Persistent phishing to push passkeys past passwords
Adoption of the FIDO Alliance’s passkeys by the large platform vendors has already pushed passkey support to more than three out of every four devices in consumers’ hands, according to a new report from OwnID. ‘The Passwordless Authentication Report 2023’ has been released on the heels of in-depth discussions of passkeys and their impact at the annual Cybersecurity Policy Forum hosted by the Better Identity Coalition, FIDO Alliance and Identity Theft Resource Center.
OwnID says that customers have found implementing passwordless registration and logins increases authenticated users by 20 percent across websites.
There was also a significant shift over the past year towards the adoption of biometrics for passwordless authentication, according to the report.
FIDO forecasts phishing
FIDO Alliance Executive Director and CMO Andrew Shikiar delivered a keynote address at the Cybersecurity Policy Forum.
The emergence of MFA bypass attacks into the mainstream, predicted by FIDO at the virtual Cybersecurity Policy Forum in 2022, accentuates the need to move from legacy, knowledge-based authentication to modern authentication based on a possession factor with local biometrics, he says.
In the year ahead, Shikiar expects MFA bypass attacks to continue, and in doing so to push organizations towards unphishable authentication.
In the 0ktapus attack, Cloudflare avoided a breach by “layering FIDO security keys on top of Okta instead of TOTP: They did not get hit by the attack.” The same attack prompted Twilio to move to FIDO2 instead of one-time passwords.
SMS OTP is the next vulnerability set to emerge. Identity verification is also heading into the mainstream, Shikiar says, citing moves by Twitter and to institute online age protections.
In response to these trends, the FIDO Alliance plans to launch certification for liveness and biometric matching for face verification solutions in 2023. The organization’s Biometric Component Certification tests are expanding with a presentation attack detection-only offering as well.
The organization is also working towards scaling its authentication through ubiquitous availability and adoption by incumbents.
“There are some fundamental aspects in how we’ve been deploying FIDO that were hindering such adoption,” Shikiar says. “So we took the decision with passkey that allows for further usability from the OS on up, while not losing focus on security.”
What is different is that the private key may now be securely synced through the vendor’s cloud. Passkeys are also more deeply integrated with operating systems, allowing the “quirky” device and browser prompts found in some WebAuthn integrations to be skipped.
Passkeys are highly complementary to FIDO Security Keys, according to Shikiar, and will progress further into the consumer mainstream in 2023.
Together, they could help authentication serve as a bridge over the digital divide rather than the wedge created by numerous passwords.
Meaningful progress will come this year on reducing passwords for government services, FIDO predicts.
Shikiar cited the endorsement of FIDO and strong authentication in various publications and announcements by government agencies in the U.S. and elsewhere.
Passkeys ready now . . . at least for some
A panel discussion on ‘Passkeys and the Future of Passwordless Authentication’ immediately followed Shikiar’s presentation.
The panel was made up of representatives from NIST, Microsoft, Amazon and Google, and was moderated by Megan Shamas of the FIDO Alliance.
Passkeys will begin making their way into Google products this year, Google Product Manager for Identity and Security Christiaan Brand says. The company’s internal research suggests that 46 percent of consumers will fall for a well-crafted phishing attempt, lending urgency to the encouragement of adoption among the general public.
Password managers and other third parties take the role of what Microsoft Identity Standards Architect Tim Cappalli refers to as “pluggable passkey providers.” They would interact with the OS as a native plug-in, with the OS providing other aspects of functionality, such as biometrics.
Brand noted that while consumers have some clarity about how platforms like Apple and Android handle passkeys, the introduction of third parties adds complexity, and those parties may handle security in different ways. A minimum bar is being discussed within the Alliance.
Different environments like enterprise systems also present their own complexities.
Syncing between devices introduces considerations for NIST’s Digital Identity Guidelines SP 800-63-4, currently at the draft stage, NIST Computer Security Division Lead for Hardware-Rooted Security Andrew Regenscheid says. It would be good to have a signal that a given credential has been synced to a new device.
Organizations were urged during the presentation to look at adoption beyond a binary decision to deploy passkeys everywhere for everyone, or nowhere at all.
For more complicated use cases, like those involving multiple devices, clarity about when and how the passkey should be served is coming in 2023.
That clarity, together with user adoption steadily shrinking the number of devices without passkey support, will answer some of the remaining questions over time, or render them moot.
That will be the time, it seems, when phishing finally goes from something users need to watch out for to a legacy of a less secure age.