
Passkeys highlighted in new CISA guidance on secure-by-design software

FIDO approves of passkey push as adoption grows; Apple rolls out passkey API

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a guide to help organizations ensure they are buying software from companies that prioritize secure design.

The “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” defines secure by design products as “those in which software manufacturers – the companies that create, ship and maintain software – make security a core consideration from the earliest stages of the product development lifecycle.”

It is based on the principles of taking ownership of customer security outcomes, embracing “radical transparency and accountability,” and building organizational structures and leadership that can execute the plan.

“We are glad to see leading technology vendors recognize that their products need to be more secure and voluntarily join the Secure by Design pledge,” says CISA Director Jen Easterly in a release. “Businesses can also help move the needle by making better risk-informed decisions when purchasing software.”

The guide provides a list of questions buyers should ask, including questions about secure authentication (passkeys and multi-factor authentication, or MFA), vulnerability handling, and reporting.

Following the guidance, say the feds, “will demonstrate to the customer that the software manufacturer is taking actions that will drive down exploitable defects and misconfigurations – a safer product for the customer.”

FIDO welcomes CISA’s spotlight on passkeys

The FIDO Alliance has published a reaction to the guidance from Executive Director and CEO Andrew Shikiar. Unsurprisingly, it is enthusiastic about the inclusion of passkeys.

“The Secure by Demand guidance empowers IT buyers, who can drive market demand for secure software features, such as passkeys and FIDO authentication,” writes Shikiar. “The guidance for those manufacturing or procuring software across the software supply chain is clear: passkeys improve third-party supply chains and ensure higher security standards in software procurement and development processes.”

“By integrating passkeys into authentication processes, organizations can strengthen end-to-end digital identity lifecycle management and significantly reduce the risks of phishing and social engineering attacks.”

API for automatic passkey creation to roll out with Apple iOS 18

The recently published Dashlane Passkey Report notes that large consumer apps, notably Amazon and Target, are driving passkey adoption. Apple is not in the top ten – but that could change with the release of iOS 18 in September. Fast Company says the company will roll out an API for app and website developers that will allow them to create passkeys for users automatically, which will enable passwordless login.

Apple has been supporting passkeys since iOS 16, but the next iteration is designed as a conscious effort to spur wider passkey adoption. In iOS 18, transitioning accounts to passkey logins can be done automatically with a simple settings toggle. The feature is likely to be duplicated by Google and Microsoft.

The FC piece points readers to Passkeys.directory, an online directory of sites and apps that offer passkey support. Andrew Shikiar also makes an appearance here, offering an explanation for why banks have been slow to follow large tech firms in supporting passkeys. The short answer is, rules.

“Banks and financial institutions operate in a highly regulated industry, so they are vigilant when it comes to ensuring that user authentication complies with relevant regulations,” Shikiar says. “Synced passkeys introduce a new customer assurance model that compliance leads within banks are still adjusting to.”

The latest entry in 9to5Mac’s Apple @ Work series says passkeys are one of the most important security technologies in the world, and offers an explanation for why e-commerce is a primary driver of passkey adoption.

“It’s no surprise that the push for passkey adoption is coming from consumer-centric platforms,” says the piece. Popular retailers like Amazon, eBay, and Target are “often frequented daily from smartphones,” making them “perfect candidates for showcasing the benefits of passkeys.” Passkeys go hand-in-hand with mobile shopping by offering a secure and convenient customer experience that minimizes drop-off.

“Plagued by abandoned purchases due to forgotten login information, this industry stands to gain financially from the streamlined, secure process that passkeys offer.”

Forecasting the death of passwords is a popular pastime in the passkey sector – but, thus far, proclamations of passwords’ demise are often followed by an admission that passwords aren’t going away any time soon. But, with the number of authentications via Dashlane surging by over 400 percent since the start of the year, there is a growing trust and familiarity with passkeys that could point the way to the passwordless future of which FIDO dreams.

Ubank introduces passkeys for customer login

A release from Australian digital bank ubank says it has introduced passkeys for customers to “simply and securely access their banking app.”

It also offers one of the tidier summaries, in plain language, of what passkeys mean for the user. Ubank Chief Product and Growth Officer Andrew Morrison says “passkeys mean that customers don’t need to enter a one-time passcode (OTP) or remember a password to log into their banking app.” Once a passkey is created, “customers can log into the ubank app in the same way as they would to unlock their mobile device, using fingerprint or facial recognition, a PIN, or swipe pattern.”

Ubank cites as its motivation data from the Australian Competition and Consumer Commission (ACCC) showing that Australians lost $2.7 billion to scams in 2023. Its own research also reveals that a majority of 18- to 43-year-olds say encryption and secure authentication are among the most effective ways for banks to prevent scams. Thirty-eight percent say biometrics, including fingerprint and facial recognition to access a device or information, give them the most confidence that they are protected from data and identity theft, fraud and scams.
