Moving Past Passwords (At Last!)
Interop Digital Keynote Executive Summary presented by Andrew Shikiar, Executive Director & CMO, FIDO Alliance, and Peter Newton, Senior Director of Products and Solutions, Fortinet

KEY TAKEAWAYS
■ Passwords are ubiquitous and vulnerable to attack; new approaches to authentication are needed.
■ A fundamental shift is required from legacy, knowledge-based credentialing to modern, possession-based credentialing.
■ The FIDO Alliance’s mission is to develop a standards-based means for user authentication.
■ FIDO authentication is based on a simple architecture that delivers multiple benefits.
■ The FIDO Alliance recognizes that usability and security are critical for eliminating passwords at scale.
■ Although every organization has unique characteristics, best practices for FIDO deployment exist.
■ Fortinet is committed to zero-trust solutions and passwordless authentication technology.
Keynote Executive Summary - Moving Past Passwords (At Last!)
OVERVIEW
Passwords represent an ongoing security threat for companies. Research suggests that over 80% of data breaches are due to weak credentials and passwords. Managing unique passwords and logins for hundreds of accounts is unwieldy, leading users to bad password hygiene. It’s time to move beyond password-based authentication.
The good news is that the passwordless authentication movement is gaining momentum as more companies eliminate passwords from their authentication flows. The FIDO (“Fast IDentity Online”) Alliance’s 250 members have created a standards-based approach to passwordless authentication that delivers both usability and outstanding security.

CONTEXT
Andrew Shikiar described how the FIDO Alliance’s approach to passwordless authentication is contributing to a more frictionless, secure authentication future. Peter Newton participated in a fireside chat and discussed Fortinet’s commitment to zero trust and passwordless authentication.

KEY TAKEAWAY #1
Passwords are ubiquitous and vulnerable to attack; new approaches to authentication are needed.
Looking ahead to the next 18 months, security experts have made two predictions:
1. Phishing attacks will continue to succeed. Phishing is a cheap, easy way for bad actors to take over user accounts. Well-designed phishing attacks have a success rate in excess of 50%.
2. Multifactor authentication (MFA) bypass attacks will become mainstream. Legacy MFA such as SMS text codes is not fully secure: a one-time code typed by the user can be phished and relayed just like a password.
Although password-based authentication has many weaknesses, it has been difficult to shift to a better approach. Users and organizations are often reluctant to change because passwords are a known commodity that is part of the fabric of the web.
Fortunately, passwordless authentication provides a better alternative, offering the same advantages as passwords without the security weaknesses. The outlook for 2022 and 2023 is bright. Every major analyst firm has told enterprises to implement passwordless authentication now.
The FIDO Alliance is seeing upwards of 20% to 40% of companies implementing FIDO-based passwordless solutions inside the enterprise. On the consumer side, device platforms are providing consumer-ready solutions at scale, which should be available later this year.
KEY TAKEAWAY #2
A fundamental shift is required from legacy, knowledge-based credentialing to modern, possession-based
credentialing.
Knowledge-based credentialing uses a shared secret, such as a password or an SMS one-time password (OTP). Whoever presents the right secret is granted access, whether or not that party is the legitimate user. This approach is susceptible to common threats, because any human-readable secret that is typed in and sent over the network can be phished, relayed, or replayed by a remote attacker.
The solution is to move to a possession-based form of authentication that is phishing resistant. Unlike most knowledge-based authentication approaches, possession-based authentication never sends human-readable secrets over the network. Modern approaches use cryptographically secure communication that is initiated by the user: the server issues a fresh challenge and a key held on the user’s device signs it, so an intercepted response cannot be reused.
Figure 1: Knowledge-Based Credentialing vs. Possession-Based Credentialing
KEY TAKEAWAY #3
The FIDO Alliance’s mission is to develop a standards-based means for user authentication.
Many legacy authentication technologies like smart cards or public key infrastructure (PKI) are highly secure but are not very usable. If a company deploys a form of MFA that’s hard to use, employees and consumers find ways around it. The FIDO Alliance’s mission is to develop a standards-based means for user authentication that is more usable and secure than legacy approaches.
