Whether in a password manager, a book or on sticky notes, passwords really are among the most frustrating aspects of the online experience. One report notes 44% of Americans and 40% of Brits only change passwords when they forget them or are prompted to change them. The same report notes that American buyers abandon at least 16 purchases annually due to a lost password. The majority of people do not change their passwords regularly, and most users reject suggestions provided for more secure passwords when creating new ones.
The FIDO Alliance, an M3AAWG industry partner, has been working for years to remove the world’s dependence on passwords. At February’s M3AAWG 57th general meeting, FIDO Executive Director and Chief Operating Officer Christina Hulka and Christiaan Brand of Google updated attendees on passkeys. Per FIDO, “Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.”
Why is this critical? Eighty-one percent of hacking-related breaches are caused by weak or stolen passwords (Ping Identity), and 91 percent of IT leaders said they are very or somewhat worried about passwords being stolen at their organization (Ping Identity and Yubico). Large organizations spend one million dollars annually on staffing and infrastructure to handle password resets, and that figure does not include the time and productivity lost (Forrester).
Passkeys eliminate the need for a separate password for each site or service. A passkey is locked with a PIN or biometric and is based on secure FIDO authentication. Passkeys also carry over to new devices and services, so there is no need to create a new password for a new phone or application, for example. Traditional passwords are based on something you remember, are stored on a server and are exposed to many threats. Passkeys take a different approach: the credential is managed on the device (never on a server), so it is tied to something in the user’s possession, and it is unlocked with a biometric or a PIN.
Passkeys are based on a private-public key pair. The user proves his or her identity with the private key held on the device, and the service verifies that proof against the matching public key, as defined by FIDO standards. Unlocking the private key typically requires a biometric, such as a fingerprint or facial recognition. Passkey standards are being developed by a large group of industry companies and are already being adopted in commercial applications. Support is provided by Google for iOS and Android, and Microsoft will soon provide support at the operating system level.
Users will create passkeys that replace the passwords autofilled on standard log-in pages.
Details on passkeys can be seen here.
M3AAWG has supported FIDO in its efforts to support and enable more secure authentication and looks forward to the security and ease of use provided by passkeys. Learn more about our work and see our industry partnerships. Also learn more about our recently announced focus areas that include data and identity protection.
If you have an idea or topic for future M3AAWG meetings, please submit it here.