Passwords Are Unfit - So Why Do We Still Have Them?
Andrew Shikiar of the FIDO Alliance on the Journey Beyond Passwords
Andrew Shikiar knows more about the password economy than anybody else in the industry. The executive director of the FIDO Alliance says passwords are still around "because they work," albeit "in a very crude form."
Passwords are ubiquitous and supported everywhere. The problem, Shikiar says, is that "they have been proven time and time again to simply be unfit for today's networked economy."
In this episode of "Cybersecurity Unplugged," Shikiar details how the Fast IDentity Online (FIDO) Alliance, an industry standards body, and hundreds of industry partners are making "good progress" to reduce the world's reliance on passwords.
Shikiar also discusses:
- The work of the FIDO Alliance;
- How Passkey - FIDO's new collaboration with Apple, Google and Microsoft - can reduce the time required to go passwordless from decades to years;
- The need for a usable password alternative.
Shikiar serves as executive director and CMO at FIDO Alliance, a global consortium working to create open standards and an interoperable ecosystem for simpler, stronger user authentication. He has worked in identity management since 2001 and also has deep experience in multi-stakeholder organizations, having previously led market development efforts for Tizen Association, Liberty Alliance Project and other industry consortia. Shikiar also serves as an industry adviser to identity consultancy Liminal and digital identity VC firm 1414 Ventures.
Steve King: So, welcome, folks, this is Steve King, the managing director at CyberTheory. And today, we're going to devote our podcast to an exploration of the world of passwords. And we're fortunate to have with us the executive director of FIDO Alliance, Andrew Shikiar, who probably knows more about the password economy than anybody else in the industry. Andrew has been around both the open system standards space and the promotion and marketing of Linux and Java with a focus on identity management for companies like Sun Microsystems with an emphasis on developer mindsets and the most recent acceleration of streaming media. Andrew earned his bachelor's degree in political science from Emory University. So welcome, Andrew, it's great to have you on the show.
Andrew Shikiar: Thank you so much for having me. I appreciate being here.
King: Yeah. And we appreciate you being here, too. And we're joined by the 800-pound gorilla in the room, which is still the password. So the question is, why do we still have them after all these years?
Shikiar: Yeah. Didn't Bill Gates predict the demise of the password back in 2004 or 2008? It's a great question. I think that when you look at the goal of FIDO Alliance, and what we're aiming to do, it's incredibly audacious. Passwords are around simply because they work. They work in a very crude form. But they also have the advantage of ubiquity. They are supported everywhere. You can certainly use them. The problem is that they've been proven time and time again to simply be unfit for purpose for today's networked economy. And, in fact, they were unfit for purpose when Bill Gates made that statement over a decade ago. So, the good news here is that FIDO Alliance and hundreds of industry partners are making good progress against that gorilla to help reduce reliance on passwords across the board.
King: So, for some of our audience that doesn't know much about FIDO Alliance, can you sketch in the backgrounder on who you guys are, what you were trying to do when you put this together? And what your objectives still are?
Shikiar: Yeah, absolutely. So FIDO Alliance is an industry standards body. And we were launched almost 10 years ago now with a goal of reducing industry reliance on passwords. In fact, the driver for the foundation of FIDO Alliance was to address a data breach problem, which has only grown in the 10 years since. But the fact of the matter is the vast majority of data breaches are caused by weak knowledge-based credentials, like passwords. So, by addressing the password problem, you're also addressing the data breach problem. FIDO, as a body, we do three core things. First of all, we create technical standards and submit them for full formal standardization to official standards bodies. So, we have working groups comprised of some of the brightest minds on the planet who have poured countless hours of IP into our technical specifications. The second thing we do is we run a robust industry certification program. So, I like to say that standards without certification are like one hand clapping. Just because you can write to the standard doesn't mean that people will know that it works. So, to unleash the economic and technical benefits of open standards, you need to know that products can work together. So, our certification program does exactly that. We certify products to show that they can support vital authentication processes. So, it includes servers, authenticators, SDKs, all parts of the value chain that touch FIDO that a company would need to deploy, or to license software from a third-party provider. Additionally, our certification program has grown: not only have we certified nearly 1,000 products for functional certification, we've also launched a biometric performance certification program, the first of its kind for industry usage. And we more recently launched a FIDO Certified Professional Program, which is nascent today. But our goal there is to empower the next generation of identity and authentication workers.