The FIDO Alliance has made asymmetric public key cryptography user-friendly through open standards. Single-gesture, possession-based authentication ensures that the system is highly usable. Users can log in with a single gesture, whether it’s a biometric, a security key, or a local device PIN; the biometric or PIN only unlocks the authenticator locally and never goes over the network.
The FIDO Alliance is an international, open industry body. Its 250 members are unified behind a common vision for scaling asymmetric public key cryptography. Members fall into four categories:
1. Companies building platforms and devices at massive scale
2. Companies that are experts at security, identity, and biometrics
3. Service providers that securely deliver high-assurance services to billions of users worldwide every day
4. Government bodies
KEY TAKEAWAY #4
FIDO authentication is based on a simple architecture that delivers multiple benefits.
The fundamental difference between the FIDO approach to authentication and traditional approaches is the introduction of an authenticator that mediates the relationship between the user and the server.
Public key cryptography uses a key pair consisting of a public key and a private key.
▪ The public key resides on the server.
▪ The private key is local on the authenticator; each private key is dedicated to a single service (site or app) and is never shared across services.
In this model, the public key has no material value. If bad actors steal the public key, they can’t do anything with it. To protect the private key, users verify themselves to the authenticator (with a biometric or PIN), and only then does the authenticator use the private key to answer the server’s authentication challenge. The only thing sent over the network is a signature over that server-issued challenge, bound to the identity of the site that requested it; no reusable secret is transmitted. As a result, there is no password to steal, a captured response cannot be replayed, and a phishing site on another domain cannot obtain a response the real server will accept.
The latest FIDO2 specs were built in collaboration with the W3C standards body. There has been broad adoption of FIDO across markets. Virtually every device unboxed today supports FIDO authentication, and over 90% of web browsers in use today support it.
Figure 2: How FIDO Authentication Works
Figure 3: FIDO Use Cases
The benefits of deploying FIDO include:
▪ Security. FIDO reduces the risk of data breaches and resulting damage.
▪ User experience. A lower-friction user experience (UX) results in more site visitors, greater brand affinity, and higher employee productivity.
▪ Cost savings. FIDO’s passwordless authentication eliminates password resets and reduces the cost of device provisioning and customer support.
▪ Increases to the top line. FIDO improves sign-in rates. For example, a financial services firm saw a 15% lift in the number of people signing in compared to password-based authentication. Moving to a passwordless approach also reduces shopping cart abandonment.
In addition to businesses, governments and regulatory bodies have also embraced FIDO authentication. In the United States, the White House has been engaged in leveraging FIDO authentication for different policies. Globally, countries are deploying FIDO authentication to protect government assets and e-citizen services.
KEY TAKEAWAY #5
The FIDO Alliance recognizes that usability and security are critical for eliminating passwords at scale.
To promote mass adoption of passwordless-based authentication, the FIDO Alliance is furthering usability while keeping security
top of mind.
▪ UX guidelines. The FIDO Alliance’s UX committee analyzes usability across the board to enable companies to be more successful.
The organization recently sponsored a multi-phase study that broke down the user journey from the time of being prompted for
passwordless authentication through enrollment, login, sign-out, and support. The findings from this research were incorporated
into FIDO’s UX guidelines for platform authenticators, released in 2021, and in the FIDO UX guidelines for security keys, published in
June 2022.
▪ Security. Passkeys (also known as multi-device FIDO credentials) are an important step forward on security. To enroll in FIDO credentials, users historically had to register a new key pair on every device for every service. This approach didn’t meet the market’s usability needs. Passkeys now enable deployment of FIDO at scale for consumers moving between devices and upgrading to new ones. Starting this year, passkeys will be supported on leading device platforms like Apple, Google, and Microsoft. Because a multi-device credential is synchronized through the platform vendor’s account, the security of that account becomes part of the relying party’s trust boundary; device-bound credentials remain the option where that is not acceptable.
Figure 4: Passkeys/Multi-Device FIDO Credentials Implications for UX and Security
KEY TAKEAWAY #6
Although every organization has unique characteristics,
best practices for FIDO deployment exist.
