Thank you all. My name's Andrew Shikiar. I'm the executive director and chief marketing officer at FIDO Alliance, here to talk to you today about the state of strong authentication, really looking through the lens of FIDO and its members through the FIDO authentication standards. I want to start by backing up about 10 years ago to January of 2020, the before times, before COVID hit. If you put yourself in that timeline, you'll remember that digital transformation was all the buzz. Lots of talk about digital transformation.
In fact, I actually co-authored a paper with the World Economic Forum on this topic, talking about the importance of going passwordless to secure digital transformation. But in general, I think that most digital transformation plans were kind of hand-wavy, you know, five-year plans, which basically boiled down to bringing systems and services and people online, but they were pretty vague.
And then all of a sudden COVID hit, of course, and the five-year plan got compressed into five months, right?
So all of a sudden having remote employees was no longer a luxury but a necessity. That percentage of your banking customers that actually only transacted in branch had to be protected, had to be brought digital in a secure and easy way. And attackers took notice of this as well. All of a sudden there was a very broad, very soft and very lucrative target landscape for them to attack.
And so it's little surprise, and this is kind of the obligatory "passwords are scary" slide, but the lens on this is COVID, and as you can see, cyber attacks increased: a 238% increase in cyber attacks, 18 million COVID-themed malware and phishing attacks thwarted each day by Google.
And all that COVID really did was accelerate and exacerbate the problem that passwords lead to, related to user authentication.
And of course the underlying theme, or the one we all know, is that passwords lead to the vast majority of data breaches: a weak credential, a stolen credential, a lost credential, a manipulated credential. This is what leads to breaches. This is what leads to the problem that we see today. And we've known that for some time, right? We know that passwords need to go.
In fact, in 2004, Bill Gates gave his, you know, infamous or famous talk about the necessity for the demise of the password. And that was a long time ago, but he's spot on: passwords cannot meet the challenge of keeping critical information secure. Or as I like to say, passwords simply are not fit for purpose for today's networked economy.
We can all relate to this as users.
You know, they're clumsy, they're hard to remember, but most importantly, it's a knowledge factor. It's a human-readable knowledge factor that sits on a server, and anything on a server most likely can and will be stolen. And since it is human-readable, they're easy to phish out of someone's hands. They're easy to harvest and replay. And this is a core, fundamental problem of passwords.
Now, SMS OTP has come along, and the second factor, 2FA, has been around for a while. OTP certainly is better than a password alone, but it has its own problems. It has usability issues, deliverability issues, but I think the biggest problem with OTPs is that it's also still a shared secret. Granted, it's a much shorter secret on the server, but it is still something that can be socially engineered or mechanically engineered out of someone's hands, not to mention, when you're talking about SMS OTP, SIM swapping and redirects and things like that.
So it's an improvement, but certainly not the answer.
And this was the landscape that FIDO Alliance came into when it was formally launched in 2013. It was formed before that, but it was launched in 2013, launched really to address the data breach problem. And as we established, passwords are the leading cause of data breaches. So that's very much the tip of the spear, which is why we focused on that as FIDO's focus point and starting point.
And fundamentally, what FIDO's trying to do, again, is shift the market from one that's dependent on centralized, server-side shared secrets to means of authentication that allow users to do it locally with the device in their hand: single-gesture, asymmetric public key cryptography. That's a mouthful, but basically what we're looking to do is replace the password on a server with a public key, which has no material value to a hacker and no reuse.
And then on the device is a private key, which is stored securely on the device, whether it's a biometric or security key, and the user presence, or the user himself or herself, must be verified to activate that key. If you will, you'll see in this slide I've highlighted "simpler" out of our tagline, "simpler, stronger authentication." That's always been a core part of FIDO's mission, to make this easy. History is littered with a lot of advanced MFA technologies that simply don't scale for mass consumption.
You look at things like smart cards and PKI: very strong, very compelling, but ultimately not fit for purpose for mass utilization. And then there's other data points that show that MFA opt-out rates increase with the complexity of the solution. So it needs to be easy for people to use.
And that's been a focus since the beginning. This is who FIDO is. This is our board of directors, roughly 40 companies. This is our board.
The way I like looking at this set of logos is, if you ask yourself the question, who needs to be sitting around a table together to solve the password problem? And if you closed your eyes and started thinking of companies, it'd probably look a lot like this, right? So you have companies that create the devices and platforms that we all use every day.
We have experts in security, identity and biometrics, and last but not least, we have the service providers and the banks and such whose businesses are utterly dependent on their ability to deliver high-assurance services to billions of users worldwide. And that composition is consistent throughout our membership. We have sponsor members who build out our working groups. We have associate members who comprise the FIDO Certified ecosystem. We liaise with other dot-orgs to address joint use cases or regional education.
