have an important role in educating users.”
When I’m asked how passkeys work, I often describe it as a perfect password manager … but without any passwords. Passkeys are the password manager experience with secure, seamless access to sites and services, but simply using a biometric, rather than having to recall a password. That user experience is really important in helping educate and accelerate adoption of passkeys moving forward.
MD: Do you have any passwordless predictions for the next few years?
AS: I’m very excited about passkeys but it’s important to have a realistic perspective. Passkeys are not going to happen overnight. Some providers are going to be more cautious than others, so I think we’ll see brands deploy passkeys incrementally, and then eventually at scale.
Between the technology adoption and user education piece, we’re looking at multi-year roll outs before this becomes super mainstream, and part of the way we all sign in on a daily basis.
“Passkeys are not going to happen overnight.”
With these capabilities, you start thinking about some interesting applications for passkey and FIDO authentication. One area I’ve been seeing a lot of chat around is vehicle authentication. Think about voice biometrics, or fingerprint biometrics, and those modalities for securely signing in to automotive services in your car, or managing your car in a mobile app. We’ve seen several companies bring FIDO into the automotive space already in 2022 and 2023.
MD: I wonder how the UX of passkeys will change over time with societal change. As people get more familiar with passkeys, it’s going to be fascinating to test some of these UX changes and find the right change for society. We may predict where things will go, and then there will be a moment where we are catching up with the rest of society, and trying to push the UX of things along with all of the websites.
AS: That’s extremely well said.
For those who don’t know how standards bodies work, they’re not terribly exciting. They basically get a bunch of really smart people in a room and debate where semicolons go in specifications. The group will fight and squabble until they decide how a specification looks; then it’s finalized, you build products against it, and those products are certified.
It’s absolutely critical, but that’s how standards work. What FIDO is doing above that, which is unique to any standards body or any industry initiative, is taking on this user experience work.
“For those who don’t know how standards bodies work, they’re not terribly exciting.”
We’ve assembled a group of experts – including you, Matt – who are design and UX leads to give guidance on the best ways to deploy passkeys. We’re using this group to guide our research which will result in data-driven guidance on how to deploy passkeys. These really bright minds and designers will help establish design and UX best practices, which will influence our guidelines and other outputs at FIDO Alliance.
MD: Where can people go for more information about you or FIDO Alliance?
AS: You can head to our website at https://fidoalliance.org/. We have a ton of information about FIDO Alliance as a body and also a separate set of websites that we’ll be updating to reflect passkeys. But for now there’s LogInWithFIDO.com, which gives a jargon-free explanation of how passkeys work, both from a consumer point of view and from a service provider point of view.
Learn more about passkeys
Those are the highlights, however the full conversation covered so much more. Listen to the full interview with Andrew Shikiar on your preferred podcast player, and check out previous episodes of Random but Memorable to hear some other great interviews with security leaders.
If you want to learn more about passkeys, check out these great resources:
- What are passkeys?
- 1Password has joined the FIDO Alliance
- 1Password and passkeys demo
- Sign up to our passwordless newsletter for early access and updates