FIDO can scale from small deployments inside a local
enterprise to broad global deployments for billions of
consumers. When it comes to FIDO deployment, every
organization has unique characteristics. These may include
the organization’s size and number of users, device types,
complexity, and the regulatory environment.
To move forward, Mr. Shikiar recommended four steps:
1. Build a business case. The FIDO Alliance website has many case studies which may be useful.
2. Scope out a pilot project. As part of this work, establish success metrics such as reductions in IT help desk calls, successful login rates, customer satisfaction, or employee satisfaction.
3. Implement a proof of concept. Based on what you see, assess and improve. It can be helpful to find peers through industry networks to discuss common challenges.
4. Implement FIDO. If you are building your own FIDO implementation, check out FIDO’s dev resources. For organizations interested in outsourcing, over 900 FIDO-certified products exist.
“How do we eliminate passwords at scale? It comes down to two things. The primary one is usability. The second is security.”
– Andrew Shikiar, FIDO Alliance
KEY TAKEAWAY #7
Fortinet is committed to zero-trust solutions and passwordless authentication technology.
Fortinet’s mission is protecting users and data, no matter where they are located. The company’s focus is securing enterprises of all sizes and granting employees access to corporate resources in a safe and secure manner. Fortinet’s comprehensive cybersecurity solution spans firewalls, the cloud, and on-premises infrastructure. One of the key pillars of the company’s zero-trust solutions is identity and user authentication.
Peter Newton made the following observations about passwordless authentication:
▪ Eliminating passwords is the path forward to better cybersecurity. Fortinet has released its FIDO2-certified passwordless authentication solution. Passwordless authentication improves organizational security and improves the user experience. Employees sign in with just a username and an authenticator gesture, and reach resources much more rapidly.
▪ Passwordless authentication enhances productivity for IT teams. Historically, IT departments have spent a lot of unnecessary time resetting employee passwords. Going to passwordless authentication eliminates this time and money and enables IT to focus on more strategic tasks.
▪ Going passwordless isn’t a significant shift in how authentication is organized. It is important, however, to deal with vendors certified by the FIDO Alliance. If an organization is creating a multivendor passwordless implementation, solutions must be certified to work together. Fortinet has its own authentication solution. Shifting from that to passwordless mode is straightforward.
▪ If IT teams are hesitant to adopt passwordless authentication, at a minimum they must have existing and proven technologies in place. Multifactor capabilities, for example, are a great way to mitigate the security shortcomings of passwords alone.
“We’ve known for a decade that passwords are a problem and they are the single biggest hole in our security solutions. With the FIDO Alliance, we finally have a viable consortium of companies working together to eliminate this weak spot in our entire cybersecurity kill chain.”
– Peter Newton, Fortinet
BIOGRAPHIES
Andrew Shikiar, Executive Director & CMO, FIDO Alliance
Andrew Shikiar brings extensive experience driving awareness and adoption of emerging B2B technologies to his role as Executive Director and Chief Marketing Officer at the FIDO Alliance, a non-profit industry association focused on eliminating the world’s dependence on passwords by creating and driving adoption of open standards for simpler, stronger user authentication.
https://www.linkedin.com/in/andrewshikiar/

Joe Maglitta, Head of Editorial and Editorial Director, Interop
Joe Maglitta is Editorial Director at Interop. An award-winning technology writer and editor, Joe has served in senior event and editorial roles at top media companies. He has created innovative programs and content for dozens of leading technology companies, agencies, and research firms. Follow and connect with him at https://www.linkedin.com/in/joemaglitta/
Peter Newton, Senior Director of Products
and Solutions, Fortinet
Peter Newton is a Senior Director of Products
and Solutions at Fortinet, where he oversees the Zero-Trust
Access (ZTA), LAN Edge, Operational Technology (OT), and
IoT solutions. He brings 20 years of experience with computer
networking and security, working at both chip-level and
system-level solutions for companies including AMD, Netgear,
Silver Spring Networks, and Fortinet. Prior work experience
includes being an officer in the US Navy. Peter holds a
Bachelor of Science in Electrical Engineering from Rice
University and a Master’s in Business Administration from the
University of Texas at Austin.
https://www.linkedin.com/in/newtonpeter/