Now, the third thing we do in addition to standards and certification is around market adoption and enablement programs. So, this takes a couple of forms. First of all, inside the Alliance, we have experts who have deployed FIDO authentication in a variety of scenarios, and work together to establish best practices and guidelines for future implementations of FIDO. Specifically, we have working groups looking at enterprise implementations, consumer-at-scale implementations, government implementations. And then based on their war stories and battle scars and successes, we put together free documentation to help people successfully deploy FIDO. Additionally, we run the full gamut of marketing programs; perhaps our flagship activity over the past couple of years is our Authenticate Conference, which is taking place this October in Seattle. Anyone looking to get up to speed on all things authentication, not just FIDO, can come to hear from people who are in the know, who have deployed, looking at both technical case studies and technical explanations, as well as business analyses and best practices. So, collectively, as a body, we do those three things. We're a member-driven organization, we have over 250 members worldwide that take part in all these activities. We also have a talented and lean staff to drive the operations, technical and market development activities.
King: I see. And are many of your employees volunteers, or paid to do the work you just described?
Shikiar: All members volunteer, and I think that's one thing that makes it very unique. Again, if you look at FIDO specifications, which we'll talk about in a little bit, these password authentication specifications have been built into billions of products worldwide. These were developed jointly by companies like Google, Microsoft and Apple and leaders in identity authentication, biometrics and, like I said before, truly the brightest minds on the planet in authentication built this technology. And they did that on a volunteer basis. Our staff, including myself, are paid professionals who help drive the organization in alignment with the strategic guidance from our board of directors.
King: Right. If you look at FIDO's success and the timeline throughout the years, it certainly began with great promise: PayPal and Samsung had joined forces to authenticate on the finger swipe. And that was followed quickly by Microsoft's Windows authentication services. Both services failed to live up to their expectations. What's your explanation on the causal effects of that?
Shikiar: I'd take issue with "failed to live up to their expectations." And you identified a good starting point of the Alliance, which was PayPal and Samsung and a company called Nok Nok Labs collaborating to create one of our first specifications, which was basically a biometric authentication approach. And what happened is Nok Nok and Samsung came into PayPal, and said, "We have a brand new Samsung Galaxy - I think it was the S5 - we can use the fingerprint reader to allow your users to sign into PayPal without using a password." And Michael Barrett, who was at PayPal and became the first president of FIDO Alliance, said, "This is great technology. But I want this to be standardized. Go spin up a group to standardize this stuff." That was the use case. So that was one of the origins of FIDO Alliance. At the same time, there was a similar initiative happening within Google and Yubico on the second-factor hardware key use case. But going back to PayPal, I think it was successful in the sense that that was the first biometric login to PayPal services. And we saw that technology, it was standardized, and has been utilized by hundreds of millions of users, and in leading apps from various banks, mobile communications providers, insurance companies, and that list continues to grow today. So I think that the technology has proven to be successful. And PayPal also got a lot of lift out of that initial implementation. As far as Microsoft goes, we feel quite good about the work that Microsoft's doing incorporating FIDO into Windows Hello. So, Microsoft is deeply committed to getting rid of passwords, FIDO authentication within Windows Hello, and support for FIDO security keys is also a critical part of that. In fact, the strongest, most secure way of going passwordless is using the FIDO technology built into Windows. Any new technology has a growth and adoption curve; that timeline will vary based on a variety of circumstances.
But overall, I do think that both implementations helped jumpstart FIDO deployments at scale, and were also successful for those two companies.
King: Yeah, I think recently, you guys made a joint announcement along with Apple, Google and Microsoft on the next wave of FIDO technology. Can you explain what that's going to look like and why FIDO and all your partners there - Apple, Google and Microsoft - are excited about them?
Shikiar: Thanks. That's a good follow-up to your last question. It's important to understand how FIDO works and how we're trying to take on the inherent advantages that passwords have, which we talked about at the outset of our conversation, you know, that 800-pound gorilla. One of the advantages I mentioned about passwords is that they have ubiquity. And the same thing goes for SMS OTP as a second factor. Those are ubiquitous technologies that people know how to use. And FIDO has been built into every major operating system, every major browser, which has set the stage for broader adoption. So, this has been the case for the past two years, and we've seen companies like eBay. If you go to ebay.com, they've deployed FIDO fully in the browser, so that after you log in, you can have the option of using a passwordless sign-in every time thereafter, with whatever device you're using, whatever that device unlock functionality may be. That's using FIDO. We've seen other companies use WebAuthn or FIDO as well. So, from Best Buy to Wayfair, Yahoo, Facebook, many more. That being said, the feedback we got from the industry is that usability wasn't there fully to allow for this to take off at scale. And I think the usability issue came in two pieces. One was that even with a login today, even on eBay, for example, there's some awkwardness, frankly, in kind of the OS prompts and the user journey that needs to be smoothed out. We gave guidance on how to do this most effectively. But there are dependencies on the operating systems that need to be addressed by closer integration. The other usability challenge is not operating system dependent, but came back to a feature of FIDO authentication, which is, historically, we've required users to enroll every device for every service.
