So my name is Pedro Martinez. I'm business owner for Authentication Solution at Thales.
At Thales, we provide a combination of solutions for identity and access management, strong authentication, digital onboarding, and risk management. We are gonna talk about passkeys. Passkeys is a term that was released to the public exactly two years ago. It was in the month of May of 2022. That's when we started to hear about passkeys. The technology behind was known for quite a while, but that's when we first started to hear about it.
And in just two years, we are not only talking about them, but they have been deployed and they have been deployed quite massively, to the point that I would bet that most of you here, whether you are aware or not, are already holding a device that is hosting some passkeys and you are using already some passkey.
So let's talk about it. It's gonna be relatively fast paced. I have quite some material, but let's start by the beginning. So what is a passkey? A passkey essentially is a cryptographic credential for authentication.
And that follows the specifications that have been defined by an industry association. That is the FIDO Alliance. The FIDO Alliance was set up in the year 2013 with a clear objective of enabling or finding out solutions that would allow us to get past the dependency on passwords that we have had forever when it comes to digital services.
And the work that started in 2013 has gone through several iterations and there have been some releases of solutions, but essentially it became open to the public and to the masses through the term of passkeys in the month of May of 2022, as I was saying.
And from there, everything that we have seen since. Let's see, how does it work, passkeys? So essentially the principle of passkeys, the principle of FIDO, this is the principle of the FIDO protocol. It's a protocol for authentication that we can see in two steps.
There is a first step of authentication that takes place locally between the user and his device, and typically through the means of biometrics, though it would be possible as well to do it through the presentation of a PIN, for example. And this step is followed by a second step of authentication that is between the device of the user and an authentication backend, both of them speaking the FIDO protocol. That's where the cryptographic exchange takes place. So that's in essence what it
is.
And well, I mean, it's a protocol for authentication like many others. But why FIDO?
Or why is this something that we should consider as something better than other things now in the past? Well, there are, I would say for a reason the first three ones is because they, because they're great. Even if it sounds silly to say it that way, it's great in terms of user experience when you compare it with a usage of passwords, which is what we are trying to kill in the first place. The user experience is much better because essentially it's based on biometrics.
It also provides big benefits in terms of security because they are immune to phishing and they are immune to server data leaks because they are based on asymmetric cryptography. So we don't have secrets on the backend side.
So there is a big benefit as well. And finally, because they actually deliver on benefits in terms of ROI.
So the improvement in terms of engagement that service providers can have with their users by using passwords, sorry, by using passkeys compared to using passwords. We will see some examples about that.
It's really measurable, no? Users can log in much more easily, much more rapidly and with a success rate which is much higher. There are also other benefits that could be related to a cost reduction for the fact that you are not having the expenses related to all the password resets, which is a major customer care expense. So I was saying that passkeys became known by the public in 2022 in the month of May, and that was the time in the month of May coinciding with Password Day, which is the 5th of May, when we saw something quite unprecedented.
So essentially Google, Apple and Microsoft together with the FIDO Alliance, but Google, Apple and Microsoft, released a joint PR. I have not been able to find any other example or any other case of these three companies issuing a joint PR for anything. And in this case, basically what they were sharing was their commitment to implement and deploy the FIDO technology. And through that, bring passwords to, so, sunset passwords, obviously over time.
So they did not just do that, but they complied with what they were saying there, because in the following months, during 2022, before the end of 2022, we got to a point where we find ourselves with all the major operating systems of all the major end user devices for communication, whether they are PCs, tablets, or smartphones. So we have Android, we have iOS, we have macOS, we have even ChromeOS and Windows.
All of them had implemented and had released native support for FIDO.
So we do have today on all of the devices that we manage normally native support for this technology. And they didn't stop there, but they had been working obviously on all this.
But by the end of 2022, we had as well support for passkeys at the browser level. For the first time we had the possibility of using a technology from standard browsers for authentication, leveraging the resources that were available on the devices themselves. So with this level of ubiquity combined with the benefits that passkeys have, this is what brought us to conclude that certainly the arrival and the success of passkeys was quite inevitable.
And in fact, as of today, this thesis that we have is that 96% of active browsers, the ones that we use, and 98% of mobile devices have indeed the support for passkeys already. So it's not a surprise that with this information, with the benefits that they have and with the ubiquity we have just mentioned, we have seen over the last year, year and a half, a plethora of major service providers that have implemented support for passkeys and that have deployed this technology and made it available to their users.
Not only the names that you can see, these that represent different types of industries, but also Apple themselves. For example, I was saying that you probably have a passkey in your device, whether you know it or not. When Apple released iOS 17 last September, automatically they issued a passkey for every user at the moment that they were doing the upgrade to iOS 17.
So the main way now for each of us Apple users to log into our accounts in the cloud is the passkeys that we have stored on our iPhones already.
Not only Apple, also Google committed to it. And they decided that passkeys was the main technology moving forward for authentication, for login to Google accounts. And there are other examples such as WhatsApp, for example, such as Amazon. So as you can see, it's very important companies that have committed to the success of this, not to the success of this technology that's at the platform level, but that they have decided that it was the smart move to make, to leverage this technology for their own services.
And it's no surprise because if we look at the statistics that we get from Google themselves, from their early deployment of passkeys, the numbers are quite staggering, no?
Four plus improvement in success rate compared to an authentication based on passwords, and a reduction by half of the time required by a user to complete successfully a login. These numbers are very good numbers and we have seen similar numbers and similar statistics reported by other vendors that have been sharing the success of their deployment of passkeys.
Okay, arriving at this point, the question is, if they have done it, should every other service provider, any other company or enterprise for that matter, internally for their employees, also deploy passkeys?
