by Dr. Tina P. Srivastava
Authenticate 2024 took place in Carlsbad, CA in mid-October. The weather was beautiful and the attendance was high. Hosted by the FIDO Alliance, Authenticate focuses on user authentication and brings together CISOs, business leaders, product managers, and identity architects.
Keynote and session highlights:
IDPro member Chris Anderson, Product CTO at Cisco, discussed the challenges that exist today with compromised identity credentials, which contribute to over 80% of data breaches, a figure that seems undented year over year. Chris noted there are gaps in protection, as no phishing-resistant MFA is available for many areas: unmanaged devices, remote access, Linux systems, contractors and vendors, and others.
IDPro member Tina Srivastava, PhD, Badge Co-founder and MIT Lecturer, and Bill Wright, former executive director at USAA bank and FIDO board member, presented on the importance of strong attestation for #passkeys and the approaches financial institutions are taking to solve this on their passwordless journeys. Relatedly, Pedro Martinez from Thales presented why synced passkeys do not work for banking, including that “they are exported and stored in the Cloud of the user’s device OS” and “synced passkeys may not meet stringent MFA requirements from Financial regulators in some countries/regions.”
The industry has been seeking phishing-resistant technologies to address the problem of breaches caused by the compromise of identity credentials. Challenges remain with passkeys, such as account recovery, provenance, and portability. Many approaches still keep a password or KBA as a fallback for account recovery, which leaves account takeovers (ATOs) open to social engineering.
Google’s keynote by John Gronberg noted “Cross device still a challenge” and “Users are anxious about losing their devices.” In his key learnings about passkeys, he shared, “Raising the security bar comes later” and that passkeys are for “re-authentication,” account takeover playbooks already include passkeys, and credential managers storing passkeys are becoming targets. He noted that the new device bootstrap scenario is critical and unsolved. Amazon’s keynote by Abhinav Mehta similarly noted “Cross-Platform Challenges” and that “Passkeys don’t transfer across platforms.”
On the future of digital payments, Mastercard executives Jonathan Grossar, VP, product management, and Fred Tyler, VP, emerging digital products for North America, introduced the concept of the payment passkey, bound to a user’s device. They shared that in situations of higher security, enterprises are leaning towards device-bound passkeys. Generally, enterprises are not adopting synced passkeys as stand-alone MFA. This is the approach many companies seem to be taking, including Mastercard.
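The distinction drawn above between device-bound and synced passkeys is something a relying party can actually check at registration and sign-in time: WebAuthn authenticator data carries a Backup Eligibility (BE) flag and a Backup State (BS) flag, and a credential with BE set may be synced to a cloud credential manager. The following is an added example, not code from the conference, from Mastercard, or from any speaker; it parses the first 37 bytes of authenticator data (rpIdHash, flags, signCount), classifies the credential, and applies a simple "device-bound only" policy. The sample authenticator data is constructed inline, and the policy function and its name are assumptions for illustration.

```python
import hashlib
import struct

# WebAuthn authenticator data flag bits (byte 32 of authenticator data).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligibility: credential may be synced off the device
FLAG_BS = 0x10  # Backup State: credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_passkey(auth_data: bytes) -> str:
    """Label a credential by its BE/BS flags.

    'device-bound'    : BE clear, the key cannot leave the authenticator
    'synced'          : BE and BS set, the key is currently backed up
    'backup-eligible' : BE set but BS clear, the key may be synced later
    """
    info = parse_auth_data(auth_data)
    if not info["backup_eligible"]:
        return "device-bound"
    return "synced" if info["backed_up"] else "backup-eligible"


def meets_device_bound_policy(auth_data: bytes, rp_id: str) -> bool:
    """Hypothetical RP policy: accept only device-bound, user-verified
    assertions whose rpIdHash matches this relying party."""
    info = parse_auth_data(auth_data)
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return (
        info["rp_id_hash"] == expected_hash
        and info["user_present"]
        and info["user_verified"]
        and not info["backup_eligible"]
    )


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (no attested credential data)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples for a hypothetical relying party "bank.example".
RP_ID = "bank.example"
DEVICE_BOUND = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 7)
SYNCED = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
ELIGIBLE_ONLY = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE, 0)
WRONG_RP = make_auth_data("phish.example", FLAG_UP | FLAG_UV, 1)

if __name__ == "__main__":
    for name, sample in [("device-bound", DEVICE_BOUND), ("synced", SYNCED),
                         ("eligible-only", ELIGIBLE_ONLY), ("wrong-rp", WRONG_RP)]:
        print(name, classify_passkey(sample), meets_device_bound_policy(sample, RP_ID))
```

Note that synced passkeys typically report a signCount of zero, as in the constructed sample above, so a counter-based clone check gives no signal for them; the BE/BS flags are the reliable indicator. A relying party that wants to enforce a device-bound requirement should evaluate these flags at registration (and re-check BS on every assertion), and should remember that the flags are part of the signed authenticator data, so they cannot be altered by the client without invalidating the signature.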
Sushma K. and Ritesh Kumar from Microsoft shared the challenges of migrating a passkey across devices. They demonstrated a setup, required once per device, that involves scanning QR codes with a phone or tablet. The accessibility and usability issues of scanning QR codes were raised.
Amazon and Microsoft presented their passkey implementations, including the importance of using prompts like “Skip for now” instead of “Not now” or “No thanks.”
Partnership Announcements and Expo highlights:
Qualcomm and Daon are working toward IoT-connected cars using biometrics and passkeys with key drivers including personalization and payments.
Cisco and Thales announced major partnerships with Badge, the award-winning privacy company enabling identity without secrets. The companies demonstrated their joint integrations with customers. Cisco demonstrated the Hardwareless MFA experience. Thales showcased Passwordless authentication without secrets.
Social highlights:
An identity-themed Family Feud-style game show captured the attention of attendees, resulting in laughter and applause from the Authenticate audience. A big surprise was that for the question “What trend are you most tired of in the identity and access management space?” the answer “FIDO/Passkeys” was #2. IDPro member Jeff Steadman, of the Identity at the Center podcast, quickly noted to his FIDO hosts that he did not generate these answers and was just the host! The Gliterati team was seen taking shots on stage at a fun-filled comedic break.
Karaoke was a hit at the Passwordless Party. Pictured below, singing their hearts out to Katy Perry’s “Firework”: Christiaan Brand from Google, IDPro member Tim Cappalli from Okta, Matt Miller from Cisco, IDPro member Christine Owen from 1Kosmos, Jamie Danker from Venable LLP, and IDPro member Tina Srivastava, PhD from Badge (left to right).
Dr. Tina P. Srivastava is an entrepreneur, author, inventor of more than 15 patents, and an MIT-trained rocket scientist. She served as Chief Engineer of electronic warfare programs at Raytheon before founding a cybersecurity startup that was acquired by a public company and global leader in network security. She is an FAA-certified pilot and is a Lecturer at MIT in Aeronautics and Astronautics.
When her identity was stolen in a data breach in 2015, Dr. Srivastava teamed up with a group of MIT cryptography PhDs to crack the code on one of the most common reasons for modern data breaches: stored credentials. Together, they solved a decades-old cryptography problem to remove PII, biometrics and other stored credentials from the authentication equation, eliminating highly vulnerable storage systems as points of attack for hackers. Badge Inc. is the award-winning privacy company enabling Identity without Secrets™.