So, if I set up my account with eBay and enroll FIDO authentication on my MacBook, and then I go to my iPhone, or iPad or another MacBook, I have to re-enroll that device as well to use passwordless authentication there, which creates a usability challenge. And it requires me to remember my password. And it's not quite the experience that users expect. If you think about iCloud, for example, iCloud Keychain. It's a nice password manager that allows me to set a password stored in iCloud on one device, and on any other Apple device, when I use that, I automatically can use iCloud and not have to remember that password. So, I think consumers expect the same type of experience with biometric authentication as well. So that's my long preamble to answer your question: what's such a big deal about this announcement we made jointly with Apple, Google and Microsoft? This is something that we're calling passkey. This is an implementation of FIDO that allows the private key, which historically has been bound to a single device, to be securely synced across the device cloud, such that you'll have that seamless, password-manager-like experience, but with biometrics and not having to ever use passwords. Furthermore, as it's being built directly into the operating systems, a lot of the OS flows and the user flows will be smoother than they have been historically. But most importantly, the user experience will be better as well. So, we're super excited about the promise for passkey, both in the sense that it will help accelerate user adoption. But even more importantly, it will help us achieve our mission. That mission being to reduce reliance on passwords and taking passwords out of play. I think that passkeys have potential to, in the next two, three years, allow hundreds of millions of consumers to stop using passwords for many of their core services that they use every day.
King: Thank you. On your PayPal browser option, what percentage of folks accept and use that versus a pure password approach?
Shikiar: So, here's a multiple perception question. I think one part is how many people can use the capability, so over 90% of browsers in use today can support a WebAuthn or FIDO login using the device unlock functionality, which can be Windows Hello, or Touch ID, whatever it might be. And then it's up to each service provider to try to prime and prompt their users to do this, instead of passwords. And that's why we invested in developing data-driven guidance on how to most effectively implement what we call platform authenticators or WebAuthn, looking at the entire user journey, so we gave guidance based on extensive research on everything, from how to message this, how to prime the user, how to use a toast message. It is a fascinating study, because it looked at everything outside of the FIDO technology. These were design and messaging considerations, and we came up with the optimal combination to help drive more utilization. And so, several companies have given case studies on their uptake of FIDO and some of the resulting benefits. Yahoo! Japan recently talked about a study where they saw well over half their users adopt passwordless sign-ins, including using FIDO, and what they're seeing is signing time was increased by over two and a half percent, authentication inquiries and support was reduced dramatically. And signup success rate went up dramatically. So, generally, what anecdotally we're hearing is that most companies can get around a 50%-to-60% opt-in rate over the first period of time of their WebAuthn, FIDO2 implementations.
King: Yeah! To your point in that space, I spent years not succeeding at selling our integrated banking technology product. We started an MSSP about - it was 2012-ish. We built a nice integrated banking solution and took it all over the Midwest, and I talked to at least 100 bankers, and every one of them told me the same thing, "Granny Smith was not going to be doing any 2FA password activity on her accounts, or she'll be leaving." So, we didn't sell. We were hoping to sell to these guys. It's a big deal still. That people look at this as an overwhelming inconvenience to swipe a finger or come up with a code or something in addition to a password. It's hard to believe.
Shikiar: Yeah. And I think you're hitting on a key point here, which is usability. And I talked about usability before. It is interesting, Steve. My conversations on FIDO authentication with companies who are thinking about deploying it have shifted over the years, from being more about security postures and things like that, to being about usability. And, in fact, I would say the vast majority of my conversations about FIDO authentication begin and end with discussing usability, for the simple reason that if it's too hard to use, people won't use it. There's a long history of fantastic, super secure 2FA and MFA technologies that were unusable. So, people choose not to use them, meaning that your employees will find a way to work around it, which will leave you still vulnerable to attack, and your consumers won't use it either, which leaves them vulnerable to account takeovers. So, finally, our mantra is "simpler, stronger authentication" and you can't ignore the simpler piece. The underlying technology we're using is asymmetric public key cryptography, which is a mouthful and an earful, and our belief is that Granny Smith shouldn't have to know how to say, let alone understand, what it means to use asymmetric public key cryptography. So what FIDO allows is a single-gesture, user-friendly, multi-factor authentication that's fully encrypted and immune to remote attacks. It's as simple as, basically, whatever you do to unlock your device is what you can do to log into your accounts, into your apps. And it is a multi-factor authentication experience, because it's something that you have, and something that you are, and/or something that you know.