And we also have government members and engagements there as well, to make sure that we have that perspective coming into all of our work.
And the good news is we've made solid progress. So here we are in 2021. There's hundreds of FIDO Certified products on the market that any service provider can use to quickly deploy a FIDO Certified solution, both to the enterprise and to consumers. There's already 4 billion devices on the market that support FIDO authentication, and Microsoft cites, and accurately cites, that over 150 million people are using passwordless methods each day to log on.
So that points to the fact that we're making progress. Passwordless is happening, things are heading in the right direction, which is fantastic. However, the problems persist.
In fact, they're getting worse. I mean, the data is getting worse because the attacks are ongoing, they're persistent, and it's an ongoing challenge, right? So you can see this article from a couple months ago: there's a 450% surge in breaches containing usernames and passwords.
So again, there's the weak link again: the credentials. You think about the Colonial Pipeline ransomware attack that happened in the US. A single password was at the root of that attack, right? A single password basically shut down the Eastern seaboard of the United States.
A single password led to people filling up plastic bags of gasoline in Georgia, because there's a race on gas. So that shows you the damage and what's at stake for using weak credentials.
Likewise, this year's Verizon data breach report cited the pandemic, as we just talked about, as something that led to an increase in phishing and ransomware attacks.
And as the attack vector got broader, the attacks went up.
So I think it's fair to ask, why is this taking so long?
Why? We have FIDO Alliance, all these great companies working together. We've been talking about this since 2000, 2004.
Why haven't we solved this yet? And not to be flippant about it, but ultimately it's very difficult.
It's a very nuanced problem. And more than that, it's because passwords are just ingrained in the way that people interact on the web today, right? It's part of the web's DNA. Passwords have been around since well before the age of the personal computer. The average person has over a hundred passwords. And I'd actually argue with this stat. I think the average person probably has six passwords, which is a whole problem, but hundreds of accounts, and people just understand this behavior.
It's a learned behavior. People know what to do.
When you go to a new website, you look for the username/password dialog box. I have two young kids in school, elementary school kids. They have to go online for their apps. They're being taught good password hygiene and how to use passwords. But the password hygiene is their first name, last initial, 1, 2, 3. And this is being taught at a very young age. So it's a systemic problem that we really need to uproot to make this change. We need to change the DNA of the web itself. And how do you do something like that?
I'd say there's, again, three things, three core areas that we need to execute upon to become part of the fabric of the web. The first thing is industry collaboration and standardization, right?
This goes for any technology, not just FIDO. You need to have broad industry support: people building your technology, supporting your technology, utilizing your technology. And to that, the second point is you need to just be there. You need to be shipping at scale, the dial-tone effect. People need to be able to count on your technology
being able to be utilized by end users. And the third key element is strong regulatory and government embrace. So let's look at each of these a little closer. Collaboration. All right, so I talked about how FIDO's membership is very diverse. We have great collaboration inside our membership. We also liaise with other standards bodies, whether it's OpenID Foundation or EMVCo. We collaborate internally and externally, and perhaps paramount amongst these collaborations is the work we've done with W3C.
So several years ago, we were working on the second wave of FIDO specifications, called the FIDO 2.0 Web APIs.
And the decision was made to contribute those to W3C, simply because FIDO realized at the time that to gain scale, to gain that ubiquity, we had to target the platforms and the web itself, and what better place to do that than the standardization body of the web. So we contributed the specs to W3C. The Web Authentication Working Group was launched, and we worked in parallel with them to advance that specification.
So what happens in these groups, as many of you know, is a lot of the same people will be sitting in our technical working group as are sitting in the WebAuthn working group. In fact, some of them are in this room, and that's how we keep things in sync and keep things moving along. And so, is that the quickest way to get these specs done? Probably not, but it certainly was most impactful, because as we talk about ubiquity, the good thing about working with W3C is that out of the box we had functional support for FIDO authentication, for WebAuthn, in every leading browser.
And since that time we've seen the platforms adopt it as well. So initially it was Android and Windows Hello, and more recently Apple has really broadened their support for FIDO authentication in their platforms and browsers as well, to where things stand today, which is that any device being unboxed right now, at this very second, more likely than not can consume FIDO authentication, right? So we're hitting that second key point, which is ubiquity and broad distribution. And the third area is regulatory and government embrace.
It's been really interesting to me, at least. I feel like the past 18 months or so, partially thanks to COVID, and in general, the pace of innovation and implementation of identity technologies has been in this hockey-stick type rise, right?
A lot of ideas and concepts that have been talked about for 10, 15 years are now coming and being built into real shipping products.
And a lot of that's due to imperatives such as doing digital wallets, or trying to thwart attacks that are coming in against governments, entities, companies and individuals. So whether it's digital wallets or the US government citing FIDO authentication, or FIDO as MFA, as a means to protect government offices and elections, we're seeing lots of embrace and positive movement there as well.
