Highlights and Trend-Setter Standouts
The Authenticate 2021 conference, only in its second year, has wrapped and the plenary sessions for standards body work under the FIDO Alliance are underway. The obvious questions that came to mind for the conference, especially given it was a conference started during a pandemic: How well was it attended? Were there any trend-setting end-user organizations that presented? Were there any new products, technologies or use cases that were featured? The short answers are: well, yes, and yes!
In-person attendance reached approximately 250 attendees, with good safety measures in place. No doubt we had to quickly get over the surreal nature of networking among security and identity experts while donning masks – symbology frequently used in the industry to represent the hackers! Virtual attendance was more than three-times the in-person numbers, and the tech and orchestration of the virtual speakers was very smooth. Considering the conference got its start only last year during a pandemic, the numbers are not bad at all. Some standout presentations are highlighted here:
Dave Kleidermacher, VP of Engineering for Android Security & Privacy for Google, presented four solutions for key challenges of digital safety for users. Kleidermacher sees a day when each user retains exclusive access to their private information processed by systems and services so that no one unauthorized has access to the plain-text information, not even the service providers (Private Computing). Safety in public content platforms would be ensured via ‘Radical Curation’ where subject matter experts will review apps (that opt in) related to their space to ensure ‘good nutrition’ (e.g. teachers reviewing apps for kids). Transparency regarding the security and privacy ‘ingredients’ inside of products via certification labels that would ‘raise the tide’ so users know how the apps and devices are protecting them.
And finally, and most exciting to this geeky nerd, Kleidermacher emphasized how digital ID wallets on smartphones, tablets, laptops and other devices can bring easy to use and strong access to websites, applications and IoT devices. Kleidermacher called this the “miracle of unphishable authentication” and reinforced that FIDO passkeys will be available in Google’s digital wallet, including APIs for developers, linked to or in addition to government and other ID types.
Anand Bahety, Software Engineering Manager at eBay, presented a sobering and refreshing view on the challenges of implementing FIDO within a production environment. Many presenters would gloss-over these challenges. Instead, Bahety helped the audience understand how to approach these challenges head-on and mitigate them before going live. Bahety also revealed key gaps in the FIDO specification that need to be addressed through updated specifications in the future, including key APIs that should exist but don’t, and the inability for a user to register using the same device with the same single service provider (relying party) across various applications or websites. Today, using FIDO, you have to re-register for each and every app or website that the relying party hosts.
Itai Zach, Senior Product Specialist, and Anthony Bahor, Customer Success Manager, from Ping Identity reminded the audience that implementing passwordless within an enterprise or for customers can bring major benefits if it is treated as a “journey” rather than just a program or project. Zach gave a very logical high-level walkthrough of the journey template to succeed in passwordless deployments. Bahor followed up by providing first-hand experience in the details when planning and executing each step along the way. The nuances of how to avoid obstacles and glide over the speedbumps during activities along the journey to get to a passwordless experience were very helpful. There is no doubt taking these experience-based recommendations when it comes to FIDO and implementing passwordless will make life a lot easier.
Tom Sheffield, Senior Director of Cybersecurity at Target, gave us an impressive overview of how FIDO was rolled out for the the company’s workforce. Amazingly, Target discovered how important creating an internal brand and related iconography was to help educate users and drive adoption. Target also learned that trying to force adoption, including mandating a particular FIDO authenticator for all users (e.g. a particular hardware device or methodology), would not work in their environment. Users had to be convinced to opt in on their own and had to be afforded flexibility for their specific work environment and habits. Some excellent program metrics were also presented by Target, including how and when to measure each metric, useful to anyone implementing passwordless for their workforce. Very impressive indeed to see a giant like Target working smart deploying FIDO throughout their ecosystem.
Kayla Shapiro, Production Engineer from Facebook, highlighted the work her team did building an end-to-end trusted environment for employees that also incorporates FIDO. Shapiro masterfully delivered understandable and meaningful content around topics like “key exfiltration” and components like “Merkle trees.” Shapiro artfully presented these aspects in the context of identity (as opposed to generic PKI or blockchain, as is typically the case). It was also clear to the audience how these aspects discriminate the solution presented. Shapiro mentioned their work is being considered for OpenSource availability – something to definitely keep an eye out for.
These kinds of presentations certainly were refreshing, as compared to only listening to how a standard workflow happens or has been improved. Highlighting concrete information regarding real-world implementations of FIDO, including metrics, really builds confidence that the FIDO standard has come into its own and is ready for primetime. Organizations looking for the “miracle of unphishable authentication” to strengthen their security posture, while simultaneously improving the user experience, should consider FIDO to get things started. It’s clear the next step is for those same organizations to demand that FIDO be combined with the strong root-of-trust incorporated in mobile IDs and driver licenses now being provisioned by government issuers and being inserted in various wallets. This combination has a real chance to truly digitize and revolutionize how we engage daily with in-person, online and IoT systems and applications, and then yes, maybe… just maybe… the password will be dead.
We can’t wait to attend next year’s Authenticate conference, when hopefully someone will be showcasing this exact combination! Until then, we are pleased to see FIDO stepping up to the table to begin independent lab testing of ID verification vendors starting early next year (i.e. UX/UI and image quality assurance and back-engine ML/AI processing for physical government ID authentication and selfie-to-ID photo matching with liveness). This will be very helpful as a stopgap until mobile IDs become more ubiquitous across jurisdictions.
We would be remiss not to also mention the important key activities sponsored by the OpenID Foundation (OIDF) that happened the same week as Authenticate 2021 to offer FIDO Alliance member engagement to participate in:
- Global Assured Identity Network (GAIN) – An initiative kicked off by a white paper with 150 authors of a white paper focused on a common-sense approach that addresses the challenge of international interoperability of digital identity. An overview of the program and planned proof of concept was presented and invitation to FIDO Alliance members to collaborate and participate.
- Interconnecting Mobile Driver Licenses and OIDF Protocols with FIDO – Established standards (e.g. ISO 18013-5 and Open ID Connect SIOP), and standards in development like ISO 18013-7 and workgroup effort under ISO 23220, can benefit greatly by considering or interconnecting complementary FIDO standards to enable safer and more secure online experiences that need to take advantage of the mobile driver license data and root-of-trust.
- Shared Signals and Events Framework (SSE) – OIDF recently launched a new standard that is designed to fight fraud, securely and privately, through the sharing of security events, state changes, and other signals between related and/or dependent systems. By standardizing how organizations share various fraud, risk and identity proofing / vetting signals, along with built-in access control mechanisms and additional FIDO standards, the number of errors and omissions would be reduced, consent and approval can be realized, and dealing with exceptions becomes a lot easier and faster.
These sessions were icing on the cake for the week. All-in-all, Authenticate 2021 packed a good punch of industry progress backed up with real-world results and metrics, topped off with a glimpse of the future where things can go when mashing up key standards. I look forward to what’s in store at Authenticate 2022!
Related News
Have VCs Been Investing in the Wrong Places?
Google Makes Passkeys Default Login Option for Personal Accounts
UK Parliament Passes a Potentially Impactful Bill – Identity New Digest
Mobile ID Checks Are Coming to a Business Near You – Identity News Digest
TrinamiX’s Under-display Facial Recognition Passes Spoofing Tests
Google Exploring Use of Facial Expressions to Control Android Phones
Follow Us