King: Yeah. But it feels like we've been struggling with this for a long time. And I don't see much progress anywhere. So, that's interesting. And I know that myself and a colleague put together an MFA solution based on behavioral analytics and applied for, and received, a patent for it, and I look at the patent and think, "Well, this is not rocket science." And I'm sure there are hundreds of other ones that look a lot like this one. It'd be interesting to talk to some of the auditors that are making those determinations at USPTO, because the distinctions they're drawing between one patent application and another, that both address the same behavioral analytics components of a multi-factor authentication solution and password, are so subtle as to be missed if you're not looking. But there's a lot of activity there. I'm going to branch to my education hat here with CyberEd. You appear to offer three different levels of training for certification testing. Is that right? You've got functional interoperability testing, which, I think, is for servers, clients and authenticators, and then a certified authenticator-level testing process and then a biometric component certification testing. Could you expand a bit on the courses underneath those? In particular, I'm curious about what it is I would need to know to be able to be certified in biometric testing.
Shikiar: I touched on this a little bit before. So, certification is basically one of the three pillars of FIDO Alliance. So, it's a very important program that we invest in for the benefit of the industry. We have three core certification programs. The functional certification tests products against how well they adhere to the FIDO authentication specifications, and also ensures they interoperate. So, the conformance tests are self-serve tests that an interested vendor can test themselves against, can submit those results to our certification secretariat, and then they would sign up for interoperability testing where they test their products against other products to make sure that they do interoperate. So that's our one core program. You mentioned authenticator certification levels. So, an authenticator is part of the functional testing. But beyond that, certain use cases have higher requirements, higher security requirements for an authenticator. So, for example, for highly regulated use cases, a regulator may require that an authenticator, such as a security token, protects against malware attacks, or protects against hardware attacks. So, any FIDO authenticator protects against remote attacks. But not all of them ensure and verify that the private key is stored in a secure enclave, for example. So that's what certified authenticator testing does. There are multiple levels that you can test against, and the service provider can leverage our metadata service to make sure that the authenticator meets that criteria. Now, the biometric testing is a little unique because it's not tied to our authentication specs. It's an industry program that tests the efficacy and performance of biometric components, whether or not they're using FIDO authentication. So, we have industry standard metrics for things like false accept rate, false reject rate, presentation attack detection. And based on those metrics, that product will be tested.
So, we work with third-party labs, we have a whole bunch of lab partners that a vendor could go to to do this testing, and they will test against live subjects. And if you meet that criteria, you get the certification mark for biometric certification. The last one, as I mentioned before, we're excited to have launched the FIDO Certified Professional Program. This is an emerging program that aims to allow industry professionals in identity authentication to demonstrate their skills in deploying FIDO solutions. And we have full criteria, we have a full live test, we've partnered with Pearson on this test, and you can go into testing centers to get this done. We're actively building out some added training materials to help people be successful as they go through the testing process. So I think that that program, the FIDO Certified Professional Program, will be a growth area for the Alliance as we move forward in 2023 and beyond.
King: Yeah, have you partnered with third parties to deliver this certification training? Is that something that you normally do or consider?
Shikiar: So, the training for the FIDO Certified Professional Program, the training programs are in development right now. So, that is something that we will be working with third parties on.
King: Okay. Why don't we loop back to the beginning again, for a final question. And I think we're at time here. The 800-pound gorilla. When will we actually stop depending on passwords, in your estimation?
Shikiar: Yeah. So, an important point here. Moving beyond passwords is a journey, not a sprint. I think that passkey stands to greatly reduce the time of that journey, from potentially decades to years. It won't happen overnight. But I think that what passkey enables, and what FIDO enables, in general, allows service providers to become less dependent on passwords. And especially with passkey, where you no longer need a knowledge-based credential to allow your consumers to enroll new devices or recover devices. So, little by little, you'll see service providers taking passwords out of play. I don't think they'll delete them right away. But once they're seeing demonstrated non-usage of passwords, they will delete them. And we're seeing companies do this already. So, NTT DOCOMO, for example, allows their consumers to delete passwords. eBay gives you the option to delete your password once you've enrolled with FIDO authentication. So it's a non-answer, but I would say, over the next two to three years, you're going to see passkey become a predominant way of logging into most mainstream consumer services. And in the years beyond that, passwords will start to be taken out of the user journey in and of itself.
King: Well, I don't think that's overly optimistic at all. So I'm there with you. And I hope that that turns out to be the case. And thank you, Andrew, for spending half an hour of your day with us. Andrew Shikiar, the executive director of FIDO, whom we're happy to host today. And I hope that our audience got a little flavor of the mysterious world underneath passwords and multiple passwords and MFA and 2FA and all the rest of it. And what FIDO has been instrumental in doing as the major standards player in the space here. So thank goodness for you guys. And thank you for all that you do there. Appreciate it.
Shikiar: I see it. Thanks so much for having me. So it's great to be at ISMG and with CyberTheory, so thank you.
King: Sure. Thank you. Take care. Have a great day.