Well, to respond to that question, we have to first of all think about the three main types of devices, the three types of supports that you can have for passkeys. There is one type of support that is hardware token.
So it is possible to implement the FIDO layer, and in fact this was one of the earliest implementations, inside a hardware token; they implement the protocol. And so you can have one external device separate from your communication device for authentication. And that's obviously a very secure way of managing your passkeys.
We have another option, which is through mobile applications. It is possible to implement the FIDO layer on the client side, on an SDK for example. And that SDK can be embedded on a mobile app. So enabling the mobile app for authentication based on passkeys, not even relying on the resources on the PHY or native support of the device, but just relying on the SDK and on the implementation on the mobile application itself. And finally there is the one that we have been talking about. Here's where we have the big numbers.
Here's where we have tons of devices that are already implemented, tons of devices that are already enabled.
So through the platforms themselves. If we look at these three types of substrates for passkeys, we can easily, this is not a strict rule, but we can see what can be a preference of format for deploying passkeys for different types of use cases. So for example, for workforce, the usage of a dedicated device such as a token or a smart card makes a lot of sense. It's a very secure way of doing it.
And the enterprise manages the park of devices and can release that park of devices to their users. It's a matter of security. And of course the other options are also available, but this is a common choice for workforce. When it comes to consumers, in this case, but in regulated industries that have a high bar in terms of security, the mobile application may be the first choice for many of them, and we will see why.
And finally, for unregulated industries, we believe that obviously the passkeys through the platform, through the OS, would be the best choice. Now why, if we look at the platforms, why is it that there is this difference between regulated and unregulated markets? We have to look a little bit at something particular on the implementation of passkeys, of support for FIDO on OS platforms.
The first thing that we have to see is that with the implementation of OS platforms, now we have one use case that becomes available that we had never had before, which is the possibility of making an authentication, a user authentication from a web service running on a PC directly on the device without having to do an out of band to an authentication on a separate device. Okay?
Now it is possible because we can do the biometrics or a presentation of a PIN on the device, and we can be using that native support through the browser and through the device in order to complete the possession factor part and having a strong authentication directly done, run on the device itself.
But the other characteristic that is very particular about the implementation on OS platforms is that when Apple, particularly Apple and Google, decided to implement the support for FIDO, they introduced one very specific characteristic that had never been considered before in the work done by FIDO, and that was synchronization. What do we mean by synchronization?
Well, I am an Apple user. I do have three devices. I have an iPhone, I have a tablet and I have a, and I have a MacBook.
No, let's say that I go to the website of a given service and that website is going to offer me the possibility of enrolling for a passkey for that service. I do that on my mobile phone, doesn't matter on the app or on the browser, let's say on the browser, on Safari, on Chrome, whatever. I do it on my phone.
So when I do that, what is going to happen is that the passkey that consists of a key pair, this is asymmetric cryptography, the key pair, a private key and the public key, are going to be created on the device.
The private key will stay on the device and the public key will go and be registered on the authentication server that is managed by the service provider. Okay? So once we get to this point, all this is pure standard FIDO protocol, nothing particular here. What is particular is what happens next. That was decided by Google and by Apple. And what happens next is that Apple in this case is going to export my passkey up to ID cloud, sorry, up to iCloud, to the Keychain, in a similar way as they do with passwords. And from there it's going to propagate to other devices.
Now this is nice, but it also raises some questions. On the positive side, it's great because I register for a passkey once for one given service and then all of a sudden I have it available on any other device that I could do. Whenever I take my iPad, I'm going to have my passkey waiting for me to be used already, even if I had registered it on my mobile device. That's great.
And also, it's also another issue that has been always an issue related to strong authentication, which is device recovery. If I lose my phone, normally I have to go through an entire process in order to re-register myself and to get credentials. But in this case, that is not going to be the case because I have a backup of my passkey, which is waiting for me in the cloud. Well, that all is great, but it raises some questions, and the questions have to do with security and with perception of ownership of the credentials. The matter of perception is simple.
All of a sudden we have a third party.
So if the passkeys initially are a binding between the service provider and their users, all of a sudden here we have a third party participating in this exchange, which is Google or which is Apple. Some service providers may not feel, by principle, very happy about that.
No, but then there is a second question, especially for regulated industries, which is the fact that the notion for strong authentication, for example in PSD2, which is the standard for financial services in Europe, requires a strong device binding between the credential and the device where that credential is created. We don't have that with passkeys.
And so it creates some questions. So we get to the conclusion. So what is our conclusion?
When this came out, it created a lot of questions, especially in the financial industry. For example, should we be adopting passkeys or not? They're great on one side, but we have concerns. This is our recipe, this is our recommendation to our customers. This is what we share with you as our view. There is no doubt whatsoever that passkeys, synchronized passkeys, are great as a password replacement.
If any company for their employees or for their end users are relying today on passwords, they should be moving away from them. They should be introducing the support for passkeys because they will get a solution with maybe much better security and much better user experience now. Totally. If they need something else. I'm just one minute.
Yeah, we're already over time. So if you could wrap it up in seconds, just I wrap it up. Just one more slide.
If they need a stronger authentication, then they should be looking at the other form factors. They should be looking at the usage of an SDK integrated into their mobile app, and so having device-bound passkeys that are fully compatible with SCA. And so with that, this is what they will be getting.
So move, improve much your user experience with introduction of synced passkeys no matter what. And if you need a higher level of security because of regulation, use as well an implementation over mobile through an SDK in order to get that level of security, or even for workforce with tokens. Thank you. Thank you.