So in summary, I think we're well on our way to becoming part of the fabric of the web. And it's something we'll continue to work on to help drive this adoption. And it's little wonder then that we're seeing adoption, right? This is a small sampling of companies who have deployed FIDO. It's meant to show you kind of the breadth and depth of companies that are using FIDO authentication. It spans use cases, borders and deployment types, right?
So we're seeing really broad initial adoption of FIDO authentication today.
And so what does this look like? I know I'm kind of short on time, but these are some examples of FIDO in action. This is eBay. eBay's been one of the earliest adopters of FIDO. In the top left there, you see Safari on iOS. The browser window there is, I think, Chrome on macOS, right? Same experience: no-password flows using a device biometric. We move to the next screen, you see Android.
And then, last but not least, Windows Hello with Chrome. And again, in all these flows, not once does the user have to enter a password. Every time they're using a device biometric, or you can equally use a security key or local PIN.
So how do we use all these technologies? Talk about regulation for a second. Simply put, the new trends in digital identity and regulations really require modern authentication. So what FIDO Alliance is doing is engaging, right? Engaging to understand and work with certain schemes to insert a FIDO authentication flow into that.
You can't be in Europe and not talk about PSD2 and SCA. We've done a lot of work on this inside our FIDO Europe working group. As you all likely know, there's several different ways to comply with PSD2 and SCA, whether it's SMS OTP, or bespoke hardware solutions, or device biometrics with FIDO.
And we feel like FIDO is really the only one that checks both the usability box, the compliance box and the security box. So we're really pushing more and more institutions to adopt FIDO as a PSD2 solution.
So coming back to one of the core questions: how do we move beyond passwords, right? How do we actually get there? What we really want to get to is a state where people can forget what they know.
So again, the key theme I want to get across is that we need to move away from knowledge-based authentication to something that's more possession-based. And so, again, I'm going to work in threes because I can't count that high, but there are three key areas we need to work on. First of all, replace password logins with biometrics or keys, right?
So one, we just finished a very extensive research study on usability. And one thing we saw is that even though using a device biometric is, to us, very easy and intuitive, a lot of questions were asked, and there needs to be a lot of user behavior training and education.
So the sooner people can actually start doing these flows, like eBay, for example, even if it's just hiding the password, even if the password's still on the server, that's an important first step to get people moving in this direction. The second piece,
and it's probably the most critical, is to create an ID proofing and verification scheme that matches FIDO's commitment to possession-based authentication with what I'll call a possession-based ID proofing or verification scheme. Right? So no more knowledge-based credentials for account creation. This will help do a couple things. First of all, it'll smooth the account recovery process, which is frankly one of the biggest challenges for FIDO authentication.
And secondly, it'll protect that account recovery process in the sense that it closes that back door that a social engineer can manipulate and utilize to take over someone's account. It's very difficult work, but it's something that we're committed to working on.
To that end, we have an Identity Verification Working Group inside FIDO Alliance. And then once this is done, we're in position to truly replace passwords with FIDO key pairs, right?
No longer will you need to even have a knowledge-based factor. You can just go with FIDO key pairs. And so, three examples of companies that are moving in this direction today.
Google, I mentioned eBay already. Google has account recovery mechanisms that are not dependent on knowledge. NTT Docomo has done so much to lead inside of FIDO Alliance, and in market actually gives their customers the option of deleting their password, right? They're using other mechanisms to proof and recover these customers. And then recently, in June of this year, Apple at WWDC announced something called passkeys, which is basically synced on the iCloud Keychain.
When you use an Apple device, you will have the option of basically implementing FIDO key pairs rather than passwords, right? So no longer a complex password or any sort of hashed password; it's a FIDO public key on the server with a private key on your Apple device, or across iCloud Keychain. And the good news is the other core platform providers in FIDO Alliance, being Microsoft and Google, are working closely with Apple to make this idea become a reality, a secure reality, across every platform that people use today.
So wrapping up here, the opportunity, or the call to action, is for all of you to take advantage of this market opportunity, right? So if you're a vendor, look at getting your product FIDO Certified, so you can tap into what's becoming a requirement in most RFPs. If you're a service provider or relying party, we encourage you to step up your passwordless authentication plans with FIDO at the core of that effort.
So to tie a bow on things, in conclusion, we started by talking about Bill Gates's quote about hoping for the demise of passwords. We're going to wrap up by pointing to a tweet from Mark Russinovich, who's the CTO of Microsoft Azure, who talks about his passwordless world within Microsoft. So a mere 17 years later, Microsoft's not just eating its own dog food, but helping lead FIDO Alliance in providing passwordless authentication for all of us across the market. So thank you very much. I'm happy to take any questions if we have time for that.
So I think Andrew deserves applause.