New tools, Authenticate presentations coax hesitant businesses to adopt passkeys

The FIDO Alliance has launched a pair of tools at its Authenticate 2024 event online and in Carlsbad, California, Passkey Central and a secure credential exchange protocol, to help businesses move beyond passwords and embrace passkeys for phishing-resistant authentication.

This year, organizations started coming to the FIDO Alliance, unbidden, to report data on business benefits like lower costs and more successful sign-ins, Alliance CMO Megan Shamas said while introducing the conference.

The Alliance has published a working draft of the specifications for secure credential exchange. The draft Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) are intended to enable the transfer of passkeys and other credentials between any platform that manages them. This, according to the announcement, will make it easier and more secure for users to change credential providers.

Other keynotes on the first day focused on encouraging the adoption of passkeys by end-users.

Passkey Central

CEO and ED Andrew Shikiar shared a utopian vision for passkey adoption in a keynote address, and backed it up with indications of the progress that has been made towards reaching it.

Passkeys can now be applied to 15 billion passkeys, Shikiar says, just two years after their launch. He described a day in the life of a passkey user, performing authentication without passwords for a dizzying array of use cases. Even as a preeminent FIDO optimist, he did not anticipate this kind of uptake when passkeys launched.

Accumulated time and cost savings, higher revenues and lower fraud risk can all be achieved through easier access, Shikiar argues, citing presentations to come at Authenticate 2024.

Anthony Kemp of Air New Zealand described his organization’s journey to a fully-passwordless authentication system, relying on passkeys with OTPs as a fallback.

Shikiar described FIDO’s work on standards as “an effort of collective commoditization,” and says that “our ecosystem is where the value of open standards really starts to shine.”

Passkeys are being implemented for payments by both Visa and Mastercard, for smart home devices like TVs and refrigerators by Samsung, and the Alliance will lean into the growing interest in automotive implementations in 2025, Shikiar says.

He also emphasized the influence of FIDO’s certification program for biometric components.

Despite this, there is a long tail of adoption, largely made up of smaller service providers, that must be addressed to reach the promised “passkey utopia.”

Enabling them is the purpose of Passkey Central, an online resource hub of authoritative guidance for adopting passkeys at scale.

The website presents documentations to help organizations identify their needs by understanding the cost and benefits of passkey support, offers rollout guides and design guidelines, and shares a selection of resources and tools.

Costs and benefits

With FIDO working to ease implementation through its Passkey Central resource, making a dollars-and-cents argument may be the last remaining piece for convincing organizations to adopt passkeys.

The business case for passkeys, based on return on investment and a cost-benefit analysis of going passwordless, was presented by Softvision Info Solutions Head of Product Rohit Nayak.

He starts with an estimate by Forrester of time spent on resetting passwords, and by extension productivity loss. For an organization with 5,000 employees, IT help desk staffing costs just for those resets could amount to around $1.5 million a year. He shares an online calculator for the cost of passwords, which helps add other associated costs, like for MFA maintenance, and arrives closer to $3.5 million per year.

For passwordless implementation, hardware, software, management and replacement of tokens, training and setup costs could amount to $420,000, Nayak says.

He proceeds to compare building and buying a passwordless authentication system.  Building a system means setting up identity governance, access management and directories, while buying one incurs cost not just in payments to the vendor, but also from staff.

Vendors will naturally promise cost savings, but completing a full calculation is necessary to get a clear view of which would be less costly for your particular organizations, Nayak argues. For large enterprises, that may include foregoing the tax benefit of depreciating hardware, for instance.

Article Topics

Authenticate Conference  |  FIDO Alliance  |  passkeys  |  passwordless authentication  |  passwords  |  secure credential exchange